President Biden Issues Executive Order on Signals Intelligence to Implement EU-US Data Privacy Framework

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The order aims to address concerns expressed by the Court of Justice of the European Union (CJEU) in the Schrems II case, in which it ruled the E.U.-U.S. Privacy Shield inadequate as a cross-border transfer mechanism. The order aims to provide the European Commission with the basis to adopt a new adequacy determination. In turn, this would restore the legal basis by which cross-border data flows can occur between the U.S. and the E.U., providing greater legal certainty for companies with respect to cross-border data transfers under GDPR.

Executive Requirements

Among other things, the Executive Order requires the following:

• Further safeguards and consumer protections for US signals intelligence activities, specifically prioritizing targeted (over bulk) collection and restricting agencies’ processing of E.U. personal data to activities necessary and proportionate to advance a national security purpose.
• A two-tier redress mechanism to address complaints, starting with the agency Civil Liberties Protection Officer (“CLPO”) with review by a newly created and independent Data Protection Review Court established by the Attorney General.
• Updating of police and procedures by various US Intelligence Community elements, to be reviewed by the Privacy and Civil Liberties Oversight Board (“PCLOB”); and
• A multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated under the Executive Order, to obtain independent and binding review and redress.

European Union Response

In response to the Executive Order, the European Commission announced it will now prepare a draft adequacy decision and launch adoption procedures, which could take up to six months. The European Commission confirmed that, prior to adopting an adequacy decision, it must obtain an opinion from the European Data Protection Board and receive approval from an EU Member State committee.  In addition, the European Parliament has a right of scrutiny over adequacy decisions.  Finally, the European Commission highlighted that an adequacy decision is not the only tool for international transfers and that all previously approved safeguards in the area of national security will be available for all transfers to the U.S. under the GDPR.

• View the Executive Order here.
• View the White House fact sheet here.
• View the EU Q&A here.
• View the U.S. Attorney General Final rule establishing the Data Protection Review Court here.