President Biden recently issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Privacy EO) outlining the steps the US Government is taking to implement the US commitments under the European Union-US Data Privacy Framework (the Privacy Framework), which the US and the European Commission (EC) announced in March 2022 to address the concerns raised by the Court of Justice of the European Union when it invalidated the 2016 EU-US Privacy Shield in its 2020 Schrems II ruling (please see our previous blog post on the Privacy Framework here). Although the Privacy Shield was adopted in 2016, before the EU’s General Data Protection Regulation (GDPR) became applicable in 2018, the court in Schrems II assessed it against the GDPR and held that it did not provide an adequate level of protection. Since Schrems II, companies transferring personal data from the EU to the US have had to rely on standard contractual clauses (SCCs), supported by case-by-case transfer impact assessments, and similar mechanisms. The Privacy EO is designed to address the concerns identified in Schrems II, given the significant economic value of trans-Atlantic data flows.
Among other items, Schrems II highlighted (i) the lack of binding safeguards under US law limiting US intelligence agencies’ access to personal data to what is necessary and proportionate to protect national security, and (ii) the lack of an effective means of redress, the Privacy Shield’s “Ombudsperson” mechanism having been found insufficient. In summary, the Privacy EO addresses both points:
- It strengthens US privacy safeguards and sets parameters around US “signals intelligence” activities, which refer to the US intelligence community’s collection and analysis of foreign (non-US) electronic, digital and related communications and data. Notably, the Privacy EO requires collection to be “necessary” and “proportionate” to US national security needs, see Privacy EO § 2(a)(ii)(A), (B), which differs from the “reasonableness” standard under the EU-US Privacy Shield.
- The Privacy EO also creates a tiered redress mechanism to review privacy-related complaints concerning US signals intelligence activities. In response to the Privacy EO, the EC announced that it would begin preparing a draft “adequacy” decision and commence its adoption procedures, which could result in a final adequacy decision around March 2023. The EC also stated that, in its view, the Privacy EO implements “significant improvements” over the Privacy Shield, particularly in respect of avenues to address privacy concerns about US collection activities. As of this writing, the EC has recognized 14 countries and territories as providing an adequate level of data protection for purposes of the GDPR.
The following provides a brief overview of certain requirements that the Privacy EO imposes on the US intelligence community:
Additional safeguards. The Privacy EO requires that signals intelligence activities must be authorized by and undertaken in accordance with US law or Presidential directive, which will “ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities.” Intelligence gathering may be conducted only in pursuit of 12 “legitimate objectives,” which are defined to include (among various matters) understanding the capabilities, intentions, or activities of a foreign government, a foreign military or a foreign organization (including criminal or terrorist organizations) in order to protect US national security and US allies and partners, as well as guarding against cybersecurity threats. Signals intelligence activities may be conducted only in a manner “that is proportionate to the validated intelligence priority for which they have been authorized.” Among other activities expressly prohibited by the Privacy EO (and as noted in an accompanying White House fact sheet) is the collection of “foreign private commercial information or trade secrets to afford a competitive advantage” to US businesses, although such information may be lawfully collected to protect US or allied national security interests.
Targeted vs. bulk collection. Signals intelligence collection, per the Privacy EO, is to be “as tailored as feasible to advance a validated intelligence priority” and may not disproportionately impact privacy and civil liberties. Targeted collection is the default, and bulk collection of signals intelligence is not permitted unless the US Government determines that the information necessary to advance a validated intelligence priority “cannot reasonably be obtained by targeted collection.” Even then, bulk collection may be used only to protect against: (i) terrorism and hostage taking; (ii) foreign espionage, sabotage, assassination, or other intelligence activities; (iii) threats from, or the proliferation of, weapons of mass destruction; (iv) foreign cybersecurity threats or malicious cyber activities; (v) threats to US or allied personnel; and (vi) transnational criminal threats, including illicit finance and sanctions evasion.
Handling of personal information. US intelligence agencies that collect personal information (PI) through signals intelligence must establish procedures to minimize the dissemination and retention of that PI. Among other restrictions, the Privacy EO permits PI to be disseminated within the US Government only to recipients with a need to know and only if the information will be “appropriately protected.” Non-US persons’ PI may be retained “only if the retention of comparable information concerning United States persons would be permitted under applicable [US] law,” and is subject to the same retention periods that would apply to comparable information concerning US persons.
Updated signals intelligence policies and procedures. Each element of the US intelligence community is directed to update its policies and procedures, in consultation with the US Attorney General, the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board, in order to implement the privacy and civil liberties safeguards of the Privacy EO. The updated policies and procedures are to be published to the extent intelligence and national security considerations allow. Among other requirements, US intelligence entities that collect signals intelligence must provide compliance training to all employees who handle such intelligence, and must have in place senior-level legal and oversight officials, including an Inspector General and a Privacy and Civil Liberties Officer, to ensure compliance with the Privacy EO and related laws.
Signals intelligence redress mechanism. The Privacy EO creates a two-tiered mechanism to investigate and address complaints, submitted through the appropriate public authority of a “qualifying state” designated by the US Attorney General, that PI collected via US signals intelligence activities was collected or handled by the US Government in violation of US law. At the first level, the CLPO investigates the complaint to determine whether US law was violated, “taking into account both relevant national security interests and applicable privacy protections,” and, if so, determines the “appropriate remediation” for the violation. CLPO determinations are binding on the US intelligence community, subject to a contrary determination by the newly established Data Protection Review Court.
The second redress level involves review by that Data Protection Review Court (DPRC). Shortly after the Privacy EO issued, and as directed by the Privacy EO, the US Department of Justice issued regulations establishing the DPRC (see 28 C.F.R. Part 201) in a Final Rule dated October 7, 2022 (the DPRC Regulations). The preamble to the DPRC Regulations provides that the DPRC will review determinations made by the CLPO in response to qualifying complaints that allege certain violations of US law in connection with US signals intelligence activities. The DPRC Regulations direct the DPRC to review the CLPO’s determinations for legal correctness and for whether they are supported by “substantial evidence,” the deferential standard of review that US courts apply to the factual findings of administrative agencies. It is generally less demanding than, for example, the “preponderance of the evidence” standard used in civil litigation.
To facilitate independent and impartial review, DPRC judges are not subject to the day-to-day supervision of the US Attorney General, and have certain protections against removal from office. DPRC decisions, including as to remedial measures to be imposed on US intelligence agencies, will be deemed final and binding. To assist the DPRC’s review, the Privacy EO and attendant regulations provide for the selection of a “special advocate” to press the complainant’s interests and make sure that the DPRC panel is “well informed of the issues and the law” with respect to the matter under review.
Finally, the White House issued a National Security Memorandum dated October 7, 2022, which partially revokes Presidential Policy Directive 28 (PPD-28) dated January 17, 2014. The court in Schrems II specifically cited PPD-28 as a key component of its finding that the United States lacked adequate protections, noting that PPD-28 does not create actionable rights for data subjects in US courts and allows for “bulk” data collection.
The US Secretary of Commerce will transmit letters from the relevant US government agencies regarding the operation and enforcement of the Privacy Framework and the Privacy EO in the coming weeks, and will work with Privacy Shield participants (i.e., the more than 5,000 companies currently registered under the EU-US Privacy Shield) to facilitate the transition to the new Privacy Framework. A number of additional steps will be required before the Privacy EO and DPRC Regulations are fully implemented, including, but not limited to, an adequacy decision from the European Commission.
We will continue to monitor developments.