Biden’s Privacy Order Slaps a Band-Aid on the EU-US Data Crisis


The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.” This was the reassurance that US President Joe Biden offered concerned citizens across the Atlantic today by signing an executive order designed to restart the easy flow of data between Europe and the US.

For years, companies have been shuttling customer information between the two regions. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House said

today. But two years ago, the EU Court of Justice in Luxembourg ruled that Europeans’ data sent to the US risked being snooped on by intelligence agencies, such as the US National Security Agency. As a result, the agreement that allowed companies to easily transfer data between the US and Europe was ripped up. Businesses instead had to make do with a costly and complex temporary replacement.

Biden’s executive order brings a new EU-US data privacy agreement one step closer and aims to restore trust among Europeans’ concerned by US government surveillance. The order creates a new body within the US Department of Justice that will oversee how US national security agencies access both Europeans’ and Americans’ data. But privacy campaigners say the order simply copies the wording of European law (adding in terms like proportionate and necessary) without making any real changes. “We do not see a ban on bulk surveillance and no actual limitations,” says Max Schrems, the Austrian privacy activist whose legal complaint against Facebook eventually dismantled the transatlantic data pact back in 2020.

Before then, around 5,000 businesses had been sending data back and forth across the Atlantic under a system called Privacy Shield. “The pre-Schrems system worked,” says Morgan Reed, president of the App Association, which represents small- and medium-size companies, mostly app developers. But the EU court ruling made the Privacy Shield system suddenly invalid, plunging thousands of companies into legal limbo.

Although the court decision did not stop transfers, it made them more complicated. “What the Schrems decision did was raise costs and concern for a lot of small companies that don’t have giant compliance departments’ and fleets’ worth of lawyers to do what are called standard contractual clauses,” says Reed. Standard contractual clauses are time-consuming data transfer agreements that force companies to take steps

to assess whether they are safely moving data around the world. 

Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual. The executive order is the next step in the US and EU reaching a new privacy agreement. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” says Matt Schruers, president of the Computer and Communications Industry Association (CCIA), a lobbying group that represents tech giants including Google, Amazon, and Apple.

At Workday, a California-based HR software provider with more than 2,000 customers headquartered in Europe, the mood is optimistic. Chandler Morse, vice president of corporate affairs, believes this is evidence that the US and EU can reach an agreement on more than just the privacy shield problem. “There’s a number of other tech issues that are pending in the EU-US bilateral, so for many of us this is a positive sign that the EU and the US can work together,” he says, adding that the EU AI Act and Data Act could also be beneficiaries of this new cooperation.

Yet privacy campaigners are not impressed—either by greater collaboration or Biden’s offer of a so-called Data Protection Review Court, which will allow EU citizens to challenge how US security agencies use their data.