Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

President Biden Signs Executive Order on New EU-US Data Privacy Framework

By Gareth Kristensen, Marcela Robledo, Hakki Can Yildiz, Federica Mammì Borruto & Melissa Faragasso on October 7, 2022
Email this postTweet this postLike this postShare this post on LinkedIn

Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”)  outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022 (as previously discussed here).[1]

The Order follows the Court of Justice European Union’s (CJEU) 2020 judgment in Schrems II (previously discussed here), which invalidated the EU-US Privacy Shield as a valid data transfer framework under the European General Data Protection Regulation, requiring thousands of companies to resort to standard contractual clauses or binding corporate rules as virtually their only means to freely transfer data across the Atlantic. It is hoped that the steps proposed by the Order will alleviate the concerns raised by the CJEU regarding transfers of personal data to the U.S., and will lead to a new data transfer mechanism that can be used to legitimise transfers of personal data from the EU to the U.S.

Safeguards proposed by the Order

As noted above, the Order is proposed in response to the CJEU’s Schrems II decision which raised concerns related to U.S. government access and surveillance laws. Specifically, the CJEU found that the European Commissions’ adequacy decision for the EU-US Privacy Shield was insufficient on the basis that (i) U.S. surveillance programs permitted unjustifiably broad government oversight without regard for requirements to limit such surveillance to what is “strictly necessary and proportionate” as required by EU law and (ii) EU data subjects lacked actionable judicial redress, leaving them without a remedy in the U.S. in the event of a violation of their privacy rights. The CJEU also raised concerns with the fact that the requirements of U.S. national security, public interest and law enforcement have primacy and, therefore, interfere with the fundamental rights of persons whose data are transferred to the U.S. On these bases, the CJEU invalidated the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.

At a high level, the Order seeks to address the CJEU’s concerns by proposing a number of new safeguards for how U.S. intelligence officials conduct signals intelligence activities involving personal data transferred from the EU to the U.S., including:

  • mandating a number of safeguards and requirements for personal data collected through U.S. signals intelligence activities, including (i) requirements that surveillance activities be conducted only in pursuit of defined national security objectives, (ii) prioritization of “targeted collection” as opposed to “bulk collection,” which will only be authorized based on a determination that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection, and (iii) the imposition of heightened responsibility for legal, oversight and compliance officials to ensure appropriate actions are taken to remediate instances of noncompliance;
  • requiring relevant U.S. authorities to update their policies and procedures to reflect the new safeguards proposed by the Order;
  • creating a multi-layer mechanism for independent and binding review and redress of claims related to information collected through U.S. signals intelligence (including the establishment by the Attorney General of a Data Protection Review Court allowing EU individuals to file lawsuits with the assistance of a “special advocate” to challenge how their data is used by US intelligence agencies and to receive redress related to their privacy concerns – see here the U.S. Department of Justice announcement regarding the establishment of that court);
  • conducting an annual review of the redress process; and
  • reviewing existing intelligence community policies and procedures to ensure they are consistent with the Order.

What next?

The publication of the Order will not automatically make data exports from EU to the U.S. permissible under the framework; instead, the Order will serve as a basis for the European Commission to adopt a new adequacy determination, required for the new framework to take effect. Following President Biden’s signature, the decree will be sent to Brussels where the European Commission will implement the text into its own legislation before considering whether to adopt an adequacy determination in respect of the revised data transfer framework. The process to adopt the final adequacy determination is expected to take a few months, with the final text likely to be published around March/April 2023.

Some are hesitant to breathe a sigh of relief, as it is likely that any such decision by the European Commission will eventually be subject to legal challenge before the EU courts, and ultimately the CJEU.  Nevertheless, officials remain confident that the Order and its implementation will adequately address the Commission’s concerns as a reliable framework to re-establish the free flow of data between the U.S. and EU.

[1] A copy of Executive Order can be found here. A copy of the fact sheet published by the White House can be found here.

Photo of Marcela Robledo Marcela Robledo

Marcela Robledo’s practice focuses on the intellectual property, data, and technology aspects involved in a wide range of corporate and transactional matters, including mergers and acquisitions, licensing, collaboration agreements, and joint ventures.

Read more about Marcela RobledoEmail
Hakki Can Yildiz

Hakki Can Yildiz focuses his practice on data protection, cyber security, digital markets regulatory, and technology matters.

Read more about Hakki Can YildizEmail
Melissa Faragasso

Melissa Faragasso’s practice focuses on intellectual property and technology transactions, cybersecurity, data protection, and privacy.

Read more about Melissa FaragassoEmail
  • Posted in:
    Privacy & Data Security
  • Blog:
    Cleary Cybersecurity and Privacy Watch
  • Organization:
    Cleary Gottlieb Steen & Hamilton LLP
  • Article: View Original Source
LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • PatentNext
  • Tressler Insurance Law Blog
  • Tressler Employment Law Blog
  • Inside Global Tech
  • Proskauer Whistleblower Defense
Copyright © 2023, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo