The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.” This was the reassurance that US President Joe Biden offered concerned citizens across the Atlantic today by signing an executive order designed to restart the easy flow of data between Europe and the US.
For years, companies have been shuttling customer information between the two regions. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House said today. But two years ago, the EU Court of Justice in Luxembourg ruled that Europeans’ data sent to the US risked being snooped on by intelligence agencies, such as the US National Security Agency. As a result, the agreement that allowed companies to easily transfer data between the US and Europe was ripped up. Businesses instead had to make do with a costly and complex temporary replacement.
Biden’s executive order brings a new EU-US data privacy agreement one step closer and aims to restore trust among Europeans’ concerned by US government surveillance. The order creates a new body within the US Department of Justice that will oversee how US national security agencies access both Europeans’ and Americans’ data. But privacy campaigners say the order simply copies the wording of European law (adding in terms like proportionate and necessary) without making any real changes. “We do not see a ban on bulk surveillance and no actual limitations,” says Max Schrems, the Austrian privacy activist whose legal complaint against Facebook eventually dismantled the transatlantic data pact back in 2020.
Before then, around 5,000 businesses had been sending data back and forth across the Atlantic under a system called Privacy Shield. “The pre-Schrems system worked,” says Morgan Reed, president of the App Association, which represents small- and medium-size companies, mostly app developers. But the EU court ruling made the Privacy Shield system suddenly invalid, plunging thousands of companies into legal limbo.
Although the court decision did not stop transfers, it made them more complicated. “What the Schrems decision did was raise costs and concern for a lot of small companies that don't have giant compliance departments’ and fleets’ worth of lawyers to do what are called standard contractual clauses,” says Reed. Standard contractual clauses are time-consuming data transfer agreements that force companies to take steps to assess whether they are safely moving data around the world.
Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual. The executive order is the next step in the US and EU reaching a new privacy agreement. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” says Matt Schruers, president of the Computer and Communications Industry Association (CCIA), a lobbying group that represents tech giants including Google, Amazon, and Apple.
At Workday, a California-based HR software provider with more than 2,000 customers headquartered in Europe, the mood is optimistic. Chandler Morse, vice president of corporate affairs, believes this is evidence that the US and EU can reach an agreement on more than just the privacy shield problem. “There's a number of other tech issues that are pending in the EU-US bilateral, so for many of us this is a positive sign that the EU and the US can work together,” he says, adding that the EU AI Act and Data Act could also be beneficiaries of this new cooperation.
Yet privacy campaigners are not impressed—either by greater collaboration or Biden’s offer of a so-called Data Protection Review Court, which will allow EU citizens to challenge how US security agencies use their data.
“However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order,” says Ursula Pachl, deputy director general of the European Consumer Organization (BEUC). “The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”
Biden’s executive order will now be sent to Brussels, where EU officials could spend up to six months scrutinizing the details. A new data agreement is expected to be ready around March 2023, although privacy activists are expected to challenge the ruling in court. “The order is never going to be enough for the privacy community in Europe,” says Tyson Barker, head of technology and global affairs at the German Council on Foreign Relations.
The European Commission believes the new agreement could survive a court challenge. But the US has been quietly hedging its bets, says Barker. At a conference in October 2021, Christopher Hoff, deputy assistant secretary for services in the Biden Administration, said he supported the global expansion of a rival privacy agreement—the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. “The United States wants to say, actually, we have an alternative and we'd like to set this as the global standard,” Barker adds.
Schrems, however, is not worried about another privacy agreement curbing the EU’s influence. “I don’t personally care what standards other countries prefer,” he says. “I know the law in the EU.”
