Biden Order Brings New Transatlantic Data Pact Ever Closer

Stephanie Bodoni, Bloomberg News

(Bloomberg) -- The European Union and U.S. moved a step closer to securing the privacy of transatlantic data flows as President Joe Biden moved to end years of uncertainty and allow thousands of companies to legally move customer data across the Atlantic.

Biden signed an executive order Friday that’ll create an independent court system in the US for EU citizens who think their data was unlawfully accessed or used by intelligence agencies. Decisions by the the Data Protection Review Court will be binding and force the likes of the CIA to limit data collection to the “pursuit of defined national security objectives,” according to a White House fact sheet.

The EU Court of Justice in 2020 toppled the so-called Privacy Shield over concerns that user data wasn’t safe from prying eyes once on US soil. The ruling meant thousands of businesses that ship commercial data to the U.S. had to figure out an alternative and EU-U.S. negotiators were forced back to the drawing table. The prospect of no accord led Meta Platforms Inc. to say it would may have no choice but to pull its Facebook and Instagram services from the EU.

The order is designed to address concerns about the ability of American spies to access EU data, which led to two previous data transfer accords being struck down by the bloc’s top court. The EU and US have been working on a new deal for months and in March reached a breakthrough with an agreement in principle.

The order gives the European Commission a tool to “restore an important, accessible, and affordable” data transfer mechanism while also providing greater legal certainty for companies shipping data across the Atlantic, the White House said.

For its part, an EU official at a Friday briefing said the new commitments address all of the EU court’s concerns, giving the EU “a solid file that we are ready to defend.”

While EU judges upheld a separate contract-based system to keep transferring data, the doubts they expressed about American data protection made this a shaky alternative too. The Irish Data Protection Commission, the main privacy watchdog in the EU for some of the biggest US tech firms, has maintained it had doubts about the validity of transatlantic data transfers under the so-called standard contractual clauses.

Read more: Meta Repeats Why It May Be Forced to Pull Facebook From EU

Privacy campaigner Max Schrems has been behind two EU court cases that ended up striking down down the bloc’s previous transatlantic data flow decisions. Schrems said on Friday that his privacy group, Noyb, will analyze the package of measures proposed by the US toward a third deal “in detail.”

“At first sight it seems that the core issues were not solved and it will be back” in the EU court “sooner of later,” Schrems said.

Tech companies also weighed in on Friday. Microsoft Corp. said the US “makes meaningful commitments that will help realize the promise of trusted data flows and critical privacy protections for businesses and individuals worldwide.” Nick Clegg, Meta’s president for global affairs, tweeted that the “update to US law will help preserve the open internet.”

(Updates with responses in the last three paragraphs)