The U.S. Takes a Huge Next Step Towards GDPR Adequacy

Oct 10, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy, Privacy Initiatives, BBB National Programs

On October 7, 2022, President Biden signed the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (EO), providing the legal basis for a new transatlantic data flow mechanism that will enable the $7.1 trillion economic relationship between the EU and U.S. to continue thriving. The new mechanism, EU-U.S. Data Privacy Framework (DPF), was agreed upon, in principle, by President Biden and European Commission President von der Leyen in March 2022.   

BBB National Programs commended the Executive Order as a positive step in support of the more than 5,000 businesses that rely on Privacy Shield for the transfer of personal data from the EU to the U.S.   

Breaking down what the EO says, the majority of it is focused on signals intelligence. The National Security Agency defines signals intelligence (SIGINT) as the collection of “foreign intelligence from communications and information systems,” which in turn is provided “to customers across the U.S. government, such as senior civilian and military officials.” The information collected is intended to protect U.S. troops, support allies, combat terrorism, fight crime, and assist with diplomatic negotiations. The information itself is collected through a variety of means, including foreign communications, radar, and other electronic systems.

U.S. surveillance programs and activities based on SIGINT served as the Court of Justice of the European Union’s (CJEU) rationale for invalidating the previous EU-U.S. Privacy Shield framework in Schrems II, a decision issued in July 2020.  

In Schrems II, the CJEU reasoned that U.S. surveillance program activities were not limited to what is “strictly necessary” and resulted in “disproportionate interference” with the rights afforded EU citizens under the GDPR. Additionally, the CJEU reasoned there was no redress mechanism for EU subjects against U.S. authorities administering these programs. The EO is a direct response to the CJEU’s concerns.  

To address these concerns, the EO outlines the following safeguards:  

  1. Necessity and proportionality requirement: SIGINT activities should only be used after determining they are reasonable under the circumstances to achieve a legitimate objective, and must not disproportionately impact the privacy or civil liberties of an individual.
  2. Legitimate objectives: SIGINT may be used to achieve one of twelve objectives targeting foreign governments, foreign organizations, or foreign individuals:
    • Protecting the national security of the U.S., allies, or partners.
    • Identifying and monitoring terrorist organizations.
    • Determining global security threats.
    • Protecting against foreign militaries.
    • Protecting against terrorism.
    • Protecting against intelligence activities.
    • Protecting against weapons of mass destruction.
    • Protecting against cybersecurity threats.
    • Protecting against threats to U.S., ally, or partner personnel.
    • Protecting against transnational criminal threats.
    • Protecting the integrity of elections and political processes, government property, and U.S. infrastructure.
    • Advancing the collection or operational capabilities or activities to further one of the legitimate objectives above.
  3. Oversight mechanisms: SIGINT activities will be subjected to rigorous oversight processes both internally (by the respective intelligence agencies) and externally (by the Privacy and Civil Liberties Oversight Board).
  4. Redress system: Individuals claiming their personal information was improperly collected through U.S. SIGINT activities may seek redress through a multi-layer mechanism. The first layer is an investigation by the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence to determine whether any safeguards or laws were violated. The second layer is a Data Protection Review Court that provides an independent and binding review of the CLPO’s determination.


While this is a huge step towards adequacy under the GDPR, the process has just begun. The EO will serve as the legal basis for the European Commission to make a new adequacy decision. Based on previous adequacy decisions, and if all goes to plan, the DPF will likely take effect by March 2023.  

To learn more about how we got here, and what is expected over the next few months during the EU’s adequacy decision process, read The Next Phase of Privacy Shield. Follow along as we continue to assess this Executive Order and its implications for the Privacy Shield program, or sign up to receive our additional insights moving forward from the Privacy Initiatives newsletter.

If you need support or have questions specific to your Privacy Shield status, please reach out so we can discuss your situation at GlobalPrivacy@bbbnp.org.  
