President Biden signs Executive Order to implement the EU-US Data Privacy Framework

October 10, 2022

US President Biden has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This sets out the steps that the US will take to implement the US commitments under the EU-US Data Privacy Framework announced in March 2022.

In particular, the Executive Order:

  • Adds safeguards for US signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all individuals, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
  • Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to deal with incidents of non-compliance.
  • Requires US Intelligence to update policies and procedures to reflect the new privacy and civil liberties safeguards in the Executive Order.
  • Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organisations, as set out by the Executive Order, to obtain independent and binding review and redress of claims that their personal information collected through US signals intelligence was collected or handled by the US in violation of applicable US law, including the enhanced safeguards in the Executive Order.
  • Calls on the Privacy and Civil Liberties Oversight Board to review US Intelligence policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence and the newly set up Data Protection Review Court.

These steps will provide the European Commission with a basis to adopt a new adequacy determination. This aims to restore a data transfer mechanism under EU law. It also aims to provide greater legal certainty for companies using standard contractual clauses and binding corporate rules to transfer EU personal data to the US.