Biden signs order to implement EU-US data transfer framework
President Joe Biden has signed an executive order adopting new American intelligence gathering privacy safeguards, to protect citizens against data collection abuses.
The Privacy Shield is a European Union-United States data transfer framework that aims to ease European concerns regarding US surveillance practices.
The framework is expected to end the limbo in which thousands of companies found themselves after the Court of Justice of the European Union (CJEU) struck down the two previous pacts over doubts regarding the safety of EU citizens' data that tech companies store in the US.
The agreement is set to soften the friction between the European Union's stringent data privacy rules and the comparatively lax regime in the US, which lacks a federal privacy law.
The White House said "transatlantic data flows are critical to enabling the $7.1tn (£6.4tn) EU-US economic relationship" and the framework "will restore an important legal basis for transatlantic data flows."
It added that Biden's order bolstered current "privacy and civil liberties safeguards" for US intelligence gathering and created an independent, binding multi-layer redress mechanism for individuals who believe their personal data was illegally collected by US intelligence agencies.
The agreement was first presented in March by Biden and European Commission President Ursula von der Leyen, who presented it as offering stronger legal protections and addressing the EU court's concerns.
US Commerce Secretary Gina Raimondo told reporters the executive order "is the culmination of our joint effort to restore trust and stability to transatlantic data flows" and "will ensure the privacy of EU personal data."
"It also requires the establishment of a multilayer redress mechanism with independent and binding authority for EU individuals to seek redress if they believe they are unlawfully targeted by US intelligence activities," she added.
European Commissioner for Justice Didier Reynders said he was "quite sure" there would be a fresh legal challenge, but he was confident that the pact met the demands of the court.
"We have a real improvement relative to the Privacy Shield.... It's totally different," he told Reuters in an interview. "Maybe the third attempt will be the good one."
The US Chamber of Commerce and industry groups largely welcomed Biden's order but European consumer rights and privacy campaigners, such as the group Access Now and activist Max Schrems - whose complaint kicked off the legal battle a decade earlier - were unsure of whether the new framework goes far enough.
"At first sight, it seems that the core issues were not solved and it will be back to the CJEU (EU court) sooner or later," Schrems said.
European consumer group BEUC added: "However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be cancelled out by an executive order.
"The moment EU citizens' data travels across the Atlantic, it will not be afforded similar protections as in the EU."
The American Civil Liberties Union described the order as "a step in the right direction" but considered it "lacking" adequate safeguards for Europeans or Americans.
In turn, the European Commission said the framework has "significant improvements" over the original Privacy Shield and it would now work on adopting a final decision on whether to accept it.
It is estimated that it would take about six months to complete a complex approval process.
In September 2022, the European Court of Justice ruled that EU citizens' “traffic and location” data may not be stored except in cases of a “serious threat” to national security, in a move that directly opposed Germany's blanket data retention law.
In July, the EU adopted two long-awaited legislative initiatives that are part of the EU’s wider ambition, announced in 2020, to create a single market for data within the bloc. The Digital Services Act (DSA) and the Digital Markets Act (DMA) are intended to create safer online spaces and bring more competition and transparency to digital markets.
Although the UK is currently covered by the EU’s data protection legislation, in 2022, the government revealed its plans to introduce a new Data Reform Bill, which will differ from the European Union’s General Data Protection Regulation (GDPR) and Data Protection Act, considered “highly complex.”