Biden signs Executive Order for EU-US data transfer deal: privacy and surveillance reforms missing

(BRUSSELS/WASHINGTON DC) — Today, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which paves way for a new EU-US data transfer deal. But this document alone is not sufficient to protect privacy and reform disproportionate US surveillance programmes, leaving the future of the deal in limbo. 

“This Executive Order is a positive yet insufficient step to ensure that any future EU-US data transfer deal effectively protects people’s rights, and doesn’t end up invalidated by the EU’s highest court,” said Estelle Masse, Global Data Protection Lead at Access Now. “Access Now appreciates the work done to bring more clarity on US safeguards, but the measures signed today are not sufficient to guarantee an effective right to remedy and to put limitations to the far-reaching scope of US surveillance.”

Officials in the EU have been expecting this Executive Order to finalise the drafting and ratification process for the future data deal sometime early next year. 

The Court of Justice of the European Union (CJEU) struck down the previous data deals  — the Privacy Shield in 2020 and the EU-US Safe Harbour in 2015 —  because US authorities’ disproportionate data access and surveillance practices violate EU rights to data protection and privacy. The CJEU also found that the US failed to provide people in the EU with an effective remedy. 

The Executive Order importantly outlines new safeguards for US intelligence agencies to take into account the privacy and civil liberties of all people, regardless of their nationality or country of residence. It is unclear however how authorities may interpret and apply this criterion. It also establishes the creation of a “Data Protection Review Court” where special advocates will be able to represent plaintiffs. This is a significant progress compared to the past regime, although this new “court” is not fully independent from the US administration and likely does not allow for cases to be appealed. 

While the new Executive Order purports to fix some of the issues identified by the CJEU and offer better protection for people’s rights, it will not be enough. Certain issues identified by the EU Court including the need for the US to guarantee people access to a fully independent court, would require legislative reforms in the US. Access Now has further long argued that for a data transfer deal to go ahead, a comprehensive reform of US surveillance programmes is necessary — outlining them for negotiators in 2020. 

Beyond the reforms, the US still has a long way to go in guaranteeing the protection of personal data when used by companies, and it’s unusual for the European Union to enter into data transfer deals with countries lacking comprehensive data protection laws. This exceptionalism is to the detriment of people’s privacy rights both in Europe and in the US. 

“The United States must urgently act to reform surveillance, provide privacy and data protection rights in its statutes at the federal level, and give non-US persons a comprehensive right to remedy,” said Willmary Escoto, US Data Protection Lead at Access Now. “The lack of political willingness in the US to protect privacy, in statutes and in practice, is putting people at risk in the US and outside. This is a partial fix to a substantial problem, and while negotiators have made progress, this order may not satisfy all the requirements set by the EU Court.”

Access Now stands ready to work with the US administration and Congress to conduct the necessary reforms, and to advise EU negotiators and regulators on additional steps needed before a safe and sustainable data transfer deal can be concluded.