ADCG’s Update on the EU/US Data Transfer Framework

ADCG reported that on October 7, President Joe Biden signed an executive order to support a data transfer agreement between the European Union (EU) and United States (US).

On October 24, the Congressional Research Service (CRS) released a report titled The EU-U.S. Data Privacy Framework: Background, Implementation, and Next Steps. The report “explains the circumstances leading to the development of the Data Privacy Framework, US steps to implement the framework, and issues of possible interest to Congress.”

Predominant amongst these issues is the Privacy Shield Program—a now-defunct collaborative effort between the EU and US to allow data transfers. Though it was determined to be “adequate to enable data transfers under EU law,” in 2016, Privacy Shield didn’t hold up to new standards created under the EU’s GDPR in 2018, and was declared invalid in 2020 by the Court of Justice of the European Union (CJEU).

The CJEU’s 2020 determination “relied primarily on the extent of US surveillance of individuals located outside the United States under Section 702 of the Foreign Intelligence Surveillance Act (FISA), enacted in 2008, and Executive Order 12333, signed by President Reagan in 1981.” According to the CJEU, the Privacy Shield Program did not “lay down clear and precise rules” that “impos[e] minimum safeguards” to protect consumers’ personal data. As such, when U.S. personal data surveillance is utilized on EU individuals they are without “adequate administrative or judicial remedy for unlawful use of their data.”

The congressional report notes that CJEU’s concerns may persist under the new framework, and states the creation of the Data Protection Review Court under the new framework is a “necessary step,” but that “several steps remain before commercial entities may rely on the Framework.”

One of these steps requires deciding “what exact obligations will govern commercial entities[]” since this framework will not only permit data exchange by U.S. intelligence operations—like the Privacy Shield Program—but will also authorize private commercial participants to engage in these transfers. 

Other congressional interests include the authorization of US participation in the framework out of concern for the “importance of transatlantic data flows to US-EU trade and economic relations.” Executive orders can be revoked, and congress may need to codify the agreement through legislation.

Max Schrems, the Austrian privacy activist who has been at the forefront of the invalidation of both privacy shield proposals, has penned an article decrying the contents of the Framework as “unlikely to satisfy EU law.”  

Schrems writes: “It is amazing that the EU and the US actually agree that wiretapping needs probable cause and judicial approval. However, the US takes the view that foreigners don’t have privacy rights. I doubt that the US has a future as the cloud provider of the world, if non-US persons have no rights under their laws. It is contradictory to me that the European Commission is working on a deal that accepts that Europeans are ‘second class’ citizens and don’t deserve the same privacy rights as US citizens.”

* * * * * * *

To read our news alerts discussing: Global Regulators Come to Agreement on Facial Recognition; FTC Sets Sights on Ed Tech Industry; A New Form of Cryptography Could Enhance Privacy; and CIPL Publishes White Paper on Children’s Privacy New York to Pass Law, click here.

This week’s breach report covers breaches of the following companies: Twilio, U.S. Bank, Michigan Medicine, Microsoft and Vivendi. Click here to find out more

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

79 | Understanding 5G Cybersecurity Issues (with guest Carlos Solari)

78 | The Nexus Between Privacy, Cybersecurity & National Security (with guest, Corey Simpson)

77 | Privacy & Cybersecurity Whistleblowers: A New Trend? (with guest, Andrew Grosso)