Biden Data Privacy Order Triggers European Commission Review
The Biden administration on Friday announced an executive order implementing a "European Union-U.S. Data Privacy Framework" that aims to address privacy and legal due process complaints regarding data sharing.
The executive order currently requires European Commission review and confirmations. It stems from an agreement in principle reached between the White House and the European Commission back in March. The executive order is an attempt to address complaints that led to the gutting of an earlier U.S. Privacy Shield proposal for ensuring data privacy when U.S. organizations access the data of EU denizens.
The Privacy Shield proposal had been on hold since the European Union (EU) Court of Justice's Schrems II decision of July 2020, which found that Privacy Shield didn't meet the EU's General Data Protection Regulation stipulations.
At stake in the review is the "$7.1 trillion" trans-Atlantic data commerce trade, according to Biden's announcement.
European Commission Review
The new U.S. executive order does contain safeguards that will place a "substantive limitation on US national security authorities' access to data (necessity and proportionality) and the establishment of the new redress mechanism," the European Commission contended, in a Friday Q&A announcement. It'll address Schrems II concerns, the Q&A suggested.
Highlights of the executive order, according to the Q&A, include:
- Ability to lodge a complaint with a "so-called 'Civil Liberties Protection Officer' of the US intelligence community"
- The complainant will have representation by "a special advocate"
- An appeals process at a new Data Protection Review Court, with court members consisting of "members chosen from outside the US Government."
The European Commission's next steps will be to propose an "adequacy decision," based on the executive order. The agreement won't be in effect until the European Commission gets opinions on the adequacy decision from the European Data Protection Board and EU member states.
After that vetting process, the European Commission will issue a "final adequacy decision," the Q&A noted:
Only after that, the European Commission can adopt the final adequacy decision in relation to the US. From that moment on, data will be able to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework. US companies will be able to join the framework by committing to comply with a detailed set of privacy obligations.
In the meantime, organizations can agree to data transfers using "model clauses" in their commercial contracts, the Q&A indicated.
The Biden administration suggested that the executive order and a finalized agreement with the European Commission would add "greater legal certainty for companies using Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States."
Schrems II complainant Maximillian Schrems, though, didn't seem appeased by this latest data privacy proposal.
He suggested in Friday posts that an "executive order for US surveillance is probably not enough." Moreover, the executive order failed to address rulings of the European Court of Justice on both rights and judicial remedies, per a translation by Google Translate.
"There is still US mass surveillance and a 'court' that is not a court," Schrems indicated.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.