Earlier today, President Biden issued the Executive Order that is expected to lay the groundwork for the replacement for Privacy Shield.   

Key Takeaway 

President Biden issued an Executive Order to help pave the way for a new mechanism to transfer personal data subject to EU data protection law from the EU to the US. Whether and when the new mechanism will be available for US businesses remains to be seen.

Background

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, known as “Schrems II.” Among other holdings, Schrems II invalidated the mechanism—known as the EU-U.S. Privacy Shield Framework—which, at that time, more than 5,000 US businesses used to transfer personal data from the EU to the US in compliance with EU data protection law.  

In Schrems II, the CJEU ruled that US laws (including FISA Section 702) that enable US intelligence agencies to access the personal data of non-U.S. persons for national security and surveillance purposes do not adequately respect and protect the fundamental privacy rights of individuals in the EU whose personal data are transferred to the US. 

In particular, the CJEU noted the lack of an effective judicial redress process in US courts for those EU data subjects.

In March of this year, President Biden announced a commitment in principle by the US and European Commission to create a new “Trans-Atlantic Data Privacy Framework” (DPF) intended to address the concerns raised by the CJEU in Schrems II. At that time, President Biden expressed the specific commitment to “implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives” with the goal of creating “a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities”.  

Today’s Executive Order 

Today’s Executive Order included these main points:

• For US signals intelligence activities:
  • requiring defined national security objectives and to be conducted “only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.”
  • requirements for personal information collected through signals intelligence activities to include appropriate actions are taken to remediate incidents of non-compliance.  
• Creates a multi-layer mechanism for individuals to obtain review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the United States in violation of applicable US law.    
  • Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the EO’s enhanced safeguards or other applicable US laws were violated and, if so, to determine the appropriate remediation. 
  • As a second layer of review, the EO authorizes and directs the Attorney General to establish a Data Protection Review Court (DPRC) to provide an independent and binding review of the CLPO’s decisions upon an application from the individual or an element of the Intelligence Community. The US Attorney General today issued accompanying regulations on the establishment of the DPRC.
• Requires US Intelligence Community to update policies and procedures to reflect the EO and the Privacy and Civil Liberties Oversight Board to review the Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order.
• Annual review of the redress process, including whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.

The Executive Order was accompanied by a National Security Memo that revokes all but two sections of Presidential Policy Directive 28 (PPD 28). Former President Obama issued PPD 28 in 2014 to help address some of the concerns raised by EU regulators by articulating principles to guide “why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes.” The two remaining sections are Section 3 titled “Principles Governing the Collection of Signals Intelligence,” and Section 6, which contains “General Provisions.” 

Privacy Shield’s invalidation came almost four years to the date after a joint EU-U.S. statement issued on July 12, 2016, announced its approval. Privacy Activist organization NYOB has already announced its belief that the Executive Order is unlikely to satisfy EU law.

Whether the DPF will prove more durable remains to be seen.