The European Union and the United States this week reached an agreement on the Data Privacy Framework focusing on the secure transfer of information from Europe to the US.
The framework is the culmination of a yearslong battle between Brussels and Washington over the security of European citizen data stored by tech giants such as Google and Meta in the United States, where data privacy rules are not as strict as in the EU.
While many have applauded the new deal, privacy advocates are not pleased with the EU-US Data Privacy Framework.
European non-profit privacy organization Noyb said it plans on challenging the pact, arguing that the new framework is largely a copy of the failed Privacy Shield. Noyb co-founder and chair Max Schrems noted that the “latest deal is not based on material changes, but political interests”.
Industry professionals have commented on various aspects of the EU-US Data Privacy Framework, including its benefits, its flaws, and implications for organizations.
And the feedback begins…
Christopher Dodson, member of Privacy Litigation – Emerging Trends practice, Cozen O’Connor:
“The new EU-US Data Privacy Framework (the “DPF”) is intended to address the EU’s concerns about national security-related access to personal data in the U.S., in particular perceived concerns about a lack of judicial oversight or a redress process for data subjects. The DPF limits U.S. intelligence authorities to accessing necessary and proportionate information and includes new privacy standards for the intelligence community. As part of the DPF, a new Civil Liberties Protection Officer (“CLPO”) is being added to the Office of the Director of National Intelligence, whose duties include investigating complaints and determining remedial measures, when appropriate. Additionally, a new Data Protection Review Court, consisting of judges appointed from outside the U.S. government, will review of CPLO decisions.
But none of that is likely to have an impact on businesses working with EU personal data. Instead, companies self-certifying under the DPF beginning July 17 are expected to experience a process and commitments that are largely the same as the Privacy Shield, including adhering to the program’s principles and designating a third-party dispute resolution provider. The DPF will provide a much-needed streamlined mechanism for compliant transfers of personal data from the EU to the U.S. Companies throughout the U.S. are undoubtedly hoping the new national security-related additions will be sufficient to withstand the expected court challenges in the EU.”
Claude Mandy, Chief Evangelist, Data Security, Symmetry Systems:
“The adequacy decision for the EU-US data privacy framework represents an ongoing attempt to resolve ongoing challenges to cross-border transfers between the EU and US and specifically concerns about US government surveillance. Most of the industry feedback has not surprisingly focused on the fact that the framework does not address all the concerns raised in the Schrems II ruling (that led to the invalidation of the Safe Harbor and Privacy Shield frameworks). Almost universally, It is widely expected that further challenges i.e. “Schrems III” will be forthcoming. In the meantime, this adequacy decision allows data between the EU and US to continue provided that a set of privacy principles are met.
So regardless of the longevity of the EU-US data privacy framework, organizations need to be able to demonstrate (through assertions and attestations) their commitment to safeguarding individuals’ personal data as outlined in the privacy principles laid out in the framework to build trust with their customers and partners. As we’ve seen time and time again at Symmetry Systems, this starts with a clear understanding of the personal data that they collect, process, and transfer, including where it originates from, who is using it and where it is being sent. Establishing a strong data security posture management (DSPM) capability that includes not only data within their own systems but also data shared with third parties or transferred across borders is essential. This gives organizations the ability to monitor access and activity around personal information and provide evidence based security to meet their attestation and assertion needs.”
Timothy Morris, Chief Security Advisor, Tanium:
“For privacy supporters this is a good start but doesn’t go far enough for the stronger privacy activists. It basically adds a review court for data protection. What it should do is signal to organizations, as if GDPR and CCPA weren’t enough (especially in the US), to take a close look at their data policies. Specifically, what is collected and how long it is retained. In today’s digital economy, data is a currency and a huge revenue generator. The trend in the last several years, especially from EU, is that privacy should be first and foremost. As such, data is a liability. Enterprises need to stop “hoovering” and only collect only minimum viable data to do what is necessary to perform their service. Also, protect the data, know where it is at, and be able to delete/remove. Either, upon request (consumers right to be forgotten) or once the data retention time has been reached.”
Ani Chaudhuri, CEO, Dasera:
“This EU-US Data Privacy Framework, the product of years of negotiation, attempts to balance national security and personal privacy. This feat is as complex as it is critical.
On the surface, it’s a commendable step. It provides a mechanism for EU residents to challenge perceived infringements on their data by US intelligence agencies and aims to ensure that protections are ‘traveling with the data.’ Yet, Max Schrems, a leading privacy activist, is already planning to sue, questioning the legality and practicality of the Framework. The situation underscores a fundamental question – is it possible to simultaneously maintain privacy and security in a data-driven world?
Firstly, let’s agree on this: data is the backbone of the modern economy. The absence of this agreement would have created a tumultuous environment for multinational businesses that rely heavily on data flows. However, this pact is a band-aid on a festering wound. It replaces the invalidated Privacy Shield but maintains many of its predecessor’s shortcomings.
Why? Because, at its core, the Framework assumes trust between EU citizens and American intelligence agencies. It assumes a complaint-based system backed by an independent review body would provide adequate redress. But let’s be real: how many Europeans would feel comfortable voicing their concerns, let alone feel confident that their complaint would be handled fairly and impartially? The primary question, as Schrems rightfully posits, is whether changes in US surveillance law can genuinely ensure Europeans’ privacy rights. I would argue that the answer is, as it stands, “no.”
The issues run deeper than policy alone. The EU-US Data Privacy Framework marks a step forward but doesn’t necessarily solve the problem. The elephant in the room remains the balance between privacy rights and national security concerns.”
Elle Todd, partner, Reed Smith:
“Companies are still battle-scarred and weary from the sheer admin and number of changes around data transfers that they have endured over the last couple of years. It has been very time consuming and very expensive and often diverted privacy team resources from other pressing activities.
The news of a new EU/US transfer solution will be welcome but of course also brings with it even more documentation changes from privacy policy updates to certifications to changes to impact assessments. Therefore, it’s welcome news but don’t be surprised if it is met with more of a hesitant response from many at least in the short term.”
Erfan Shadabi, cybersecurity expert, comforte AG:
“The recent approval of a new deal by the EU, enabling the free transfer of data between the EU and the United States, marks a significant development that could resolve the three-year legal uncertainty faced by tech giants like Facebook and Google. This positive step signifies the European Commission’s persistent efforts to establish a stable agreement on EU-US data transfers.
However, despite this breakthrough, there remains a possibility that the issue could once again find its way back to the Court of Justice (CJEU) in the coming months. A major concern lies in the fact that the fundamental problem with FISA 702, a controversial surveillance law in the US, has, seemingly, not been adequately addressed. This particular aspect could prove to be thorny, potentially leading to legal challenges and further uncertainty in the future. However, it is necessary to exercise patience and observe the forthcoming disclosure of the specific details regarding this new deal, as well as closely monitor its subsequent developments.”
Kris Lahiri, CSO, co-founder, Egnyte:
“I am encouraged by the recent adequacy decision for the EU-US Data Privacy Framework, which serves as an important inflection point for data protection.
As organizations navigate an increasingly complex data privacy landscape, this framework will help provide much-needed clarity when it comes to transferring data across the Atlantic while also strengthening individual privacy protections.”
Dan DeMers, CEO, co-founder, Cinchy:
“There’s no question that Europe sets the bar for data protection regulation globally, but it would be a mistake to assume that bringing US regulations into closer alignment with the GDPR solves any of the issues that fundamentally affect the ability of consumers to gain meaningful control of their personal data.
Until jurisdictions everywhere, including the EU, start to adopt new frameworks and regulations such as Zero-Copy Integration that incentivize software developers to take collaborative approaches to application design, we will continue to see the proliferation of data silos and the wide scale copying of personal data up and down digital supply chains.
Only when such copying is restricted in a way similar to how currency and Intellectual Property are protected will consumer data stop being collected, accessed, and in some cases weaponized beyond their control.”
Related: Industry Reactions to Hive Ransomware Takedown: Feedback Friday