EU-US data transfers have been subject to special restrictive regulations since July 2020, when a ruling by the EU’s highest court found that the region’s data partners must have parity in their laws with the terms of the General Data Protection Regulation (GDPR). As the US does not have a federal-level data privacy bill, or any legal guarantees that the sorts of interception and bulk collection described in the Snowden leaks are not continuing to happen, the US cannot be considered an adequate partner for data transfers. An executive order issued by the Biden administration looks to change this relationship, but it is already meeting resistance from privacy organizations such as the American Civil Liberties Union (ACLU).
The crux of the privacy objections is that the executive order does not guarantee that indiscriminate collection will be stopped; it merely attempts to narrow the scope of intelligence activity to meet standards found acceptable by the present GDPR interpretation. It also adds a GDPR-required mechanism for foreign subjects to request review of their collected data.
Executive order could turn the transatlantic data taps back on, but privacy issues linger
The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities builds on the European Union-U.S. Data Privacy Framework proposed in March 2022, as the two regions attempt to hammer out an agreement for data transfers that can survive future EU court challenges.
The executive order addresses concerns about signals intelligence interception by promising that espionage activities will only be conducted “in pursuit of defined national security objectives” and to “advance validated intelligence priorities” in a “proportionate” manner. Intelligence agencies are also being given added handling requirements for personal information, which will loop in additional legal and compliance officials for oversight. Impacted elements of the intelligence community will be required to update their policies and procedures to reflect these new safeguards.
One additional element proposed by the executive order specifically addresses another GDPR sticking point: the lack of a guaranteed ability for data subjects to see what has been collected about them and to file complaints of misuse. The executive order addresses this by proposing a “multi-layer mechanism,” headed up by the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence, that will take qualifying complaints from EU data subjects and engage in a multi-stage investigation process. This funnels to a final decision by a Data Protection Review Court staffed with judges from outside the US government, and complainants will have the right to have a special advocate appointed during these cases.
This potential “Privacy Shield 2.0” arrangement now awaits review by the European Commission for adequacy status before restrictions on EU-US data transfers are loosened. This process is expected to be concluded in March 2023. Of course, any restoration of the US as an adequate partner in data transfers may well face another court challenge as soon as it is announced.
Privacy organizations think agreement on data transfers falls far short of serving needs
A number of major privacy organizations have already responded to the executive order, and the general sentiment is that while it may meet technical legal requirements it is not adequate to actually protect data subject privacy.
In Europe, the European Consumer Organisation (BEUC) is foremost among these critics and has issued a statement finding that the executive order makes no “substantial improvements” in the protection of personal data being transferred from the EU to the US. The ACLU has echoed these sentiments from across the pond, releasing its own similar statement and additionally noting that EU data subjects who have complaints will not be able to have their issue resolved by a decision-maker that is completely independent from the US government.
A statement to the press by Secretary of Commerce Gina Raimondo indicates that the US side believes that the executive order will hold up, at least under the present legal terms. However, today’s terms may not be the ones governing data transfers tomorrow. As Raimondo also noted, the US is expecting a “decent chance” of any arrangement being challenged in EU court once it is finalized. The most likely challenger will be Max Schrems and his privacy group noyb, the force behind invalidating the original Safe Harbor and Privacy Shield agreements and a continual GDPR thorn in the side of big tech platforms.
Privacy critics believe that EU-US data transfers will not truly be normalized until the US addresses the bulk data collection authorized under Executive Order 12333, particularly the broad scope of foreign individuals who can be spied on relatively freely under the Foreign Intelligence Surveillance Act and that executive order. Privacy advocates also want to see a path to legal challenges to improper data collection opened by a reform of the “state secrets privilege” used by the NSA to scoop up vast amounts of communications entering and exiting the country’s borders.
Drew Bagley, VP & Counsel for Privacy and Cyber Policy at CrowdStrike, remains optimistic that the executive order will establish an enduring framework for data transfers: “It is encouraging to see a renewed commitment to cross-border data flows and data protection. Modern IT infrastructure, cybersecurity and privacy compliance programs are dependent upon global data flows. Introducing this new framework can help provide certainty for EU-US data transfers and showcase a strong contrast to policy proposals that mistakenly prioritize data localization over holistic data protection.”