Protect Privacy. That’s an Order.

Commerce Secretary Gina Raimondo and European Justice Commissioner Didier Reynders announced recently that the U.S. government and the European Commission “have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework.” In July 2020, the Court of Justice of the European Union (CJEU) issued an order in the Schrems II case that invalidated the arrangement known as Privacy Shield, under which companies were able to transfer personal data from the EU to the U.S. The CJEU took issue with how the U.S. legal framework authorizes intelligence agencies to collect information from companies, finding certain privacy protections to be inadequate because, according to the CJEU, they do not sufficiently embody the principles of necessity, proportionality and redress as those concepts are understood in EU law.

The Schrems II decision left companies scrambling to create additional safeguards so that they can continue the cross-border data transfers that have become an integral part of the digital economy. Their options are limited, however, because it is ultimately up to the government to address the privacy concerns raised by the CJEU over intelligence agencies’ access to data in the interests of national security. There is no grace period for the CJEU’s findings, so prompt action is needed.

Fortunately, the Biden administration is well positioned to take such action. Government officials have been working hard to develop enhanced privacy safeguards that would address the issues raised by the Schrems II ruling. There is keen interest in the content of those safeguards, but a different question is also important. What legal instrument will be used to embody the enhanced protections?

The Executive Order

In the U.S. legal framework, there is ample precedent for using an executive order or presidential directive to limit intelligence activities and establish safeguards to protect privacy and civil liberties. There is no better example of this than Executive Order 12333, which turns 40 this year. President Reagan issued this order in December 1981, and it has become a foundational legal document for U.S. intelligence agencies (the Privacy and Civil Liberties Oversight Board issued a report on April 2 describing its years-long review of the order). The executive order organizes and directs the intelligence activities of the U.S. government in securing the nation from foreign threats. In public discussion, Executive Order 12333 is sometimes inaccurately characterized as a permissive document, one that enables intelligence agencies to act without constraint. To the contrary, the order lays out important boundaries for intelligence agencies, commanding them to take action consistent with applicable law, and imposing restrictions to protect civil liberties and privacy.

Congress has long recognized the order’s validity. For example, in the provision of the Foreign Intelligence Surveillance Act that authorizes and circumscribes access to business records, the statute requires that records can be sought only for an “investigation conducted under guidelines approved by the Attorney General under Executive Order 12333.” And the courts, when considering overseas intelligence collection, have acknowledged the order’s key role in establishing procedures governing intelligence activities. For example, in ruling on an overseas surveillance issue, a district court stated: “[T]he Court does not take issue with the policies and procedures developed by the Executive Branch for foreign intelligence collection abroad. These are outlined in Executive Order 12,333.”

The Force of Law

Executive orders have the full force and effect of law and are binding on executive branch agencies if they are properly issued under the president’s constitutional and statutory authorities. Compliance is mandatory, not discretionary. This applies equally to presidential directives, for it is the substance of presidential action, not the form, that counts. Thus, when President Obama issued Presidential Policy Directive 28 (PPD-28) in January 2014 to articulate that key privacy protections in signals intelligence activities apply to people regardless of nationality, he issued a legally binding order to intelligence agencies.

The U.S. legal framework places enormous responsibility for national security in the hands of the president and the intelligence and defense agencies that the president commands. The framework is designed to give the president the flexibility needed to respond quickly to world events and to act decisively to counter foreign threats. That discretion is by no means unlimited and is circumscribed not only by the Constitution but also by the powers of Congress, the co-equal branch. Congress has embraced the president’s reliance on orders such as Executive Order 12333 to impose safeguards and limits on intelligence activities. In that case, as Justice Robert H. Jackson said in his famous concurring opinion in Youngstown Sheet & Tube Co. v. Sawyer, “When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate.”

Continuity

What one president issues, another president can take away. It is by now a familiar ritual for the incoming president to rescind a slew of executive orders issued by his predecessor. This is to be expected. A new president will likely have different policy positions and will look to revoke orders that contradict that agenda. Regrettably, this ritual gives all such orders an air of impermanence.

In the national security arena, however, this is misleading; executive orders and presidential directives are built to last. They are a firmly established method by which the president organizes and directs federal agencies to protect the nation’s security, in furtherance of presidential responsibilities and authorities under the Constitution, and of duties delegated to the executive by Congress. Intelligence officers are trained on the rules they establish; compliance offices and inspectors general review their implementation; and potential violations are documented, reported and remedied. Executive orders and the procedures they establish are taught in law schools alongside constitutional principles, statutes, and court decisions, as an integral part of the national security legal framework.

The Biden administration is the sixth to take office since the Reagan administration and the sixth to leave Executive Order 12333 fully in effect. Indeed, as evidence of its foundational nature, the order looks very much the same as it did in 1981—apart from some minor adjustments and one major update when President George W. Bush amended the order in 2008 to reflect post-9/11 organizational changes in the intelligence community. It is further testament to the vital role such orders and directives play in the nation’s security that, notwithstanding President Trump’s much-discussed issues with the intelligence community, he left PPD-28 intact during his time in office.

An Order for the Digital Age

Which brings us back to the joint announcement that the U.S. and the EU are intensifying negotiations over how to respond to the CJEU’s order in Schrems II. President Biden already has the authority he needs within the existing national security legal framework to take prompt and decisive action in response to the concerns raised by Schrems II. The answer may lie in an order that will have the full force and effect of law, and that is consistent with long-standing precedent.

Will such an order be enough to solve the current crisis? That depends on whether the order’s measures will go far enough to satisfy EU legal requirements, particularly with respect to redress. Although the president enjoys significant discretion in national security matters, there are limits on what such an order can accomplish on its own.

There is reason, however, to be optimistic. While the United States’s national security legal framework has certain distinct features, it shares a great deal in common with the legal frameworks of the nation’s European allies. One such feature is the diversity of legal instruments involved. The European Union Fundamental Rights Agency conducted an authoritative survey of intelligence oversight within EU member states and found that in some member states, “complex frameworks made up of several laws and ordinances regulate specific aspects of [intelligence] services’ mandate, organisation, competences or means.”

The U.S. legal framework is nothing if not complex, yet underneath the complexity of that framework and those of the United States’s European partners is a shared commitment to conducting intelligence to pursue legitimate aims in a democratic society, under the rule of law, while respecting fundamental rights and freedoms. The Biden administration has the opportunity to make that even more clear by highlighting and crystallizing key privacy safeguards in an executive order for this digital, globally interconnected age.