The US President signed the data transfer agreement into law on Friday (October 7), restoring the legal basis for transatlantic data flows following the 2020 Schrems II judgment.
The White House has issued an executive order on data transfers with the intention of implementing US steps to fulfil commitments made in the EU-US Data Privacy Framework, which was first announced in March this year.
Transatlantic data flows are critical to enabling the $7.1trn EU-U.S. economic relationship, the White House has said, stating that the framework will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union (CJEU) raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.
The executive order imposes binding safeguards on the use of surveillance by US intelligence.
It requires that surveillance is only conducted in a necessary and proportionate manner in pursuit of national security objectives and considers the privacy and civil liberties of all people.
In addition, Biden’s intervention creates an independent redress mechanism to investigate and resolve complaints.
The Civil Liberties Protection Officer (CLPO) within the Office of the Director of National Intelligence (CLPO) will conduct an initial investigation of qualifying complaints received to determine whether the executive order’s enhanced safeguards or other applicable US law have been violated and, if so, to determine the appropriate remediation.
The executive order also authorises and directs the US Attorney General, Merrick Garland, to establish a Data Protection Review Court (DPRC).
The DRPC will provide independent and binding review of the CLPO’s decisions, upon an application from the individual or an element of the intelligence community.
Judges on the DPRC will be appointed from outside the US government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal.
Decisions of the DPRC regarding whether there is a violation of applicable US law and, if so, what remediation is to be implemented will be binding. To further enhance the DPRC’s review, the executive order also provides for the DPRC to select a special advocate in each case.
Said advocate will lobby for the complainant’s interest in the matter and ensure that the DPRC is well-informed of the issues and the law with regard to the matter.
Biden’s executive order is only a first step. Now, the European Commission must issue an adequacy decision, which Brussels has confirmed will be a four to six-month process.
This involves obtaining an opinion from the European Data Protection Board and approval from EU member states.
One significant issue for the EU and US alike here is that Max Schrems, the man behind Schrems II and the need for this framework in the first place, has signalled that he is less than impressed.
Schrems’ None of Your Business (NOYB) published a blog post arguing that the new executive order is unlikely to satisfy EU law.
"The EU and the US now agree on use of the word 'proportionate' but seem to disagree on the meaning of it. In the end, the CJEU's definition will prevail, likely killing any EU decision again,” said Schrems. “The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans."
The campaigner has said that NOYB will analyse the package in detail. “At first sight it seems that the core issues were not solved and it will be back to the CJEU sooner or later.
"It is amazing that the EU and the US actually agree that wiretapping needs probable cause and judicial approval,” quipped Schrems. “However, the US takes the view that foreigners don't have privacy rights.
“It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are 'second class' citizens and don't deserve the same privacy rights as US citizens."