
Privacy Progress: New Restrictions on U.S. Intelligence Agencies Reignite EU Data Sharing Effort

Two years after the EU Court of Justice struck down a data sharing agreement between the United States and the European Union and seven months after an “agreement in principle on a new framework,” the reforms to change U.S. intelligence agencies’ behavior and implement a new transatlantic data flow are finally beginning to take shape. 

U.S. President Joe Biden signed an executive order last week that requires U.S. signals intelligence activities be conducted only in pursuit of national security objectives; be conducted only when necessary to advance a validated intelligence priority and to the extent and manner proportionate to that priority; and that the activities take into consideration the privacy and civil liberties of all individuals.

“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship,” the White House said in a fact sheet on the signing of the executive order. “The EU-U.S. [data protection framework] will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”

The executive order also mandates requirements for personal information collected through signals intelligence activities, extending the responsibilities of legal, oversight, and compliance officials to ensure appropriate actions are taken to remediate incidents of non-compliance. The U.S. intelligence community is further required to update its policies and procedures to reflect the safeguards in Biden’s executive order.

These reforms are key because previously the U.S. intelligence community could obtain data—not limited to metadata—on foreign nationals from U.S. companies while prohibiting those companies from disclosing that the data was shared. The EU Court of Justice considered this a violation of EU law because U.S. intelligence agencies were not limited to collecting data that was “strictly necessary,” did not offer appropriate protections for EU residents’ data, and did not offer an appropriate mechanism for redress, causing the court to strike down the Privacy Shield agreement in a case brought by Austrian Maximilian Schrems (known as Schrems II).

Another reform that the executive order makes—and was called out in the 2020 court ruling—is to create a multilayer mechanism for individuals from qualifying states and regions to obtain independent and binding review and redress of their claims that their personal information was collected through U.S. signals intelligence or handled by the United States in violation of U.S. law.

“Under the first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the executive orders’ enhanced safeguards or other applicable U.S. law were violated and, if so, to determine the appropriate remediation,” according to an executive order fact sheet.

The executive order makes CLPO decisions binding for the intelligence community, but they are subject to a second layer of review. The U.S. Attorney General will create a Data Protection Review Court (DPRC) made of judges appointed from outside the U.S. government with experience in data privacy and national security to review CLPO decisions. The DPRC will also have a special advocate for each case to advocate for the complainant’s interest.

As a final step, the executive order instructs the Privacy and Civil Liberties Oversight Board to review U.S. intelligence community policies and procedures to ensure they are consistent with the order.

On Twitter, European Commission President Ursula von der Leyen wrote that she welcomed Biden’s decision to sign the executive order. She called it an “important step forward for better data protection for citizens” with more legal certainty for businesses on both sides of the Atlantic. 

Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP), said the executive order clears a path for transatlantic business and diplomacy alike. 

“Since the EU’s Schrems II decision invalidated the Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable,” she said in a statement shared with Security Management. “Some might argue they were effectively banned. Enforcement actions have only trickled out, but their impact has been significant. That caused havoc for major U.S. tech firms in Europe, but led mainly to confusion, higher legal costs, and a limited selection of service providers for smaller firms.”

In an interview, Fennessy, who previously served as the Privacy Shield Director at the U.S. International Trade Administration, explains that international data transfers have been the greatest challenge for privacy professionals since the EU Court of Justice invalidated the Privacy Shield agreement in 2020.

One business process that has been difficult for organizations since the dissolution of the Privacy Shield agreement is using Google Analytics and cookies to assess and monitor website traffic. Some EU member data protection authorities have said these tools are not in compliance with EU law because the data was not encrypted, and therefore potentially accessible to U.S. government authorities, Fennessy says.

“That left companies in Europe questioning whether they could work with U.S. service providers, primarily U.S. cloud providers, analytics providers, and companies working in the ad tech ecosystem,” Fennessy explains. “Even much more broadly, these enforcement actions suggested that any ability to access personal data in the clear could be a violation.”

When looking at the executive order reforms, Fennessy says requiring U.S. intelligence agencies to limit their data collection in terms of “necessity and proportionality” is important because those words have real weight in the European legal system.

“The U.S. government long sought to avoid the use of those terms in multilateral principles on these issues,” she explains, because the terms have a clear meaning and expectation under EU laws and rulings by the EU Court of Human Rights. “They come with a lot of prepackaged understanding,” she says, which is why the United States has previously used the “reasonable standard” for intelligence activities.

Even then, the new agreement is likely to face an immediate challenge. Schrems’ privacy activism group, noyb, issued a statement saying that despite the executive order’s new requirements for U.S. intelligence agencies, there is no indication that U.S. mass surveillance practices will change.

“The EU and the U.S. now agree on the use of the word ‘proportionate’ but seem to disagree on the meaning of it,” Schrems said. “In the end, the CJEU’s definition will prevail—likely killing any EU decision again. The European Commission is turning a blind eye on U.S. law again and allowing the continued surveillance of Europeans.”

The American Civil Liberties Union (ACLU) also issued a statement saying that the executive order does not go far enough to protect Americans’ and Europeans’ privacy and does not meet EU legal requirements. 

“The problems with the U.S. surveillance regime cannot be cured by an executive order alone,” said Ashley Gorski, senior staff attorney with the ACLU National Security Project. “To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, U.S. businesses and individuals will continue to pay the price.”

While the executive order is effective immediately, there is still a lengthy process to reinstate a full data transfer agreement with the European Union. The European Commission will now draft an adequacy determination of the new framework that incorporates the executive order’s measures and send it to the European Data Protection Board, which will issue a non-binding opinion on it. The EU member states will then vote on the adequacy determination; 55 percent of member states (15 out of 27) must be in favor.

If the member states approve, then the European Commission will adopt the adequacy determination and publish it in the EU Official Journal to take immediate effect. When the EU conducted this process for the Privacy Shield agreement, Fennessy says it took approximately five months.

In the meantime, Fennessy says she will be looking to see how the United Kingdom and Switzerland—which previously recognized Privacy Shield—react to the executive order and a new data protection sharing agreement with the EU, as well as the reaction from the Organization for Economic Co-Operation and Development (OECD), which has also been working on developing principles for access to trusted data.

“The question now is whether the cycles of break and rebuild will become perpetual or whether this new framework might instead serve as a building block for broader multilateral collaboration or even progress on U.S. federal legislation to make U.S. commercial data protections as binding for individuals regardless of nationality or residence, as are their new national security equivalents,” Fennessy says.