Biden Signs Executive Order on US-EU Personal Data Privacy

Executive order requires that US signals intelligence activities be conducted “only in pursuit of defined national security objectives”

US President Joe Biden signed an executive order on Friday designed to protect the privacy of personal data transfers between the EU and the United States and address European concerns about US intelligence collection activities.

The executive order provides a new legal framework for trans-Atlantic data flows that are critical to the digital economy, the White House said.

It will be subject to review and ratification by the European Commission, a process expected to take several months.

“This is a culmination of our joint efforts to restore trust and stability to trans-Atlantic data flows,” Commerce Secretary Gina Raimondo told reporters. 

“It will enable a continued flow of data that underpins more than a trillion dollars in cross-border trade and investment every year.”

US tech giants have faced a barrage of lawsuits from EU privacy activists concerned about the ability of US intelligence services to access the personal data of Europeans.

Europe’s top court has invalidated previous arrangements after hearing complaints that US laws violate the fundamental rights of EU citizens.

The White House said the executive order addresses concerns raised by the Court of Justice of the European Union when it ruled that the previous framework known as Privacy Shield did not provide adequate protection.

Privacy Shield, struck down in July 2020, was the successor to another EU-US deal, Safe Harbor, which was itself torpedoed by a court ruling in 2015.

Businesses have since resorted to legally uncertain workarounds to keep the data flow moving, with hope that the two sides could come up with something stronger in the long term.

US officials acknowledged that the new pact will almost certainly face intense legal scrutiny that began after revelations by Edward Snowden of mass digital spying by US agencies.

– ‘Robust commitments’ –

Raimondo expressed confidence that the new arrangement, which builds upon an agreement in principle announced in March, will pass muster.

“The EU-US data privacy framework includes robust commitments to strengthen the privacy and civil liberties safeguards for signals intelligence which will ensure the privacy of EU personal data,” she said.

The executive order requires that US signals intelligence activities be conducted “only in pursuit of defined national security objectives” and “take into consideration the privacy and civil liberties of all persons” regardless of nationality or country of residence.

It creates an independent court for EU individuals “to seek redress if they believe they are unlawfully targeted by US intelligence activities.”

The redress process includes two layers.

The first involves a “Civil Liberties Protection Officer” (CLPO) in the US Office of the Director of National Intelligence who will investigate complaints to determine whether they involve a violation of US law.

The second involves an independent Data Protection Review Court which will review the CLPO’s decisions.

“Judges on the DPRC will be appointed from outside the US Government… review cases independently, and enjoy protections against removal,” the White House said.

Their decisions will be binding.