Lexicon > Executive Order 12333
IT Glossary
Executive Order 12333 (or E.O. 12333) is an executive order of the President of the United States defining the purposes, roles, and responsibilities of the United States intelligence agencies.
Gradually strengthened since its entry into force in 1981, thus granting new powers and competences to intelligence agencies such as the National Security Agency, Executive Order 12333 and the Foreign Intelligence Surveillance Act (FISA 702) are at the origin of the invalidation of the Privacy Shield by the Court of Justice of the European Union in 2020.
In particular, Executive Order 12333 allows U.S. intelligence agencies to collect and analyze all data, including personal data, in transit to the U.S., including from undersea cables that allow the transfer of information between Europe and the U.S., for national security purposes.
The use of this information by intelligence agencies, however, is not subject to judicial oversight and is not subject to judicial review by the individuals whose data is intercepted.
In order to limit the risks of interception and use of information in transit to the United States, under Executive Order 12333, it is recommended that technical security measures be implemented to enable end-to-end encryption of transferred data and thus ensure the confidentiality of information.
In any case, Executive Order 12333 is not compatible with European Union law, and in particular with the GDPR because it does not meet the minimum requirements attached to the principle of proportionality, but also with the Charter of Fundamental Rights of the European Union, which enshrines the right to an effective remedy and access to an impartial tribunal.
Point of legislation
“U.S. intelligence agencies will provide the President, the National Security Council, and the Homeland Security Council with the necessary information on which to base decisions regarding the development and implementation of foreign security, defense, and economic policies and the protection of U.S. national interests from foreign threats. All departments and agencies must cooperate fully to achieve this goal.”
Section 1.1 of Executive Order 12333
Point of jurisprudence
The Court of Justice of the European Union(CJEU) has noted that“With respect to E.O. 12333, the referring court finds that it allows the NSA to access data ‘in transit’ to the United States, by accessing undersea cables laid on the floor of the Atlantic, and to collect and retain that data before it arrives in the United States and is subject to the provisions of FISA there. It clarifies that activities based on E.O. 12333 are not regulated by law. (…)
Moreover, according to this court’s findings, NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not subject to judicial review. (…)
However, this possibility, which allows, in the context of surveillance programs based on E.O. 12333, access to data in transit to the United States without this access being subject to any judicial oversight, does not, in any case, provide a sufficiently clear and precise framework for the scope of such bulk collection of personal data.”
Court of Justice of the European Union, July 16, 2020, N° C-311/18
The Bouchara Law firm assists you in particular in :
- Making your organization GDPRcompliant;
- The drafting of data protection policies (privacy policy, computer charter …);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.
