Online Briefing with Peter Harrell, Senior Director for International Economics and Competitiveness, Ruth Berry, Acting Deputy Assistant Secretary for International Information and Communications Policy, and Peter A. Winn, Acting Chief Privacy and Civil Liberties Officer

U.S. DEPARTMENT OF STATE

For Immediate Release October 7, 2022

The Brussels Hub

MODERATOR: Thank you for joining us for today’s virtual press briefing. Today we’re very honored to be joined by Peter Harrell, the Senior Director for International Economics and Competitiveness at the National Security Council, and Ruth Berry, the Acting Deputy Assistant Secretary for International Information and Communications Policy in the newly established Bureau of Cyberspace and Digital Policy at the State Department.

I just want to remind folks that this call is on the record and that this call is also embargoed until 10 o’clock Washington time, 1600 Brussels time.

With that, let’s get started. Senior Director Harrell and Acting Deputy Assistant Secretary Berry, thank you so much for joining us today. I’ll turn it over to you for opening remarks.

MR. HARRELL: Thank you, John, and thanks to the Brussels Hub for setting this up, and thanks to all of you in the press for joining this morning as we talk about an important set of steps President Biden is taking today to implement U.S. commitments under the deal that he and President von der Leyen announced back in March to have a new EU-U.S. Data Privacy Framework that is a successor to the Privacy Shield data transfer agreement that the European Court of Justice struck down in 2020.

I know many of you covered the announcement of the deal in principle back in March, and over the last six months, we here in Washington have been working diligently to implement our commitments under this deal, which broadly are going to fall into two major categories.

First, the President is issuing an executive order later on this morning that will provide new direction to U.S. intelligence collection activities to ensure that U.S. intelligence collection activities are in support of defined intelligence objectives and are tailored to support those objectives, addressing the concerns in the Schrems II court regarding the need to have assurances

that intelligence-collection activities be in support of defined objectives and tailored to those objectives.

And then secondly, pursuant to presidential direction, Attorney General Merrick Garland will be signing regulations establishing a new Data Protection Review Court at the Department of Justice. This Data Protection Review Court is part of a multilayer redress mechanism so that if citizens in Europe or other qualifying countries believe they have been unlawfully surveilled, surveilled outside the bounds of the executive order, they will have a effective redress mechanism to come in, hear their case, determine if there was any improper surveillance, and provide a full remedy if there was determined to be any improper surveillance.

We think that the steps we are unveiling today to implement the deal in principle that was announced in March will fully address the concerns of the Schrems – of the ECJ in the Schrems II decision, and we believe really represent a fundamentally different approach to the issues raised in the Schrems II decision – for example, on redress, where it is just a fundamentally different approach from the redress mechanism taken under the Privacy Shield framework. And we are pleased that the announcement today will allow the European Commission to move forward with a – in the coming months with an adequacy decision that will restore legal certainty to transatlantic data flows that underpin trillions of dollars in commerce between the United States and the European Union.

So I think this is a huge and important issue for the transatlantic relationship, both at a government-to-government level, also very much at a level of benefiting businesses on both sides and citizens on both sides of the Atlantic.

And with that, let me turn it over to my colleague at the State Department, Ruth Berry.

A/DAS BERRY: Thank you, Peter. I’ll just reiterate that this is a very positive step forward to be in a position to implement this deal in principle between the U.S. and the European Union, and really to restore that legal certainty necessary for businesses on both sides of the Atlantic to be able to grow and operate. And so I think we really look forward to working with the commission over the coming months as well as stakeholders across the European Union, including member states and DPAs, to help explain this new deal and this executive order and the steps that we’re taking. So looking forward to restore transatlantic data flows. Thanks.

MODERATOR: Thank you both. We will now turn to the Q&A portion of today’s briefing. We do have a question right off the top from Vincent Manancourt from Politico. Vincent, would you like to ask your question?

QUESTION: Can you hear me?

MODERATOR: Yes, we can hear you.

QUESTION: Okay. Yes, so I sent in a written question but I can also say it out loud. So I want to know if the executive order introduces a reciprocal assessment. So, like, would the U.S. need to assess the EU too? Secondly, what powers does the U.S. have, if any, if it’s not satisfied with the EU safeguards presented? And thirdly, will the U.S. demand that the EU present country-by-country safeguards or a kind of pan-EU list of safeguards? I ask this question because national security is a national, non-EU competence. Thank you.

MR. HARRELL: So, Vincent, thank you very much for the question. I think as you’ll see in the executive order when it’s published in about an hour, hopefully in about an hour and a half, in order for European Union citizens to have access to the two-level redress mechanism established by the EU – and I talked a bit about the Data Protection Review Court as part of a multilevel review mechanism, but it is actually two levels. There’s a first level of review at the Office of the Director of National Intelligence, where the CLPO, the civil liberties and privacy officer, will conduct an initial review and that can then be reviewed by the DPRC. In order to have access to that two-level redress mechanism, the Attorney General will need to designate the EU as a qualifying state or regional economic integration organization.

So the EU will have to be designated to qualify for the protections of this – in order for citizens to have access to this redress mechanism, and we think that’ll happen. We think the Attorney General will be making these designations in the coming period of time.

The decision to designate the EU will involve an assessment by the Attorney General as to whether the laws of the EU and/or those of EU member states each on matters within their areas of competence have appropriate safeguards relating to their signals intelligence for U.S. persons’ personal information that’s transferred from the United States to the EU. So yeah, we will be doing an evaluation of this for – as the Attorney General makes this designation.

MODERATOR: Thank you for that. For our next question we’ll go to Alex Raufoglu. Alex, please. Alex, are you there?

QUESTION: Yes. Can you hear me?

MODERATOR: Yes, we hear you now. Thank you.

QUESTION: Okay. Good afternoon, good morning. Thank you so much for doing this. Could you just speak to a little bit about how the executive order would seek to remedy concerns about the privacy and security practices of U.S. Government agencies handling Europeans’ data? And also, I can’t help but ask about timing of this. I know it was expected sometime late last month, but we’re also ahead of the election in the U.S. coming up. Is there any relation between the upcoming election and the timing of this order? Thank you so much.

MR. HARRELL: No, no, look. On timing what I would just say is obviously when we announced this deal in principle back in March, it was an extraordinarily complex agreement that is requiring us to do on our side here in the U.S. a ton of work not just to write the executive order – I mean, writing an executive order is complex enough – but also to sort of make sure that the executive order and the intelligence – or to make sure that the intelligence agencies are actually going out and implementing and figuring out how to implement all of the parameters of the executive order. So when you’re doing something like this which has impacts on the operations of the intelligence agencies, obviously that takes some time. Plus, of course, actually getting all the regulations right to set up this new Data Protection Review Court, which will have – has protections for the judges so that they can’t be fired except for cause, that has a special advocate to make sure that the – has an advocate that’ll have access to some of the underlying facts of the case to advocate – to participate in the proceedings. Obviously, setting all of this up takes some period of time and is – and is a complex undertaking on our side.

So I think that maybe back in March, I think some of us probably had thought that maybe we’d be able to get this done a little bit quicker, but I think the only thing that has influenced our timing has been the need to work through really carefully and in a great deal of detail all of the new – all of the direction on changes to intelligence-collection activities and then make sure we really are setting up the kind of extremely robust redress mechanism that we committed to back in – back in March. That’s really the only – the only thing that affects – affected the timing.

I think on your question about – on your question about some of the changes, I mean, you’ll see some of that a little bit later on – you’ll see some of that a little bit later on this morning, but I think when you see the text of the EO with respect to intelligence collection, I think – what I think you’ll see generally speaking is that the President is directing the intelligence agencies to make sure that they are collecting only in support of kind of needed, identified, and defined intelligence-collection priorities, things like terrorism, the reasons we collect intelligence; and that then those agencies are – the actual activities are tailored in support of those activities. There are also record-keeping requirements and things like that. So I think what you’ll see is a really robust set of protections here being directed by the executive order.

MODERATOR: Thank you for that, sir. I’m going to go to a question that was just submitted by Catherine Stupp. She asks, “Do you expect the executive order to address concerns that have been raised by European courts and DPAs about the U.S. CLOUD Act as a potential risk to European data?”

MR. HARRELL: Sorry, I just – sorry, I was just on – I realized I had put myself on mute when you were speaking, John. Look, generally speaking, this executive order is responsive to the ECJ’s Schrems II decision and in order to ensure that we can have a new adequacy agreement between the U.S. and the European – and the European Union. We obviously have a wide range of discussions with Europeans on other data issues and other tech regulation data – tech regulation issues. But this executive order really is responsive to the Schrems II decision.

I don’t know, Ruth, if you have anything you want to add about some of our broader data discussions with Europe.

A/DAS BERRY: I think if it’s okay, maybe I’ll see if the Department of Justice wants to take the question about – specifically about the CLOUD Act.

MR. WINN: Sure, Ruth. This is Peter Winn. I’m the Acting Chief Privacy and Civil Liberties Officer at the Justice Department. And the executive order that we’re talking about today deals with signals intelligence, which is a national security activity. The CLOUD Act questions you’re raising deal with criminal justice. And we are in a lot of different discussions with our European partners as well as with the commission in an attempt to try to address those issues as well. And I would highlight the work that we’ve been doing cooperatively, very – partner – close working relationship we have with our European colleagues, not only at the commission but also at the member states in the OECD trusted government access to data process.

And so it’s hoped that the work we’re doing will be – will address – eventually we’re going to have to address all these different issues that are coming up, and the ones you’re raising aren’t being addressed specifically by this process. But the cooperative way in which we’ve addressed this and worked through this, I think, is going to be a model for how we’re going to be addressing some of the other issues as well.

MODERATOR: Thank you, sir. Vincent, can I ask, is your hand up again or do you have another question?

QUESTION: I just – sorry, I just had a follow-up question. Can you hear me?

MODERATOR: Yes, we can hear you.

QUESTION: Okay. So on Peter’s remarks on the Attorney General having to designate the laws of the EU as qualifying, so it’s safeguards relating to signals intelligence for U.S. persons on personal data that gets transferred from the U.S. to the EU; is that correct?

MR. HARRELL: Look, I think you’ll see the details when the executive order comes out, but I think broadly, we are looking – the Attorney General will be evaluating sort of whether there are appropriate safeguards on jurisdictions that will qualify for the U.S. – for jurisdictions that will qualify for the U.S. redress mechanism. I think the Attorney General will be looking at are there safeguards for collection by those jurisdictions on U.S. citizens, also looking at issues like whether the determination is – the determination to have the jurisdiction qualify here is in the national security interest of the United States and that kind of thing. It’s a couple of factors that the Attorney General will be looking at.

QUESTION: Just one last thing. I’m not aware – what are the conditions of this call? I think I missed that. Is it on the record, embargoed?

MODERATOR: Call is on the record, embargoed until 1600 Brussels time.

QUESTION: Okay, got it. Thanks.

MODERATOR: Can I ask the group if there are any other questions from those dialing in or anyone else? It does not appear that – Alex, do you have a follow-up question?

QUESTION: Yes. Thanks, John. Just very quickly, if I may. The potential implications of this to the U.S. advertisers and publishers whose business rely on the use of European consumer data, could you speak to that if possible? Thanks so much.

MR. HARRELL: Well, look. I think what I would say is certainly our – I think on both sides, both the European Commission and on the U.S. side, the goal with this agreement is to help restore certainty to transatlantic data flows which benefit companies of all kinds. I mean, if you look at the companies that were participating in the prior Privacy Shield agreement, it was like four or five thousand of them. Most of them were names that you and I had never heard of. They’re sort of small- and medium-sized businesses in the healthcare space or whatever that have a couple of – have some customers in Europe, but don’t even necessarily have a large presence in Europe. And we’re trying to restore some legal certainty for companies like that that can – that can – so they can operate across the Atlantic and that the companies can use data to underpin transatlantic commerce of all kinds.

This is an agreement, yeah, to address the issues raised in the Schrems II decision, which were about U.S. signals intelligence-collection activities and about redress mechanisms. This agreement does not directly deal with issues of sort of commercial – sort of commercial data – commercial data, sort of commercial privacy, the privacy – the privacy protections of individual – of individual firms.

MODERATOR: Thank you, sir, for that. And I’m afraid that’s all the time we have. Thank you for the questions, and to our speakers, thank you also for joining us. Shortly we will send an audio recording of the briefing to all the participating journalists and provide a transcript as soon as possible. We’d love to hear your feedback. You can contact us anytime at TheBrusselsHub, one word, @state.gov. Thanks again for your participation and we hope you can join us for another press briefing soon. This is the end of this press briefing.