Biden signs new US-EU privacy framework, setting up surveillance safeguards
President Joe Biden signed an executive order cementing a privacy agreement between the United States and European Union focused on addressing European surveillance concerns and assuring continued flow of commercial data, the White House announced Friday.
A European court ruled in 2020 that the previous agreement, known as Privacy Shield, failed to sufficiently protect Europeans’ privacy rights. The framework for the deal enshrined in the new executive order was announced in March.
“U.S. and EU companies large and small across all sectors of the economy rely upon cross-border data flows to participate in the digital economy and expand economic opportunities,” the administration said in a press statement.
The order outlines additional safeguards for U.S. signals intelligence collection activities and how information gathered through those systems is handled. Among those safeguards is a preference for targeted — rather than bulk — collection. It also limits the use of information gathered through bulk collection to protecting against terrorism, foreign nation espionage, proliferation of weapons of mass destruction, threats against U.S. personnel, and foreign cybersecurity threats.
The order also sets up a new process for people in the European Union to object if they believe their data is being inappropriately spied upon.
The review process involves two steps. The first is an investigation by the Civil Liberties Protection Officer in the Office of the Director of National Intelligence. Depending on the outcome of that inquiry, complainants may apply to be heard by the Data Protection Review Court (DPRC) — a new body with judges to be appointed from outside the U.S. government. Special advocates will be appointed by the DPRC advocate for complainants.
“Decisions of the DPRC regarding whether there was a violation of applicable U.S. law and, if so, what remediation is to be implemented will be binding,“ according to a White House fact sheet.
U.S. intelligence agencies are required to adjust their practices to account for the new safeguards in the order, which also tasks the Privacy and Civil Liberties Oversight Board with reviewing their compliance on an annual basis.
Greg Nojeim, Senior Counsel and Director of Security and Surveillance Project at the Center for Democracy and Technology, said the order’s safeguards are a step in the right direction.
However, “questions remain about the breadth of permissible surveillance” and if the DPRC can provide a functional forum for review and redress of surveillance claims.
“It remains uncertain whether EU authorities – and ultimately the EU Court of Justice – will deem these steps sufficient to satisfy the legal requirements for a new adequacy decision to support transatlantic data flows,” he said.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.