The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, signed by President Biden on October 7, provides further clarity about the Trans-Atlantic Data Privacy Framework (“the Framework”), announced in March2022. The Framework is a new instrument to support the lawful transfer of data between the European Union and the United States(More information here). The Order and the Framework provide certainty about the legal basis for such transfers that has been absent since 2020, when the European Court of Justice (“ECJ”) declared the EU-U.S. Privacy Shield invalid.
Companies that wish to rely on the Framework will be reassured to know that requirements for lawful transatlantic transfer mirror those of the Privacy Shield – the Order does not impose new obligations. Instead, it addresses the ECJ’s concerns about the Privacy Shield as they relate to government surveillance, including the lack of an adequate redress mechanism for EU individuals who may have been subject to such surveillance by U.S. intelligence agencies. The Order therefore outlines steps that government – not companies – must take.
The framework enhances protections for EU residents with respect to the activities of such agencies by restricting U.S. processing of EU data subjects’ personal data. It also establishes a two-tier redress mechanism to address complaints of alleged violations. In the first step, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer' of the US intelligence community (the Officer).” In the second, EU individuals would have the right to appeal the decision of the Officer to the newly-created Data Protection Review Court (DPRC).
The DPRC will be comprised of members from outside the U.S. government, who will be appointed on the basis of specific qualifications. The members can only be dismissed for serious cause. Significantly, they cannot receive instructions from the government.
The DPRC “will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. For example, if the DPRC would find that data was collected in violation of the safeguards provided in the Executive Order, itwill be able to order the deletion of the data.”
The framework, explained in detail in a Fact Sheet released by the White House, must now be ratified by the European Data Protection Board, the European Parliament, and the European Commission. Following ratification, the framework is expected to come into effect in March 2023.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.