Another Step Forward to Implementing the European Union – U.S. Data Privacy Framework

On October 7^th, the long-awaited Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities was signed by U.S. President Joe Biden (Fact Sheet located here).  The Executive Order directed the steps that the United States will take to implement the European Union – U.S. Data Privacy Framework (“EU-U.S. DPF”) previously announced in March 2022.

Background

As we have previously written, in 2020 the Court of Justice of the European Union (“CJEU”) invalidated the EU – U.S. Privacy Shield as a mechanism for transferring personal data from the EU to the U.S. The Court found that the U.S. had not been deemed an “adequate” location to store EU personal data due in large part to EU concerns about the U.S. surveillance laws in relation to EU personal data.  In March, U.S. President Biden and European Commission President Ursula von der Leyen announced that the U.S. and EU had agreed in principal on a new trans-Atlantic data transfer pact.  However, many questions – particularly around U.S. surveillance – remained regarding how that agreement might look.

What Is In the Executive Order?

The Executive Order focuses heavily on creating and enhancing safeguards for national security agencies’ use and access to EU and U.S. personal data.  These safeguards will be supported in several ways:

• Enhanced Policies & Procedures:  The Executive Order requires the intelligence community to update policies and procedures to reflect new requirements and calls for the Privacy and Civil Liberties Oversight Board to review these policies and procedures to ensure they meet the requirements and to conduct an annual review of the redress processes, including to review whether they are in compliance.
• Clarified Purpose Limitations:  As outlined in the Executive Order Fact Sheet, the Executive Order now explicitly requires that intelligence signals “be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.”
• New Safe-Handling Practices:  The Executive Order mandates certain minimization, dissemination, retention, data quality, and documentation requirements for the safe-handling of personal data, including the implementation of remediation activities for incidents of non-compliance.
• Review & Redress of Claims:  Finally, the Executive Order creates a tiered mechanism for individuals from certain states and organizations to have independent review and binding redress of claims regarding the collection or handling of their personal data in violation of applicable U.S. laws.
   

What Is Next?

Once complete, the Executive Order contemplates that these steps will help support and provide the basis for the European Commission to adopt a new adequacy determination for the United States and will “provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States.”

What Should Companies Do Now?

For now, there are no major requirements on companies nor are companies likely to see any immediate impacts from the Executive Order. However, this is yet another step forward in replacing the EU-U.S. Privacy Shield and continues to show the importance the U.S. Federal government is placing on privacy and cybersecurity.

Our Data Privacy and Cybersecurity practice regularly advises companies on the impact of new privacy and security laws, regulations and guidance. If you have any questions about any privacy or cybersecurity issues, please do not hesitate to contact any member of our team.