Published by The Lawfare Institute
On Oct. 7, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. This order is a concrete step taken by the president to fulfill a commitment made in March during an announcement that the U.S. and the European Commission had agreed to the Trans-Atlantic Data Privacy Framework. The framework was negotiated after the Court of Justice of the European Union struck down the 2015 Privacy Shield agreement for failing to adequately protect individual privacy rights, and it aims to establish a higher privacy protection standard and provide a more durable basis for future trans-Atlantic data flows.
Signals Intelligence Activities
Section 2 of the executive order describes the framework in which U.S. government officials can conduct signals intelligence (SIGINT) activities. SIGINT activities include collecting information from foreign communications, radar, and other electronic systems. This section includes a description of 12 “legitimate objectives” for targeted collection, six objectives for bulk collection (information acquired without use of discriminants), and five “prohibited objectives.” This section also describes the safeguards the U.S. will put in place to ensure that privacy and civil liberties are “integral considerations” in the planning of SIGINT activities.
The 12 “legitimate objectives” include:
- Assessing capabilities of foreign governments or those controlled by them to protect U.S. national security.
- Assessing capabilities of foreign organizations, including terrorist groups, to protect U.S. national security.
- Assessing transnational threats that impact global security.
- Protecting against foreign militaries.
- Protecting against terrorism, hostages, and captives.
- Protecting against intelligence activities conducted by or on behalf of a foreign government, organization, or person.
- Protecting against threats surrounding weapons of mass destruction.
- Protecting against cybersecurity threats and malicious cyber activity conducted by or on behalf of a foreign government, organization, or person.
- Protecting against threats to U.S. or allied personnel.
- Protecting against transnational criminal threats such as financial evasion related to other listed objectives.
- Protecting the integrity of U.S. elections and infrastructure.
- Advancing capabilities to further one of the other named objectives.
The order requires that targeted collection be prioritized over bulk collection. Bulk collection is allowed only when targeted collection cannot reasonably obtain the necessary information. The objectives for allowing bulk collection are a subset of those for targeted collection, numbers 5-9 above, along with a correspondingly more limited illicit financial transaction provision similar to number 10 above. For both targeted and bulk collection, the order makes clear that the president may add other objectives at a later date and that those objectives will be disclosed publicly unless doing so poses a risk to national security.
The five prohibited objectives include:
- Suppressing free expression by individuals or the press.
- Restricting “legitimate privacy interests.”
- Restricting the right to legal counsel.
- Disadvantaging people based on ethnicity, race, gender, gender identity, sexual orientation, or religion.
- Collecting foreign private commercial information or trade secrets to give U.S. companies an advantage in the market.
Section 2 adds the procedural step that the director of national intelligence shall obtain an assessment on proposed collection priorities from the civil liberties protection officer (CLPO) of the Office of the Director of National Intelligence to validate that SIGINT collection priorities fall within a legitimate objective and do not fall within a prohibited objective, and that there has been a consideration of the privacy and civil liberties of all persons regardless of nationality. The CLPO step must be taken before presenting proposed National Intelligence Priorities Framework changes to the president. The director does not have to agree with the CLPO assessments but must provide the assessments to the president when seeking approval.
Section 2 also describes the privacy and civil liberties safeguards, including how to determine when SIGINT is appropriate, how to handle collected “personal information” of non-U.S. persons, and how each element of the intelligence community should update its policies and procedures.
The process for determining when SIGINT collection is appropriate requires a reasonable assessment of all relevant factors, including the “availability, feasibility, and appropriateness” of other less intrusive ways of collecting the information. The existence of an alternative does not bar SIGINT collection so long as the assessment is completed and SIGINT is found to be necessary. SIGINT collection must be tailored so that it does not disproportionately impact privacy and civil liberties. The factors used to consider the impact include the nature of the pursued objective, the steps taken to limit the scope of collection, the intrusiveness of the collection activity, including its duration, the probable contribution of the SIGINT collection to the objective, the “reasonably foreseeable consequences to individuals,” the nature and sensitivity of the data, and the safeguards afforded once information is collected.
The handling of personal information includes procedures for minimization, data security and access, data quality, permissions to perform bulk collection queries, and documentation. Minimization includes safeguards on both dissemination and retention of non-U.S. persons’ personal information. Notably, the retention policy directs the intelligence community to treat non-U.S. persons’ personal information in the same manner as similar data on U.S. persons. However, the order does not define “personal information.”
The updated policies and procedures for elements of the intelligence community are requested to be published publicly to the “maximum extent possible” within one year of the executive order’s signing. The updated policies must be coordinated with the attorney general, the CLPO, and the Privacy and Civil Liberties Oversight Board (PCLOB) to ensure compliance with the privacy and civil liberties safeguards.
Elements of the intelligence community are required to put in place legal, oversight, and compliance officials to ensure the policies are being followed, to update training on the order for all persons with access to SIGINT, and to mandate that any “significant incident of non-compliance” is reported and that remedial actions are undertaken.
Finally, in the savings clause of Section 2, the executive order makes clear that any SIGINT collection technique authorized under previous laws or presidential directives is not limited so long as it is conducted in line with the procedures laid out here.
Signals Intelligence Redress Mechanism
Section 3 of the executive order establishes a three-layer redress mechanism for “qualifying states,” which are countries or regional economic integration organizations that will be designated by the attorney general, in consultation with the secretary of state, the secretary of commerce, and the director of national intelligence, after a finding that (a) they have laws that require appropriate safeguards in the conduct of signals intelligence activities for U.S. persons’ personal information that is transferred from the U.S. to their territory; (b) they permit, or are anticipated to permit, the transfer of personal information for commercial purposes between the U.S. and their territory; and (c) the designation of them as qualifying states can advance the U.S. national interests.
The first layer of protection is the initial investigation of qualifying complaints by the CLPO. A qualifying state’s appropriate public authority can submit a complaint to the CLPO if it thinks a “covered violation” has occurred, which refers to intelligence activities regarding data transferred to the U.S. from a qualifying state that (a) adversely affect the complainant’s individual privacy and civil liberties interests and (b) violate this order or other applicable U.S. laws. If the CLPO makes a finding in favor of the complainant, it has the authority to determine appropriate remediation. The order requires the intelligence community to provide support and assistance to the CLPO in accessing necessary information and performing its review. The CLPO’s determinations are binding on the intelligence community.
The second layer of protection is the review process of the Data Protection Review Court (DPRC), which is an independent court whose decisions are binding on all elements of the intelligence community. The DPRC will comprise judges appointed by the attorney general, in consultation with the secretary of commerce, the director of national intelligence, and the PCLOB, who are legal practitioners with appropriate experience in the fields of data privacy and national security law, not employees of the U.S. government, and preferably with prior judicial experience. After the initial decision of the CLPO, both the complainant and an element of the intelligence community can file an application for review to the DPRC. The DPRC will then convene a panel of three judges with requisite security clearances to hear the case. A special advocate with requisite security clearances will be provided to advocate for the complainant and to assist the panel in becoming well informed of the related issues and the law.
The third layer of protection is the annual review process by the PCLOB. The order encourages the PCLOB to conduct an annual review of the processing of qualifying complaints, including (a) whether the CLPO and the DPRC processed qualifying complaints in a timely manner; (b) whether the CLPO and the DPRC are obtaining full access to necessary information; (c) whether the CLPO and the DPRC are operating consistent with this order; (d) whether the safeguards established by Section 2 of this order are properly considered in the processes of the CLPO and the DPRC; and (e) whether the elements of the intelligence community have fully complied with determinations made by the CLPO and the DPRC.