President Biden’s new Executive Order aims to reassure European judges who ruled that a previous agreement violated Europeans’ privacy rights by allowing American intelligence agencies to access their data. It establishes a new regulatory oversight board that will allow Europeans to seek redress for potential violations.
The open question is whether the move will stand up to imminent European legal challenges. Max Schrems, the privacy activist who filed the successful suits against the original transatlantic Privacy Shield, said that he was readying for a new case because Europe is “again turning a blind eye on US law, to allow continued spying on Europeans.” In the past, Schrems has likened any deal that fails to curb US intelligence to putting “lipstick on a pig.”
But the White House is confident its reforms will survive scrutiny. Under the Executive Order, US intelligence faces limitations on its data access. The Privacy and Civil Liberties Oversight Board and officials in the Office of the Director of National Intelligence will review compliance. A Data Protection Review Court will be established to review and rule on complaints submitted by European governments on behalf of individuals who claim their privacy was violated. Independent judges appointed from outside the US government will issue binding decisions.
Although the Executive Order goes into immediate effect in the US, it will be months before the framework is approved in Europe. The European Commission must prepare an assessment for review by the bloc’s data protection authorities and the European Parliament. Both bodies are expected to be critical, though neither enjoys formal power to prevent the Commission from moving ahead. A majority of EU member countries must also sign off on the final text.
Privacy activists are already attacking the US proposal for a Data Protection Review Court. “It is clear that this ‘court’ is simply not a court,” complains Schrems. “Just renaming some complaints body a ‘court’ does not make it an actual court.”
Yet some influential independent lawyers believe the deal could pass judicial muster. Peter Swire, a Georgia Tech professor who is a leading voice on privacy and cybersecurity law, expressed confidence that the new “framework meets both EU and US legal requirements.” In February, he co-wrote a paper outlining a mutually acceptable redress mechanism.
Industry stakeholders are relieved after significant uncertainty over transatlantic data transfers. The Irish Data Protection Commission ruled in July that Meta, the parent company of Facebook, Instagram, and WhatsApp, could not use standard contractual clauses to transfer data. Meta warned that such a decision could force it to stop offering Facebook and Instagram in Europe.
Microsoft, IBM, and the tech trade association CCIA welcomed the new privacy framework. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” said CCIA President Matt Schruers. “Data transfers are at the heart of the transatlantic relationship, fueling the trade that keeps both of our economies running and brings benefits to consumers and businesses of all sizes who need legal clarity on mechanisms to transfer data.”
The White House’s Executive Order opens the door to progress on data flows across the globe. British Digital Secretary Michelle Donelan and US Commerce Secretary Gina Raimondo said in London on October 7 that a new US-UK data flows pact was imminent. The deal will rely on the same oversight mechanisms as with the EU.
The announcement represents a bold political gamble. In the shadow of Russia’s full-scale invasion of Ukraine, President Joseph Biden and European Commission President Ursula von der Leyen overruled their deputies to announce a political agreement on data back in March 2022. The two leaders wanted an agreement in principle, even though the details were not yet worked out.
The new Executive Order fills in these details. While the new framework is a significant change to US data privacy regulations and intelligence practices, the US is far away from passing nationwide data protection legislation similar to Europe’s General Data Protection Regulation. It is now up to Europe to decide whether the new restrictions on US spies will be sufficient to assuage their privacy concerns.
Matthew Eitel is a Program Assistant in CEPA’s Digital Innovation Initiative.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.