Biden Executive Order Says We'll Be More Careful When We Use European Data for Spy Stuff

The White House laid out guidelines for data intelligence activities to comply with European privacy law. Experts are skeptical it goes far enough.

We may earn a commission from links on this page.
Joe Biden standing in front of American and European Union flags
Photo: Alexandros Michailidis / (Shutterstock)

President Biden signed an executive order placing new restrictions on how U.S. intelligence agencies harness data as it flows between the U.S. and the E.U., the White House announced Friday. The order creates a new framework to comply with European privacy rules.

GDPR, Europe’s sweeping privacy law, lays out guidelines for how data is handled as it’s transferred in and out of the E.U. The American government’s original proposal for dealing with these regulations was struck down by E.U. courts because it didn’t do enough to stop the U.S. from using data to spy on Europeans. Friday’s executive order commits to a number of safeguards in a bid to appease regulators’ concerns about American surveillance.


Essentially, the Biden administration says the government will be more careful when it does its spying, only intercepting data when it’s really, really necessary. The executive order focuses on “signals intelligence,” a publication-relations-friendly name for the ways that agencies like the CIA slurp up digital information.

U.S. signals intelligence activities will only be conducted “in pursuit of defined national security objectives,” and those activities will be limited in their scope, according to a White House fact sheet about the order released Friday.


It’s unclear whether the executive order goes far enough for privacy advocates. “Questions remain about the breadth of permissible surveillance,” said Greg Nojeim, director of the Security and Surveillance Project at the Center for Democracy & Technology, in an email to Gizmodo.

The executive order creates a mechanism for people covered by E.U. privacy laws to seek redress if they think their data was collected unlawfully. The new framework, which is being referred to as Privacy Shield 2.0, creates an independent Data Protection Review Court made up of people from outside the U.S. government that Europeans can appeal to.


It remains to be seen whether the new Data Protection Review Court will provide meaningful remedies in the event of unlawful or improper surveillance, Nojeim said.

The executive order could be a boon to companies that conduct international business. Byzantine laws like the GDPR lay out significant protections for consumers and thus complicate compliance, especially when businesses have to deal with competing international regulations. Privacy Shield 2.0 helps lay out a framework for companies to ensure they’re complying with the law.


Before the new privacy framework goes into effect, the Biden administration’s proposal has to go through an approval process where European regulators determine whether it provides adequate protections. That process is expect to take about six months, according to the International Association of Privacy Professionals. It may also face legal challenges in the states, as often occurs with executive orders.