President Joe Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe, the White House announced Friday.
The new framework fills a significant gap in data protections across the Atlantic since a European court undid a previous version in 2020. The court found the U.S. had too great an ability to surveil European data transferred through the earlier system.
The court case, known as Schrems II, “created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law,” then-Deputy Assistant Commerce Secretary James Sullivan wrote in a public letter shortly after the decision. The outcome made it so U.S. companies would need to use different “EU-approved data transfer mechanisms” on an ad hoc basis, creating more complexity for businesses, Sullivan wrote.
The so-called Privacy Shield 2.0 seeks to address European concerns about possible surveillance by U.S. intelligence agencies. In March, after the U.S. and EU agreed in principle to the new framework, the White House said in a fact sheet that the U.S. “committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.”
The new framework will allow individuals in the EU to seek redress through an independent Data Protection Review Court made up of members outside of the U.S. government. That body “would have full authority to adjudicate claims and direct remedial measures as needed,” according to the March fact sheet.
Before a matter reaches the DPRC, the civil liberties protection officer in the Office of the Director of National Intelligence will conduct an initial investigation of complaints. The officer’s decisions are also binding, subject to the independent body’s assessment.
The executive order directs the U.S. intelligence community to update policies and procedures to fit the new privacy protections in the framework. It also instructs the Privacy and Civil Liberties Oversight Board, an independent agency, to examine those updates and conduct an annual review of whether the intelligence community has fully adhered to binding redress decisions.
“The EU-U.S. Data Privacy Framework includes robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” Commerce Secretary Gina Raimondo told reporters Thursday.
Raimondo said she will transfer a series of documents and letters from relevant U.S. government agencies outlining the operation and enforcement of the framework to her EU counterpart, Commissioner Didier Reynders.
The EU will then conduct an “adequacy determination” of the measures, the White House said. It will assess the sufficiency of the data protection measures in order to restore the data transfer mechanism.
American tech companies and industry groups applauded the measure, with Meta’s president of global affairs, Nick Clegg, writing on Twitter, “We welcome this update to US law which will help to preserve the open internet and keep families, businesses and communities connected, wherever they are in the world.”
Linda Moore, president and CEO of industry group TechNet, said in a statement, “We applaud the Biden Administration for taking affirmative steps to ensure the efficiency and effectiveness of American and European cross-border data flows and will continue to work with the Administration and members of Congress from both parties to pass a federal privacy bill.”
But some consumer and data privacy watchdogs critiqued the extent of the data protections.
BEUC, a European consumer group, said in a release that the framework “is likely still insufficient to protect Europeans’ privacy and personal data when it crosses the Atlantic.” The group added that “there are no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement, the EU-US Privacy Shield, fell short of GDPR requirements,” referring to Europe’s General Data Protection Regulation.
Ashley Gorski, senior staff attorney at the ACLU National Security Project, said in a statement that the order “does not go far enough. It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker.”
— CNBC’s Chelsey Cox contributed to this report.