U.S. President Joe Biden signed an executive order Friday that would limit the ability of American national security agencies to access people’s personal information as part of a transatlantic data-sharing agreement with the European Union.
The decree follows lengthy negotiations between the United States and the EU after the bloc’s highest court ruled in 2020 that Washington did not sufficiently protect Europe’s data when it was transferred across the Atlantic. The judges’ concerns focused on how U.S. surveillance programs did not have proper measures for European citizens to address how the government collected their data.
The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens. It will also give new powers to the civil liberties protection officials within the U.S. Office of the Director of National Intelligence, a body that oversees agencies’ work, to investigate possible breaches of people’s privacy rights.
When it is established, the so-called Data Protection Review Court within the Department of Justice will allow people to file lawsuits via a so-called “special advocate” to challenge how their data is used by these agencies, marking a potentially significant limit on how the likes of the National Security Agency operate.
The court’s decisions are intended to be independent and binding, Secretary of Commerce Gina Raimondo said in a briefing Thursday.
“These commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision and will cover personal data transfers to the United States under EU law,” Raimondo told reporters.
Biden’s executive order will require U.S. intelligence agencies to collect data only for specific, defined national security purposes, and in a necessary and proportionate manner. U.S. intelligence agencies are required to update their policies and procedures to align with the order’s guidelines.
The executive order is the next step in the creation of a new transatlantic data-sharing agreement that is needed for thousands of companies — from Google to General Electric — to move data between two of the world’s most important economies. The decree will now be sent to Brussels where the European Commission — alongside input from the bloc’s privacy agencies and politicians, as well as EU countries — will transpose the text into its own rules.
That process is expected to take around six months and will lead to a final pact being published in roughly March 2023.
Senior Biden administration officials, who spoke on the condition of anonymity because they were not authorized to speak publicly, said they were confident the White House executive order and the Department of Justice’s new regulations would satisfy the Commission’s concerns. More importantly, the officials said they felt the new framework would also withstand any legal challenges that would force the U.S. government to go back to the drawing board.
“We do expect there’s a decent chance somebody may try to challenge this in Europe and I think what the courts will see is that we have really put forward a framework that is fundamentally different from what was in place before,” one of those officials said in a briefing Thursday.