President Biden October 7, 2022 Executive Order on
Enhancing Safeguards for US Signals Intelligence Activities –
Towards an Updated EU-US Privacy Shield Framework
When the European Court of Justice issued its decision on Schrems and Facebook Ireland v. Data Protection Commissioner in July 2020 (Schrems II),[1] it triggered a brutal disruption and stoppage in the operations of the EU-US Privacy Shield framework (Framework). It also caused significant chaos in the operations of numerous US or EU/EEA businesses and organizations that were relying on the Framework as a strategic tool and structure for providing a legal basis for exchanges or transfers of personal data for commercial and business purposes between the two sides of the Atlantic.
After lengthy and challenging negotiations between representatives of the European Commission and the United States, a new proposed Trans-Atlantic Data Privacy Framework was published at the end of March 2022. According to the White House, the EU-US Trans-Atlantic Data Privacy Framework of March 2022 was intended to lay the ground for providing a legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in July 2020 in the Schrems II case.
Under the March 2022 EU-US Trans-Atlantic Data Privacy Framework, the United States made commitments to:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance the existing rigorous and layered oversight of signals intelligence activities.
On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), which defines the steps that the United States will take to implement the commitments it made in the March 2022 European Union-U.S. Trans-Atlantic Data Privacy Framework. The Executive Order addresses in depth the three commitments made in the Trans-Atlantic Data Privacy Framework, as detailed below.
[1] Strengthening the Privacy and Civil Liberty Safeguards
The October 7, 2022 Executive Order requires that U.S. signals intelligence activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
Principles and Objectives
Section 2(a) of the EO defines the principles that will be used to determine whether signals intelligence activities may be authorized and conducted. Section 2(b) of the EO identifies those objectives that will be deemed legitimate and those that will be prohibited.
Privacy and Civil Liberties Safeguards
Section 2(c) of the Executive Order focuses on the safeguards that must be used to ensure that privacy and civil liberties are integral considerations in the planning and implementation of signals intelligence activities.
- Collection of Signals Intelligence
Section 2(c)(i) identifies general requirements that apply to all forms of such intelligence activities, while Section 2(c)(ii) provides specific requirements in the event of bulk collection of signals intelligence. Bulk collection may be used only in the pursuit of specified objectives, such as protection against espionage, sabotage, or protection against cybersecurity threats created or exploited by or on behalf of foreign persons, organizations, or governments.
- Handling of Personal Information Collected Through Signals Intelligence
In Section 2(c)(iii), the EO defines mandatory handling requirements for personal information collected through signals intelligence activities. It also extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
The most prominent requirement is minimization of the dissemination and the retention of personal information collected through signals intelligence. In addition, there are specific requirements for data security and limitation of access to the information. Other provisions focus on ensuring data quality, accuracy and objectivity.
- Policies and Procedures to be Updated within One Year
Section 2(c)(iv) focuses on policies and procedures. U.S. Intelligence Community services are required to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Executive Order within one year of the date of the Executive Order. The review of these updates must be conducted in consultation with the Attorney General, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO), and the Privacy and Civil Liberties Oversight Board (PCLOB).
- Review of the Policies and Their Implementation
The Executive Order provides for numerous levels of review, such as a review of the updated policies and procedures by the Privacy and Civil Liberties Oversight Board (PCLOB), once they have been issued, to ensure their consistency with the enhanced safeguards contained in the Executive Order. Moreover, there are provisions for rigorous legal oversight as well as the use of compliance officials to conduct periodic oversight of signals intelligence activities, including an Inspector General, a Privacy and Civil Liberties Officer, and the appointment of officers with compliance roles to conduct oversight and ensure compliance with applicable US laws.
[2] Establishment of a New Redress Mechanism
Section 3 of the Executive Order provides for a redress mechanism to review qualifying complaints transmitted by the appropriate public authority in a “qualifying state”[2] concerning United States signals intelligence activities for any covered violation of US laws.
The new redress mechanism will be multi-layer, independent and binding, and is intended to enable individuals in qualifying states and regional economic integration organizations, as designated under the E.O., to obtain an independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
Initial Investigation of Qualifying Complaints by the CLPO
Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the enhanced safeguards or other applicable U.S. law were violated and, if so, to determine the appropriate remediation.
The process to be followed by the CLPO will be established by the Director of National Intelligence, in consultation with the Attorney General. Section 3(c) of the Executive Order defines in minute detail the elements of that process, including review of the information necessary to investigate the complaint, determining whether there was a violation, preparation of a classified report on the alleged violation, and issuing a classified decision. The complainant or the element of the Intelligence Community affected by the decision may seek review of the CLPO’s decision by the Data Protection Review Court. Otherwise, the decision becomes binding.
Independence of the CLPO
One of the issues raised in the decision of the European Court of Justice in the Schrems II case was that the oversight over the data processing conducted by the US intelligence agencies, as defined under the 2016 version of the EU-US Privacy Shield, lacked independence from the US government. Section 3(c)(iv) of the Executive Order, titled [Independence], specifically provides that the Director of National Intelligence shall not interfere with a review by the CLPO of a qualifying complaint, and shall not remove the CLPO for any action taken unless there has been misconduct, malfeasance, neglect of duty or incapacity.
Data Protection Review Court
The second layer of review, described in Section 3(d) of the Executive Order, is provided by a Data Protection Review Court. Section 3(d) directs the Attorney General to establish a Data Protection Review Court (DPRC) to provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the Intelligence Community. The EO directs the Attorney General to promulgate regulations establishing the Data Protection Review Court along the lines defined in the EO, within sixty (60) days of the publication of the EO.
Independence of the Data Protection Review Court
In accordance with the focus on ensuring the Court’s independence, as discussed above, the judges designated to serve on the DPRC must be appointed from outside the U.S. Government, review cases independently, and enjoy protections against removal. In addition, they must have relevant experience in the fields of data privacy and national security.
Further, Section 3(d)(iv), titled [Independence], specifically mandates that the Attorney General shall not interfere with a review by a Data Protection Review Court panel of a determination made by the CLPO regarding a qualifying complaint, and shall not remove any judge appointed to serve on that court except in case of misconduct, malfeasance, breach of security, neglect of duty or incapacity.
Binding Effect
Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be binding. Under Section 3(d)(iii) each element of the Intelligence Community and each agency containing an element of the Intelligence Community is required to comply with any determination by the Data Protection Review Court panel to undertake appropriate remediation.
Annual Review of the Redress Process by PCLOB
In addition to the reviews and oversight described above, Section 3(e) of the Executive Order “encourages” the Privacy and Civil Liberties Oversight Board (PCLOB) to conduct annual reviews of the processing of qualified complaints by the redress mechanism discussed above, with respect to issues such as timeliness, full access to information, and whether the elements of the Intelligence Community have fully complied with determinations made by the CLPO and the Data Protection Review Court. The role and powers of the PCLOB are discussed in the next section.
[3] Enhancement of Oversight of Signals Intelligence Activities by the PCLOB
The CJEU decision in Schrems II voiced concern about the lack of oversight of the intelligence activities and the weakness of the protection granted to the personal data being collected and processed. The October 7, 2022 Executive Order gives specific authority to the Privacy and Civil Liberties Oversight Board (PCLOB) to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC. The role of the PCLOB is detailed in several sections of the Executive Order, as explained below.
Participation in the Drafting of the New Policies and Procedures
First, in Section 2, which defines the rules concerning privacy safeguards, Section 2(c)(iv)(B) provides for PCLOB participation in the drafting of the updates to the policies and procedures. In this case, PCLOB only has a consultative role, and the goal is to ensure that the updates to the policies and procedures required by the Executive Order implement the privacy and civil liberty safeguards outlined in the Executive Order.
Review of the Final Policies and Procedures
Once the policies and procedures have been updated and issued as described above, Section 2(c)(v)(A) encourages the PCLOB to conduct a review of the updated policies and procedures to ensure that they are consistent with the enhanced safeguards contained in this order. In addition, Section 2(c)(v)(B) requires that, within 180 days of the completion of the PCLOB review, the head of each element of the Intelligence Community “carefully” consider and implement or otherwise address all recommendations contained in the PCLOB review, consistent with applicable law.
Participation in the Appointment of Judges to Serve on the Data Protection Review Court
Section 3 of the Executive Order, which focuses on the Signals Intelligence Redress Mechanism, allocates a role to the PCLOB in connection with the activities of the Data Protection Review Court. Section 3(d)(A) of the Executive Order provides that the Attorney General must consult with the PCLOB, as well as with the Secretary of Commerce and the Director of National Intelligence, to appoint individuals to serve as judges on the Data Protection Review Court.
Annual Review of the Redress Process
Finally, in addition to the consultation, reviews and oversight described above, Section 3(e)(i) of the Executive Order “encourages” the Privacy and Civil Liberties Oversight Board (PCLOB) to conduct annual reviews of the processing of qualified complaints by the redress mechanism discussed above, including whether
- the CLPO and the Data Protection Review Court processed qualifying complaints in a timely manner;
- the CLPO and the Data Protection Review Court are obtaining full access to necessary information;
- the CLPO and the Data Protection Review Court are operating in a manner consistent with the Executive Order;
- the safeguards established in the Executive Order are properly considered in the processes of the CLPO and the Data Protection Review Court; and
- the elements of the Intelligence Community have fully complied with the determinations made by the CLPO and the Data Protection Review Court.
To assist the PCLOB in its review, Section 3(e)(ii) instructs the Attorney General, the CLPO, and the elements of the Intelligence Community (inter alia) to provide the PCLOB with access to information necessary to conduct the review. In addition, Section 3(2)(iii) provides for the preparation of a classified report to be provided to the President, and the congressional intelligence committees (inter alia) and requires the PCLOB to make an annual public certification as to whether the redress mechanism is processing complaints consistent with the terms of the Executive Order, and to release to the public an unclassified version of the report.
[4] Designation of the Qualifying States for Purposes of the Redress Mechanism
Several provisions of the Executive Order refer to the rights granted to citizens of a “qualifying state.” Section 3(f) provides the criteria for a country or regional economic integration organization to be deemed a “qualifying state” for purposes of the redress mechanism defined in the Executive Order. Section 3(f)(i) grants the Attorney General the authority to designate a country or regional economic integration organization as a “qualifying state”. The designation must be made in consultation with the US Secretary of State, the US Secretary of Commerce, and the Director of National Intelligence.
The criteria for making the determination that the state or economic integration organization is a “qualifying state,” as listed in Section 3(f)(i)(A), include:
- the laws of the country, organization, or member of the organization require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the country or a member of the organization;
- the country, organization, or member of the organization permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the territory of that country or those member countries and the territory of the United States; and
- such designation would advance the national interests of the United States.
The designation may be revoked or amended.
[5] Next Steps and Ultimate Goal
The next steps in the development of a new EU-US agreement on trans-Atlantic data transfers and data protection will likely focus on the development or update of the building blocks necessary for the preparation of an Adequacy Evaluation package that, in the end, will be presented to the European Commission for its review and approval and the issuance of a new adequacy decision. Once the formalities have been completed, entities that wish to take advantage of the updated cross-border personal data transfer framework will continue to be required to adhere to the EU-US Privacy Shield Principles (or an updated version). Those that had self-certified under the 2016 version of the EU-US Privacy Shield Framework will have to re-certify their adherence to the Principles through the US Department of Commerce, and update their legal terms accordingly.
[1] Schrems and Facebook Ireland v. Data Protection Commissioner (2020) CJEU Case C-311/18; press release available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf; July 16, 2020 decision available at: https://curia.europa.eu/juris/document/document.jsf;jsessionid=EBF54609D179D36D02BD7BB10DC3BDF3?text=&docid=228728&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=1285293.
[2] While Section 4(k), in the Definitions section, provides the criteria for a complaint to be deemed a “qualifying complaint”, there is no similar definition of the term “qualifying state”. Instead, the criteria for a state to be deemed a “qualifying state,” and the method to be used for identifying a state as a “qualifying state,” are defined in Section 3(f) of the Executive Order.