December 3, 2022

Volume XII, Number 337

Advertisement

December 02, 2022

Subscribe to Latest Legal News and Analysis

December 01, 2022

Subscribe to Latest Legal News and Analysis

Biden Administration Issues Executive Order for Privacy Shield Replacement

Earlier today, President Biden issued the Executive Order that is expected to lay the groundwork for the replacement for Privacy Shield.   

Key Takeaway 

President Biden issued an Executive Order to help pave the way for a new mechanism to transfer personal data subject to EU data protection law from the EU to the US. Whether and when the new mechanism will be available for US businesses remains to be seen.

Background

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, known as “Schrems II.” Among other holdings, Schrems II invalidated the mechanism—known as the EU-U.S. Privacy Shield Framework—which, at that time, more than 5,000 US businesses used to transfer personal data from the EU to the US in compliance with EU data protection law.  

In Schrems II, the CJEU ruled that US laws (including FISA Section 702) that enable US intelligence agencies to access the personal data of non-U.S. persons for national security and surveillance purposes do not adequately respect and protect the fundamental privacy rights of individuals in the EU whose personal data are transferred to the US. 

In particular, the CJEU noted the lack of an effective judicial redress process in US courts for those EU data subjects.

In March of this year, President Biden announced a commitment in principle by the US and European Commission to create a new “Trans-Atlantic Data Privacy Framework” (DPF) intended to address the concerns raised by the CJEU in Schrems II. At that time, President Biden expressed the specific commitment to “implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives” with the goal of creating “a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities”.  

Today’s Executive Order 

Today’s Executive Order included these main points:

  • For US signals intelligence activities:
    • requiring defined national security objectives and to be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
    • requirements for personal information collected through signals intelligence activities to include appropriate actions are taken to remediate incidents of non-compliance.  
  • Creates a multi-layer mechanism for individuals to obtain review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the United States in violation of applicable US law.    
    • Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the EO’s enhanced safeguards or other applicable US laws were violated and, if so, to determine the appropriate remediation. 
    • As a second layer of review, the EO authorizes and directs the Attorney General to establish a Data Protection Review Court (DPRC) to provide an independent and binding review of the CLPO’s decisions upon an application from the individual or an element of the Intelligence Community. The US Attorney General today issued accompanying regulations on the establishment of the DPRC.
  • Requires US Intelligence Community to update policies and procedures to reflect the EO and the Privacy and Civil Liberties Oversight Board to review the Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order.
  • Annual review of the redress process, including whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.

The Executive Order was accompanied by a National Security Memo that revokes all but two sections of Presidential Policy Directive 28 (PPD 28). Former President Obama issued PPD 28 in 2014 to help address some of the concerns raised by EU regulators by articulating principles to guide “why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes.” The two remaining sections are Section 3 titled “Principles Governing the Collection of Signals Intelligence,” and Section 6, which contains “General Provisions.” 

Privacy Shield’s invalidation came almost four years to the date after a joint EU-U.S. statement issued on July 12, 2016, announced its approval. Privacy Activist organization NYOB has already announced its belief that the Executive Order is unlikely to satisfy EU law.

Whether the DPF will prove more durable remains to be seen.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 280
Advertisement
Advertisement
Advertisement

About this Author

Julia B. Jacobson New York Cybersecurity Attorney Squire Patton Boggs
Partner

Julia B. Jacobson is a Partner in Squire Patton Boggs' Data Privacy, Cybersecurity & Digital Assets Practice. For over 20 years, a world-class roster of national and multinational clients has turned to Julia for practical and tactical advice and counsel on privacy and cybersecurity compliance strategies, data breach response, technology transactions and marketing initiatives.

A significant portion of Julia’s practice is devoted to advising clients on an array of privacy, cybersecurity, data breach and data governance matters. She assists...

212-872-9832
Of Counsel

Shea Leitch is Of Counsel for Squire Patton Boggs' Washington D.C. office. For close to 10 years, Shea Leitch has served as a trusted advisor to multinational companies who rely on her to provide timely and practical advice as they build and adapt their global privacy and security programs. A Certified Information Privacy Professional (CIPP/US, E), Shea’s in-depth knowledge of privacy and data security issues makes her a sought-after counselor to companies in various sectors, including the social media, advertising, retail and automotive sectors.

...
202-457-6510
Advertisement
Advertisement
Advertisement