Privacy Only On Paper: U.S. – EU Privacy Framework

President Biden signed an executive order that will help restore transatlantic data flow by changing U.S. privacy standards to meet those laid out by the European Union. The EU requires countries where the personal data of European citizens is being stored to use surveillance only when “strictly necessary” and “proportional” to the national security concern. They also require countries to have a clear path for European citizens to seek redress should they believe their rights are being violated. As a result, the signed executive order limits U.S. signal intelligence activity and develops an independent two-part system for investigations. These goals are achieved by adding more safeguards for U.S. intelligence activities, mandating data compliance policies, and authorizing the creation of an independent Data Protection Review Court. 

Created in 2000, Safe Harbor was the original U.S.- EU data transfer framework used to protect EU data on U.S. soil. However, in 2013 Edward Snowden revealed massive surveillance being carried out by U.S. intelligence communities that violated EU citizens’ rights. Privacy activist and lawyer Max Schrems developed a case that landed in the European Court of Justice (ECJ). The court deemed Safe Harbor invalid and ended transatlantic data transfer. The U.S. and the EU then collaborated to create a new framework named Privacy Shield, but Schrems built another case against it, resulting in the ECJ shutting down Privacy Shield in 2020. In March of 2021, President Biden and the President of the European Commission, Ursula von der Leyen, agreed on a new framework that addressed the concerns held by the ECJ. The newly signed executive order is just the next step in the implementation process before the European Commission can “draft an adequacy decision” and begin “its adoption procedure” according to the Commission’s website.

Without a framework in place, companies sharing data across the Atlantic are operating in uncertain limbo. But as von der Leyen tweeted, the executive order is helping to provide “more legal certainty for businesses – on both sides of The Atlantic.” U.S. Secretary of Commerce, Gina Raimondo, also says in a press release that the executive order will “create greater economic opportunities for companies and citizens on both sides of The Atlantic,” and that it “reflects the strength of the enduring U.S.-EU relationship.” The free flow of data is crucial to the $7.1 trillion relationship between the U.S. and the EU, so the executive order is essential to supporting the strategic economic and political relationship between the two regions. 

However, privacy experts are not as thrilled as CEOs and political leaders, as they argue the executive order does not do enough to address the two concerns of the ECJ. Senior Staff Attorney with the ACLU National Security Project, Ashley Gorski, states in an article published on the ACLU’s website that the executive order does not guarantee people “will have their claims resolved by a wholly independent decision maker.” Similarly, Sean Vitka, Google Policy Fellow at Georgetown Law’s Institute for Public Representation, says in a press release that the executive order is “inefficient” as it “does not provide meaningful redress” but it “provides for bulk surveillance” which means “The White House has failed to grapple meaningfully with the privacy questions at the heart of this issue.” Even Max Schrems, the activist and lawyer who helped overturn Safe Harbor and Privacy Shield, says “at first sight, it seems that the core issues [of the overturning of Privacy Shield] were not solved” in a brief shared by his organization NOYB. If the European Commission formally adopts the framework as is, it seems like privacy experts will be able to make another case to the ECJ and force the U.S. and the EU to create yet another policy. 

On paper, the executive order addressed the EJC’s concerns by defining what “strictly necessary” and “proportionate” mean, and developing an independent redress mechanism. Because of this, CEOs and government officials have applauded its signing, celebrating a return to transatlantic normalcy. But privacy experts have argued that it does not go far enough in addressing EU law nor in actually securing the right to privacy. The formal adoption process of a new framework won’t be completed until Spring 2023, but policymakers need to keep making data privacy a priority. Without proper measures in place to store and delete personal data, people and governments are left vulnerable to threats. Globalization isn’t going anywhere and as economies continue to grow, more than $7.1 trillion in trade will depend on the safe exchange of data across borders, meaning that global data privacy regulations could soon be the norm. Therefore, in order to bolster cybersecurity and maintain its power, U.S. policymakers need to work harder at leading the world in data privacy by making real legislation to protect its people and its assets.