The EU-US Privacy shield has been invalid since 2020, when the European Court of Justice invalidated it in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), a follow-up decision to a 2015 ruling in the first case filed by Schrems against Facebook which found the Safe Harbour Privacy Principles did not offer sufficient protections for the personal data of EU citizens because of American surveillance programs.

President Biden issued an Executive Order in October 2022 approving the Trans-Atlantic Data Privacy Framework.  The DPF has not yet been approved by the European Commission, the executive body of the EU.

The DPF will require American intelligence agencies to update their regulations to comply with new safeguards for protecting data privacy.  A Civil Liberties Protection Officer in the Office of the Director of National Intelligence would conduct investigations into complaints about violations of data privacy.  The Attorney General would create a Data Protection Review Court to independently review the Civil Liberties Protection Officer’s holdings.  A Privacy and Civil Liberties Oversight Board would also conduct an annual review to ensure intelligence agencies comply with the order to update their policies.

The Civil Liberties Committee of the European Parliament issued this press release this April faulting the Executive Order for not going far enough to safeguard personal data.  The MEPs noted the decisions of the Data Protection Review Court wouldn’t be publicly disclosed and could be overturned by the President.  They question whether or not the DPF would be held up in an EU court.   A resolution passed by the Committee recommending that the European Commission not approve the DPF got 37 votes in favor, 0 against, and 21 abstentions.  The European Commission can approve the DPF without the consent of the EU Parliament.