Good things come to those who wait, they say. However, the European Commission’s long awaited decision to adopt the new EU-US Data Privacy Framework, following the completion of commitments under President Joe Biden's October 2022 Executive Order, is, as expected, dividing opinion.
Last Monday the European Commission released a statement saying that their review found “the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework”. As such personal data can be transferred from the EU to US companies participating in the framework without any additional data protection requirements to be put in place.
For many businesses this opens up the global stage for collaboration by providing clarity on a number of new safeguards, including:
But critics of the decision state that the new framework does nothing to address the original concerns raised by the European Court of Justice (ECJ) in its Schrems II decision, which invalidated the EU-US Privacy Shield in July 2020. In particular, concerns relating to US surveillance practices with respect to EU citizens.
Max Schrems, board member at digital rights advocate group nyob, commented, “We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."
FISA 702 seems to be the sticking point here. Privacy advocates are asking for a reform to this law to give non-US persons reasonable privacy protections against US government surveillance. Whilst both sides agree FISA 702 violates fundamental rights under the 4th Amendment for US citizens, it is deemed that non-US persons do not have constitutional rights in the US - hence a violation of their right to privacy is not covered by the 4th Amendment.
Time will tell if the new EU-US Data Privacy Framework will provide the necessary data protections in practice. However, considering the tempestuous history surrounding the framework, organisations wishing to utilise this route for transatlantic data flows should lean heavily on the recommended technical security requirements, such as encryption, to ensure they can meet the data subject’s basic fundamental right to privacy - regardless of the challenges and iterations, this framework will likely see over time.
Encrypting data that needs to be shared with US companies from the EU, ensures that only the intended subject can access and decrypt that data. Even if that data were to be subpoenaed by the US government, all they would see is code or ciphertext, unless the data owner provided them access.
It's a robust and fail-safe way to allow the necessary sharing of data to do business without leaving it open to extraction by unintended third parties. One would argue that this should be standard business practice to protect any data that needs to be shared in the spirit of business collaboration.
The EU-US Data Privacy Framework is a complex but important issue, and organisations should watch closely. It is expected that a review will take place within a year of the framework's adoption but many believe that it could be even sooner.
If you need advice on how to implement encryption at your organisation, Virtru can help. Our solutions enable over 8,000 organisations worldwide to easily share data to do business - without sacrificing security or privacy. Contact the Virtru team today for more information.
Contact us to learn more about our partnership opportunities.