NEWS10 October 2022

US strengthens privacy safeguards to allow EU data adequacy deal

Europe GDPR Legal News North America Privacy Public Sector

US – US president Joe Biden has signed an executive order implementing a series of safeguards for US intelligence gathering in the European Union to enhance EU citizens’ data privacy rights.

The White House

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities sets out the steps the US will take to implement its commitments under the EU-US data privacy framework.

The framework was announced by Biden and president of the European Commission Ursula Von der Leyen in March 2022, and sets out the legal basis for transatlantic data flows to address concerns raised by the European Court of Justice.

In July 2020, the court had struck down the previous data privacy framework between the US and EU on the grounds of failing to adequately assess the potential impact of US government surveillance on personal data transferred from the EU.

The US executive order will bolster existing privacy and civil liberties safeguards for US signals intelligence activity, and allow Europeans to seek redress if they believe their personal data was collected in a manner that violates US law.

In particular, the order requires intelligence activities be conducted only in pursuit of defined national security objectives and take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence.

The safeguards also require that intelligence gathering be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.

The US Privacy and Civil Liberties Oversight Board will review intelligence community policies and procedures to make sure they are consistent with the executive order, and will carry out an annual review of the situation.

The order is part of an attempt to provide the European Commission with a basis to adopt a new data adequacy determination with the US under EU law, as well as providing greater legal certainty for companies using standard contractual clauses and binding corporate rules to transfer EU personal data to the US.

The full executive order can be read here