President Joe Biden signed an executive order Friday designed to allay European concerns that U.S. intelligence agencies are illegally spying on them. It promises strengthened safeguards against data collection abuses and creates a forum for legal challenges.
The order builds on a preliminary agreement Biden announced in March with European Commission President Ursula von der Leyen in a bid to end a yearslong battle over the safety of EU citizens’ data that tech companies store in the U.S. However, the European privacy campaigner who triggered the battle wasn’t satisfied it resolved core issues and warned of more legal wrangling.
The reworked Privacy Shield “includes a robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which should ensure the privacy of EU personal data,” Commerce Secretary Gina Raimondo told reporters.
“It also requires the establishment of a multilayer redress mechanism with independent and binding authority for EU individuals to seek redress if they believe they are unlawfully targeted by U.S. intelligence activities,” she added.
Washington and Brussels have long been at odds over the friction between the European Union’s stringent data privacy rules and the comparatively lax regime in the U.S., which lacks a federal privacy law. That has created uncertainty for tech giants including Google and Facebook’s parent company Meta, raising the prospect that U.S. tech firms might need to keep European data out of the U.S.
Industry groups largely welcomed Biden’s order but European consumer rights and privacy campaigners, including activist Max Schrems whose complaint kicked off the legal battle a decade earlier, were skeptical whether it goes far enough and could end up in the bloc’s top court again.
Friday’s order narrows the scope of intelligence gathering — regardless of a target’s nationality — to “validated intelligence priorities,” fortifies the mandate of the Civil Liberties Protection Officer in the Office of the Director of National Intelligence and directs the attorney general to establish an independent court to review related activities.
Europeans can petition that Data Protection Review Court, which is to be composed of judges appointed from outside the U.S. government.
The next step: Raimondo’s office was to send a series of letters to the 27-member EU that its officials can assess as the basis of a new framework.
The European Union’s executive arm, the European Commission, said the framework has “significant improvements” over the original Privacy Shield and it would now work on adopting a final decision clearing the way for data to flow freely between EU and U.S. companies certified under the framework.
Raimondo said the new commitments would address European Union legal concerns covering personal data transfers to the U.S. as well as corporate contracts. A revived framework “will enable the continued flow of data that underpins more than $1 trillion in cross-border trade and investment every year,” Raimondo said.
Twice, in 2015 and again in 2020, the European Union’s top court struck down data privacy framework agreements between Washington and Brussels. The first legal challenge was filed by Austrian lawyer and privacy activist Schrems, who was concerned about how Facebook handled his data in light of 2013 revelations about U.S. government cyber-snooping from former U.S. National Security Agency contractor Edward Snowden.
European consumer group BEUC said despite the extra safeguards, fundamental differences between American and European privacy and data protection standards are too wide to bridge.
“However much the U.S. authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and U.S. still have a different approach to data protection which cannot be cancelled out by an executive order,” said the group’s deputy director general, Ursula Pachl. “The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”
Schrems said while his Vienna-based group, NOYB, would need time to study the order, his initial reading is that it “seems to fail” on some key requirements, including for surveillance to be necessary and proportionate under the EU’s Charter of Fundamental rights to avoid indiscriminate mass data collection.
While the U.S. included those two words, Schrems said the two sides don’t seem to have agreed they have the same legal meaning.
If it did, “the U,S, would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of ‘proportionate’ surveillance,” Schrems said.