President Biden Issues Executive Order Providing for New EU-U.S. Data Privacy Framework

In Europe

On October 7, 2022, President Biden signed Executive Order (EO) 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” which provides a new framework for legal data transfers between the European Union (EU) and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020 when the European Court of Justice (ECJ) in Schrems II invalidated the EU-U.S. Privacy Shield Framework to transfer data from the EU and other European Economic Area (EEA) countries to the United States.

This follows the European Commission’s and the United States’ announcement in March 2022 that they had reached an agreement in principle on the new EU-U.S. Data Privacy Framework to facilitate transatlantic data flows.

The executive order addresses data privacy concerns raised by the ECJ in Schrems II by introducing additional safeguards and oversight of personal data collection by U.S. signals intelligence agencies’ (SIGINT) activities and provides individuals with a redress mechanism for their data protection concerns. In particular, EO 14086:

  • mandates that SIGINT activities only be “necessary to advance a validated intelligence priority” and “proportionate to the validated intelligence priority.” SIGINT activities shall be undertaken “only in pursuit of one or more” of twelve specific legitimate national security and intelligence objectives;

  • allows bulk collection of signals intelligence but subjects such bulk collection to tighter controls and requires that targeted collection be prioritized;

  • creates requirements for the handling of personal data collected in signals intelligence and expands oversight to verify compliance and remediate instances of noncompliance;

  • takes into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and

  • creates a multilayer mechanism for individuals of “qualifying state[s]” (including the EU) and regional economic integration organizations to obtain an independent and binding review and redress.

The redress mechanism includes establishing:

  • a civil liberties protection officer (CLPO) in the Office of the Director of National Intelligence to conduct initial investigations; and

  • the Data Protection Review Court (DPRC) to provide an independent and binding review of CPLO decisions. The DPRC judges will be appointed from outside the U.S. government in consultation with the U.S. Department of Commerce and the independent Privacy and Civil Liberties Oversight Board (PCLOB).

EO 14086 also:

  • directs U.S. intelligence agencies to update their policies and procedures “as necessary to implement the privacy and civil liberties safeguards” in EO 14086;

  • requires the PCLOB to review these policies and procedures, as well as conduct annual reviews of the redress process; and

  • imposes data retention requirements.

Next Steps

The European Commission will review EO 14086, raise any concerns, and, if satisfied, will issue a draft adequacy decision for review by member states, the European Parliament, and the European Data Protection Board (EDPB). The European Commission will also seek a legal opinion from the EDPB. Finally, an EU committee comprising representatives from each EU member state must vote to approve the draft adequacy decision. If the EDPB’s opinion provides a negative outlook, or if privacy campaigners challenge the Framework and/or EO 14086, it may be subject to further revision and discussions between the United States and EU. This legal process could take between six months and a year to complete.

While businesses wait for the draft adequacy decision and the process to commence, they may continue using the standard contractual clauses (SCCs) for transfers outside the EU and the International Data Transfer Agreement (IDTA) for transfers outside the United Kingdom (or the International Data Transfer Addendum to the SCCs, which is to be appended to the new SCCs) when transferring personal data outside the United Kingdom or EU to third countries, along with transfer impact assessments to justify transfers to third countries.

Businesses may want to update their existing contractual agreements to the new SCCs by December 27, 2022.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.
National Law Review, Volume XII, Number 299

Read More: President Biden Issues Executive Order Providing for New EU-U.S. Data Privacy Framework

Join Our Newsletter!

Love Daynight? We love to tell you about our new stuff. Subscribe to newsletter!

You may also read!

Georgia residents are fighting efforts to build a massive monkey-breeding facility in their

Residents have voiced concerns about the facility itself to the possibility that monkeys would escape — which has occasionally


Buenos Aires rocked by clashes over President Milei reforms

Riot police in Argentina's capital Buenos Aires have fired tear gas and water cannon to disperse protesters outside


House votes to hold Garland in contempt, refer him for criminal charges at own DOJ

The House voted to hold Attorney General Merrick Garland in contempt of Congress on Wednesday, referring the


Leave a reply:

Your email address will not be published.

Mobile Sliding Menu

Slot Garansi

depo 25 bonus 25

depo 25 bonus 25