WPF White House Briefing Outtakes on the New European Union – US Data Privacy Framework
7 October 2022

I was among a small handful of privacy experts present Thursday, 6 October at a White House briefing on the new European Union – US Data Privacy Framework, the replacement for the EU-US Privacy Shield agreement that was invalidated by the Schrems II decision in Europe. Today, 7 October, President Biden has signed a landmark Executive Order which will enshrine the new agreement and create a set of concrete commitments by the United States government that will provide legal certainty around cross-border flows between Europe and the US. (E.O. Enhancing Safeguards for United States Signals Intelligence Activities.) In short, this will be the basis of a long-sought adequacy decision by Europe regarding the United States.

The new framework is notable, and has several qualities which make it of immediate importance to the EU and the US. Notably, the critiques of Schrems II regarding a lack of substantive standards and a lack of redress have been carefully considered in this new framework. This framework, upon first inspection, appears to have installed new oversight and governance structures that bind the US intelligence community to do more to protect EU individuals than many countries require of their intelligence communities. Beyond this, the improved structure created by the new layers of mandatory documentation and oversight provides a much more systemic and layered approach to providing assurances of at least an equal level of protections between jurisdictions. It is a much more modern model, which if replicated, could have the potential to improve outcomes more broadly in jurisdictions beyond the EU and the US.

The key operative parts of the new framework include new principles and objectives, and new mechanisms for safeguards and oversight. The principles section of the framework specifically calls out the applicability of the framework to signals intelligence, and specifically states that any actions must be proportionate.
The objectives section outlines the legitimate objectives for the signals intelligence, i.e., the specific list of reasons for which the US will engage in signals intelligence. In the briefing, government officials noted that this is the first time in a governing document in the US that these legitimate objectives have been laid out so specifically. Also included are specific prohibited objectives, which are not a new part of the framework, but have been brought over from existing language.

Particularly notable in this framework are new systemic documentation requirements for assessing the activities that take place under the framework. The Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence (ODNI) must review the priorities of any given request for signals intelligence, and attach an assessment validating that the purposes are legitimate for the request. This decision is binding, and subject to review. If the ODNI cannot validate that a particular request is aligned with legitimate objectives, then the review will not continue. According to the briefing, any member of the intelligence community that does not abide by the assessment of the ODNI would be removed from their position.

The ODNI oversight of the process creates a significant layer of new documentation requirements, and the framework mandates that the documentation requirements are distributed across the intelligence ecosystem. Each element across the agencies and individuals in the request process must maintain documentation regarding this process. The documentation requirement may not at first glance sound compelling, but it is in reality very compelling, and a key aspect of the framework, as it facilitates the redress process and creates improved and more nuanced oversight.

Regarding the complaint process, when the US receives a complaint under the new framework, an investigation is initiated in the office of the ODNI and will be handled by the CLPO.
This individual will have access to intelligence across the intelligence community. The requirement will be to review the information — including the documentation — and determine if there was a covered violation, and if there was appropriate remediation made if a violation occurred. A review will occur if there has been a remediation. Claimants will have options for further review in an Article 2 court that is independent, and staffed by individuals outside of the government, appointed by the Attorney General. A special advocate would also be appointed to ensure that claimants’ interests are being appropriately handled. The court would be granted authority to gather additional information, and would have full authority to agree or disagree with the decision.

In addition to the framework’s requirements for senior level oversight by one or more compliance professionals (as discussed), it specifically forbids intelligence community professionals from impeding the oversight. New training obligations are also included in the framework.

The US government will write implementing procedures for the framework, which officials said would likely take up to a year to complete. Officials also noted that the EU would likely be issuing an adequacy decision sooner than that.

I have written these initial thoughts based on an in-depth briefing and a fact sheet — as I and others at WPF read and evaluate the Executive Order, and then the implementing regulations, we will continue to publish updates and analysis, and wherever necessary, corrections to the information that we have published.

Overall, my impression is that the US has heard the European Court, and in this framework has made a significant set of systemic advancements to mitigate the problems discussed in the Schrems II decision. While no system is perfect, it is important to notice just how far the US government has gone to address the problems.
The additional systemic layers of oversight and documentation are welcome, as are the improved redress mechanisms. Some of these are new structures, and it will take careful evaluation of the implementing principles and outcomes over time to see how well the structures are working, and how they could potentially facilitate better overall models of oversight and redress that could be adapted and utilized more broadly.

Pam Dixon, Executive Director, World Privacy Forum

Posted October 7, 2022 in Complex Data Ecosystems, Cross-Border, EU - US Data Privacy Framework, EU - US Privacy Shield