The new framework is designed to help US companies comply with Europe’s GDPR regime.

US President Joe Biden signed an executive order on Friday that would limit the ability of American national security agencies to access people’s personal information, POLITICO reported. The order will form the cornerstone of a transatlantic data-sharing agreement with the European Union.

The decree follows lengthy negotiations between the United States and the EU after the bloc’s highest court ruled in 2020 that Washington did not sufficiently protect Europe’s data when it was transferred across the Atlantic. The judges’ concerns focused on how US surveillance programs did not have proper measures to address how the government collected the data of European citizens.

Biden’s order will create a new body within the US Department of Justice that will oversee how American national security agencies are able to access and use information from both European and US citizens. It will also give new powers to the civil liberties protection officials within the US Office of the Director of National Intelligence, a body that oversees agencies’ work, to investigate possible breaches of people’s privacy rights.

When it’s established, the so-called Data Protection Review Court within the Department of Justice will allow people to file lawsuits via a so-called ‘special advocate’ to challenge how their data is used by these agencies.

Forcing fundamental changes to US security policies

The new policy could impose a potentially significant limit on how the likes of the National Security Agency operate, according to POLITICO.

Biden’s executive order will require US intelligence agencies to only collect data for specific, defined national security purposes, and in a necessary and proportionate manner. US intelligence agencies are required to update their policies and procedures to align with the order’s guidelines. 

The executive order is the next step in the creation of a new transatlantic data-sharing agreement that is needed for thousands of companies — from Google to General Electric — to move data between two of the world’s most important economies.

The decree will now be sent to Brussels where the European Commission is expected to transpose the text into its own rules. That process is expected to take around six months and will lead to a final pact being published in roughly March 2023.