President Biden today signed an executive order that outlines the steps the United States will take to uphold its commitments under a new European Union-U.S. Data Privacy Framework that the White House announced alongside the European Commission in March.
The framework strengthens existing privacy and civil liberties safeguards around U.S. intelligence collection activities, requiring such activities to be conducted “only in pursuit of defined national security objectives,” according to a White House fact sheet.
The Executive Order also creates a new redress system for European Union citizens who believe U.S. intelligence collected their personal data in a way that violates U.S. law. Complaints will first be reviewed by the civil liberties protection officer in the Office of the Director of National Intelligence and then by a new Data Protection Review Court that the executive order directs the Attorney General to establish. Judges will “have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal,” according to the fact sheet.
“The EU-U.S. data privacy framework includes robust commitments to strengthen the privacy and civil liberties safeguards for signals intelligence to ensure the privacy of EU personal data,” Secretary of Commerce Gina Raimondo told reporters in a press call.
The executive order comes more than two years after the European Union’s highest court struck down the previous agreement that allowed the transfer of European personal data to the United States, declaring that widespread U.S. surveillance and lack of redress for EU citizens violated the accords. The ruling, known as Schrems II after the activist that brought the case, threw thousands of U.S. businesses that relied on the shield to comply with EU data law and trillions of dollars in cross-border commerce into uncertainty.
Raimondo said the new framework will provide “a durable and reliable legal foundation and certainty for transatlantic data flows” and that the changes “fully address” the Schrems II ruling.
Following the executive order, the Commerce Department will send EU Commissioner for Justice Didier Reynders documents outlining the new safeguards. The European Commission will then decide whether or not to ratify the new agreement.
Whether it will hold up to scrutiny by EU Court of Justice is unclear.
“At first sight it seems that the core issues were not solved and it will be back to the [Court of Justice of the European Union] sooner or later,” said Max Schrems, the activist whose previous cases before the court against Facebook led to the invalidation of the past two data sharing agreements.
American privacy experts said the order highlights the need for additional domestic reforms to protect both American and European citizens.
“The executive order is a step in the right direction, but it does not go far enough,” Ashley Gorski, senior staff attorney at the American Civil Liberties Union’s National Security Project told CyberScoop. “It does not adequately protect the privacy of Americans and Europeans.”
She said that the administration’s proposal for redress fails to meet the European Union’s definition of an independent court since it is still under the executive branch.
“There’s no indication that the U.S. government is narrowing the scope of surveillance in practice, or that it’s meeting the EU requirement to establish criteria for surveillance that can justify the invasion of people’s privacy,” she said.
Other privacy experts also called for more comprehensive reforms.
“The United States must urgently act to reform surveillance, provide privacy and data protection rights in its statutes at the federal level, and give non-US persons a comprehensive right to remedy,” said Willmary Escoto, U.S. Data Protection Lead at digital rights groups Access Now. “The lack of political willingness in the US to protect privacy, in statutes and in practice, is putting people at risk in the US and outside.”
Gorski and other privacy experts say that a truly independent court would require legislative reform, something that Congress has an opportunity to enact as discussions over the renewal of Section 702 of FISA, which allows warrantless surveillance of people inside and outside the U.S., get down to the wire.
In a call with reporters, senior administration officials declined to speculate about any challenges from European privacy advocates to the framework but expressed confidence that the framework, which incorporated guidance from the European Council, will hold up.
The executive order received early praise from tech companies and industry groups.
“Microsoft applauds the European Commission and the U.S. government for achieving this important milestone,” Microsoft’s chief privacy officer Julie Brill wrote in a statement. “We greatly appreciate the enormous effort required for this important step, and we look forward to doing our full part to support these new measures and ensure that the new framework’s fundamental privacy protections are fully realized.”