Biden Signs Executive Order Authorizing EU-US Transfer Framework

On October 7, 2022, President Joe Biden signed an executive order to secure a data transfer agreement between the European Union (EU) and United States (US).

Many industry experts are hopeful that this Agreement “could be the crucial step necessary” to replace the Privacy Shield agreement that was struck down by the Court of Justice of the European Union in August 2020.

As explained in this previous article, “the decision to invalidate Privacy Shield came from a lawsuit initiated by Austrian lawyer and privacy activist Max Schrems in 2013 (Case C-311/18). In that case, Schrems challenged Facebook Ireland’s reliance on the framework’s Standard Contractual Clauses (SCCs) as a legal justification for transferring personal data to Facebook Inc.’s United States servers. Based on this reliance, the court invalidated the framework, despite upholding the legal validity of SCCs.”

In response, on March 25, 2022, President Biden and EU President Ursula von der Leyen issued a joint statement affirming their intention to advance a Trans-Atlantic Data Privacy Framework, which will “foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020.”

According to the Wall Street Journal, this decision “prompted broad rulings on how companies use technology.” Reportedly, the EU regulators “said companies must stop moving data to the U.S. or using certain American tech providers altogether, citing the lack of protections to prevent potential surveillance.”

According to Mondaq, the new EU-US framework consists of two main objectives, the first being “substantive safeguards for U.S. signals intelligence activities, requiring the necessary and proportionate collection of intelligence.” What does this mean? Surveillance of EU citizens by the U.S. must be conducted with consideration for “the privacy of all persons regardless of nationality or residency,” grounded in national security, and limited only to instances “necessary to advance validated intelligence priorities in a manner that is proportionate to such priorities.” Legitimate objectives of these activities “include protection against espionage, terrorism, foreign military capabilities, cybersecurity threats and other such purposes” as well as those authorized by the President.

Second, if the intelligence activities are beyond these legitimate bases, the executive order establishes a redress mechanism for consumer complaints, intended “to address complaints pertaining to data collection.”

This redress mechanism will be subject to review for compliance with United States laws, and subject to remediation by “both the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence and a new independent Data Protection Review Court, established by the Attorney General.” The decisions of these oversight authorities are subject to challenge before the new Data Protection Review Court established under Biden’s executive order.

Additionally, the executive order requires the “elements of the Intelligence Community”—the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA), the National Reconnaissance Office (NRO), and intelligence elements of the five DoD services: the Army, Navy, Marine Corps, Air Force, and Space Force—to consult with the Privacy and Civil Liberties Oversight Board (PCLOB), and to update their policies and procedures to reflect newly-required safeguards within one year from now. In response to the order, PCLOB stated[1] that it planned to comply.

Importantly, the Executive Order has reportedly provided the European Commission with a basis to adopt a new adequacy decision—which Mondaq predicts “will take around six months and will lead to a final adequacy decision being published in roughly March 2023.” Until then, the Association of the Internet Industry (Eco)—a European trade association—has urged the European data protection authorities to refrain from issuing fines or prohibiting transfers.

The Wall Street Journal states that a draft of the EU-U.S. DPF is expected in the spring of 2023. Upon its release, regulatory and legislative authorities from both sides will scrutinize the agreement. Wojciech Wiewiórowski, the European Data Protection Supervisor, stated that “regulators will focus in part on whether the new data protection court is independent from government influence” and whether the additional oversight requirements to be placed on their agencies are tolerable. Implementation will require the representatives from the 27 EU countries to sign off on the terms.

In response to the release of the executive order, Max Schrems has expressed doubt about the inefficiencies in the program, in contrast with other activists. According to statements by John Miller—Chief Legal Officer at the Information Technology Industry Council, a Washington-based tech lobby group—and Peter Harrell, Senior Director For International Economics and Competitiveness at the National Security Council—companies are poised to benefit immediately from the increased security and support surrounding these trans-Atlantic data flows.


[1] https://documents.pclob.gov/prod/Documents/EventsAndPress/d0c925a9-26e6-47b9-a6c9-0d976c5ad134/Trans-Atlantic%20Data%20Privacy%20Framework%20EO%20press%20release%20(FINAL).pdf
