US President Joseph Biden signed the long-anticipated Executive Order on Enhancing Safeguard for United States Signals Intelligence Activities (EO) on October 7, 2022, providing enhanced protections in an effort to restore the free flow of personal data transfers from Europe to the United States.
The EO attempts to address the European Court of Justice’s Schrems II decision, which complicated data transfers from the European Union to the United States because of concerns over US government surveillance activities. In part, the EO offers enhanced protections for personal data collected through intelligence activities and implements new safeguards for the collection of personal data. The goal of these new protections is to enable the European Commission to restore a straightforward data transfer mechanism eliminating the uncertainty many organizations face when exporting data to the United States.
The EO builds on the preliminary agreement that President Biden and European Commission President Ursula von der Leyen announced in March 2022. Although this action is a step forward, there is still a long way to go before data can flow freely from the European Union to the United States.
The EO adds additional safeguards for US signals intelligence activities, including requiring these activities to be conducted only in pursuit of defined national security objectives.
Finally, the EO partially revokes the Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities) (PPD-28). Following President Biden’s actions, only Sections 3 and 6 of PPD-28 and the classified annex remain in effect.
The European Commission has not yet released an official statement on the EO. However, NOYB, Max Schrems’s organization, promptly released a critical statement about the EO. NOYB stated that there is no indication that US mass surveillance will change in practice, and expressed the view that so-called “bulk surveillance” will be permitted under the EO and data sent to the United States will still be subject to government surveillance.
US surveillance laws were the key point in the Safe Harbor and Privacy Shield frameworks being overturned. To address these points in the context of using standard contractual clauses, the European Commission’s decisions with new forms of standard contractual clauses, as well as European Data Protection Board guidelines on implementing supplementary transfer tools and essential guarantees, require exporting and importing organizations to undertake risk assessments addressing these surveillance laws, not all of which apply to many organizations.
The new data transfer framework is likely to take several more months to be finalized and made available to US organizations. Several significant steps at various levels must be taken:
This process could take until spring 2023. Whatever the outcome is, privacy activists such as Schrems and NOYB will likely challenge it in court. The EO may also be subject to challenges in US courts because it arguably gives EU residents greater privacy protections than US citizens. It remains to be seen whether the United Kingdom will adopt this framework or enact its own data transfer framework with the United States.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: