President Biden Signs Executive Order Creating New Safeguards for U.S. Surveillance Programs
October 7, 2022
Today, President Biden signed an Executive Order (EO) that imposes new limitations on U.S. surveillance programs and creates a new redress mechanism for EU residents. Though the EO takes substantial steps to address the problems that ultimately led to Privacy Shield being invalidated, the EO is unlikely to satisfy the Court of Justice of the European Union’s (CJEU) standards for privacy protections. The EO, which outlines the steps the U.S. government will take to implement the new EU-U.S. Data Privacy Framework (EU-U.S. DPF), places new requirements on the collection and handling of personal information by U.S. intelligence agencies, regardless of the nationality of the data subject. The EO also creates a new redress mechanism for qualifying individuals claiming their personal information was unlawfully collected under these programs. This mechanism—which replaces the former Privacy Shield Ombudsperson mechanism invalidated by the CJEU in Schrems II—includes an initial investigation and determination by the Civil Liberties Protection Officer at the Office of the Director of National Intelligence (ODNI), followed by the opportunity for review by a new Data Protection Review Court within the Department of Justice (DOJ).
However, it remains to be seen whether the new EU-U.S. DPF will survive a future challenge at the CJEU. While the EO does provide some privacy safeguards, it does not fully bar the use of bulk collection programs by U.S. intelligence agencies. Further, the complexity of the new redress mechanism—and the lack of any notice provisions—will likely raise concerns among Europeans that it is not a meaningfully accessible way to exercise their rights. Finally, because the EO’s protections are not legislative in nature, they likely lack the stability to withstand future challenges at the CJEU.
“The Administration’s new Executive Order is a meaningful improvement over the prior privacy framework which has operated to the exclusion of non-U.S. persons, but these new safeguards and redress mechanism are unlikely to persuade the CJEU that U.S. law adequately protects privacy,” EPIC Executive Director Alan Butler said. “The new Data Protection Review Court is a step in the right direction, but the Administration must ensure that existing barriers to redress—such as notice, excessive secrecy, and undue deference to national security authorities—do not continue to stymie independent, meaningful efforts to vindicate privacy rights.”
EPIC has supported calls for enhanced privacy protections prior to establishing a new data transfer framework. EPIC also participated as an amicus curiae in the Schrems II case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.