Big privacy news as President Biden announces a new E.U.-U.S. data privacy framework that will likely be finalized in six months. The previous structure was declared invalid by the Court of Justice of the European Union as a legal data transfer mechanism under E.U. law. The new framework addresses the court's concerns and adopts new American privacy protections for intelligence gathering.
According to NBC News, U.S. Commerce Secretary Gina Raimondo told reporters the executive order “is the culmination of our joint effort to restore trust and stability to transatlantic data flows” and “will ensure the privacy of E.U. personal data” (Reuters, 2022).
The White House says that Biden’s order strengthened the nation’s existing “privacy and civil liberties safeguards” for intelligence gathering and established a multi-tiered, independent redress process for people who feel their personal information was improperly obtained by American intelligence agencies.
Truyo President Dan Clarke’s Thoughts on the Proposed Framework
While we are probably six months from official ratification, the Biden administration now has a framework to address the concerns of the Court of Justice of the European Union, which struck down the prior Privacy Shield framework under Schrems II. This should enable U.S.-E.U. data transfers when the complex process is completed and gives US companies hope of a lasting framework that should survive the inevitable legal challenges.
Limitations on the US Government are the key enabler, and highly contentious among some detractors, but seem to have been overcome in Biden’s order. U.S. intelligence must do the following, along with updating policies & procedures to reflect such “civil liberty safeguards”:
Activities must be conducted only in pursuit of defined national security objectives;
Activities must consider privacy implications and civil liberties of all persons, regardless of nationality or country of residence;
and activities must be conducted only when necessary and proportionate to advance a validated intelligence priority.
There is also a defined multi-layer review process commencing with an investigation by the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence that is then forwarded to a newly established (by the AG) “Data Protection Review Court.” That court will be qualified and appointed from outside the U.S. Government and will have binding authority – this is quite new. The prior structure appealed only to an ombudsman that carried questionable authority over intelligence agencies. There is even a requirement for annual review by the Civil Liberties Oversight Board to assure the procedures are consistent with the executive order and maintain the goals of the process.
This implies few changes for companies. Thus far, it would seem the existing Privacy Shield process would suffice, perhaps with a new attestation. We will keep our eyes on the specific process required of U.S. companies as this unfolds, but this is a promising development.
Reuters. (2022, October 7). Biden signs order to implement E.U.-U.S. Data Privacy Framework. NBCNews.com. Retrieved October 7, 2022, from https://www.nbcnews.com/tech/security/biden-signs-order-implement-eu-us-data-privacy-framework-rcna51241