President Joe Biden signed an executive order Friday designed to allay European concerns that U.S. intelligence agencies are illegally spying on them. It promises strengthened safeguards against data collection abuses and creates a forum for legal challenges.
The order builds on a in March with European Commission President Ursula von der Leyen in a bid to end a yearslong battle over the safety of EU citizens' data that tech companies store in the U.S.
However, the European privacy campaigner who triggered the battle didn't think it resolved core issues and warned of more legal wrangling. Nor were U.S. privacy advocates, including the American Civil Liberties Union, satisfied.
The reworked Privacy Shield 鈥渋ncludes a robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which should ensure the privacy of EU personal data," Commerce Secretary Gina Raimondo told reporters.
"It also requires the establishment of a multilayer redress mechanism with independent and binding authority for EU individuals to seek redress if they believe they are unlawfully targeted by U.S. intelligence activities,鈥 she added.
Washington and Brussels have long been at odds over the friction between the European Union's stringent data privacy rules and the comparatively lax regime in the U.S., which lacks a federal privacy law. That has created uncertainty for tech giants including Google and Facebook鈥檚 parent company Meta, raising the prospect that U.S. tech firms might need to keep European data out of the U.S.
Industry groups largely welcomed Biden's order but European consumer rights and privacy campaigners, including activist Max Schrems whose complaint kicked off the legal battle a decade earlier, were skeptical whether it goes far enough and could end up in the bloc's top court again.
Friday's order narrows the scope of intelligence gathering 鈥 regardless of a target's nationality 鈥 to 鈥渧alidated intelligence priorities," fortifies the mandate of the Civil Liberties Protection Officer in the Office of the Director of National Intelligence and directs the attorney general to establish an independent court to review related activities.
Europeans can petition that Data Protection Review Court, which is to be composed of judges appointed from outside the U.S. government.
The next step: Raimondo's office was to send a series of letters to the 27-member EU that its officials can assess as the basis of a new framework.
The European Union鈥檚 executive arm, the , said the framework has 鈥渟ignificant improvements" over the original Privacy Shield and it would now work on adopting a final decision clearing the way for data to flow freely between EU and U.S. companies certified under the framework.
Raimondo said the new commitments would address European Union legal concerns covering personal data transfers to the U.S. as well as corporate contracts. A revived framework 鈥渨ill enable the continued flow of data that underpins more than $1 trillion in cross-border trade and investment every year,鈥 Raimondo said.
Twice, in 2015 and again in 2020, struck down data privacy framework agreements between Washington and Brussels. The first legal challenge was filed by Austrian lawyer and privacy activist Schrems, who was handled his data in light of 2013 revelations about U.S. government cyber-snooping from former U.S. National Security Agency contractor Edward Snowden.
European consumer group BEUC said despite the extra safeguards, fundamental differences between American and European privacy and data protection standards are too wide to bridge. 鈥淗owever much the U.S. authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and U.S. still have a different approach to data protection which cannot be cancelled out by an executive order," said the group's deputy director general, Ursula Pachl. 鈥淭he moment EU citizens鈥 data travels across the Atlantic, it will not be afforded similar protections as in the EU."
The American Civil Liberties Union said Biden's order is 鈥渁 step in the right direction鈥 but lacks adequate safeguards for Europeans or Americans. Ashley Gorski, an ACLU senior staff attorney, said in a statement that "it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker.鈥
Further, the ACLU said in a tweet, 鈥淭he order still allows our government to engage in bulk, generalized data collection.鈥
Schrems said while his Vienna-based group, NOYB, would need time to study the order, his initial reading is that it 鈥渟eems to fail" on some key requirements, including for surveillance to be necessary and proportionate under the EU鈥檚 Charter of Fundamental rights to avoid indiscriminate mass data collection.
While the U.S. included those two words, Schrems said the two sides don't seem to have agreed they have the same legal meaning.
If it did, 鈥渢he U,S, would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of 鈥榩roportionate' surveillance," Schrems said.
___
Chan contributed to this report from London.
Frank Bajak And Kelvin Chan, The Associated Press
