US, EU Tentatively Agree on Trans-Atlantic Data Privacy Framework

On March 25, 2022, the United States and the European Union tentatively agreed to a framework for the protection of the privacy of EU residents, intended to serve as a workaround for the EU court’s Schrems II decision, which determined that the previous Privacy Shield agreement between the EU and the U.S. was insufficient to protect the inherent privacy rights of EU residents, particularly with respect to activities of the U.S. intelligence community. The White House’s press release announcing the agreement is short on details and delegates to the U.S. Commerce Department the role of working out the details of the new privacy framework. In particular, there is an agreement, in principle, that the U.S. government will limit signals intelligence (SIGINT) and data collection activities, which were at least one of the causes of the EU Court of Justice’s decision to essentially cut off the cross-border flow of personally identifiable information (PII).

A Bit of History

The U.S. and Europe do a lot of things differently. Europe has more history, quainter cities and better trains. We have more guns, bigger cars and more ice cubes. It’s a cultural difference. But in Europe, unlike the U.S., data privacy is considered a human right. This imbues Europeans with a right to know what data is collected about them, by whom, for what purposes, with whom it is being shared (and for what purpose) and how long it is being kept, and gives them a limited right to compel data deletion (the right to be forgotten).

In America (well, what people in the U.S. call America) the clickthrough and free market culture dictate that these “rights” are just the starting point of an online negotiation—that as long as you “agree” to the data collection and its use—well, no harm, no foul. You agree to the data collection by either going to that website with that website privacy policy (click “Legal” and then “Terms of use” and then “Privacy” and then “Privacy policy”) or just by clicking “I agree” in response to some terms you haven’t (and can’t meaningfully) read. A contract is a contract.

More concerning to Europeans is the power of the U.S. government to suck up personal data or compel its production by entities subject to its power or within its jurisdiction. Internet and data giants like Apple, Meta, Amazon and Google, as well as ISPs like AT&T, Comcast, Verizon and others can become conduits for the production of intimate personal data to entities like the NSA, CIA, FBI, DIA and others. At least that’s how Europeans view the American government.

To the extent that these U.S. companies collect, store, process or maintain data on EU residents and are subject to compelled dissemination of that information to the U.S. government, the privacy of those EU residents is at risk. The nature of the internet is such that data transcends national and international borders. Data doesn’t care whether it is in Naples, Florida or Naples, Italy. So, to promote the transnational flow of data, it was necessary for there to be some kind of agreement to protect data originating in (or concerning) a high privacy protection jurisdiction (like Germany) when it resides in a relatively low privacy protection jurisdiction (like Houston). Either we have a general, enforceable agreement on privacy protection across the world or we “Balkanize” privacy and do not permit personal data collected in a high privacy regime to be transferred into a regime where it can be invaded. The problem was that, while the EU has strong and comprehensive privacy protections, the U.S. has a patchwork quilt of privacy protections with weak and limited enforcement provisions.

The U.S. has no national data protection agency (the FTC assumes some of that function), and violations of data privacy are subject to various state (and federal) data breach disclosure laws or “deceptive” or “unfair” trade practice laws. In particular, the data protection laws mostly don’t apply to “authorized” law enforcement and intelligence activities—creating a gaping hole in U.S. data privacy law. Needless to say, EU residents (and the EU Court of Justice) are concerned about data being intercepted by U.S. intelligence agencies. This has put a damper on the authority of U.S. companies to collect information about EU residents or to store or process data about such EU residents within the United States. This has impacted cloud storage, international data flows and the ability to conduct international business.

The Data Privacy Agreement

The agreement between the Biden administration and the EU reportedly addresses several concerns raised by the EU court in the Schrems II decision. In agreeing to the new Trans-Atlantic Data Privacy Framework, the United States has attempted to address the court’s concerns that the U.S. intelligence agencies can circumvent EU data privacy laws; that there is no genuine privacy enforcement regulation and, frankly, that there is no oversight to prevent privacy violations.

The proposal commits the U.S. to provide additional privacy and civil liberties oversight over the U.S. SIGINT program with privacy oversight to ensure that SIGINT can only be undertaken “where necessary to advance legitimate national security objectives” and is only legitimate if it does not “disproportionately impact the protection of individual privacy and civil liberties.”

The agreement also provides a mechanism for EU residents to “seek redress from a new multi-layer redress mechanism that includes an independent data protection review court that would consist of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed”; the agreement also commits the U.S. intelligence agencies to the adoption of procedures to ensure effective oversight of new privacy and civil liberties standards.

In addition, the Trans-Atlantic Data Privacy Framework, like its predecessors—the Privacy Shield and Safe Harbor provisions—requires companies that voluntarily participate in the framework to commit to the data protection principles expressed in the EU General Data Protection Regulation (GDPR) and the derived Privacy Shield principles. The new agreement permits U.S. companies interested in voluntarily participating in Privacy Shield to self-certify their compliance with the privacy principles and therefore be presumed to have “legally adequate” mechanisms that would permit the trans-border flow of personal data. In the absence of such a legally adequate mechanism, the flow of data would be presumptively unlawful. If a company—whether participating in Privacy Shield or not—fails to adequately protect the privacy of data about EU residents (and/or fails to protect the security of such data), it may be liable either to EU data protection officials or to U.S. government regulators (typically, for violations of Section 5 of the FTC Act), as well as being liable for private rights of action and class action litigation, or arbitration.

Takeaways

The new agreement addresses a perceived deficiency in the Privacy Shield framework that limited its application with respect to the activities of the U.S. intelligence community. The EU Schrems II decision threatened to derail the entire framework (and restrict trans-border data flows) without some kind of workaround. By agreeing to some limits on, and accountability for, the U.S. intelligence community with respect to the privacy of EU residents, the Privacy Shield framework has effectively been restored to the status quo before the Schrems II decision. For U.S. companies, this means they will be expected to continue to comply not only with their own data privacy promises but with the provisions of the GDPR. Participation in (and compliance with) Privacy Shield, while voluntary, is helpful to ensure that EU/U.S. data can be transferred and processed in both the U.S. and the EU.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.