On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework.  The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post here).

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is intended to address the concerns raised by the Court of Justice of the EU (“CJEU”) in its Schrems II judgment on July 16, 2020, which annulled the EU-U.S. Privacy Shield (see our blog post here).  There, the CJEU held that the U.S. did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to U.S. law enforcement and intelligence agencies to access individuals’ personal data, and an absence of effective legal remedies for EU residents in connection with those powers.  The CJEU focused on two U.S. authorities in particular:  FISA Section 702 and Executive Order 12333.

To address these concerns, the new Executive Order sets forth certain “privacy and civil liberties safeguards” for U.S. signals intelligence activities and creates a new method of redress for non-U.S. persons from “qualifying states.”  In particular, and among other provisions, the Executive Order:

  • Provides that U.S. signals intelligence activities shall be “necessary” and “proportionate” to a “validated intelligence priority.”  The Executive Order provides that U.S. signals intelligence activities may only be conducted following a determination that they are “necessary to advance a validated intelligence priority,” and “only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.”  Exec. Order § 2(a)(ii)(A).  The Executive Order also specifies certain “legitimate objectives” and “prohibited objectives” for which U.S. signals intelligence activities may be carried out.  Exec. Order § 2(b).  For example, the Executive Order defines “legitimate objectives” to include understanding or assessing the capabilities, intentions, or activities of foreign organizations that pose a current or potential threat to the national security of the U.S. or its allies or partners; protecting against terrorism, the taking of hostages, and the holding of individuals captive conducted by or on behalf of a foreign government, foreign organization, or foreign person; and understanding or assessing transnational threats that impact global security.  Exec. Order § 2(b)(i).
  • Sets forth requirements for the handling of personal information collected through signals intelligence.  Each element of the U.S. Intelligence Community that handles personal information collected through signals intelligence must establish policies and procedures to minimize the dissemination and retention of personal information.  Exec. Order § 2(c)(iii)(A).  For example, under the Executive Order, the U.S. Intelligence Community may not disseminate personal information collected through signals intelligence solely because of a person’s nationality or country of residence, and shall retain non-U.S. persons’ personal information “only if the retention of comparable information concerning United States persons would be permitted under applicable law.”  Exec. Order § 2(c)(iii)(A).  The Executive Order further provides that each element of the Intelligence Community must maintain appropriate training requirements to ensure that employees with access to signals intelligence know and understand the requirements of the Order.  Exec. Order § 2(d)(ii).  The Executive Order encourages the Privacy and Civil Liberties Oversight Board to review the U.S. Intelligence Community’s updated policies and procedures to ensure that they are “consistent with the enhanced safeguards” contained in the Order.  Exec. Order § 2(c)(v).
  • Establishes a mechanism for non-U.S. persons to seek review of the U.S. Intelligence Community’s signals intelligence activities.  Within sixty days of the Executive Order’s issuance, the Director of National Intelligence (“DNI”), in consultation with the U.S. Attorney General and the heads of elements of the U.S. Intelligence Community, shall establish a process for the submission of “qualifying complaints transmitted by the appropriate public authority in a qualifying state.”  Exec. Order § 3(b).  To implement this redress mechanism, the Attorney General may designate a country or regional economic integration organization a “qualifying state” based on a determination, in consultation with the Secretary of State, the Secretary of Commerce, and the DNI, that the country’s or organization’s laws establish “appropriate safeguards” for U.S. persons’ personal information that is transferred from the United States.  Exec. Order § 3(f).  The DNI’s Civil Liberties Protection Officer (“CLPO”) will investigate, review, and, as necessary, order “appropriate remediation” for complaints from qualifying states.  Exec. Order § 3(c).  “Appropriate remediation” may include, depending on the specific covered violation at issue, terminating acquisition of data where collection is not lawfully authorized, deleting data that had been acquired without lawful authorization, or restricting access to lawfully collected data to those appropriately trained.  Exec. Order § 4(a).
  • Creates a Data Protection Review Court to review the CLPO’s determination regarding qualifying complaints.  The Attorney General, in consultation with the Secretary of Commerce, the DNI, and the Privacy and Civil Liberties Oversight Board, shall appoint judges to serve on a newly created Data Protection Review Court, who will be legal practitioners with appropriate experience in the fields of data privacy and national security law, and who may not be U.S. government employees.  Exec. Order § 3(d).  Following the CLPO’s determination, the complainant (or, in the event of an adverse decision against the U.S. government, an element of the U.S. Intelligence Community) may apply to the Data Protection Review Court for review of the CLPO’s decision.  Exec. Order § 3(c)(i)(E).  Upon receipt of an application for review, a three-judge panel of the Data Protection Review Court will convene to review the application and select a special advocate to assist with the review, including by advocating the complainant’s interest in the matter.  Exec. Order § 3(d)(i)(B)‑(C).  The Data Protection Review Court’s determination shall be binding on the U.S. Intelligence Community.  Exec. Order. § 3(d)(ii).

The European Commission will now review the Executive Order and commence drafting a new adequacy decision pursuant to Article 45 of GDPR.  The European Commission must then hear from the European Data Protection Board (“EDPB”) and the EU Member States.  The formal adoption process is expected to take around six months, and may result in the final adequacy decision’s publication in March 2023.

Once adopted, any new framework is certain to be pressure-tested before the EU courts.  To date, a number of privacy advocacy groups have issued statements opining that the new Executive Order is insufficient.

***

The Covington team will keep monitoring any developments on the EU-U.S. Data Privacy Framework and continue to report on them on our blog Inside Privacy.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Lisa Peets Lisa Peets

Lisa Peets leads the intellectual property and technology and media groups in the firm’s London office. Ms. Peets divides her time between London and Brussels, and her practice embraces legislative advocacy, trade and IP enforcement. In this context, she has worked closely with…

Lisa Peets leads the intellectual property and technology and media groups in the firm’s London office. Ms. Peets divides her time between London and Brussels, and her practice embraces legislative advocacy, trade and IP enforcement. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known software and hardware companies.

On behalf of her clients, Ms. Peets has been actively engaged in a wide range of law reform efforts in Europe, on multilateral, regional and national levels. This includes advocacy on EU and national initiatives relating to e-commerce, copyright, patents, data protection, technology standards, compulsory licensing, IPR enforcement and emerging technologies. Ms. Peets also counsels clients on trade related matters, including EU export controls and sanctions rules and WTO compliance.

In the IP enforcement space, Ms. Peets coordinates a team of lawyers and Internet investigators who direct civil and criminal enforcement actions in countries throughout Europe and who conduct global notice and takedown programs to combat Internet piracy.

Ms. Peets is a member of the European Commission’s Expert Group on reform of the IP Enforcement Directive.

Photo of Diana Lee Diana Lee

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy…

Diana Lee is an associate in the firm’s London office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory, enforcement, and litigation matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.

Photo of Chloe Goodwin Chloe Goodwin

Chloe Goodwin is a litigator and regulatory attorney focused on privacy and technology issues. She represents several leading technology companies in litigation and compliance matters relating to electronic surveillance, law enforcement access to digital evidence, cybersecurity, and data privacy.