Special thanks to Jordyn Liebman, Articling Student, who helped write this article.
On October 7, 2022, President Biden signed an Executive Order (“E.O.”) on Enhancing Safeguards for United States Signals Intelligence Activities. Businesses might be wondering: What, if anything, does this mean for me?
Quite simply, if your business transfers personal information from one country or state / province to another country or state / province, you should know (1) what is mandated of you by law and (2) the best practices of how to facilitate such transfers, to bolster your cybersecurity.
This blog will: first, provide the general backdrop leading to this E.O.; second, summarize President Biden’s E.O.; and third, discuss your business’ next steps.
The E.U. has a generally applicable privacy law known as the General Data Protection Regulation (“GDPR”). This law regulates your ability to export the personal information (called “personal data” in the European context) of Europeans to other countries. Generally speaking, to export personal information from the E.U. to another country, you need either an adequacy decision from the European Commission or to implement appropriate legal safeguards; both routes intend to ensure that the transferred personal information will receive a level of legal protection equivalent to the GDPR. The two most common appropriate legal safeguards are binding corporate rules or the E.U. standard contractual clauses.
Exporting personal information from the E.U. to a country already found to be adequate by the European Commission is the safest and quickest method. For example, the Commission has decided that Canada is an adequate jurisdiction in respect to private-sector companies collecting, using, and disclosing personal information in the course of commercial activities.
The United States and its Privacy Shield program used to be adequate. However, in July of 2020, the Court of Justice of the E.U. (the “CJEU”) released the landmark Schrems II case, which held that transfers of personal information to the U.S. from the E.U. could not be based on the U.S. Privacy Shield program because such program did not create an “adequate” level of data protection comparable to that under European Privacy Law (i.e., the General Data Protection Regulation—initialed to “GDPR”).
At the heart of the CJEU’s analysis involved:
- the broad power wielded by the U.S. intelligence community against non-U.S. residents via Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and executive order 12333;
- the lack of proportionality when the intelligence community collected bulk data; and,
- the lack of redress available for non-U.S. residents.
Therefore, since Schrems II, the E.U. does not consider the U.S. to be an “adequate” jurisdiction. Consequently, companies exporting E.U. personal information to the U.S. must place appropriate legal safeguards. However, due to the three reasons provided immediately above, it has become difficult for businesses to demonstrate that their applied safeguards actually create an appropriate level of legal protection.
In March 2022, the E.U. and U.S. reached “an agreement in principle” to a new Trans-Atlantic Data Privacy Framework, which would assist in the transfer of data between the E.U. and U.S. However, months passed without further details of what exactly this framework would look like.
Good news: your business’ trans-Atlantic data flows may get a little easier, soon
President Biden’s new E.O. generally provides the following:
- Additional safeguards: U.S. intelligence activities can only be pursued to achieve defined national security objectives and only to the extent necessary to advance a validated intelligence priority, balancing the “privacy and civil liberties of all persons, regardless of nationality or wherever they might reside.” Section 2(a)(ii)(B).
- Enhanced oversight: Intelligence agencies must designate compliance officials and publish / update policies and procedures that implement the safeguards described in this E.O.
- Redress mechanism: Complainants have access to a multi-layered mechanism for review and redress of claims concerning signals intelligence activities for any covered violation of U.S. law. Keep in mind that much of the decision-making process will be classified, and in the event you take a claim to the new Data Protection Review Court, a special advocate will be appointed to represent you.
Practically speaking, the E.O.’s exact specifics don’t exactly impact your business because it’s an executive order to U.S. intelligence agencies. The E.O. essentially represents the U.S. Commander and Chief tying his hands and the hands of the intelligence community. What’s important to you is how this E.O. impacts the legal uncertainty surrounding E.U. to U.S. transfers of data.
The most immediate impact is likely in negotiations with E.U. businesses. If you propose to transfer E.U. personal information to the U.S., a common rebuttal is often to point to the concerns raised in the Schrems II decision. You, as a business, can now point to this new E.O. to reassure them that there are additional data safeguards.
Otherwise, the U.S. will likely push for an adequacy decision from the European Commission. If the Commission confirms U.S. adequately, then cross-border businesses no longer need to transact within the ambiguity of whether their additional safeguards are satisfactory.
However, it is important to recognize that the E.O. is just an E.O. — it could be subject to amendment or revocation by any subsequent president. Additionally, even if President Biden’s E.O. leads to an adequacy decision, that decision could again be challenged in a European court. Lastly, President Biden’s E.O. does not eliminate the need for substantive U.S. privacy reform.
What are the takeaways for businesses?
Privacy and data export laws are becoming increasingly complex, and so are your business’ rights and obligations. Fines are becoming steeper for violating privacy legislation. For example, under the GDPR, administrative fines could reach €20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Likewise, Quebec’s new privacy law may subject your business to a comparable amount in Canadian dollars. If you transfer information across borders, you should seek legal advice.
If you have any questions related to this Article’s content, you may reach out to any lawyer in Siskinds’ Privacy, Cyber & Data Governance Team. You can also reach out to me, Savvas Daginis — a Canadian and American Business, Technology, and Privacy Lawyer — at [email protected] if you have any questions.