President Biden Issues Executive Order Providing for New EU-U.S. Data Privacy Framework
Wednesday, October 26, 2022
Data Privacy Concerns Lead to EU and US Data Privacy Framework
Print Mail Download i

On October 7, 2022, President Biden signed Executive Order (EO) 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” which provides a new framework for legal data transfers between the European Union (EU) and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020 when the European Court of Justice (ECJ) in Schrems II invalidated the EU-U.S. Privacy Shield Framework to transfer data from the EU and other European Economic Area (EEA) countries to the United States.

This follows the European Commission’s and the United States’ announcement in March 2022 that they had reached an agreement in principle on the new EU-U.S. Data Privacy Framework to facilitate transatlantic data flows.

The executive order addresses data privacy concerns raised by the ECJ in Schrems II by introducing additional safeguards and oversight of personal data collection by U.S. signals intelligence agencies’ (SIGINT) activities and provides individuals with a redress mechanism for their data protection concerns. In particular, EO 14086:

  • mandates that SIGINT activities only be “necessary to advance a validated intelligence priority” and “proportionate to the validated intelligence priority.” SIGINT activities shall be undertaken “only in pursuit of one or more” of twelve specific legitimate national security and intelligence objectives;

  • allows bulk collection of signals intelligence but subjects such bulk collection to tighter controls and requires that targeted collection be prioritized;

  • creates requirements for the handling of personal data collected in signals intelligence and expands oversight to verify compliance and remediate instances of noncompliance;

  • takes into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and

  • creates a multilayer mechanism for individuals of “qualifying state[s]” (including the EU) and regional economic integration organizations to obtain an independent and binding review and redress.

The redress mechanism includes establishing:

  • a civil liberties protection officer (CLPO) in the Office of the Director of National Intelligence to conduct initial investigations; and

  • the Data Protection Review Court (DPRC) to provide an independent and binding review of CPLO decisions. The DPRC judges will be appointed from outside the U.S. government in consultation with the U.S. Department of Commerce and the independent Privacy and Civil Liberties Oversight Board (PCLOB).

EO 14086 also:

  • directs U.S. intelligence agencies to update their policies and procedures “as necessary to implement the privacy and civil liberties safeguards” in EO 14086;

  • requires the PCLOB to review these policies and procedures, as well as conduct annual reviews of the redress process; and

  • imposes data retention requirements.

Next Steps

The European Commission will review EO 14086, raise any concerns, and, if satisfied, will issue a draft adequacy decision for review by member states, the European Parliament, and the European Data Protection Board (EDPB). The European Commission will also seek a legal opinion from the EDPB. Finally, an EU committee comprising representatives from each EU member state must vote to approve the draft adequacy decision. If the EDPB’s opinion provides a negative outlook, or if privacy campaigners challenge the Framework and/or EO 14086, it may be subject to further revision and discussions between the United States and EU. This legal process could take between six months and a year to complete.

While businesses wait for the draft adequacy decision and the process to commence, they may continue using the standard contractual clauses (SCCs) for transfers outside the EU and the International Data Transfer Agreement (IDTA) for transfers outside the United Kingdom (or the International Data Transfer Addendum to the SCCs, which is to be appended to the new SCCs) when transferring personal data outside the United Kingdom or EU to third countries, along with transfer impact assessments to justify transfers to third countries.

Businesses may want to update their existing contractual agreements to the new SCCs by December 27, 2022.

© 2024, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Current Legal Analysis

More from Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

DOJ Final Rule on Website Accessibility for State and Local Governments Portends Significant Changes for Private-Sector Websites
by: David Raizman
FTC Adopts Final Rule Banning Employers From Entering Non-Competes
by: Scott R. McLaughlin , Christine Bestor Townsend
DOL Finalizes Substantial Increase to Salary Threshold for FLSA White Collar Exemption
by: Charles E. McDonald, III , Keith E. Kopplin
Jury Awards Hospital System Employees $100 Million in Damages for Time Clock Rounding, Meal Break Violations
by: Adam T. Pankratz , Zachary V. Zagger
Off-Duty Conduct Protections for Employees’ 4/20 Celebrations: A Look at the High Points of a Few States’ Marijuana Laws
by: Jennifer L. Pacicco , M. Tae Phillips
Illinois District Court Enjoins Equal Benefits for Equal Work Provision of Illinois Day and Temporary Labor Services Act
by: Jennifer L. Colvin , Hilarie M. Carhill
Reeducating Educators on Discrimination Processes: the U.S. Department of Education Issues New Title IX Sex and Gender Nondiscrimination Regulations
by: Lisa Karen Atkins , Amanda T. Quan
Beltway Buzz, April 19, 2024
by: James J. Plunkett
Biden Administration Proposes Rule to Amend Higher Education Act as Part of Latest Effort to Tackle Student Loan Debt
by: Lisa Karen Atkins , Elizabeth T. Jozsi
New Jersey Appellate Division Addresses Employers’ Obligation to Reimburse Employee Business Expenses
by: Mark Diana

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins