Future Trans-Atlantic Data Privacy Framework Makes Progress
The United States took another decisive step towards establishing the new Trans-Atlantic Data Privacy Framework. After the EU and the US had announced in March 2022 that they had agreed on the key principles of the framework (→ eucrim 1/2022, 31-32), US President Joe Biden signed an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” on 7 October 2022.
The Executive Order translates the agreed principles into US law and particularly provides for the following:
- Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court (“DPRC”); under this mechanism, complaints regarding access to Europeans’ data by US national security authorities can be investigated and resolved.
The Executive Order also requires US intelligence agencies to review their policies and procedures to implement these new safeguards.
The redress mechanism will consist of two layers: First, Europeans will be able to lodge a complaint with the “Civil Liberties Protection Officer” – a person who is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights. Second, Europeans will be able to appeal the decision of the Civil Liberties Protection Officer before the newly created DPRC. The DPRC will act in full independence from the government and will have the power to order the deletion of data, if necessary.
The Commission believes that the Executive Order, together with other US regulations, fulfils the requirements set out in the CJEU’s Schrems II judgment, which toppled the predecessor agreement, the EU-US Privacy Shield, in 2020 (→ eucrim 2/2020, 98-99). On the basis of the measures taken by the United States, the Commission will now prepare a draft adequacy decision and launch the EU’s adoption process. This necessitates, inter alia, an opinion by the European Data Protection Board (EDPB).