EO Puts Restraints on Electronic Communications Gathering by Intelligence Agencies
Update Oct 7, 2022 15:43 UTC: U.S. President Joe Biden signed the executive order titled “Enhancing Safeguards for United States Signals Intelligence Activities.” A copy is here. The president also signed National Security Memorandum 14, establishing new safeguards on signals intelligence gathering. A copy is here.
Whether commercial data can legally cross the Atlantic into the United States now hinges on the European Commission’s reaction to an executive order President Joe Biden will sign Friday.
The executive order will create a tribunal within the Department of Justice staffed by judges from outside the government who will review European claims that personal information was wrongly swept up by U.S. intelligence agencies. The Data Protection Review Court will look at complaints already examined by the Civil Liberties Protection Officer within the Office of the Director of National Intelligence.
The order also imposes restraints on electronic gathering of communications by intelligence agencies, limiting them to cases where there’s a defined national security objective, when there’s a validated intelligence priority and even then in a proportionate manner that takes into account the privacy of all persons, regardless of nationality.
The order is the outcome of nearly two years of negotiations between Brussels and Washington, instigated by a Court of Justice of the European Union decision invalidating Privacy Shield, the legal framework underpinning trans-Atlantic commercial data flows. The 2020 ruling was actually the second time Europe’s highest court found U.S. assurances about privacy protections for ordinary Europeans against American intelligence gathering to be wanting, having in 2015 struck down a previous arrangement known as Safe Harbor.
This third bid for a legal framework assuring that companies such as Facebook and Google can continue to obtain, store and analyze Europeans’ data in data centers located outside the continent is different than the previous two, administration officials say.
“I will transmit to Commissioner Reynders a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. Data Privacy Framework,” said Commerce Secretary Gina Raimondo in a Thursday press call, referring to Didier Reynders, the European Commissioner for Justice. European and U.S. officials announced in March an agreement in principle but withheld further details pending the full conclusion of talks.
“The strength and safeguards for intelligence, the new redress mechanism and updated privacy principles will form the basis for the European Commission’s assessment,” Raimondo said.
Digital data flows underpin trade and investment between the U.S. and Europe, a relationship the federal government assesses is worth $7.1 trillion. Trans-Atlantic trade in information and communications technology services was worth more than $264 billion in 2020. A recent study commissioned by trade association Digital Europe concluded that a loss of cross-border data flows on exports from data-reliant sectors would lead to an annual reduction in EU gross domestic product of 330 billion euros.
Another court challenge to the agreement is all but inevitable, Biden officials acknowledged during the press call.
“What the courts will see is that we have really put forward a framework that is fundamentally different from what was in place before,” a senior administration official said on condition of anonymity.
Under Privacy Shield, European residents could theoretically bring complaints about intelligence gathering overreach to an ombudsman located within the Department of State. European judges said the position lacked independence and authority.
“What you’ll see with this is a far more independent tribunal with the backing of the attorney general when it comes to enforcement,” the senior administration official said.
A Long History of Fraught Data Flows
Revelations last decade by former intelligence community contractor Edward Snowden over bulk surveillance by the National Security Agency led Austrian activist Max Schrems, who was then a law student, to challenge the trans-Atlantic data transfer legal agreement in effect since 2000 – the U.S.-EU Safe Harbor. He argued that American company assurances about respecting European privacy were meaningless given the extent of NSA surveillance. His challenge led to what’s now known as the Schrems I decision by the Court of European Justice, a 2015 ruling invalidating Safe Harbor (see: EU Court Invalidates U.S.-EU Data Sharing Agreement).
Talks already underway to strengthen Safe Harbor took on added urgency, resulting in the 2016 unveiling by European and U.S. officials of the Privacy Shield (see: Europe’s New Privacy Shield: Will It Hold?).
Schrems lodged another challenge, although French digital privacy advocacy group La Quadrature du Net also mounted a court case against the Privacy Shield. The July 2020 ruling by Europe’s high court, known as Schrems II, addressed issues brought by both activists, finding that the Privacy Shield itself was inadequate and that an alternative legal framework for trans-Atlantic commercial data flows known as standard contract clauses had to be assessed on a country-by-country basis.
The ambiguity put pressure on government negotiators and companies, including Meta, which told investors earlier this year it was considering pulling Facebook and Instagram from Europe.
Of course, it’s unlikely that today’s executive order or the expected acceptance by the European Commission of the framework will be the last legal word.
Schrems, in a Friday morning statement, signaled another likely court challenge, writing that “At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.” The tribunal in the Justice Department “is simply not a court” and the intelligence gathering limitations agreed to by the U.S. don’t go far enough, he said.*
Asked about the possibility of a new round of legal challenges, another senior administration official responded during Thursday’s press call that “We are confident that this addresses the concerns expressed in the court’s opinion, but obviously we can’t predict the outcome of any legal challenges that might occur in the future.”
With reporting by ISMG’s Anviksha More.
*Update Oct. 7, 2022 14:29 UTC: Updates story with comments from Max Schrems.