Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
US, EU Agree to a New Data-Sharing Framework
Comes as President Joe Biden Tours Europe Amid Russian Aggression in UkraineAs U.S. President Joe Biden continues his European visit this week, the U.S. and the European Commission, which is the executive branch of the European Union, announced that they have agreed in principle to a new Trans-Atlantic Data Privacy Framework, which officials say will foster cross-border data flows and address concerns raised by the Court of Justice of the EU in 2020.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
The 2020 decision, Schrems II, struck down the previous framework, known as the EU-U.S. Privacy Shield, which allowed firms to share EU citizen data with the U.S. The court cited concerns around data handling and subsequent surveillance possibilities by U.S. agencies. The ruling determined that the Privacy Shield did not satisfy EU legal requirements.
Commenting on the agreement on Friday, European Commission President Ursula von der Leyen said: "I'm very pleased that we have found an agreement in principle on a new framework for trans-Atlantic data flows. This will enable predictable, trustworthy data flows between the EU and U.S., safeguarding privacy and civil liberties."
She called the agreement a "balanced and effective solution" and said it was another step for the nations in "strengthening" their partnership. Von der Leyen added that the framework "manages to balance security and the right to privacy and data protection."
US-EU Alignment?
According to CNBC, the cross-border data-flow agreement was announced alongside a new energy arrangement between the U.S. and Europe - in which the U.S. is providing 15 billion cubic meters more natural gas to Europe this year, meant to offset dependence on Russian energy exports.
Also on Friday, Biden and von der Leyen discussed further alignment around the Russia-Ukraine war, including sanctions designations. They said the countries would "advance cooperation on cybersecurity through a variety of actions, from supporting the government of Ukraine on cyber resilience and cyber defense to aiming to combat the abuse of virtual currency."
On data flows, it is expected that the new framework will face legal challenges, much like its predecessors - as both the U.S. and Europe have vastly different legal systems. To date, successful challenges have halted previous intergovernmental arrangements. Nonetheless, it is a glimmer of hope for Big Tech, whose operations involve bulk, cross-border data transfer. Big Tech has faced legal uncertainty since the Privacy Shield was taken off the books.
Officials Praise New Agreement
The Biden administration and the European Commission said in a joint statement issued on Friday that the new framework "marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities." Signals intelligence involves the interception of electronic signals/systems used by foreign targets.
In the new framework, the U.S. reportedly will apply new "safeguards" to ensure signals surveillance activities "are necessary and proportionate in the pursuit of defined national security objectives," the statement says.
It also will establish a two-level "independent redress mechanism" with binding authority, which it said will "direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities." The efforts, the statement says, places limitations on surveillance.
Officials said the framework reflects more than a year of negotiations between U.S. Secretary of Commerce Gina Raimondo and EU Commissioner for Justice Didier Reynders.
The White House and the commission said it will also "promote an inclusive digital economy" and help further U.S.-EU cooperation.
The U.S. government and the European Commission will now work the agreement into legal documents that will require dual approval.
Other Specifics
In a White House fact sheet issued on Friday, officials said the framework enables "the continued flow of data that underpins more than $1 trillion in cross-border commerce every year."
EU and U.S. officials also said the new arrangement addresses the Court of Justice's Schrems II decision regarding U.S. intelligence activities, though its specifics remain largely unclear.
And while the final agreement is being translated, the officials said it will ensure intelligence collection is conducted "only where necessary" and, in response to von der Leyen's comments, will account for the protection of individual privacy and civil liberties.
As part of the framework's European redress system, an independent Data Protection Review Court comprised of individuals outside the U.S. government would be empowered to review claims and issue remedial measures.
Officials also said U.S. intelligence agencies will adopt procedures "to ensure effective oversight."
A Long History
The Privacy Shield, which went into effect in July 2016, aimed to ease data flows to the U.S. alongside stricter EU privacy laws. It replaced the International Safe Harbor Privacy Principles, which were struck down by the Court of Justice in 2015.
The Privacy Shield included several main tenets, including ample notice of data collection, the ability to opt out, third-party transfers only occurring among compliant organizations, reasonable efforts to prevent data loss, and recourse for correction or deletion, among others.
Privacy groups challenged the framework and by 2020, the agreement was nullified due to remaining concerns for EU citizens. The court sided with the argument from privacy activist Max Schrems, who asserted that EU citizens were not adequately protected from government surveillance.
The decision and subsequent ambiguity caused social media giants such as Meta to question the future of their operations in Europe. In fact, according to CNBC, Meta considered shutting down Facebook and Instagram in Europe over the impasse.
A Political Agreement?
Schrems, who is honorary chairman of the digital rights nonprofit NOYB and lead litigant on the previous Schrems cases, said of the agreement on Friday: "We already had a purely political deal in 2015 that had no legal basis. From what you hear, we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move.
"It is especially appalling that the U.S. has allegedly used the war on Ukraine to push the EU on this economic matter."
Schrems said the "final text will need more time," and at that point, he intends to "analyze it in depth, together with our U.S. legal experts."
He said if the agreement is not in line with EU law, it will be challenged.
"In the end, the Court of Justice will decide a third time. We expect this to be back at the court within months from a final decision," Schrems said.
He called it "regrettable" that the EU and U.S. "have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies."
As a result, he said, "customers and businesses face more years of legal uncertainty."