Inside Cybersecurity

Biden executive order takes steps to implement U.S.-EU ‘data privacy framework’

By Charlie Mitchell / October 7, 2022

An executive order signed today by President Biden is intended to address European Union concerns over data privacy protections related to intelligence activities and allow for implementation of a new U.S.-EU framework governing transatlantic data flows.

“Hopefully this resolves the issues of the past decade or so,” a senior administration official said, referring to backlash in the European Union following the 2013 Edward Snowden leaks about National Security Agency surveillance activities and over how tech giants like Facebook handled private citizens’ data.

The new executive order sets safeguards around “signals intelligence activities,” typically defined as communications intercepts, but the impacts of the privacy controversies have been acutely felt in the commercial space. The European Court of Justice tossed out a security and privacy arrangement for transfers of consumer data between the U.S. and EU in 2015, and invalidated a subsequent agreement in 2020.

U.S. business groups have been urging policymakers to forge agreement on a successor regime to the so-called “Privacy Shield,” and the U.S. and EU in March reached an agreement in principle on a replacement intended to ensure transatlantic data transfers were in line with local privacy standards. Those negotiations were led by the Commerce Department.

“Today, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) directing the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Biden and European Commission President von der Leyen in March of 2022,” the White House announced today.

“The Executive Order bolsters an already rigorous array of privacy and civil liberties safeguards for U.S. signals intelligence activities,” the White House said in a release. “It also creates an independent and binding mechanism enabling individuals in qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.”

According to the White House, the new order:

  • Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
  • Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
  • Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
  • Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
  • Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.

The White House said, “These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law. It will also provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States.”

Commerce Secretary Gina Raimondo on a press call said the EO is the result of a “major whole of government effort” and will result in “robust safeguards” to ensure the privacy of EU citizens. Raimondo and other officials stressed the positive impacts of the agreement for U.S. small businesses.

Early industry reaction to the announcement was positive. Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, said in a statement, “It is encouraging to see a renewed commitment to cross-border data flows and data protection.”

He said, “Modern IT infrastructure, cybersecurity and privacy compliance programs are dependent upon global data flows. Introducing this new framework can help provide certainty for EU-US data transfers and showcase a strong contrast to policy proposals that mistakenly prioritize data localization over holistic data protection.” – Charlie Mitchell (cmitchell@iwpnews.com)