New Executive Order on Signals Intelligence: A Meaningful—but Insufficient—Step Forward

On October 7, President Biden signed an Executive Order which imposes new limitations on U.S. surveillance programs and creates a new redress mechanism for data subjects abroad.[1] This Executive Order is intended to replace the now-defunct Privacy Shield program but is unlikely to satisfy the European Union (EU) legal standards for privacy protections. In particular, the Executive Order has two major weaknesses which will likely form the basis of future challenges under EU law:

  • The Executive Order still permits bulk collection of personal data under many circumstances, and its purpose limitations are quite broad and subject to revision by the President, raising concerns that they may not effectively restrain misuse of personal data.
  • The new redress mechanism, while an improvement over prior frameworks, may not be independent and effective enough for individuals to meaningfully exercise their privacy rights.

More fundamentally, because the new framework is based on an Executive Order and not legislation, it is at risk of dilution—or even dissolution—with each new administration, leading to serious doubts about its stability. A new adequacy determination and a possible Schrems III decision by the Court of Justice of the European Union (CJEU) are a long way off. However, with Section 702’s reauthorization deadline approaching at the end of 2023, the weaknesses of the Executive Order underscore the need for Congress to step in to properly protect privacy rights against government mass surveillance.

I. The United States must ensure adequate protection to enable trans-Atlantic data flows.

The new Executive Order and accompanying DOJ regulations are the latest effort to resolve a protracted conflict between EU and U.S. data protection standards and establish a legal framework for trans-Atlantic data flows. Under the EU Charter of Fundamental Rights, any law enabling the processing of EU citizens’ data rights must be necessary in a democratic society and proportionate to a legitimate objective.[2] EU law also stipulates that processing of personal data should not interfere with the “essence” of the fundamental right to privacy.[3] The EU Charter further provides that anyone whose data rights have been violated must have access to a “fair public hearing within a reasonable time by an independent and impartial tribunal.”[4] EU law only permits transfers of personal data to third countries if they provide an adequate level of data protection, meaning a level that is “essentially equivalent” to those rights guaranteed to EU citizens within the EU.[5]

Adequacy has been a sticking point for EU-U.S. data transfers due to U.S. intelligence agencies’ bulk data collection programs. As opposed to targeted data collection, bulk collection occurs where personal data is collected without being associated with a current target of surveillance or without the use of discriminants (specific limiting criteria such as identifiers or selection terms). Bulk collection programs have long been a concern for European authorities and the CJEU has repeatedly found that the use of bulk collection is almost never justified under the necessary and proportionate standard because it interferes with the “essence” of…
