Skip to content

Biden signs order on E.U.-U.S. data privacy

U.S. President Joe Biden set safeguards against American intelligence agencies misusing personal information as part of a transatlantic data privacy deal.

U.S. President Joe Biden watches as European Commission President Ursula von der Leyen speaks
U.S. President Joe Biden watches as European Commission President Ursula von der Leyen speaks in March 2022 at the U.S. Chief of Mission Residence in Brussels (AN/Adam Schultz)

WASHINGTON (AN) — U.S. President Joe Biden signed an executive order to safeguard citizens' personal information against intrusions by American intelligence as part of a transatlantic agreement with the European Union on data privacy.

Biden's executive order on Friday is meant to reassure Europeans wary about U.S. government surveillance that their data is safe on U.S. soil and to ensure that tech giants and thousands of other companies can keep operating efficiently.

"Transatlantic data flows are critical to enabling the US$7.1 trillion E.U.-U.S. economic relationship," the White House says.

It spells out how the United States will implement the E.U.-U.S. data privacy framework that European Commission President Ursula von der Leyen and Biden announced in March.

U.S. intelligence agencies will be required to collect data only for defined national security objectives," the White House says, and "only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority."

A final E.U.-U.S. accord is expected to be issued early next year once the European Commission accepts and incorporates the executive order into its own requirements.

The E.U.-U.S. data privacy framework patched up the crisis over the past couple of years on how to protect the massive flow of data between the two major economies. Two years ago, the Luxembourg-based Court of Justice of the European Union, or CJEU, found in a ruling that Europeans were vulnerable to data snooping by U.S. intelligence services.

The executive order signed by Biden calls for the U.S. Department of Justice to set up a new Data Protection Review Court that lets people challenge how national security agencies are allowed to access and use personal data obtained from U.S. and European citizens. The new court's decisions will be binding.

Officials within a federal body that oversees U.S. national intelligence agencies also will be empowered to investigate complaints of people's privacy breaches.

“These commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision and will cover personal data transfers to the United States under E.U. law," U.S. Secretary of Commerce Gina Raimondo said.

She said the data privacy framework is intended "to restore trust and stability to trans-Atlantic data flows and reflects the strength of the enduring U.S.-E.U. relationship based on our shared values."

Europeans entitled to same 'level of protection' as GDPR

Biden's order on how to implement the E.U.-U.S. data privacy framework was precipitated by a 2020 ruling from CJEU, the E.U.'s top court. That ruling struck down the so-called E.U.-U.S. Privacy Shield, unraveling the main conduit for data transfers between the 27-nation bloc and the United States.

Justices cited concerns about the far-reaching nature of U.S. surveillance in the wake of U.S. whistleblower Edward Snowden's leaks about American spying. It was the second instance in which CJEU ruled E.U. citizens' private data are not safe in American hands.

The complaint previously led the court to invalidate the E.U.-U.S. Safe Harbor data transfer agreement, which was replaced by the Privacy Shield.

E.U. data privacy rules, known as the General Data Protection Regulation, or GDPR, were adopted in 2016 and became enforceable in 2018, affecting businesses and consumers worldwide.

The 2020 ruling said personal data transferred to a third country "must be afforded a level of protection essentially equivalent to that guaranteed within the E.U. by the GDPR."

It confirmed the E.U.'s use of Standard Contractual Clauses that are “pre-approved” by the European Commission, meaning transatlantic data flows could continue.

But it found that U.S. data privacy rules "are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law, by the principle of proportionality, in so far as the surveillance programs based on those provisions are not limited to what is strictly necessary."