Executive Order on U.S.-EU Data Deal (Free Preview)

Executive Order on U.S.-EU Data Deal (Free Preview)
Photo by Pawel Czerwinski on Unsplash


The U.S. government has issued a directive upon which the EU will  use to justify the free flow of the personal data of its citizens and residents across the Atlantic even though the EU’s top court may find the U.S. measures insufficient under EU law.


In the last 15 years, political agreement on data flows between the United States (U.S.) and European Union (EU) has been relatively easy to reach. The EU’s courts, however, have taken a different view with the Court of Justice for the European Union (CJEU) having twice struck down the European Commission’s finding that the U.S.’ laws offered essentially equivalent data protection rights to EU persons. In response to the latest decision, the U.S. and EU have adopted an approach crafted by a trio of law professors on how the Biden Administration can provide equivalent rights without legislation. It seems doubtful the CJEU will bless this arrangement when a challenge reaches the court.


Data flows between the EU and U.S. have been valued at more than $250 billion annually, and the U.S. government has claimed that “U.S. goods and services trade with the EU 27 totaled an estimated $1.1 trillion in 2019.” So, if these statistics are close to accurate, data flows make up a significant portion of trade between two of the largest economies in the world. However, data flows have been impeded over the last ten years. In 2015, the CJEU struck down Safe Harbor, the first U.S.-EU data flows agreement, and in 2020, the same court struck down the successor arrangement, Privacy Shield, on many of the same grounds. In the latter decision the CJEU voiced its doubts about whether U.S. law provided the protection and redress available to EU persons in light of the U.S.’ signals intelligence activities, most of which are beyond the ability of U.S. persons to challenge.

Under Article 45 of the General Data Protection Regulation (GDPR), the personal data of EU citizens and residents can only be freely transferred to other nations if they provide an adequate level of protection as the GDPR and other EU law. At present, the EU has adequacy decisions with respect to 14 nations. Without an adequacy decision, EU data controllers need to use supplemental measures like standard contractual clauses (SCC) to achieve the necessary level of protection needed in order to transfer personal data for processing or onward transfer. In a perfect world, the EU would give the U.S. an adequacy decision the CJEU would accept that would permit personal information to be transferred and processed in the U.S. Another possibility for an adequacy decision is based on the U.S. changing its laws to permit EU persons to have meaningful redress in order to have equivalent rights to what they have in the EU. However, the elephant in the room, as always, is that the U.S. conducts significant surveillance that implicates the personal information of many non-Americans and does not permit people the same judicial redress that people in the EU enjoy.

Now comes the U.S. and EU in trying for the third time to implement a data flows framework that will withstand EU judicial scrutiny. After more than a year negotiating, the U.S. and EU reached a deal based on a proposal put forward by three data privacy experts based on their reading of EU and U.S. law. At a March 2022 joint press conference, U.S. President Joe Biden claimed:

§  This new agreement will enhance the Privacy Shield Framework; promote growth and innovation in Europe and the United States; and help companies, both small and large, compete in the digital economy.

§  Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative, new approaches to knit our economies and our people closer together, grounded on shared values.

§  This framework underscores our shared commitment to privacy, to data protection, and to the rule of law. And it’s going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.

EU President Ursula von der Leyen contended:

§  And we also need to continue adapting our own democracies to a changing world.  This is particularly true when it comes to digitalization, in which the protection of personal data and privacy has become so crucial.

§  And therefore, I’m very pleased that we have found an agreement in principle on a new framework for transatlantic data flows.  This will enable predictable and trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties.

§  And I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past month to finish a balanced and effective solution.  This is another step in our — strengthening our partnership.  We managed to balance security and the right to privacy and data protection.

The White House and the European Commission (EC) issued fact sheets with differing levels of detail on the agreement in principle (here and here) (see here for more detail and analysis of the Trans-Atlantic Data Privacy Framework.)

In order to execute the U.S.’ obligations under the Trans-Atlantic Data Privacy Framework, President Joe Biden signed an “Executive Order (EO) On Enhancing Safeguards For United States Signals Intelligence Activities” that purports to address the lack of redress EU citizens have regarding U.S. surveillance. This executive order implements the agreement in principle the U.S. and EU reached in late March and lays out the steps the administration will take to address successive rulings by the CJEU striking down previous data flows deals.

From the onset, the CJEU and critics of the EO will state the obvious. The U.S. efforts to conform to EU law can be easily rescinded by a future President, for unlike regulations promulgated under the Administrative Procedures Act, Presidential directives are not subject to the procedural requirements mandated for undoing regulations. A short Presidential directive wipes away previous directives. Hence, those in the EU may view the Biden Administration’s actions skeptically.

Subscribe to read the rest.

Other Developments

The United States (U.S.) Department of Commerce’s Bureau of Industry and Security (BIS) implemented “a series of targeted updates to its export controls as part of BIS’s ongoing efforts to protect U.S. national security and foreign policy interests” that will “will restrict the People’s Republic of China’s (PRC’s) ability to both purchase and manufacture certain high-end chips used in military applications and build on prior policies, company-specific actions, and less public regulatory, legal, and enforcement actions taken by BIS.”

The White House’s Office of Science and Technology Policy published a “Blueprint for an AI Bill of Rights”  that “identified five principles that should guide the design, use, and deployment of automated systems to protect the American public in the age of artificial intelligence.”

The European Data Protection Supervisor published his opinion and welcomed “the opening of negotiations for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law (Convention).” The EDPS voiced his view that the “Convention as an important opportunity to complement the European Commission’s proposed Artificial Intelligence Act by strengthening the protection of individuals’ fundamental rights, such as the rights to privacy and to the protection of personal data.”

The British government submitted its response to the House of Commons’ Digital, Culture, Media and Sport Committee’s report “Influencer Culture: Lights, camera, inaction?”

United States Speaker of the House Nancy Pelosi (D-CA) and House Energy and Commerce Committee Chair Frank Pallone, Jr. (D-NJ) wrote to Federal Communications Commission (FCC) Chair Jessica Rosenworcel, “expressing serious concerns about the proposed acquisition of TEGNA, a broadcast news company that manages 64 stations across 51 domestic markets.”

The European Data Protection Board (EDPB) published for consultation “Guidelines 9/2022 on personal data breach notification under GDPR” and issued a “Statement 04/2022 on the design choices for a digital euro from the privacy and data protection perspective” and “EDPB Letter to the EU Commission on procedural aspects that could be harmonised at EU level.”

The United States (U.S.) Federal Trade Commission (FTC) “issued its latest report to Congress on protecting older adults, which highlights key trends based on fraud reports by older adults, and the FTC’s efforts to combat the problem through law enforcement actions, rulemaking, and outreach and education programs” per its press statement.

New York Attorney General Letitia James and Governor Kathy Hochul  “released a report on the role of online platforms in the tragic Buffalo mass shooting where 10 Black individuals were killed and three others were injured at the Tops grocery store.”

The European Council announced agreement with European Union Member States on measures “to strengthen the security of information and communication technologies (ICT) supply chains.”

Australia’s Office of the Information Commissioner “commenced an investigation into the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (the Optus companies) in regard to the data breach made public by Optus on Thursday, 22 September 2022.”

The United States (U.S.) Federal Energy Regulatory Commission (FERC) issued a notice of proposed rulemaking “to revise its regulations to provide incentive-based rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities for the purpose of benefitting consumers by encouraging investments by utilities in advanced cybersecurity technology and participation by utilities in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act of 2021 (Infrastructure and Jobs Act).”

The United States (U.S.) Justice Department’s Antitrust Division Assistant Attorney General Jonathan Kanter, Federal Trade Commission Chair (FTC) Lina Khan and Executive Vice President Margrethe Vestager of the European Commission met “in Brussels for the second meeting of the U.S.-EU Joint Technology Competition Policy Dialogue (TCPD).”

The United States (U.S.) Government Accountability Office (GAO) published the following reports: “Ransomware: Federal Agencies Provide Useful Assistance but Can Improve Collaboration;” “Technology Business Management: OMB and GSA Need to Strengthen Efforts to Lead Federal Adoption;” “Artificial Intelligence in Health Care: Benefits and Challenges of Machine Learning Technologies for Medical Diagnostics;”  “Cybersecurity Workforce: Actions Needed to Improve Cybercorps Scholarship for Service Program;” “Federal Research: Information on Funding for U.S.-China Research Collaboration and Other International Activities;” and “Cloud Computing: Federal Agencies Face Four Challenges.”

The California Privacy Protection Agency issued revised draft regulations to implement the “California Privacy Rights Act” along with explanatory materials.

United States (U.S.) Senator Ron Wyden (D-OR) “revealed new details about how U.S. Customs and Border Protection violates Americans’ rights during warrantless searches of phones and other electronic devices, and called for immediate reforms.”

The United States (U.S.) Cyberspace Solarium Commission 2.0 (CSC) published  an assessment that “reviews the implementation of CSC recommendations over the past year and identifies areas for future action.”

United States (U.S.) Federal Trade Commission Chair Lina Khan announced “the appointment of two new senior agency leaders: Chief Technology Officer Stephanie Nguyen and Public Affairs Director Douglas Farrar.”

Tweet of the Day

Further Reading

Indian outlet on defensive after its explosive claims of Meta political censorship” By Gerry Shih, Niha Masih, Joseph Menn and Naomi Nix — Washington Post

Musk’s SpaceX says it can no longer pay for critical satellite services in Ukraine, asks Pentagon to pick up the tab” By Alex Marquardt — CNN

Elon Musk Foments More Geopolitical Controversy With Ukraine Internet Dispute” By Cade Metz, Cassandra Vinograd and Helene Cooper — New York Times

How TikTok ate the internet” By Drew Harwell  — Washington Post

YouTube loves recommending conservative vids regardless of your beliefs” By Katyanna Quach — The Register

Buffalo massacre report seeks to punish broadcasters of homicide live streams” By Cat Zakrzewski and Drew Harwell — Washington Post

Targeting two Americas” By Lachlan Markay — Axios

Privacy Advocates Say NYC’s Fix for the ‘Digital Divide’ Is a Hyper-Surveillance Mess” by Karl Bode — Vice

How Social Media Amplifies Misinformation More Than Information” By Steven Lee Myers — New York Times

5G Cell Service Can Coexist With Planes, US Study Suggests” By Alan Levin and  Todd Shields — Bloomberg

5th Circuit blocks Texas social media law as parties turn to SCOTUS” By Rebecca Kern — Politico

Federal Officials Trade Stock in Companies Their Agencies Oversee” By Rebecca Ballhaus, Brody Mullins, Chad Day, John West, Joe Palazzolo and James V. Grimaldi — Wall Street Journal

How cell carriers prepared for and responded to Hurricane Ian” By Mitchell Clark — The Verge

Coming Events

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media” with this agenda.

§ 20 October

o   The European Parliament’s special committee on Pegasus spyware will hold a hearing titled “The impact of Spyware on Fundamental Rights.”

o   The United States (U.S.) Federal Trade Commission (FTC) will hold an open meeting with this agenda.

§ 26 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 27 October

o   The United States (U.S.) Information Security and Privacy Advisory Board (ISPAB) will hold a meeting.

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.

Photo Credits

Photo by Pawel Czerwinski on Unsplash

Photo by Pawel Czerwinski on Unsplash

Photo by Pawel Czerwinski on Unsplash

Photo by Pawel Czerwinski on Unsplash

Photo by vackground.com on Unsplash

Photo by vackground.com on Unsplash

Photo by Michael Dziedzic on Unsplash