Now that the Executive Order (EO) and DOJ regulations on the EU-US Data Privacy Framework have been released, what do those instruments require the government to do next? There are a few components to think about. First, what is next for the conduct of signals intelligence (SIGINT), and second, what is next for redress? This post will provide an overview of these processes to help get you up to speed on the EO’s implementation.
At the outset, it is important to note that the new EO is effective immediately. There is no transition period.
Intelligence Community Policies and Procedures
The EO requires intelligence agencies to conduct SIGINT activities in accordance with the objectives and the privacy and civil liberties safeguards listed in the document. The agencies must update their policies and procedures to reflect the EO’s mandate within one year of the EO’s release, or by October 7th, 2023. In the meantime, the intelligence agencies must comply with existing PPD-28 policies and procedures. The objectives and the privacy and civil liberties safeguards can be found in Section 2(b) and Section 2(c) of the EO. If a complainant believes an intelligence agency committed a covered violation of these safeguards, they can submit a qualifying complaint.
Before a complainant can submit a complaint, the Office of the Director of National Intelligence (ODNI) must establish the process by which the appropriate public authority in a qualifying state submits qualifying complaints. ODNI must do so within 60 days from the date of the order, or by December 6th, 2022.
Additionally, the Attorney General must designate a country or regional economic integration organization as a qualifying state. A country or economic area can meet this status if:
- it provides “appropriate safeguards” while conducting signals intelligence on United States persons’ personal information that is transferred from the United States to another country;
- transfers of data are permitted between the country and the United States; and
- it advances the national interests of the United States.
Neither the EO nor DOJ regulations list a timeframe for this designation.
Starting Up the Data Protection Review Court (DPRC)
Unlike the EO, the DOJ regulations do not list timeframes for the tasks that the Department of Justice must accomplish to start up the DPRC. These include:
Initial Appointment of Judges
The Attorney General, in consultation with the Secretary of Commerce, the DNI, and the Privacy and Civil Liberties Oversight Board (PCLOB), must appoint no fewer than six individuals to serve as judges for four-year renewable terms to form the DPRC. 28 C.F.R. § 201.3.
The judges must meet a few requirements:
- They cannot have been executive branch employees in the previous two years
- Prior judicial experience is preferred
- They must have experience in data privacy and national security law
- They must be members in good standing of the bar of a State, Commonwealth, Territory, or Possession, or of the District of Columbia
- They must have the necessary security clearance to access classified national security information
If the complainant or an element of the Intelligence Community elects to have the DPRC review the CLPO’s determination, a Special Advocate will be selected by the DPRC to advocate on the complainant’s behalf. The Attorney General will select two or more Special Advocates who will serve for two-year renewable terms. The Special Advocate position requires qualifications similar to those of DPRC judges.
The DOJ regulations call on the DPRC to establish and publish its rules of procedure.