On October 7, 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”). The administrative Order creates new protections applicable to cross-border data sharing through a phased implementation process and is the latest step toward establishing a new data privacy framework intended to permit the free flow of data from the EU to certain U.S. businesses.

This blog post recaps the history of the EU-U.S. data sharing agreements, examines the key features of the Order, and outlines the process for an assessment of its adequacy by EU authorities.

How Did We Get Here?

The GDPR permits data transfers from the European Economic Area (“EEA”) to a non-EEA jurisdiction if the EU Commission has decided that the recipient country meets certain criteria and thus ensures an adequate level of data protection or through other mechanisms such as EU Standard Contractual Clauses (“SCCs”).

In the case of data transfers to the U.S., the EU Court of Justice (the “CJEU”) has invalidated two adequacy decisions, first with the “Safe Harbor” framework in the 2015 Schrems I ruling and, most recently, with the “Privacy Shield” framework in the 2020 Schrems II ruling (covered here and here). In Schrems II, the CJEU found that U.S. surveillance laws failed to satisfy the core requirements for an adequacy decision, but confirmed that SCCs can be used in the EU-U.S. context as long as they comport with European Data Protection Board (“EDPB”) guidance, including “supplemental measures” to ensure adequacy. Against this backdrop, the European Commission and the Biden Administration announced (here and here) in March 2022 the third attempt at creating an EU-U.S. data privacy framework, with further commitments to bring U.S. protections into greater alignment with the requirements of the GDPR, and thereby obtain an EU Commission adequacy decision.

Overview of the Executive Order

The Order was specifically crafted to address the CJEU’s concerns in Schrems I and Schrems II that (1) national security exceptions for U.S. agencies were overbroad, improperly permitting them to conduct surveillance of EU citizens’ data; and (2) there was a lack of judicial redress for data privacy violations.

“Proportionality” as a limit on public power in the data privacy context is a concept that is familiar in Europe, but not in the United States. To respond to the CJEU’s concern about a lack of proportionality in the monitoring of EU citizens, the Order:

  • restricts intelligence gathering to certain enumerated “legitimate objectives”;
  • directs the current Civil Liberties Protection Officer (the “CLPO”), who is housed within the Office of the Director of National Intelligence, to conduct an assessment prior to any new intelligence-gathering operations;
  • mandates that intelligence-gathering activities be narrowly tailored in scope, targeted to specific individuals and account for less intrusive alternatives; and
  • imposes a regime for whistleblowers to escalate alleged violations of the Order to the Director of National Intelligence.

In response to the lack of judicial redress, the Order creates a two-step complaint and review regime which will apply to data of individuals based in (as yet undetermined) jurisdictions designated by the U.S. Attorney General, which is expected to include EEA Member States.

  • Investigation by the CLPO: The CLPO has authority to investigate the complaint, make findings of fact, and render a determination about appropriate remediation that is binding on U.S. national security agencies.
  • Review by the Data Protection Review Court (the “DPRC”): After the completion of the CLPO’s review, the complainant may request review by the DPRC. DPRC judges will be individuals selected by the U.S. Attorney General who are not presently employed by the government and who have extensive national security credentials. Special advocates will be appointed to represent the complainant’s position. The Order also mandates that the DPRC operate as if it were a federal appellate court, meaning that it will be bound by U.S. Supreme Court decisions.

Next Steps: EU Adoption

The European Commission and the Biden Administration hope that these new measures will permit an adequacy decision that withstands the CJEU’s scrutiny. But before that can happen, the European Commission must submit a draft adequacy opinion to the EDPB for review, and then have a final adequacy decision approved by EU member states. Achieving this is far from certain, however. Moreover, raising the possibility of a future Schrems-type suit, critics in the EU have already spoken out against the Order, highlighting (1) that it does not adequately restrict the U.S.’s bulk data collection activities and (2) that the DPRC is not an independent and impartial tribunal, as required by EU law, but rather an extension of the U.S. executive branch.

Where Does This Leave Us?

For now, companies should continue to rely on the SCCs to export data from the EEA to the U.S., and reassess supplementary measures taken in light of the Order. While SCCs will remain an important mechanism for facilitating data transfers even with a new adequacy decision, companies may want to consider how their data transfer protocols and long-term operations may be impacted by the Order, whether that is positively by a durable adequacy decision from the European Commission, or negatively by continued legal uncertainty around EU-U.S. data privacy agreements.

We do not expect the EU adoption process to be complete until sometime in 2023 at the earliest, but we will continue to monitor developments closely.

The authors would like to thank Debevoise Law Clerk Cameron Sharp for his contribution to this blog post.

To subscribe to the Data Blog, please click here.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.

Author

Melissa Muse is an associate in the Litigation Department based in the New York office. She is a member of the firm’s Data Strategy & Security Group, and the Intellectual Property practice. She can be reached at mmuse@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.