White House Updates Data Protection Framework with the EU

President Biden has signed an executive order designed to repair data sharing with the European Union. The arrangement has been in disarray since 2020, when the Court of Justice of the European Union nullified the Privacy Shield, jeopardizing what the White House calls a $7.1 trillion economic relationship, premised on companies doing business on both sides of the pond. Friday’s executive order stipulates new ways for the EU to challenge what it had previously identified as objectionable U.S. government surveillance practices. In March, the U.S. and European Union agreed “in principle” to a revamped framework for data transfers.

According to the executive order, the steps the U.S. is prepared to take to secure a European Union-U.S. Data Privacy Framework (EU-U.S. DPF) include creating an independent and binding mechanism by which individuals and administrative organizations can “seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.”

The U.S. now awaits the European Commission’s evaluation and, it hopes, approval of the DPF measures, a process The Wall Street Journal estimates could take about six months.

“The issue is drawing high-level attention because two previous data agreements were rejected by the EU’s top court, and this new pact is likely to face legal challenges,” WSJ writes. Earlier this year, the Supreme Court made a surveillance ruling some speculated could be an obstacle to finalizing the DPF.

Emphasizing a “rigorous array of privacy and civil liberties safeguards,” the executive order:

  • Requires that U.S. signals intelligence activities “be conducted only in pursuit of defined national security objectives” and “take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence.”
  • Mandates handling requirements for personal information.
  • Requires U.S. Intelligence Community members to update policies and procedures to reflect the DPF.
  • Creates a mechanism for citizens in affected territories to obtain independent and binding review and redress for privacy violations.
  • Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the DPF and to conduct annual reviews.

The DPF is important “because it addresses the conditions and safeguards under which U.S. intelligence authorities will be able to access data transfers from the EU,” an EU official told WSJ, which writes that “the order specifies when intelligence authorities can collect personal data, such as for investigating terrorism and other crimes, and limits how long it can be retained.”

Members of the tech community applauded the White House move, with Meta Platforms president of global affairs Nick Clegg and TechNet president Linda Moore among those publicly approving. But CNBC writes that others say the order doesn’t go far enough.

“BEUC, a European consumer group, said in a release that the framework ‘is likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic,’” writes CNBC, adding that the group says “there are no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement, the EU-U.S. Privacy Shield, fell short of GDPR requirements,” a reference to Europe’s General Data Protection Regulation, enacted in 2018.