By David Shepardson and Philip Blenkinsop
WASHINGTON/BRUSSELS (Reuters) -U.S. President Joe Biden on Friday signed an executive order to implement a European Union-United States data transfer framework announced in March that adopts new American intelligence gathering privacy safeguards.
The deal seeks to end the limbo in which thousands of companies found themselves after Europe’s top court threw out two previous pacts due to concerns about U.S. surveillance.
U.S. Commerce Secretary Gina Raimondo told reporters the executive order “is the culmination of our joint effort to restore trust and stability to transatlantic data flows” and “will ensure the privacy of EU personal data.”
The framework addresses the concerns of the Court of Justice of the European Union (CJEU), which in July 2020 struck down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.
European Commissioner for Justice Didier Reynders said he was “quite sure” there would be a fresh legal challenge, but he was confident that the pact met the demands of the court.
“We have a real improvement relative to the Privacy Shield…. It’s totally different,” he told Reuters in an interview. “Maybe the third attempt will be the good one.”
The White House said “transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship” and the framework “will restore an important legal basis for transatlantic data flows.”
The U.S. Chamber of Commerce and Microsoft welcomed the executive order, but digital rights activist group Access Now and European consumer organization BEUC said it did not appear that people’s rights were being sufficiently protected.
The White House said Biden’s order bolstered current “privacy and civil liberties safeguards” for U.S. intelligence gathering and created an independent, binding multi-layer redress mechanism for individuals who believe their personal data was illegally collected by U.S. intelligence agencies.
Reynders said it would take about six months to complete a complex approval process, noting the previous system only had redress to an ombudsperson inside the U.S. administration, which the EU court rejected.
Biden’s order adopts new safeguards on the activities of U.S. intelligence gathering, requiring they do only what is necessary and proportionate, and creates a two-step system of redress – first to an intelligence agency watchdog then to a court with independent judges, whose decisions would bind the agencies.
Biden and European Commission President Ursula von der Leyen in March said the provisional agreement offered stronger legal protections and addressed the EU court’s concerns.
Raimondo on Friday will transmit a series of letters to the EU from U.S. agencies “outlining the operation and enforcement of the EU-U.S. data privacy framework” that “will form the basis for the European Commission’s assessment in a new adequacy decision,” she said.
Under the order, the Civil Liberties Protection Officer (CLPO) in the U.S. Office of the Director of National Intelligence will investigate complaints and make decisions.
The U.S. Justice Department is establishing a Data Protection Review Court to independently review CLPO’s decisions. Judges with experience in data privacy and national security will be appointed from outside the U.S. government.
European privacy activists have threatened to challenge the framework if they did not think it adequately protects privacy. Austrian Max Schrems, whose legal challenges have brought down the previous two EU-U.S. data flow systems, said he still needed to analyze the package.
“At first sight it seems that the core issues were not solved and it will be back to the CJEU (EU court) sooner or later,” he said.
(Reporting by David Shepardson; Additional reporting by Philip Blenkinsop, Andrea Shalal and Foo Yun Chee; Editing by Mark Potter and Andrea Ricci)