The US includes concessions on surveillance in its new transatlantic data flow framework.
The long-awaited executive order on a data privacy framework from President Joe Biden outlined a legal way for American businesses to complete transatlantic data exchanges without worrying about breaking the rigorous regulations of the European Union.
The executive order, which was made public on Friday, is the concrete result of an agreement in principle between the United States and the European Union that was first made public in March. Its goal was to create a practical, legally sound framework that would permit businesses to continue transferring the personal data of EU citizens to, and storing it on, servers located in the United States without running afoul of the General Data Protection Regulation (GDPR).
The executive order said that U.S. intelligence activities would be restricted to the achievement of national security goals and that attention would be given to the civil liberties and privacy rights of all individuals, not just Americans.
The framework reduces the range of data that U.S. intelligence can ask to review to what is necessary and proportional, according to Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals—two limitations that the United States had previously fought to keep out of any framework. She said that the Court of Justice of the European Union (CJEU), which overturned the prior data privacy accord in 2020, had aimed to provide "reasonable" safeguards for the privacy of those living in the Union.
The executive order also established two avenues for appeal in cases where U.S. intelligence is accused of violating data privacy.
Under the first, a civil liberties protection officer (CLPO) in the Office of the Director of National Intelligence reviews any complaints. The U.S. intelligence community would be bound by any decision made by the CLPO.
According to a White House fact sheet, the second tier is a newly created Data Protection Review Court, established under the Office of the U.S. Attorney General, to enable "independent and binding review of the CLPO's decisions." Judges on the new court will be chosen from outside the executive branch of the U.S. government and will have protections against dismissal.
On Friday, Attorney General Merrick Garland officially established the new court.
The Privacy Shield, which U.S. businesses had relied on since 2016 to safeguard the personal data of Europeans when moved across the Atlantic for commercial purposes, was invalidated by the CJEU in July 2020. The same court invalidated Safe Harbor, an earlier arrangement, in 2015.
By addressing issues that the Court of Justice of the European Union raised in invalidating the previous EU-U.S. Privacy Shield framework as a legitimate data transfer mechanism under EU law, the new data privacy framework "will restore an important legal basis for transatlantic data flows," the White House claimed in its fact sheet.
In a Q&A, the European Commission stated that it supported Biden's executive order and described how the framework would resolve the legal concerns that the CJEU had raised in its decision to overturn the Privacy Shield (a ruling referred to as Schrems II).
According to the Q&A, "the objective of the commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the executive order, regarding both the substantive limitation on U.S. national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism."
The American business sector is hopeful that the new framework will deliver on its promises, according to Aaron Simpson, partner at the law firm Hunton Andrews Kurth.
"At this point, while the executive order is certainly a significant development, it doesn’t itself create a path to lawful data exports from Europe. What it does do is create optimism the European Commission will come up with an adequacy decision for data transfers from the EU to the U.S. The hope is certainly an adequacy decision premised on this executive order will provide a more durable, long-term solution for these data flows," he said.
According to Morgan Lewis partner Ezra Church, there are still a number of actions that must be completed by both parties before the framework can be fully implemented, which will not happen until sometime early next year.
"From the EU authorities’ perspective, the devil may be in the details here, since much of the order involves directions to [the Department of Justice], the Office of the Director of National Intelligence, and others within the U.S. government to set up various and multilayered processes to limit surveillance and provide review and redress for the claims of individuals. Those things will take time to implement," Church said.
Not everyone is certain that the new framework will hold up to court review.
Max Schrems, a lawyer and privacy campaigner whose legal battles ultimately resulted in the invalidation of the Privacy Shield and Safe Harbor, is still unconvinced.
Schrems, who serves as honorary chairman of the European Center for Digital Rights, wrote the organization's blog article headed "New U.S. executive order unlikely to satisfy EU law."
The blog post suggested that even with the new framework, U.S. intelligence will probably continue mass monitoring, and the recently established Data Protection Review Court is not a "real" court.