Biden executive order on data transfers to offer temporary relief to advertisers
When it comes to data-driven surveillance, the writing is already on the wall.
The Biden administration is set to sign an executive order on transatlantic data transfers next week, Politico reported on Tuesday.
The move could make it easier for US advertisers and publishers whose businesses depend on the use of European consumer data. But the relief is probably temporary; amid growing scrutiny of data-driven surveillance, marketers are sure to face more hurdles down the line.
The highly anticipated Executive Order aims to replace the EU-US Privacy Shield, a legal framework that in 2016 established rules regarding the transfer of personal data between Europe and the United States (following repeal of previously established International Safe Harbor confidentiality principles). In 2020, the Privacy Shield was declared invalid by the European Court of Justice due to concerns about the United States’ use of Europeans’ personal information for surveillance purposes.
The new executive order, which according to reports could be issued as early as Monday, October 3, follows an agreement reached in March between the United States and Europe to revise the Privacy Shield. In particular, the executive order would seek to address concerns about the privacy and security practices of US government agencies handling data from Europeans.
Privacy advocates see this action as a promising sign. “After several months of seemingly stalled progress following the announcement in March of an agreement…on a replacement of the Privacy Shield to allow for cross-border EU-US exchange [data] transfer, news of this anticipated executive order is a welcome sign of continued momentum,” says Arielle Garcia, chief privacy officer at advertising agency UM Worldwide.
While details of the next executive order have yet to be shared, it will likely establish new protections for EU and US citizens designed to limit how US security agencies can use their information, according to Politico reports.
The White House’s priority will be to strike a balance that supports US national security interests while placating European regulators. In particular, the order is likely to more clearly define the limits of what is – in Privacy Shield legalese – “necessary and proportionate” for the use of personal data by US agencies.
“The hope is that this program will streamline requirements related to the global flow of personal data – ideally in a way that enables reasonable contracts while providing appropriate protections for data,” says Kirk Nahara, a leading lawyer specializing in in privacy and the co-chair of the big data practice and the cybersecurity and privacy practice at international law firm WilmerHale.
A long way to go
While a sign of progress, the executive order will only serve as a starting point for a broader collaborative effort between the US and EU. The announcement will kick off a longer process undertaken by the European Commission to make changes to the framework.
“Signing the executive does not mean that we will immediately have a Privacy Shield adequacy decision that would legitimize transfers of personal data from the EU,” says Gabriela Zanfir-Fortuna, Vice President of the global policy at the Future of Privacy Forum, a Washington, DC-based think tank and data privacy advocacy group. “The process is still long and it will take several months for the European Commission to adopt an adequacy decision”, she specifies. Some experts have indicated that a new framework is not expected before March 2023.
Moreover, even after the Privacy Shield is ratified by the European Commission, it could be challenged in court. Some experts predict Biden’s executive order will include lax language designed to continue to allow large-scale surveillance practices — the kinds of practices once rejected by the Court of Justice of the European Union, the judicial arm of the EU. .
“We anticipate that any new program will have to both be approved by the EU and then challenged. [in court] even if it is approved,” says Nahara. At best, he predicts, “we can buy about five years of stability.”
“Uncertainty and chaos” ahead for businesses
For businesses, especially those managing cross-border consumer data, like many advertisers, developers, and publishers, things can get better; but their fate is not set in stone. “We are moving toward a solution, but we still have significant hurdles to overcome before companies have a long-term solution they can rely on,” says Jessica B Lee, Partner and Co-President of Innovations in privacy, security and data at the full-service law firm Loeb & Loeb.
“There will still be uncertainty and chaos” for advertisers, Lee says. In particular, many advertisers are wary of increased scrutiny of data transfer practices in light of the legal challenges Google Analytics has faced in Europe this year regarding cross-border data transfers. This summer, the Italian data protection authority (DPA) sided with the French and Austrian DPAs in banning the popular analytics platform, concluding that the collection and transfer of user data through borders via cookies are illegal. According to this reasoning, there has also been speculation that Meta may be forced to shut down certain services in European jurisdictions.
“Companies that operate globally rely on the ability to transfer data across borders to serve their customers and their business. Recent rulings that have called into question even the use of…analytical tools – even when these tools share truncated IP addresses and apply additional security measures to collected data – have created a serious challenge for companies struggling to find new solutions to these legal challenges. .”
However, companies worried about the Google Analytics crackdown in Europe may feel a slight sigh of relief if the upcoming White House executive order establishes new protections for consumers but provides leeway for international data transfers.
For now, at least, an executive order can bring more clarity to organizations dealing with consumer data. “[It] can immediately provide easier and more streamlined assessments of the level of protection of US law that companies are required to make before transferring personal data under [the European Commission’s] standard contractual clauses or other alternative mechanisms,” says Zanfir-Fortuna of the Future of Privacy Forum.
But the writing is on the wall. It’s not just the European Commission looking at surveillance-driven data practices; they are policy makers and government agencies around the world. Just last month, the U.S. Federal Trade Commission announced it was launching a rule-making process intended to “crack down on commercial surveillance and lax data security practices.” Meanwhile, lawmakers in the EU, India, China, Vietnam and others are seeking to incorporate new data localization requirements — rules that prohibit cross-border transfers of consumer data — into broader privacy legislation.
“Many companies were waiting for a legal solution [to questions about data transfers] through a new Privacy Shield, while trying to find interim solutions that will help them continue to operate while complying with the law,” Lee said. “But this … is happening amid significant changes to the law in the United States, new platform changes and all the developments – the roller coaster of privacy – that we have [witnessed] This year. Businesses should be encouraged, but should be aware that there are still many months of uncertainty ahead. »