Publication
New Executive Order Paves the Way for EU-US Data Privacy Adequacy Agreements
By Aloke S. Chakravarty and Mary Colleen Fowler
On October 7, 2022, President Biden signed an Executive Order on enhancing safeguards for United States signals intelligence activities (the “EO”).1 The EO sets forth the United States’ commitments under the previously announced European Union-U.S. Data Privacy Framework (the “EU-U.S. DPF”).2 The EU-U.S. DPF creates a framework for Privacy Shield 2.0, and requires the U.S. to take measurable actions to comply with the General Data Protection Regulation.3 The EO signals the U.S.' determination to follow through on its commitments established in the EU-U.S. DPF and address the concerns raised in Schrems II (previously discussed in our Global Connection Newsletter). Now, the EU will draft an adequacy decision and initiate its adoption process—setting the stage for the implementation of Privacy Shield 2.0 in March 2023. Under Privacy Shield 2.0, U.S. organizations will be able to better comply with and fulfill data processing and transfer functions.
Under the EO, the U.S. commits to the following:
- Provide additional safeguards related to U.S. signals intelligence activities, specifically that such activities will be completed in the pursuit of defined and necessary national security objectives. The activities will further consider the privacy and civil liberties of all persons, regardless of nationality or residence.
- Establish handling requirements for collected personal information. Moreover, legal, oversight and compliance officials will work to address any instances of non-compliance.
- Require the U.S. Intelligence Community to update their policies and procedures in light of this EO.
- Outline a two-step redress mechanism for data subjects in “qualifying states” who believe that the U.S. Intelligence Community has processed their data in violation of applicable U.S. law. These data subjects can lodge a Complaint with the Civil Liberties Protection Officer (“CPLO”) and later appeal decisions of the CPLO to a newly established data protection review court.
- Empower the Privacy and Civil Liberties Oversight Board to review these policies and procedures on an annual basis to determine whether the U.S. Intelligence Community is in compliance.
In the meantime, as the U.S. and EU move toward establishing a streamlined path for data flow, organizations engaged in trans-Atlantic data transfers should continue to ensure their own data transfers occur under proper legal bases. Organizations should continue to carefully review their data maps and determine what analysis and impact assessments need to be completed for safe transfers. Organizations may want to consider additional supplementary transfer measures, such as use of standard contractual clauses (“SCCs”), binding corporate rules (“BCRs”), and data encryption tools, to indicate organizational efforts toward maintaining compliance. Organizations should consider reaching out to legal counsel to better understand the impact of the current data transfer landscape on their business opportunities and to see whether Privacy Shield 2.0 may be part of their planning going forward.
Footnotes
-
See Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (October 7, 2022), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/.
-
See White House Fact Sheet, United States and European Commission Announce
Trans-Atlantic Data Privacy Framework (March 25, 2022), available at https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/. -
Id.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.