U.S Intelligence Agencies Will Be Limited to Access People’s Personal Data in EU

According to an executive order that President Joe Biden signed on 7 October, intelligence agencies will be limited in accessing people’s personal data.

This action is a part of the data-sharing agreement reached by US president Joe Biden and European Commission President Ursula von der Leyden, in March.

In 2020, the EU abolished transatlantic data flow. As a result, thousands of small and medium-sized businesses were unable to send personal data across the Atlantic.

Meanwhile, the constant conflict between major US technology companies and EU regulators has resulted in some extreme claims.

How the New Framework Works

• U.S intelligence agencies will only collect information for clearly defined national security purposes
• U.S intelligence agencies should revise their policies and processes to take into account the new rules for data transfer.
• Allow Europeans to file cases via a "special advocate" to contest how their data is being used by U.S. agencies in the Data Protection Review Court, an independent court housed within the Department of Justice.
• Authorize the Office of the Director of National Intelligence's civil liberties protection officials to inspect privacy rights violations and complaints. (noyb.eu)

Why Data Transfer Framework Is Unlikely to Satisfy EU Law

Biden's decree contains certain terms that are displeasing privacy experts, such as Max Schrems, an Austrian privacy lawyer who advocated for the repeal of the previous Privacy Shield.

For instance, the procedure will now be divided into two steps, with the first being an officer reporting to the Director of National Intelligence and the second being a "Data Protection Review Court." 

However, this will not be a "Court" in the traditional legal sense of Article 47 of the Charter or the US Constitution, but rather a body within the executive branch of the US government. 

The new system is an improved version of the previous "Ombudsperson" system, which the CJEU already rejected. This executive body does not appear to provide "judicial redress," as required by the EU Charter.

Schrems said that “We have to study the proposal in detail, but at first glance, it is clear that this ‘court’ is simply not a court. The Charter has a clear requirement for ‘judicial redress’ – just renaming some complaints body a ‘court’ does not make it an actual court. The details of the procedure will also be relevant to see if this can satisfy EU law”.

The decree will then be sent to the European Commission in Brussels, where it will be reviewed by EU privacy agencies and politicians. This could take another six months, with the final agreement expected to be published in the spring.