Today, the Biden administration issued an executive order to codify changes to privacy rules for transatlantic data transfers from the European Union (EU). A long-awaited announcement, the executive order is the next step toward establishing a new EU-US Data Privacy Framework (DPF), which will secure the free flow of personal data and thus underpin the US-EU commercial relationship.
The deal replaces the 2016 US-EU Privacy Shield agreement, which, according to the European Court of Justice’s (ECJ) 2020 ruling, failed to protect EU citizens’ data from US government surveillance. It also left in jeopardy the future of transatlantic data transfers and the more than $250 billion worth of digital services trade that took place between the United States and the EU in 2020.
In practical terms, today’s executive order seeks to address the ECJ’s concerns with the previous data privacy framework by increasing transparency into the use of EU personal data by US authorities and the national security justifications behind it, and creates a mechanism for EU individuals to seek a review and redress if they feel their personal data was used in violation of established privacy protections.
Will the new agreement be viable? Our experts break down the details of the DPF and tell us what to expect next.
Is the third time a charm for this dispute?
Nearly a decade after former US National Security Agency (NSA) contractor Edward Snowden revealed that the NSA was tapping then German Chancellor Angela Merkel’s mobile phone, the EU has forced the United States to make real changes in its surveillance of Europeans. In exchange for an expectation that the EU will grant companies a convenient and stable method for transferring personal data from Europe to the United States, the US government has agreed to limit electronic surveillance on the continent to only what is “necessary and proportionate,” a European privacy law standard. Europeans also have gained the right to challenge wrongful surveillance before a new and independent US administrative tribunal.
The EU did not secure a commitment from Washington to put these changes into the form of a statute—instead settling for US President Joe Biden’s executive order and a new Department of Justice regulation structuring the administrative tribunal. In addition, the agreement does not identify a path for appealing an administrative decision to a US court, although it does not rule it out either. As a practical matter, administrative redress may well be the better approach.
European privacy activists, who twice previously overturned transatlantic data-transfer arrangements, are expected to seize on these points in a challenge to the DPF before the European Court of Justice. Neither the United States nor the European Commission can afford a third strike. But the details of the painstakingly negotiated accord offer a measure of hope that this thorny and long-lasting transatlantic digital dispute may finally be definitively resolved. Maybe the third time will be the charm.
—Kenneth Propp is a non-resident senior fellow at the Atlantic Council’s Europe Center.
Resolving a major irritant in US-EU ties
The Biden administration’s new executive order is an important step toward resolving one of the stickiest disputes between the United States and the European Union. The flow of data, including personal data, across the Atlantic is enormous and is an essential building block for the rapidly growing, data-driven transatlantic digital economy. But since July 2020, the legality of such transfers from the EU to the United States has been cast into doubt by the decision of the ECJ invalidating the Privacy Shield arrangement.
The Biden administration signaled the importance of this dispute by appointing its Commerce Department negotiator on its first day in office. Determined to improve relations with the EU, the Biden team realized that making a serious effort toward resolving this dispute was key to demonstrating its commitment to the US-EU partnership. Although the new DPF will inevitably be challenged before the ECJ, the agreement is still important on two levels.
First, it demonstrates a willingness and ability to resolve disputes—even very complicated matters based on differing regulatory approaches. This is good news for the valuable transatlantic digital economy, which faces disagreements over differing rules on non-personal data transfers, artificial intelligence risk assessments, cybersecurity criteria for cloud service providers, and many other issues. With the right approach and attitude, a solution can be found.
Second, this agreement removes a major US-EU irritant at a time when geopolitics requires as much transatlantic unity as possible. The issue of data transfers has not been one that grabbed headlines, but the lack of a solution would push the two biggest markets in the global democratic community toward forming two different blocs, creating divisions that would only multiply and harden as the digital element in our economies grows. The beneficiary of such a divide would be the other major power in the digital arena: China. This solution shows that the United States and EU understand the importance of finding a way forward together and is an essential step toward transatlantic leadership in the global digital economy.
—Frances Burwell is a distinguished fellow at the Europe Center.
Biden’s new protections for EU citizens are strong. Congress can finish the job.
Then President Barack Obama’s 2014 presidential policy directive 28 (PPD-28) set an international norm for foreign intelligence—and this new executive order builds on PPD-28 with clearer and more detailed protections for people outside the United States. It is a carefully thought-out response to the ECJ’s jurisprudence on government access tailored to American law and presidential powers, addressing specific safeguards and issues the ECJ has identified. Most notably, on necessity and proportionality—the EU legal standard for surveillance collection that the United States has agreed to abide by—as well as the use of bulk surveillance, Biden’s order spells out objective criteria for collection based in law that exclude simply being a foreign person; details procedures to ensure collection programs and individual queries are limited to what is necessary and take into account intrusion on privacy; and requires that dissemination and retention of information collected is also limited in the ways it is for “US persons.”
On redress for EU citizens who are the subjects of US surveillance, the package gives the new Article I court designed to solve these disputes judicial powers and independence, makes the court’s rulings as well as those of the Office of the Director of National Intelligence’s privacy and civil liberties officer and the Privacy and Civil Liberties Oversight Board binding on the intelligence community, and recognizes that EU citizens are entitled to these review procedures under federal law. Executive orders exercising presidential powers have been recognized as the law of the land throughout our history—the Emancipation Proclamation, for example—but Congress could emphasize the point for the ECJ by codifying key elements of this order when the Foreign Intelligence Surveillance Act comes up for reauthorization in 2023. That way, a future president could not simply undo Biden’s order with the stroke of a pen.
—Cameron Kerry is the Ann R. & Andrew H. Tisch Distinguished Visiting Fellow at the Brookings Institution and a former general counsel at the US Department of Commerce.