A new US Executive Order - another step towards an EU-US Privacy Shield 2.0
17 October 2022
While the Executive Order is only one step towards agreement between the EU and the US, it is worthy of consideration as it sets out in detail the measures intended to address concerns raised by the European Court of Justice in the Schrems II Case C-311/18. The White House fact sheet calls out key features of the Executive Order (EO). For example, it highlights that the EO:
- implements safeguards with respect to US signals intelligence activities by describing what are legitimate objectives and what are prohibited objectives. The activities must be authorised, take into consideration the privacy and civil liberties of all persons (irrespective of nationality or country of residence) and must be conducted only when necessary to advance a validated intelligence priority to the extent and in a manner that is “proportionate to the priority”. The EO provides further detail, including regarding bulk data collection safeguards;
- mandates the implementation of data handling requirements for personal information collected through signals intelligence. Requirements in the EO address, for example, prioritising narrow collection over bulk collection; the minimisation of dissemination and retention of that data; limiting access to authorised personnel on a need-to-know basis and preventing access by unauthorised persons; data quality and accuracy; and maintenance of documentation;
- builds on the oversight mechanisms of US intelligence community elements, for example through the conduct of periodic oversight and access to information to assess and remediate non-compliance;
- requires US intelligence community elements to update their policies and procedures to reflect the requirements of the EO;
- authorises the establishment of a multi-layer redress mechanism through which individuals from certain qualifying states (countries or regional economic integration organisations designated by the Attorney General) can bring a claim that their personal information was collected or handled in violation of US law:
  - the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) is granted the powers to investigate, review and order remediation for complaints. Its decisions will bind the US intelligence organisations;
  - the Data Protection Review Court (DPRC), established by regulations signed by the Attorney General also on 7 October 2022 and composed of judges appointed by the Attorney General (but who are not otherwise employees of the US Government), will review the outcome of investigations into complaints. Individuals can apply for the review of the CLPO decision before the DPRC, alleging violations of US law concerning signals intelligence activities. The US intelligence community may also call for review. The DPRC will have powers to investigate the complaint, obtain information from intelligence agencies and issue binding remedial decisions (such as ordering deletion of data);
- encourages the US Privacy and Civil Liberties Oversight Board to complete reviews of intelligence agency policies (in particular to ensure consistency with the EO) and to conduct an annual review of the redress process to determine compliance.
It is clear from the US Government’s press release that the steps set out in the Executive Order are intended to facilitate a targeted adequacy decision from the European Commission. However, it remains to be seen exactly what the practical legal impact of this latest development will be. Rigorous formal challenges to any framework, once implemented, are highly likely.
The European Commission published Q&As in response, outlining the next steps that it will take towards an adequacy decision, specifically preparing a draft decision and launching its adoption procedure (including an opinion of the EDPB).
Read the Executive Order, the Fact Sheet, the DPRC Regulations and the European Commission Q&As.
This entry is based on a client alert prepared by aosphere.