President Joe Biden signed an executive order to implement a new framework for protecting the privacy of personal data shared between the United States and Europe, the White House announced Friday.
The new framework fills a significant gap in data protection across the Atlantic since a European court struck down a previous version in 2020. The court found that the US had too much capacity to monitor European data transferred via the previous system.
The court case, known as Schrems II, “has created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner that complies with EU law. EU,” wrote James Sullivan, then Deputy Assistant Secretary of Commerce. public letter shortly after the decision. The result meant US companies would have to use different “EU-approved data transfer mechanisms” on an ad hoc basis, creating more complexity for businesses, Sullivan wrote.
The so-called Privacy Shield 2.0 aims to address European concerns about possible surveillance by US intelligence agencies. In March, after the US and EU agreed in principle to the new framework, the White House said in a fact sheet that the United States “is committed to implementing further safeguards to ensure that signals intelligence activities are necessary and proportionate to the pursuit of defined national security objectives”.
The new framework will allow EU citizens to seek redress through an independent Data Protection Review Tribunal made up of members from outside the US government. This body “would have full authority to adjudicate complaints and order necessary corrective action”, according to the March fact sheet.
Before a case reaches the DPRC, the Civil Liberties Officer in the Office of the Director of National Intelligence will also conduct an initial investigation of complaints. Its decisions are also binding, subject to the assessment of the independent body.
The executive order directs the U.S. intelligence community to update policies and procedures to accommodate new privacy protections in the framework. It also directs the Privacy and Civil Liberties Oversight Council, an independent agency, to review these updates and conduct an annual review to determine whether the intelligence community has fully embraced the binding appeals rulings.
“The EU-US data privacy framework includes a firm commitment to strengthen privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” the EU said on Thursday. urge Commerce Secretary Gina Raimondo.
Raimondo said she would transfer a series of documents and letters from relevant US government agencies outlining the operation and application of the framework to her European counterpart, Commissioner Didier Reynders.
The EU will then make an “adequacy determination” of the measures, the White House said. It will assess the sufficiency of data protection measures to restore the data transfer mechanism.
U.S. tech companies and industry groups applauded the measure, with MetaPresident of Global Affairs Nick Clegg wrote on Twitter: “We welcome this update to U.S. law which will help keep the Internet open and families, businesses and communities connected, wherever that they are in the world”.
Linda Moore, president and CEO of industry group TechNet, said in a statement: “We commend the Biden administration for taking positive steps to ensure the efficiency and effectiveness of cross-border U.S. data flows and Europeans and we will continue to work with the administration and members of Congress from both parties to pass a federal privacy bill.”
But some consumer and data privacy watchdogs have criticized the breadth of data protections.
BEUC, a European consumer group, said in a statement that the framework “is probably still insufficient to protect the privacy and personal data of Europeans when crossing the Atlantic”. The group added that “there are no substantial improvements to address issues related to the commercial use of personal data, an area where the previous agreement, the EU-US Privacy Shield , did not meet the requirements of the GDPR”, referring to the European General Data Protection Regulation. .
Ashley Gorski, senior counsel for the ACLU’s National Security Project, said in a statement that the order “does not go far enough. It does not adequately protect the privacy of Americans and Europeans, and does not ensure that individuals whose privacy is violated will have their claims resolved by a fully independent adjudicator.”
– CNBC’s Chelsey Cox contributed to this report.
WATCH: Why the US government is questioning your online privacy