The transatlantic data transfer saga continues with Schrems III, raising critical questions about data privacy, security, and cross-border data flows.
As we explore the complex nuances of EU-US data relations, it's essential to understand the Transatlantic Data Privacy Framework (TADPF), the latest attempt to establish a reliable framework for transatlantic data transfers. TADPF is not the first attempt to establish an EU-US data-transfer framework: "Safe Harbour" (2000) and the "Privacy Shield" (2016) were implemented in the past to facilitate data transfers between the two jurisdictions.
However, the major discrepancies and inconsistencies between these frameworks and EU law led data privacy activist and lawyer Max Schrems to take both to court and have them invalidated. These cases became known as Schrems I (for Safe Harbour) and Schrems II (for the Privacy Shield).
Can data-transfer agreements between the US and EU truly assure data privacy?
To understand the complexity of this issue, we first need to understand the Foreign Intelligence Surveillance Act (FISA). Under Section 702 of FISA, US intelligence agencies are allowed to perform bulk collection of data from electronic communications providers (such as cloud services) without a warrant, as long as the data is deemed to contain foreign intelligence information.
This broad authority means that US intelligence agencies can monitor any foreign data and information they regard as useful for counterespionage, including data belonging to EU citizens. This is a major challenge for data privacy, as it allows US intelligence agencies to process data on EU citizens without their consent or knowledge.
What's even more concerning is that this practice is deemed unconstitutional under the Fourth Amendment if applied to US citizens, which is why Section 702 only permits the tracking of foreigners and foreign information. This not only poses a challenge in terms of surveillance of EU citizens, but also raises serious questions about the discrimination and fairness inherent in these data-transfer agreements.
Even with data-transfer agreements like the TADPF in place, US surveillance laws like FISA allow the US government to monitor any data being transferred from the EU to the US.
Even if an American company signs a contract committing to comply with the GDPR and the new TADPF, the data can still be surveilled and processed in a way that violates the GDPR because of FISA. No matter how many assurances we receive, the legal documents say otherwise.
"They assure us that there is no indiscriminate or mass surveillance, but the commission never said they don't have that. It's like having China assure us that human rights are great in China." - Max Schrems
The Privacy Shield annexes even allowed bulk collection of data for six purposes, including transnational criminal threats. This is concerning because the US definition of "bulk" surveillance only covers retaining an entire dataset; scanning the entire dataset and then deleting what is not retained does not count as bulk collection under that definition.
This poses a grave threat to European citizens and businesses whose data is no longer protected. It was one of the reasons why the highest European court ruled in Schrems' favour and invalidated the Privacy Shield.
Transatlantic Data Privacy Framework (TADPF) - The new Schrems III
The war in Ukraine has revived the conversations around transatlantic data transfer, and a new framework, TADPF, has been established.
On the surface, TADPF appears to be a copy of the past Privacy Shield, with only minor changes. A side-by-side study found that the only changes were that the word "USA" was added twice, a small footnote was added on one of the pages, and the framework opened the possibility of having a body of enforcement.
"The commercial principles, which is what a company can do with the data, is exactly the same as the Privacy Shield principles, which is exactly the same as the Safe Harbour principles." - Max Schrems
However, the TADPF also coincides with a new Executive Order that expands the grounds for bulk surveillance to include, for example, health crises and climate change. The Executive Order also states that surveillance will be proportionate, but only according to the new US definition of proportionality, which is drastically different from the European one.
As a result, what would be considered an essential and critical violation of a fundamental right in the EU would be proportionate and acceptable in the US.
Privacy activist Max Schrems has already announced that he will challenge the TADPF in court. He has pointed out that, from a data protection standpoint, the TADPF does not appear to be an improvement on the Privacy Shield.
"In Europe, you need consent as a legal basis (…) if you compare it to the TADPF, you only have an 'Opt-Out' (…) That's going to be easy enough for the judges to say that's not the essential equivalent." - Max Schrems
It is unclear whether the TADPF will survive Schrems' legal challenge. However, the fact that he is challenging it shows that privacy advocates are deeply concerned about the framework's ability to protect the privacy of EU citizens. Schrems envisions a future where data privacy is handled globally, with an agreement among democratic countries on how much access governments may have to personal data.
Why does this matter to European companies?
The use of many software providers implicitly involves the transfer of Europeans' personal data to the US, and European companies using them are thus (indirectly) enabling the surveillance practices outlined above.
If you are a European company, you are required to comply with the General Data Protection Regulation (GDPR). Therefore, before adding a US tool to your tech stack, you should examine closely how the vendor handles your data to ensure that you remain compliant with EU regulations.
First, always assess whether the use of US software is necessary, or whether European tools with a similar scope and functionality are feasible alternatives. If possible, also make sure that the vendor's servers, and those of its own providers, are located in the EU.
You can further minimise the risks of an unlawful data transfer if you take the following 10 steps into account:
- Identify the legal basis for the transfer
- Obtain consent
- Use an approved transfer mechanism
- Assess the risks
- Implement appropriate safeguards
- Enter into data processing agreements
- Use encryption and other security measures
- Document the data transfer
- Inform individuals
- Conduct regular reviews
A detailed explanation of all steps can be found in: International data transfers: 10 steps for compliance with EU privacy laws.
Want to learn more about transatlantic data transfers? Watch Schrems' critical talk at EPIC on data transfers between the EU and the US.