Biden’s executive order on data transfers to offer temporary relief for advertisers
New rules on EU-US data transfers may alleviate some concerns for advertisers. But amid growing scrutiny of both commercial- and surveillance-related uses of consumer data, the writing is already on the wall.
Even if EU-US data transfers remain legal, emergent challenges to data-based surveillance abound / Chris Yang
The Biden administration is poised to sign an executive order on transatlantic data transfers next week, per reporting by Politico Tuesday.
The move may make it easier for US advertisers and publishers whose businesses rely on the use of European consumer data. But the relief is likely temporary; amid growing scrutiny of data-based surveillance, marketers are sure to face more hurdles down the line.
The highly anticipated executive order aims to replace the EU-US Privacy Shield, a legal framework that in 2016 established rules around transferring personal data between Europe and the US (following the repeal of the previously established International Safe Harbor Privacy Principles). In 2020, Privacy Shield was declared invalid by the European Court of Justice over concerns about the US’s use of Europeans’ personal information for surveillance purposes.
The new executive order, which, per reports, could be published as soon as Monday, October 3, follows an agreement made in March between the US and Europe to overhaul Privacy Shield. In particular, the executive order would seek to remedy concerns about the privacy and security practices of US government agencies handling Europeans’ data.
Privacy advocates see the action as a promising sign. “After several months of seemingly stymied progress following the March announcement of an agreement … on a Privacy Shield replacement to enable EU-US cross-border [data] transfer, news of this anticipated executive order is a welcome sign of sustained momentum,” says Arielle Garcia, chief privacy officer at ad agency UM Worldwide.
Although the specifics of the forthcoming executive order have yet to be shared, it will likely lay out new protections for both EU and US citizens designed to limit how US security agencies can use their information, per Politico reporting.
The priority for the White House will be striking a balance that supports the US’s national security interests while appeasing European regulators. In particular, the order is likely to more clearly define the bounds of what is – in Privacy Shield legalese – “necessary and proportionate” for US agencies’ use of personal data.
“The hope is that this program will streamline the requirements related to the global flow of personal data – ideally in a way that permits reasonable contracting while still providing appropriate protections for the data,” says Kirk Nahra, a leading privacy attorney and the co-chair of both the big data practice and the cybersecurity and privacy practice at international law firm WilmerHale.
A long path ahead
While a sign of progress, the executive order will serve only as a starting point in a broader collaborative effort between the US and the EU. The announcement will begin a longer process undertaken by the European Commission to make changes to the framework.
“Signing the executive doesn't mean that we will immediately have an adequacy decision for the Privacy Shield that would legitimize transfers of personal data from the EU,” says Dr Gabriela Zanfir-Fortuna, vice-president of global policy at Future of Privacy Forum, a Washington, DC-based think tank and data privacy advocacy group. “The process is still long and it will require several months for the European Commission to adopt an adequacy decision,” she says. Some experts have indicated that a new framework is not expected until March of 2023.
Plus, even after Privacy Shield is ratified by the European Commission, it could be challenged in court. Some experts anticipate that Biden’s executive order will include lax language designed to continue allowing mass-scale surveillance practices – the kinds of practices formerly rejected by the Court of Justice of the European Union, the EU’s judicial branch.
“We expect that any new program will both need to be approved by the EU and then will be challenged [in court] even if approved,” says Nahara. At best, he predicts, “we may buy about five years of stability.”
'Uncertainty and chaos' to come for businesses
For businesses – especially those that handle cross-border consumer data, like many advertisers, developers and publishers – things may be looking up; but their fate is not set in stone. “We are moving towards a solution, but we still have some significant hurdles to clear before companies have a long-term solution that they can rely on,” says Jessica B Lee, partner and co-chair of privacy, security and data innovations at multi-service law firm Loeb & Loeb.
“There will still be some uncertainty and chaos” ahead for advertisers, says Lee. In particular, many advertisers are wary of increasing scrutiny on data transfer practices in light of the legal challenges that Google Analytics has faced in Europe over cross-border data transfers this year. This summer, the Italian data protection authority (DPA) sided with the French and Austrian DPAs to ban the popular analytics platform, concluding that collecting and transferring user data across borders via cookies is illegal. Under this line of reasoning, there has also been speculation that Meta may be forced to shutter some services in European jurisdictions.
“Companies that operate at a global scale rely on the ability to transfer data across borders in order to serve their customers and their business. Recent decisions that have challenged even the use of … analytics tools – even when those tools are sharing truncated IP addresses and applying additional security measures to the data collected – have created a serious challenge for companies who are scrambling to find new solutions for these legal challenges.”
However, businesses worried about the crackdown on Google Analytics in Europe may enjoy a minor sigh of relief if the White House’s forthcoming executive order establishes new protections for consumers but offers wiggle room for international data transfers.
For now, at least, an executive order may bring greater clarity for organizations dealing in consumer data. “[It] may immediately bring easier and more streamlined assessments of the level of protection of US law that companies are required to do before transferring personal data under [the European Commission’s] standard contractual clauses or other alternative mechanisms,” says Future of Privacy Forum’s Zanfir-Fortuna.
But the writing is on the wall. It’s not just the European Commission scrutinizing surveillance-oriented data practices; it’s policymakers and government agencies the world over. Just last month, the US Federal Trade Commission announced that it’s kickstarting a rulemaking process intended to “crack down on commercial surveillance and lax data security practices.” Meanwhile, lawmakers from the EU, India, China, Vietnam and more are seeking to bake new data localization requirements – rules that forbid cross-border consumer data transfers – into broader privacy legislation.
“Many companies have been waiting for a legal solution [to questions about data transfers] via a new Privacy Shield, while trying to find interim solutions that will help them continue business while complying with the law,” says Lee. “But this … is happening in the middle of significant changes to the law in the US, new platform changes and all of the developments – the privacy rollercoaster – we have [witnessed] this year. Companies should be encouraged, but should be aware that there are still many months of uncertainty ahead.”