US President Joe Biden has signed an Executive Order (EO) to establish a new US-EU data transfer network. This is the second provisional agreement the US government has issued. It aims to offer stronger legal protections to address current concerns from the EU Court of Justice regarding US intelligence practices, particularly how these may affect the private data of EU citizens.
This comes after the Court of Justice deemed the previous US-EU data transfer framework (the EU-US Privacy Shield) invalid in 2020 due to concerns about personal data protection. One of the problems this created was confusion among corporations that transfer user, client, or employee data between the US and EU countries.
This may be one of the reasons why the US was eager to get the ball rolling again, as the White House said in its statement that “Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship.”
On paper, it sounds as if US officials are taking careful steps to bolster privacy rights. Even so, the new framework’s protections may not be as impactful for EU citizens’ privacy as advertised.
What Is the EU-US Data Privacy Framework?
The new framework, first announced in March 2022, is supposed to offer safeguards against invasive US intelligence gathering, namely United States Signals Intelligence Activities (SIGINT).
Signals intelligence is intelligence-gathering by interception of signals: generally communications between people, including encrypted communications. Cryptanalysis (the practice of deciphering encrypted messages without the key) often plays a role in signals intelligence. The data covered by this framework includes people’s emails, phone numbers, and even private messages, with the latter likely being the main concern.
One of the largest problems this framework faces is the fact that privacy regulations in the EU and US differ by a staggering degree. While the EU has encompassing and decisive privacy regulations like the GDPR, the US has no such wide-ranging legislation. Instead, individual states are more or less encouraged to set up their own privacy safeguards.
These too are lacking in scope and clarity; California’s Consumer Privacy Act is currently the most comprehensive consumer privacy law in the US. Yet, despite the new changes in the Executive Order signed by Biden, many privacy experts feel it still lacks adequate provisions for data protection. Some even speculate that digital privacy protections in the US and EU differ too much for one framework to make up the difference.
Digital Rights Activists Say New Privacy Provisions Still Insufficient
While many agree the new Executive Order is an improvement on the US’s previous Privacy Shield framework, the consensus is that it likely won’t be enough. Even the European Commissioner for Justice, Didier Reynders, said he was “quite sure” there would be a fresh legal challenge, but he was confident the pact met the demands of the court. Reynders also added that “Maybe the third attempt will be the (sic) good one.”
Based on the feedback given by EU digital rights activists, including Access Now and the BEUC, that assessment rings true. Many take issue with the fact that US data laws are still lacking compared to EU laws, even with these additional safeguards. Some also question how safe any data will be once it has entered the US.
On top of that, while the Executive Order now gives people the power to seek remediation if they feel their privacy was unjustly violated, regular citizens don’t have the tools or frameworks to see who handles their data. The EO provides a list of privacy clauses and responsibilities on the part of those gathering and handling personal data, but there is no way for ordinary people to verify compliance.
It’s simply a trust-based system: trust that the US government will do with your data what it says it will do, in the absence of proof.
Enter the Bureaucratic Red Tape
The new EO also wants to implement a multi-layer redress system with a complex approval procedure, with the intention of providing better redress opportunities. Instead of doing just that, the complexity of this system may prove to be a barrier to reparation and could have the opposite effect, namely discouraging people from undertaking the months-long process.
The first step involves presenting the case to a US-based intelligence agency watchdog — the Civil Liberties Protection Officer (CLPO) in the Office of the Director of National Intelligence. This entity then conducts an investigation to determine if the safeguards set out in the Executive Order or other applicable US laws were violated.
Incidentally, the statement from the White House specifically mentions that qualifying complaints will be investigated, but refrains from indicating how complaints will be qualified.
Once the watchdog verifies that a case exists, it determines remediation and sends the case off to the second part of the redress system. This involves a Data Protection Review Court (“DPRC”), to be established by the US Attorney General, which will provide an independent review of the CLPO’s decision. Its decision is final, and it’s unlikely an appeal system will be implemented, at least at this stage.
The DPRC also has the power to select a special advocate in each case who can advocate in the complainant’s interest. This makes sure the judges are informed about the specifics of the case and the laws that apply in this matter.
Protecting EU Citizens’ Data Against US Intelligence Tactics
At the time of writing, it’s unclear whether the EU Court of Justice will accept the new Executive Order or not. The worst-case scenario is that it does, and thereby exposes EU citizens’ data and digital communications to a new level of scrutiny. Unfortunately, unlike the GDPR, this framework doesn’t give you any control over who can collect or store your personal data.
That includes encrypted messages and files, which may be subject to cryptanalysis by US intelligence agencies that could be able to decrypt your private data. That’s concerning on multiple levels, as US intelligence employees don’t have the best track record when it comes to adhering to personal privacy laws, with incidents ranging from spying on women through their phones and committing sex crimes involving children, to secretly spying for other countries.
Given the risk involved, EU citizens may want to adopt extra security measures to protect their private data and personal devices. While using private browsers and encrypted messengers is a good first step, adding another layer of encryption can help prevent cryptanalysis activities from successfully decrypting your data.
CyberGhost VPN uses uncrackable 256-bit AES encryption to secure your internet connection — including any data sent and received by your apps and messengers. Try CyberGhost VPN with our 45-day money-back guarantee for peace of mind when you go online.