The EU’s General Data Protection Regulation (GDPR) restricts transfers of personal data to countries outside of the EU and the European Economic Area (EEA). The United States is regarded as a high-risk destination because it lacks comprehensive federal privacy legislation and because of laws such as the Foreign Intelligence Surveillance Act (FISA), which governs electronic surveillance of foreign powers and agents of foreign powers. Of particular concern is FISA Section 702, which permits the U.S. government to conduct targeted surveillance of non-U.S. persons reasonably believed to be located outside of the United States, with the compelled assistance of electronic communication service providers, in order to acquire foreign intelligence information as it traverses U.S. territory. Personal data that EU organizations transfer to U.S.-based providers therefore falls within its reach.
Under the GDPR, the simplest lawful basis for such a transfer is an adequacy decision: a finding by the European Commission that the destination country’s legal framework provides a level of protection for personal data essentially equivalent to that guaranteed within the EU. Where an adequacy decision is in force, personal data may flow to that country without additional safeguards.
The now-invalidated EU-U.S. Privacy Shield allowed EU-based companies to lawfully transfer personal data to U.S.-based companies that had self-certified compliance with the Privacy Shield Framework. In its 2020 Schrems II decision, however, the Court of Justice of the European Union struck down the Commission’s adequacy decision for the Privacy Shield, principally because of the breadth of U.S. surveillance law and the absence of an effective redress mechanism for EU individuals, leaving EU-based companies with few means of lawfully transferring personal data to the United States.
As the announcement accompanying the signing of the new Executive Order noted, transatlantic data flows underpin the $7.1 trillion in economic activity between the EU and the United States, and the Executive Order is intended to re-establish a legal basis for those transfers by addressing the concerns the Court of Justice of the European Union raised in Schrems II when it struck down the EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.
The Executive Order restricts U.S. government access to data transferred from qualifying jurisdictions, including the EU, and provides legal redress for individuals who claim that their privacy rights have been infringed. It requires that signals intelligence activities be conducted only in pursuit of defined national security objectives and with due consideration for the privacy and civil liberties of all persons, regardless of nationality or country of residence. Such surveillance may be conducted only when necessary to advance a validated intelligence priority, and only to the extent and in a manner proportionate to that priority. The Executive Order further directs the U.S. Intelligence Community to update its policies and procedures to reflect these privacy and civil liberties safeguards.
Notably, the Executive Order creates a two-layer mechanism through which individuals from qualifying countries can obtain an independent and binding review of, and redress for, claims that their personal information was collected or handled through U.S. signals intelligence in violation of applicable U.S. law: an initial investigation by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence, followed on request by review before a Data Protection Review Court established by the Attorney General.
Although the European Commission must still determine whether the Executive Order is sufficient to support a new adequacy decision, Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities gives organization leaders a sense of direction as they work to stay ahead of a rapidly changing privacy and security landscape. Until such a decision is adopted, transfers to the United States continue to depend on other GDPR transfer mechanisms, such as standard contractual clauses accompanied by a documented transfer impact assessment. American Cyber Security Management (ACSM) is available to help forward-thinking leaders proactively assess and remediate their data privacy and cybersecurity management needs. To learn more about how ACSM can help your organization, use our contact page at https://www.americancsm.com/contact-us/ and schedule a free discovery call today.
American Cyber Security Management is a leader in data privacy, cybersecurity, and compliance. Our mission is to help enterprises protect their data from internal and external threats. We offer on-demand assessment, implementation, and sustainability services focused on privacy and cybersecurity readiness and compliance, risk reduction, and mitigation. https://www.americancsm.com