On October 7, 2022, President Biden signed a new executive order which commits to changes in US intelligence in an attempt to restore important data transfers from the EU to the US. Following the Schrems II decision, the regulations surrounding personal information in the US have been called into question. Subsequently, a number of EU countries have also stated that the transfer of data to the US violates GDPR due to the US privacy regulations. Specifically, the issue concerns US intelligence agencies' access to any and all data stored and processed in the US.
The Executive Order focuses on the steps that the US will take under the new E.U.-U.S. Data Privacy Framework. It is hoped that the new framework will restore an important legal basis for transatlantic data flows. The European Commission previously rejected the prior Privacy Shield framework.
Under the new Executive Order, US signals intelligence activities will only be conducted:
- In the pursuit of defined national security objectives
- When necessary to advance a validated intelligence priority
- To the extent and in a manner proportionate to the priority
It will also take into consideration the privacy and civil liberties of everyone, regardless of nationality or where they live.
Responsibilities of legal, oversight, and compliance officials have been extended to ensure that appropriate actions are taken in any instances of non-compliance.
Review and Redress
A multi-layer mechanism will be created for qualifying individuals to get a review and redress of any claims that their information was collected or handled in a way that violated a US law.
A Civil Liberties Protection Officer (CLPO) will conduct the initial investigation into the complaint. They will determine whether the Executive Order’s enhanced safeguards or other applicable US law was violated. Subsequently they will establish the appropriate remediation if there is a violation. Protections are in place to ensure the CLPO’s independence in any investigation.
The Executive Order builds on the CLPO’s existing functions. Any decision of this officer will be binding on the Intelligence Community, subject to the second layer of the review.
The Attorney General will be directed to create a Data Protection Review Court (DPRC). This court will undertake an independent and binding review of the CLPO’s decision, upon an application from the individual affected or an element of the Intelligence Community.
Judges on the DPRC will:
- Be appointed from outside the US government
- Have relevant experience in fields of data privacy and national security
- Review cases independently
- Enjoy protections against removal
Decisions made by the DPRC will be binding. This includes not only whether a violation occurred but also whatever remediation the court has decided on. The DPRC may appoint a special advocate to each case. The role of this advocate will be to:
- Advocate for the complainant’s interest in the matter
- Ensure that the DPRC is well-informed of the issues and law
Updated Policies and Procedures
Elements of the U.S. Intelligence Community will be required to update their policies and procedures to reflect the changes in the order. The Privacy and Civil Liberties Oversight Board will also be called on to review the Intelligence Community's policies and procedures to ensure that they are consistent with the order. The Board will also need to conduct an annual review of the redress process. This will include whether the Intelligence Community has fully complied with determinations made by the CLPO and DPRC.
Max Schrems, chair of noyb.eu, has said that he thinks it is unlikely that this order will satisfy EU law.
“The US takes the view that foreigners don’t have privacy rights. I doubt that the US has a future as the cloud provider of the world, if non-US persons have no rights under their laws. It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are ‘second class’ citizens and don’t deserve the same privacy rights as US citizens.”
Max Schrems, https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law