On 7 October 2022, President Biden signed Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities” (EO 14086). EO 14086 represents a significant milestone for transatlantic data transfers. Not only will the new safeguards form the basis of an adequacy decision by the European Commission for transfers made using the proposed EU-U.S. Data Privacy Framework, but they also provide greater legal certainty for companies transferring personal data from the EU to the U.S. using the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

This article answers some common questions about EO 14086 and the proposed EU-U.S. Data Privacy Framework.

1) How did we get here?

On 25 March 2022, the European Commission and U.S. government announced they had reached an agreement in principle on the proposed EU-U.S. Data Privacy Framework (Data Privacy Framework). The Data Privacy Framework is intended to revive and enhance the Privacy Shield, which was invalidated as a transfer mechanism by the Court of Justice of the European Union (CJEU) in Schrems II, and enable participating companies to freely transfer personal data from the EU to the U.S.

As part of the agreement in principle, the U.S. committed to introducing new privacy and civil liberties safeguards in connection with its signals intelligence programs in order to address the concerns raised in Schrems II. EO 14086 sets out these protections and marks an important step toward the possible adoption of an adequacy decision by the European Commission for transfers made using the Data Privacy Framework.

2) What safeguards have been introduced under U.S. law?

EO 14086 introduces a number of new safeguards with respect to the collection of personal data by U.S. intelligence agencies:

  • First, it places new requirements on the collection and handling of personal data by U.S. intelligence agencies regardless of the subject’s nationality. It requires that signals intelligence activities be “necessary” and “proportionate” to advance a validated intelligence priority and that such activities be undertaken in pursuit of one of twelve enumerated national security and intelligence objectives.
  • Second, it expands the oversight of signals intelligence programs by U.S. government agencies. The Civil Liberties Protection Officer (CLPO), appointed by the Director of National Intelligence (DNI), must conduct an assessment prior to any new intelligence-gathering operations. Bulk collection may only be authorised where the intelligence cannot be reasonably obtained through targeted collection. Additionally, intelligence agencies must maintain documentation regarding their collection of personal data through signals intelligence and update their policies and procedures to ensure effective oversight of the new safeguards.
  • Third, it creates a redress mechanism for individuals from “qualifying states” who claim their personal data has been collected unlawfully through signals intelligence programs. Individuals can lodge a complaint with the CLPO, which has the power to investigate complaints and render binding decisions against intelligence agencies. Individuals can also appeal decisions by the CLPO before the Data Protection Review Court (DPRC), which has been established through regulations issued by the U.S. Attorney General. The DPRC will consist of six or more independent judges, appointed from outside the U.S. government, who have expertise in national security matters. The judges will not be subject to the day-to-day supervision of the Attorney General and may not be removed or otherwise subjected to adverse action arising from their service. Individuals will be represented before the DPRC by special advocates and the decisions of the DPRC will be final and binding.

According to Q&As issued by the European Commission, the new safeguards have been specifically designed to address the concerns identified in Schrems II and represent a significant improvement compared to the Privacy Shield.

3) What happens now?…
