President Biden signs executive order aimed at legal reboot of EU-US data flows

U.S. president Joe Biden has signed an executive order attached to reupping a flagship data transfer agreement with the European Union — with the goal of making life easier for businesses that need to export EU user-data to the U.S. for processing.

The White House announced the development in a statement today — saying that the “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” would “direct the steps” that the U.S. will take to implement its commitments under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), as the new arrangement is being called.

The new framework is intended to replace the defunct EU-U.S. Privacy Shield (which was invalidated by the bloc’s top court back in July 2020); and its much longer-lived predecessor, Safe Harbor (struck down by the CJEU in October 2015, following the 2013 disclosures of U.S. government surveillance programs by NSA whistleblower, Edward Snowden).

So this is yet another (third time lucky?) attempt to bridge the gap between two very different legal frameworks in order to ensure that EU users’ personal data can keep flowing over the pond.

Thousands of businesses, large and small, had relied upon earlier EU-U.S. data transfer deals to authorize their data exports — greasing the pipes of what the White House refers to as a $7.1TR EU-U.S. “economic relationship”.

But for the last two years there’s essentially been no risk-free legal route. And there still isn’t.

Although the EU responded to Biden signing the EO by saying it will now move to draft an adequacy decision and initiate the adoption process.

‘Safeguards for signals intelligence’

The White House press release said president Biden’s executive order beefs up safeguards around U.S. “signals intelligence” (aka digital surveillance conducted by spy agencies) by “requiring that such activities be conducted only in pursuit of defined national security objectives”; by “tak[ing] into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and by being “conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”.

The EO also mandates “handling requirements” for personal data picked up via signals intelligence and beefs up enforcement around non-compliance. Elements of the US Intelligence Community will also be required to update their policies and procedures to reflect the “new privacy and civil liberties safeguards contained in the E.O.”, per the press release.

Another change is the creation of “a multi-layer” redress mechanism for EU individuals in the EU to obtain “independent and binding review and redress” on claims that their personal data was gathered in violation of applicable U.S. law.

This consists of — in the first layer — a Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence who will conduct a preliminary investigation “of qualifying complaints received ” to decide whether there has been a violation and, if so, determine appropriate next steps.

“The E.O. builds up the existing statutory CLPO functions by establishing that the CLPO’s decision will be binding on the Intelligence Community, subject to the second layer of review, and provides protections to ensure the independence of the CLPO’s investigations and determinations,” the White House writes.

The second layer entails the EO authorizing and directing the Attorney General to establish a Data Protection Review Court (DPRC) to “provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the Intelligence Community”.

Much will hinge on whether this body will be properly judged ‘court enough’ — under EU law — and therefore competent to uphold and defend EU citizens’ rights or not.

“Judges on the DPRC will be appointed from outside the US Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal,” the White House writes. “Decisions of the DPRC regarding whether there was a violation of applicable US law and, if so, what remediation is to be implemented will be binding.

“To further enhance the DPRC’s review, the EO.provides for the DPRC to select a special advocate in each case who will advocate regarding the complainant’s interest in the matter and ensure that the DPRC is well-informed of the issues and the law with regard to the matter. The Attorney General today issued accompanying regulations on the establishment of the DPRC.”

The EO also calls on the (existing) U.S. Privacy and Civil Liberties Oversight Board to review the polices and procedures of U.S. spy agencies to ensure consistency with what the order calls for; and conduct an annual review of the redress process, including to check whether intelligence agencies have fully complied with determinations made by the CLPO and the DPRC.

“These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law. It will also provide greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States,” the White House suggests.

Responding to the EO being signed, the Commission said it contains “significant improvements” vs Privacy Shield’s mechanisms.

“At that time, individuals could turn to an Ombudsperson, which was part of the US State Department and did not have similar investigatory or binding decision-making powers,” it noted in a press release.

“The objective of the Commission in these negotiations has been to address the concerns raised by the Court of Justice of the EU in the Schrems II judgment and provide a durable and reliable legal basis for transatlantic data flows. This is reflected in the safeguards included in the Executive Order, regarding both the substantive limitation on US national security authorities’ access to data (necessity and proportionality) and the establishment of the new redress mechanism,” it added.

Political agreement on a new EU-U.S. data transfers deal was announced with much high level fanfare, back in March.

EU commissioners had initially suggested the process might be finalized by the end of this year. However things appears to have moved at a  slower pace than originally anticipated — so it now looks unlikely that all the necessary steps will be completed in time for the framework to be adopted before 2023.

EU review before adoption

With Biden’s ink dry on the EO, the baton now passes back to the EU to consider whether the framework passes muster.

A number of EU institutions will be involved in reviewing the framework, including the European Data Protection Board and representatives of Member States (and the European Parliament), although the final decision is the Commission’s alone.

And the EU’s executive can — and often does — override concerns raised during the review process (hence two strikedowns already despite plenty of objections raised to Privacy Shield prior to its adoption, in the most recent example… ).

The EU’s executive and the U.S. administration will both be keen for the new framework to stick and — ideally — prove robust enough to see off any legal challenges. But even if it only sticks in the short term (a few years) the prevailing view may be that is ‘fix’ enough — as it allows for ‘business as usual’ for cross-border data flows, getting both sides out of an immediate bind on the legality of trade-related data flows.

Tech giants, including Facebook and Google, will also be crossing their pinkies that the DPF sticks — and quickly — as both have been facing disruption to their businesses and ability to serve customers in the region.

Facebook narrowly avoided a looming shutdown of its EU-U.S. data flows this summer — after objections were raised to a draft regulatory decision ordering them to be suspended, adding months more to the process (and potentially enough time for it to avoid a shutdown altogether if the EU adopts the DPF). So it’s now a race to see what lands first: The DPF or an order to Facebook to shut off EU-to-U.S. data flows.

Google has also faced disruption to its customers, following scores of complaints targeting users of Google Analytics which led, in recent months, to a number of EU DPAs to warn against use of the tool in its standard configuration — saying such use breaches the EU’s General Data Protection Regulation and supplementary measures would need to be applied to raise the standard of data protection to the required level.

Thousands of smaller businesses also need legal certainty around their cross-border data flows, of course. And tech industry associations of all stripes were quick to welcome the signing of the EO — and urge EU adoption swiftly.

A statement by one industry group — calling itself the Reform Government Surveillance coalition (whose members include Amazon, Apple, Dropbox, Evernote, Google, Meta, Microsoft, Snap Inc., Twitter, Yahoo (TC’s parent), and Zoom) — welcomed the signing of the EO and what they dubbed its “robust new privacy protections”. However despite sporting a name with such a reforming-zeal vibe to it, the industry lobby group did not call for more root-and-branch changes to U.S. surveillance practices — instead offering the flattering line that: “We recognize and appreciate the effort of the US Government in finalizing its implementation of the Framework.”  

Other responses to the EO’s signing were less fulsomely welcoming.

BEUC, the European Consumer Organization, warned in a statement that there are still “fundamental differences in the level of privacy and data protection in the US and the EU which remain too large to make up for, despite the additional safeguards the US side is proposing to build in” — and urged data protection authorities to “scrutinise any new data transfer agreement with rigour”. “Nobody wants more legal uncertainty,” it added. “We need a long-lasting solution to make sure consumers can trust that their data is safe wherever it goes.”

While Max Schrems, the lawyer and European privacy campaigner whose earlier legal challenges brought down Privacy Shield and Safe Harbor, warned that the agreement looks like a fudge — suggesting, for example, that both sides have agreed to use some of the same words but have not agreed on what the terms mean, and arguing it would therefore likely come unstuck under legal scrutiny.

“The EU and the US now agree on use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the CJEU’s definition will prevail — likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans,” he said in a reaction statement, adding: “We will analyze this package in detail, which will take a couple of days. At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.”

Schrems also pointed to the redress body the EO establishes not being a real court — which he said could also be a problem.

“We have to study the proposal in detail but at first glance, it is clear that this ‘court’ is simply not a court. The Charter has a clear requirement for ‘judicial redress’ — just renaming some complaints body a ‘court’ does not make it an actual court,” he said. “The details of the procedure will also be relevant to see if this can satisfy EU law.”

“It is amazing that the EU and the US actually agree that wiretapping needs probable cause and judicial approval. However, the US takes the view that foreigners don’t have privacy rights,” Schrems added. “I doubt that the US has a future as the cloud provider of the world, if non-US persons have no rights under their laws. It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are ‘second class’ citizens and don’t deserve the same privacy rights as US citizens.”

When/if the DPF is adopted by the Commission — most likely next year — legal challenges remain highly likely since the fundamental clash between U.S. national-security-focused surveillance law and EU fundamental privacy rights still hasn’t gone anywhere.

Legal experts will certainly be poring over the EO in detail once they get their hands on the text.

“From the FactSheet: It is a solid improvement compared to 2016. But I want to also see the EO [text],” Dr. Gabriela Zanfir-Fortuna, VP for global privacy at the Washington-based thinktank, the Future of Privacy Forum, told TechCrunch — offering a snap first response.

She also pointed to a line in the White House release — in which the U.S. talks about “qualifying states” which it says will be “designated under the EO”, meaning that the US will itself decide — positing that it might be “looking at some form of reciprocity of sorts” in the national security area.

Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, also told TechCrunch: “We’re getting closer to European standards than under previous frameworks, although concerns remain about the long-term viability of an Executive Order. The proportionality and retention requirements look tighter and the older redress mechanism is improved. But it is enough? No one knows right now.”

Should a fresh cycle of data transfer litigation kick off, it will of course keep European privacy campaigners and data protection lawyers busy for years to come.

They remain busy enough now, though, as the question of where (and how) EU users’ data is stored remains a worry for businesses exporting it to third countries like the U.S. that lack EU adequacy — with a real prospect of regulatory enforcement in the meanwhile.

Further rounds of regulatory whack-a-mole would also be inevitable if this ‘third time lucky’ framework topples, restarting the data transfer complaint cycle once again. So we can all probably expect to be back in a fresh legal limbo soon enough.

This report was updated with additional comment.