Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?
Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October. The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”). While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures. But does it?
Much of the reporting on the Executive Order has taken at face value that it was a significant step toward common ground between the EU and United States on data privacy issues, addressing concerns raised by the Court of Justice of the European Union (“CJEU”) when it struck down the European Commission’s adequacy decision underlying the now-invalidated EU-U.S. Privacy Shield Framework in 2020. But the new Executive Order does not amend or replace existing U.S. data surveillance law. Rather, it sets forth additional criteria designed to counter the CJEU’s criticisms of the Privacy Shield Framework. The two key changes are (1) additional safeguards surrounding signals intelligence activities and (2) a more robust redress mechanism for EU data subjects.
The CJEU previously concluded that U.S. surveillance laws are not compatible with the EU’s more stringent privacy protections, finding that (1) U.S. surveillance laws do not limit access to data for surveillance purposes to what is “necessary and proportionate,” and (2) EU data subjects were not granted actionable redress in courts against U.S. authorities, leaving EU data subjects with no rights to effective remedy. The new Executive Order attempts to make progress on both of these fronts. First, the Executive Order places additional safeguards on signals intelligence activities by the U.S. government (and consequently, companies dealing with the U.S. government), which include the collection of information from foreign communications, radar, and other electronic systems.
Second, the Executive Order sets forth a new redress mechanism for data subjects in “qualifying states” designated by the U.S. Attorney General in concert with other government officials based on a finding that (a) the country requires these safeguards in the conduct of signals intelligence activities, (b) the country permits or will in the future permit the transfer of personal information for commercial purposes between the U.S. and the country, and (c) the designation will advance the U.S. national interest. Data subjects in qualifying states can make a complaint to the Civil Liberties Protection Officer (“CLPO”) of the Office of the Director of National Intelligence, and the CLPO is empowered to investigate, make findings, and remediate those complaints. The CLPO’s findings are then subject to review by a newly established body called the Data Protection Review Court, an independent court whose decisions are binding on the intelligence community.
So is all of that enough to ease the concerns of the EU? Maybe. The challenge is that the Executive Order is inherently limited because (1) it can only impact how executive government agencies carry out statutory obligations, (2) executive orders cannot change laws passed by the legislature, and (3) executive orders can be reversed/canceled/changed much more easily than laws passed by the legislature, or even regulations enacted by agencies. Moreover, this Executive Order has an express carve-out for Section 702 and Executive Order 12333, which are precisely the measures EU regulators and commentators have often highlighted as provisions of U.S. law creating significant privacy risks.
All that said, the Executive Order could directly impact companies that are involved with the exchange of data from member states of the EU, as data privacy regulations, particularly involving the EU, continue to rapidly change. U.S. companies should stay abreast of the developing Framework, as the European Commission is expected to formally adopt an adequacy decision of the Trans-Atlantic Data Privacy Framework over the next few months. The Framework will more than likely be challenged in the EU judicial system, which will determine whether or not the U.S. privacy standards are now “essentially equivalent” to those in the European Union. For now, contractual clauses related to overseas data transfer will remain a valid mechanism. The Privacy, CyberSecurity & Media Group at Vedder Price, P.C. continues to closely monitor these issues with respect to data privacy counseling and regulations.