President Joe Biden today signed an executive order that directs the U.S. government to implement a data privacy agreement signed with the European Union earlier this year.
Many tech companies store the information of EU users in U.S.-based data centers. Until a few years ago, the practice of moving EU users’ information to stateside data centers was governed by an agreement known as the Privacy Shield. In 2020, the EU’s top court struck down Privacy Shield over concerns about U.S. surveillance.
The U.S. and the EU in March announced a new agreement, the European Union-U.S. Data Privacy Framework, that is designed to replace Privacy Shield. The new agreement is aimed at allowing tech companies to send information to their U.S.-based data centers while also safeguarding user privacy.
Today’s executive order is focused on “directing the steps that the United States will take to implement the U.S. commitments under the European Union-U.S. Data Privacy Framework,” the White House detailed in a fact sheet. The commitments cover several different areas.
The government will create a multi-layer mechanism designed to let users seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated U.S. law. As part of the mechanism’s first layer, the Civil Liberties Protection Officer in the Office of the Director of National Intelligence will conduct investigations of qualifying privacy complaints. The investigations will evaluate whether privacy safeguards or applicable laws were broken and determine the appropriate remediation.
The second layer in the multi-layer mechanism specified by the executive order consists of a new Data Protection Review Court. According to the White House, the court will provide independent and binding review of privacy investigations carried out as part of the mechanism’s first layer.
“Judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal,” the White House detailed.
Today’s executive order also specifies several other steps that the government must take to meet the requirements set forth in the new European Union-U.S. Data Privacy Framework.
The executive order will add further safeguards to U.S. signals intelligence activities. It mandates the implementation of handling requirements for personal information, while extending the responsibilities of legal, oversight and compliance officials. The officials’ extended responsibilities will include “ensuring that appropriate actions are taken to remediate incidents of non-compliance,” the White House stated.
The Privacy and Civil Liberties Oversight Board, an independent agency within the executive branch, will also play an important role. The executive order tasks the agency with reviewing intelligence community policies and procedures to ensure they meet the requirements specified in the executive order.
“These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law,” the White House stated.