President Biden issued an executive order Friday expanding privacy protections for data transferred between the United States and Europe, a move aimed at addressing long-standing concerns about U.S. surveillance practices that spawned a series of high-profile legal bouts overseas.
U.S. and E.U. officials have sought for years to come to terms on a legal mechanism to replace Privacy Shield, a data pact that allowed businesses to safely transfer data across the Atlantic until European courts struck it down in 2020 over U.S. surveillance concerns. But a deal proved elusive, even as businesses clamored for clarity around the legality of data flows.
U.S. Commerce Secretary Gina Raimondo said the order “fully addressed” the issues raised by the European Union’s top court when it struck down Privacy Shield, featuring “robust commitments to strengthen the privacy and civil liberties safeguards for signals intelligence.”
“This is a culmination of our joint efforts to restore trust and stability to transatlantic data flows and is a testament to the enduring strength of the U.S.-E.U. relationship and our shared values,” Raimondo told reporters on Thursday.
Senior administration officials, who briefed reporters to preview the order on the condition of anonymity, said they used the European Court’s “lengthy” decision and rationale for striking down the prior pact as a road map for the new agreement in a bid to stave off challenges. Top E.U. officials have also expressed confidence in its ability to overcome any legal battles.
The order bars U.S. intelligence agencies from collecting email, text messages and other electronic data transferred across the Atlantic outside of the “pursuit of a defined national security objective” and requires that any collection be “proportionate” and “necessary” to execute a priority objective, according to a fact sheet provided by the White House.
Under the plan, E.U. residents who believe their data was improperly accessed may file complaints for review with a civil liberties officer within the U.S. Office of the Director of National Intelligence, who is authorized to issue a binding decision to remedy the situation. The order also sets up a secondary independent review process through a data protection court within the Justice Department, staffed by nongovernmental appointees, who can also issue binding rulings.
The new data pact will now undergo a ratification process in Europe, which could take months. It’s unclear whether the pact would withstand a likely challenge in European courts.
Max Schrems, an Austrian privacy activist whose legal challenges ushered in the end of Privacy Shield, had said in March that he did not see how the preliminary deal “would remotely pass the test,” citing the lack of congressional surveillance reform and the use of executive action to mitigate concerns.
“The E.U.-U.S. data privacy framework will provide a durable and reliable legal foundation and certainty for transatlantic data flows and create greater economic opportunities for companies and citizens on both sides of the Atlantic,” Raimondo said.