On October 7, 2022, President Biden issued an "Executive Order on Enhancing Safeguards for United States Intelligence Activities" ("EO"), a much-awaited action after the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield program. Though this EO will not act as a U.S. data privacy law akin to the EU's General Data Protection Regulation ("GDPR"), it does pave the way to easing tensions for cross-border transfers of personal data between the EU and the U.S. While actual implementation of the EO will take place over the next few months, it signals President Biden's willingness to reconsider and revise the U.S. approach to personal data protection.

Legitimate Objectives

Rather than attempting to address or unify the U.S. federal approach to data privacy, the EO takes a targeted approach at addressing the issues noted by the CJEU, namely, collection of personal data by law enforcement agencies. A more comprehensive personal data transfer framework will likely be set forth in a new transatlantic data privacy framework, which is currently under negotiation; as a result, this EO focuses on "Signals Intelligence" activities by U.S. federal agencies. While not explicitly defined by the EO, Signals Intelligence generally refers to intelligence gathering based upon the interception (and where possible interpretation) of communications and other electronic signals, whether from citizens or military sources, including sources in other countries. Recognizing that such activities "must take into account that all persons should be treated with dignity and respect . . . and that all persons have legitimate privacy interests in the handling of their personal information," the EO sets forth a framework to support the U.S. national security apparatus.

After outlining various security objectives, the EO sets forth "prohibited" objectives for which collection of data shall not be conducted:

  • suppressing or burdening criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;
  • suppressing or restricting legitimate privacy interests;
  • suppressing or restricting a right to legal counsel; or
  • disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion.

The EO also prohibits the collection of "foreign private commercial information or trade secrets to afford a competitive advantage to United States companies," though collection of such information is authorized to "protect the national security" of the United States.

To ensure a "legitimate" purpose, the EO tasks the Director of National Intelligence ("Director") with ensuring collection activities through cooperation with the Civil Liberties Protection Officer, who must verify that the collection (1) advances a legitimate objective; (2) does not run afoul of any prohibited objectives; and (3) was established after "appropriate consideration" of the civil rights of any person involved.

Handling of Personal Information

In addition to the collection of personal information, the EO also outlines certain principles to govern the handling of collected personal information. Aligning with the GDPR precepts, data handling should be designed to minimize "dissemination and retention" of personal information. Of note, the EO governs dissemination of both U.S. and non-U.S. persons' personal information, and puts various limits on when this information can be circulated, including limiting:

  • Dissemination of personal information of foreign citizens to similar circumstances as U.S. citizens.
  • Dissemination of personal information based only on a person's "nationality or country of residence."
  • Dissemination only if an "appropriately trained individual" determines the information will be "appropriately protected" and the recipient has a "need to know" the information.

The EO also places requirements on the retention of any personal information collected through Signals Intelligence; though broadly, it merely limits retention of non-U.S. persons' personal information to the same requirements as "comparable information" for U.S. persons.

Redress

Finally, the EO provides direction for redress in connection with the collection of data for Signals Intelligence purposes. Within 60 days of the EO (i.e., no later than December 6, 2022), the Director, in consultation with the Attorney General and various heads of other government agencies that use the collected information, must establish a process for submitting a complaint. Post-submission, the Civil Liberties Protection Officer ("CLPO") reviews the complaint and corresponding collection for potential violations of the prohibited objectives and other provisions of the EO.

If a violation is found, the CLPO is responsible for determining the appropriate remediation, providing a report to the Assistant Attorney General for National Security, and notifying the relevant public authority ("without confirming or denying that the complainant was subject to U.S. Signals Intelligence activities") of the results. Should the public authority, or complainant, dispute the CLPO's determination, it may appeal the determination to the (newly established) Data Protection Review Court. This Court, to be established by the Attorney General within 60 days of the EO, is empowered with reviewing determinations made by the CLPO. The three-member panel of the Court appoints a special advocate to support the complainant's rights throughout the process and reviews the relevant information pertinent to the CLPO's determination. After review is complete, the Court prepares its own report, including—where necessary—its disagreements with the CLPO's determinations and remedial measures.

Conclusion

While President Biden's EO does not cover the same breadth of subject matter as the GDPR, it establishes a framework to amend the U.S. intelligence apparatus's processing of both U.S. and non-U.S. citizens' personal information.

At a commercial level, the EO will likely have only a limited effect on the data collection and processing systems already employed by companies throughout the country. But it signals the current administration's willingness to address the issues noted by the CJEU in invalidating the EU-U.S. Privacy Shield framework, laying a foundation that is intended to support the ongoing negotiations for a replacement transatlantic privacy framework.
