An American executive order designed to assuage the EU’s privacy concerns will, for the first time, also allow the U.S. government to flag any issues with European surveillance programs.
President Joe Biden’s executive order signed on Friday establishes a Data Protection Review Court within the Department of Justice, which will allow EU citizens to file lawsuits on how their data is collected and used by U.S. intelligence agencies. The order also requires intelligence agencies to only collect data for a necessary and proportionate use.
While the focus of the executive order is to ensure that companies can continue sending data between the EU and the U.S. while meeting the standards set by the Court of Justice of the European Union set in 2020, Biden’s privacy framework will also extend these privacy rights for American citizens, said Peter Harrell on Friday. Harrell is the senior director for International Economics and Competitiveness at the White House National Security Council.
The U.S. attorney general will have to designate the EU as a qualifying state or region under the privacy framework, which will open the door for the U.S. government to also assess the EU’s surveillance safeguards, Harrell said.
The move marks a win for the U.S. government, which has long griped that Brussels holds all the cards in data flows talks and that its national security laws are held to a higher standard than even the EU’s own. Under the new framework, the U.S. will be able to withhold use of the redress mechanism to countries or regional zones that don’t meet its standards.
“The decision to designate the EU will involve an assessment by the Attorney General as to whether the laws of the EU and or those EU member states, each on matters within their areas of competence, have appropriate safeguards relating to their signals intelligence for U.S. persons’ personal information that gets transferred from the United States to the EU,” Harrell said.
The attorney general will also take other factors into account when designating countries or regions as “qualifying” for the redress mechanism, such as whether they align with the U.S.’s national interest.
A European Commission official said the designation exercise would not be an assessment per se, but admitted that it would have to present its own safeguards.
“The redress mechanism is open to countries and regional organizations that offer appropriate safeguards and that have data flows arrangements with the US,” the spokesperson said.
The NSC and other Biden administration officials are confident that the European Commission will approve the executive order and withstand any legal challenges from privacy advocates.
Max Schrems, a privacy advocate who filed suits that dismantled Privacy Shield in 2015 and 2020, told POLITICO that he was reviewing the details of Biden’s executive order and intends to prepare for a potential challenge.
“As there is no change to bulk surveillance, I guess this will go back to the [Court of Justice of the European Union],” Schrems said.
The executive order likely won’t be approved by Brussels until around March 2023, but the signing hands a significant benefit for businesses sharing data between the two countries. Even before approval, companies will be able to use the executive order as a legal basis for transferring data between the U.S. and EU, even before it gets approved by the European Commission.
This helps companies like Facebook, which was expected to be blocked from sending EU data to the US without proper privacy protections.
“The US government has made real legal changes that are going to be important immediately in improving business certainty,” said John Miller, the Information Technology Industry Council’s senior vice president of policy.
This article is part of POLITICO Pro
The one-stop-shop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology
Exclusive, breaking scoops and insights
Customized policy intelligence platform
A high-level public affairs network