U.S. Rewrites Digital Privacy Rules for Europeans to Keep Data Flowing

Now the European Commission, the EU’s executive arm, must approve the U.S. move to put the data-flow agreement, dubbed the EU-U. S. data privacy framework, into force—a process that could take roughly six months.

The issue is drawing high-level attention because two previous data agreements were rejected by the EU’s top court, and this new pact is likely to face legal challenges.

“The EU-U. S. data privacy framework will provide a durable and reliable legal foundation and certainty for trans-Atlantic data flows and create greater economic opportunities for companies and citizens on both sides of the Atlantic,” said U.S. Commerce Secretary

Gina Raimondo.

Ms. Raimondo said the executive order would strengthen privacy and civil-liberties protections and would create a mechanism for Europeans to seek redress if they believe they are being unlawfully targeted by U.S. intelligence activities.

She said the order includes a multilayered review process that draws in the civil-liberties protection officer in the office of the Director of National Intelligence. The executive order will also create a new U.S. court, the Data Protection Review Court, for secondary review of cases.

The executive order is important “because it addresses the conditions and safeguards under which U.S. intelligence authorities will be able to access data transfers from the EU,” an EU official said.

The order specifies when intelligence authorities can collect personal data, such as for investigating terrorism and other crimes, and limits how long it can be retained, the official said. Methods of data collection must be proportionate to requirements, the official said, meaning that authorities must also consider less intrusive measures and the consequences that surveillance would have on an individual.

If Europeans suspect their data has been accessed by U.S. intelligence authorities, they can file complaints to national privacy authorities in their home countries. The U.S. civil-liberties protection officer will determine whether their data was accessed, and can order intelligence agencies to delete personal data or correct it if it is incorrect, the EU official said.

If concluded, the deal could resolve one of the thorniest outstanding issues between the two economic giants, which has festered since the EU’s top court in 2020 ruled illegal an earlier deal authorizing trans-Atlantic data flows because it had deemed U.S. safeguards on Europeans’ data to be insufficient—particularly regarding government surveillance.

Hanging in the balance has been the ability of businesses to use U.S.-based data centers to do things such as sell online ads, measure their website traffic or manage company payroll in Europe. Completing a deal is particularly important for big U.S. technology companies, including

Meta Platforms Inc.

META -3.70%

and

Alphabet Inc.,

GOOG -2.28%

which have faced a number of cases in which European privacy regulators—citing the 2020 ruling—are ordering them or their clients to cut off their transfer of data to the U.S.

The most prominent threat is a draft order for Meta’s Facebook to stop sending certain data about its users to servers in the U.S., because it could be caught in surveillance requests. Under the EU’s power-sharing rules, Ireland’s Data Protection Commission in July submitted the draft order to privacy regulators across the bloc, which are discussing potential changes, and it could be officially issued in coming months, according to people familiar with the process. Ireland leads EU privacy enforcement for Facebook because the company’s regional headquarters are in Dublin.

Even if there is no final data deal before Ireland issues its order, Facebook could appeal the order in court, a process that could take months or years to play out, effectively keeping its data flows running. The company has repeatedly warned in securities filings that should it lose the ability to store data in the U.S., it might no longer be able to offer some of its services in Europe.

At the same time, in France and Austria, regulators citing the 2020 EU court decision have also in the past year ordered certain websites to stop using Alphabet’s Google Analytics service because it sends information about users’ internet addresses to the U.S., where the regulators say it could be requested by government agencies. Similar cases are pending in other EU countries.

Meta and Google were among tech companies that on Friday described the U.S. changes as an important step in securing the ability for companies to send data across the Atlantic.

The deal that the Biden administration took a step toward implementing on Friday is the latest effort to resolve more than two decades of squabbling over how to balance trade relations and privacy rules across the Atlantic. Many lawyers and lobbyists—as well as some officials in the EU—have expressed optimism that the new data deal will withstand likely legal challenges in the EU.

U.S. officials are confident the executive order addresses the EU court’s concerns because it creates fundamentally different safeguards compared with the previous arrangement, said Peter Harrell, senior director for international economics and competitiveness at the National Security Council.

The EU official said European negotiators were confident that they could defend the new data agreement against legal challenges.

But Max Schrems, the Austrian lawyer and privacy activist who led lawsuits opposing the previous trans-Atlantic data deals, is already saying he thinks the new deal could be struck down again by the same court, the EU’s Court of Justice.

“At first sight it seems that the core issues were not solved,” Mr. Schrems said Friday, saying the deal “accepts that Europeans are ‘second class’ citizens.”

Write to Sam Schechner at [email protected], Catherine Stupp at [email protected] and Ken Thomas at [email protected]

Now the European Commission, the EU’s executive arm, must approve the U.S. move to put the data-flow agreement, dubbed the EU-U. S. data privacy framework, into force—a process that could take roughly six months.

The issue is drawing high-level attention because two previous data agreements were rejected by the EU’s top court, and this new pact is likely to face legal challenges.

“The EU-U. S. data privacy framework will provide a durable and reliable legal foundation and certainty for trans-Atlantic data flows and create greater economic opportunities for companies and citizens on both sides of the Atlantic,” said U.S. Commerce Secretary

Gina Raimondo.

Ms. Raimondo said the executive order would strengthen privacy and civil-liberties protections and would create a mechanism for Europeans to seek redress if they believe they are being unlawfully targeted by U.S. intelligence activities.

She said the order includes a multilayered review process that draws in the civil-liberties protection officer in the office of the Director of National Intelligence. The executive order will also create a new U.S. court, the Data Protection Review Court, for secondary review of cases.

The executive order is important “because it addresses the conditions and safeguards under which U.S. intelligence authorities will be able to access data transfers from the EU,” an EU official said.

The order specifies when intelligence authorities can collect personal data, such as for investigating terrorism and other crimes, and limits how long it can be retained, the official said. Methods of data collection must be proportionate to requirements, the official said, meaning that authorities must also consider less intrusive measures and the consequences that surveillance would have on an individual.

If Europeans suspect their data has been accessed by U.S. intelligence authorities, they can file complaints to national privacy authorities in their home countries. The U.S. civil-liberties protection officer will determine whether their data was accessed, and can order intelligence agencies to delete personal data or correct it if it is incorrect, the EU official said.

If concluded, the deal could resolve one of the thorniest outstanding issues between the two economic giants, which has festered since the EU’s top court in 2020 ruled illegal an earlier deal authorizing trans-Atlantic data flows because it had deemed U.S. safeguards on Europeans’ data to be insufficient—particularly regarding government surveillance.

Hanging in the balance has been the ability of businesses to use U.S.-based data centers to do things such as sell online ads, measure their website traffic or manage company payroll in Europe. Completing a deal is particularly important for big U.S. technology companies, including

Meta Platforms Inc.

META -3.70%

and

Alphabet Inc.,

GOOG -2.28%

which have faced a number of cases in which European privacy regulators—citing the 2020 ruling—are ordering them or their clients to cut off their transfer of data to the U.S.

The most prominent threat is a draft order for Meta’s Facebook to stop sending certain data about its users to servers in the U.S., because it could be caught in surveillance requests. Under the EU’s power-sharing rules, Ireland’s Data Protection Commission in July submitted the draft order to privacy regulators across the bloc, which are discussing potential changes, and it could be officially issued in coming months, according to people familiar with the process. Ireland leads EU privacy enforcement for Facebook because the company’s regional headquarters are in Dublin.

Even if there is no final data deal before Ireland issues its order, Facebook could appeal the order in court, a process that could take months or years to play out, effectively keeping its data flows running. The company has repeatedly warned in securities filings that should it lose the ability to store data in the U.S., it might no longer be able to offer some of its services in Europe.

At the same time, in France and Austria, regulators citing the 2020 EU court decision have also in the past year ordered certain websites to stop using Alphabet’s Google Analytics service because it sends information about users’ internet addresses to the U.S., where the regulators say it could be requested by government agencies. Similar cases are pending in other EU countries.

Meta and Google were among tech companies that on Friday described the U.S. changes as an important step in securing the ability for companies to send data across the Atlantic.

The deal that the Biden administration took a step toward implementing on Friday is the latest effort to resolve more than two decades of squabbling over how to balance trade relations and privacy rules across the Atlantic. Many lawyers and lobbyists—as well as some officials in the EU—have expressed optimism that the new data deal will withstand likely legal challenges in the EU.

U.S. officials are confident the executive order addresses the EU court’s concerns because it creates fundamentally different safeguards compared with the previous arrangement, said Peter Harrell, senior director for international economics and competitiveness at the National Security Council.

The EU official said European negotiators were confident that they could defend the new data agreement against legal challenges.

But Max Schrems, the Austrian lawyer and privacy activist who led lawsuits opposing the previous trans-Atlantic data deals, is already saying he thinks the new deal could be struck down again by the same court, the EU’s Court of Justice.

“At first sight it seems that the core issues were not solved,” Mr. Schrems said Friday, saying the deal “accepts that Europeans are ‘second class’ citizens.”

Write to Sam Schechner at [email protected], Catherine Stupp at [email protected] and Ken Thomas at [email protected]