On Friday, US president Joe Biden signed an executive order that outlines new steps the United States will take to accommodate European Union data protection laws, to re-establish formal arrangements for transatlantic data transfers. But the executive order is unlikely to be enough to secure the new EU-US Digital Privacy Framework (DPF) agreement, which requires sturdier actions down the line.
Transatlantic data transfers “are critical to enabling the $7.1 trillion EU-US economic relationship”, according to the White House’s briefing document. And yet, for years, neither the EU nor the US, or most businesses, for that matter, have chosen to take transatlantic data protection seriously. Instead, most chose to believe weak and faffy forms of self- or semi-regulation would endure.
Then, those assumptions met legal reality. Two previous transatlantic agreements for data transfer – Safe Harbour and the Privacy Shield – were invalidated in succession by the Court of Justice of the European Union (CJEU), as side outcomes (though in fact the most significant ones) of two data privacy and protection cases Austrian lawyer Max Schrems has taken against Facebook in Ireland.
In both cases, the CJEU stated that the way in which US surveillance agencies operate in the US – indiscriminately collecting bulk data, using a secretive court, having few accountability or transparency obligations, and lacking redress mechanisms – was incompatible with the EU’s General Data Protection Regulation (GDPR) and other EU rights, thus failing to adequately protect European data transferred to the US.
Transfers had continued after both Schrems decisions, on the dual hopes that a new agreement might emerge soon-ish and that EU regulators would never actually halt transfers. The Trump administration ignored the festering problem (so much for electing a businessman) and then, in the summer, Facebook’s (now Meta’s) regulator – the Data Protection Commission here – issued a draft decision that said Meta would have to halt transatlantic transfers because its remaining method of doing so, using special contracts, was inadequate.
This, at last, seems to have galvanised the US into attempting to address, via the order, the core problems identified by the CJEU. Biden has offered a long-overdue overhaul of how US surveillance (“signals intelligence”) may be conducted, which benefits both US and EU citizens. Safeguards on how data is collected, used, stored, and deleted have been added, echoing EU requirements for proportionality and necessity in data collection.
Further, new structures are to allow EU citizens “to obtain independent and binding review and redress” on complaints. This includes strengthening the role of the US Civil Liberties Protection Officer by adding greater independence and making that officer’s decisions on complaints binding on intelligence agencies, albeit subject to a second layer of review.
The second layer comprises a new, independent Data Protection Review Court, to which individuals or agencies can appeal. Finally, the order mandates the US Privacy and Civil Liberties Oversight Board to ensure US intelligence agency policies and procedures are in accord with the order, and to conduct an annual review of the redress process.
Reading the full order, it’s obvious that the new policy points and their phrasing are designed to meet concerns outlined by the CJEU repeatedly in the years since its landmark 2014 Digital Rights Ireland decision (in a case brought against the Irish State). This laid the grounds for both Schrems decisions, and other key data protection cases.
And no, the order is not – as some have argued – designed to make EU intelligence agencies more accountable to the US by mentioning that US data must be protected to the standards of US law when transferred to the EU. US data is already protected to a higher standard – the EU’s – when it lands in the EU. The citizenship of the individual does not mean their data is held to lesser (say, ahem, US) protections.
But many holes remain. The EU must approve the order’s proposals, but that seems likely to happen by early next year. A greater threat is that executive orders can be altered or retracted by this or future presidents, so a DPF built on this flimsy foundation remains rickety. And, the new provisions could be found inadequate if – as almost certainly will happen – the DPF is challenged and goes to the CJEU for review.
If so, the CJEU is likely to consider that Americans do not get the additional layers of protection offered to EU citizens through the new oversight and review mechanisms. And the US still does not have a strong federal data protection law, only piecemeal state laws. A two-tiered system in which, inconceivably, US citizens lack data protections the US government nonetheless grants to EU citizens will only continue to raise doubts about overall adequacy.
Still, Biden has taken groundbreaking steps with this executive order. But Congress needs to act to fix intelligence reforms into federal law, and clearly lay out better data protections and rights for Americans. For now, the executive order provides little more than a reprieve for transatlantic data transfers.