
Biden paves the way for 'Privacy Shield 2.0' with an Executive Order, but concerns are already being raised about what comes next

Stuart Lauchlan, October 10, 2022

Progress, of sorts, on a replacement transatlantic data agreement between Europe and the US. But is this latest attempt going to be any more successful than its predecessors?


US President Joe Biden has finally signed an Executive Order to pave the way for implementation of a so-called ‘Privacy Shield 2.0’, but will it be strong enough to satisfy a wary administration in Brussels?

New readers, start here. Once upon a time, not so long ago, there was a transatlantic agreement called Safe Harbor, which allowed data to be sent to and fro across the Atlantic with impunity. But there were those in the European Commission who were not happy with the terms and conditions of this deal and wanted things toughened up.

Once it was revealed what fun the US intelligence agencies and assorted legal snoopers had been having through bulk surveillance, these complaints became ever louder. Things came to a head when Europe’s highest court, the European Court of Justice (CJEU), declared Safe Harbor to be not safe and struck it down.

This meant a replacement was needed or organizations trying to run a business that involved data crossing borders would need to waste time and money on ‘get arounds’ and Standard Contractual Clauses to do so. Both Europe and the US had been more than aware of the oncoming storm around Safe Harbor and had plenty of time to have put their respective heads together to come up with a viable replacement, but inevitably the two sides chose pigheadedness over practicality and did, well, SFA.

So with Safe Harbor in ruins, there was a desperate scramble to come up with something to paper over the cracks. The result was the 'lipstick on a pig' that was Privacy Shield, which sounds all butch and impressive, but was little more than a press release and a few flung together rules. It fooled no-one, least of all Europe’s various data protection regulatory bodies and committees, but it enabled politicians and Eurocrats to stand amid the rubble of transatlantic data flows and proclaim a new dawn.

Not for long. Complaints came from Europe that the Americans weren’t taking things seriously and were not living up to their end of the bargain. When Trump came to office, meeting Privacy Shield requirements was so far down the agenda that it couldn’t be seen. When pressure was put on the White House, the response was basically, ‘We’re done talking about this!’.

And so they were. Until we all ended up back in the ECJ again for the inevitable slaughtering of the pig and a slide back to square one.

Biden signs

Since then there’s been work underway on 'Privacy Shield 2.0', work that climaxed late last week as Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, aimed at putting into effect US commitments to a replacement EU/US Data Privacy Framework, first announced by President Biden and European Commission President Ursula von der Leyen back in March.

According to the official White House announcement, the Order:

  • Adds further safeguards for US signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
  • Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
  • Requires US Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the E.O.
  • Creates a multi-layer mechanism for individuals from qualifying states and regional economic integration organizations, as designated pursuant to the E.O., to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.
  • Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process, including to review whether the Intelligence Community has fully complied with determinations made by the CLPO and the DPRC.

It concludes:

These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law.

Will it work this time?

US tech organizations, looking to protect a $7.1 trillion EU/US economic relationship, were openly enthusiastic about the Order. Jason Oxman, President and CEO of the Information Technology Industry Council, said:

The movement of data across borders is the foundation of global trade and innovation in an increasingly digitized world. Today’s actions will help restore business certainty and safeguard continuity of key business operations as data moves across the Atlantic, while also upholding European citizens’ fundamental rights, and the security and public safety interests of the U.S., EU, and other qualified states. We appreciate the Biden Administration’s attention to this critical issue and look forward to working with the European Union to implement the EU-US Data Privacy Framework over the coming months.

Meanwhile Matt Schruers, CEO of the Computer and Communications Industry Association, added:

We appreciate President Biden’s action to keep data flowing between the U.S. and EU, underpinning one of our deepest and most mutually beneficial trading relationships. Data transfers are at the heart of the transatlantic relationship, fueling the trade that keeps both of our economies running and brings benefits to consumers and businesses of all sizes who need legal clarity on mechanisms to transfer data.

But already there are dissenting voices, such as the privacy activist group noyb (none of your business), set up by Max Schrems, whose legal challenges to Privacy Shield helped bring it down. The group argues that the new Executive Order isn’t likely to meet the demands of EU law and is, essentially, another papering over of cracks.

It argues that bulk surveillance by US authorities can continue via two types of ‘proportionality’, with Schrems stating:

The EU and the US now agree on use of the word 'proportionate' but seem to disagree on the meaning of it. In the end, the CJEU's definition will prevail - likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans.

The group also questions how complaints will be handled by a supposed ‘court of appeal’, noting that complainants will have to raise issues with a national body in the EU, who will in turn raise the issue with the US government. Schrems again:

We have to study the proposal in detail, but at first glance, it is clear that this 'court' is simply not a court. The Charter has a clear requirement for 'judicial redress' - just renaming some complaints body a 'court' does not make it an actual court. The details of the procedure will also be relevant to see if this can satisfy EU law.

Perhaps most remarkably, noyb’s reading of the Executive Order suggests that US businesses do not need to comply with GDPR, finding it “striking” that the EC did not request that the Privacy Shield Principles be aligned with that Regulation:

The principles are largely the same as the previous 'Safe Harbor' principles, which were drafted in 2000 and will continue to be used in the new framework. This means that US businesses can continue to process European data without complying with the GDPR. For example, they don't even need a legal basis for processing, such as consent. Under the Privacy Shield US companies only have to offer an opt-out option for users. This is despite the CJEU highlighting that there need to be "essentially equivalent" protections in the US.

My take

This is an important symbolic move by the US on the privacy front, but far from the end of the story. With the Executive Order in place, the European Commission now has to produce its own adequacy decision, which then goes to the European Data Protection Board and ultimately to a vote among EU member states, who could scupper the whole thing. Assuming it does jump through all the necessary hoops, it will be spring of next year before it’s all tied up. Then, if noyb’s reading of the Order is correct, we can all start to wonder when we’ll be back in court again for another go!
