{"id":22454,"date":"2023-07-12T12:30:06","date_gmt":"2023-07-12T20:30:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/07\/12\/news-16184\/"},"modified":"2023-07-12T12:30:06","modified_gmt":"2023-07-12T20:30:06","slug":"news-16184","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/07\/12\/news-16184\/","title":{"rendered":"EU-US Data Privacy Framework to face serious legal challenges, experts say"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/04\/spot_analytics_05_cw_eye_surrounded_by_virtual_sensors_metrics_tracking_monitoring_privacy_surveillance_by_thinkstock_843652348_3x2_2400x1600_hero-100884339-small.jpg\"\/><\/p>\n<p>Nine months after US President Joe Biden signed an executive order that updated rules for the transfer of data between the US and the EU, the European Commission this week <a href=\"https:\/\/www.csoonline.com\/article\/645306\/eu-approves-new-european-us-data-transfer-agreement.html\">ratified the EU-US Data Privacy Framework<\/a>. Industry experts, however, say it will be challenged at the European Court of Justice (CJEU), and stands a good chance of being struck down.<\/p>\n<p>The move comes two years after the CJEU <a href=\"https:\/\/www.csoonline.com\/article\/3567061\/eu-court-invalidates-privacy-shield-data-transfer-agreement.html\">shut down the previous EU-US data sharing agreement, known as Privacy Shield,<\/a>\u00a0on grounds that the US doesn\u2019t provide adequate protection for personal data, particularly in relation to state surveillance. 
In 2015, a previous attempt to forge a data sharing pact, dubbed <a href=\"https:\/\/www.computerworld.com\/article\/3001741\/eu-tells-us-it-must-make-next-move-on-new-safe-harbor-deal.html\">Safe Harbor<\/a>, was also struck down by the CJEU.<\/p>\n<p>The President of the European Commission, Ursula von der Leyen, said the new framework should provide &#8220;legal certainty&#8221; to transatlantic businesses, calling the commitments &#8220;unprecedented.&#8221;<\/p>\n<p>&#8220;Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values,&#8221; she said in a <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_23_3721\" rel=\"nofollow\">statement<\/a>. &#8220;It shows that by working together, we can address the most complex issues.&#8221;<\/p>\n<p>However, industry experts expect the accord to face a plethora of legal challenges from privacy advocates before ultimately being struck down like its predecessors.<\/p>\n<p>\u201cWe have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong,\u201d said Max Schrems, an Austrian lawyer and privacy activist who founded NOYB (None of Your Business) \u2013 European Center for Digital Rights. 
In 2016 and 2020, Schrems initiated legal proceedings against Safe Harbor and Privacy Shield, respectively, which led to the CJEU invalidating both agreements.<\/p>\n<p>\u201cWe currently expect this to be back at the Court of Justice by the beginning of next year,\u201d Schrems <a href=\"https:\/\/noyb.eu\/en\/european-commission-gives-eu-us-data-transfers-third-round-cjeu\" rel=\"nofollow\">said in a statement<\/a> published on NOYB\u2019s website.<\/p>\n<p>The EU-US Data Privacy Framework is based on the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2022\/10\/07\/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework\/\" rel=\"nofollow\">executive order<\/a> signed by Biden in <a href=\"https:\/\/www.computerworld.com\/article\/3676284\/eu-us-data-sharing-agreement-is-it-a-done-deal.html\">October 2022<\/a>. In essence, the agreement places new restrictions on electronic surveillance by American intelligence agencies and gives Europeans new avenues to launch a complaint when they believe their personal information has been used unlawfully by US intelligence agencies.<\/p>\n<p>This in itself could prove problematic: if the next US presidential election should see the top job go to a Republican candidate, there\u2019s a very real chance this executive order could be overturned, pulling the rug out from underneath the agreement, said Nader Henein, VP Analyst at Gartner. 
When Donald Trump became president in 2016, he ripped up a number of international treaties that had been approved by his predecessor, Democratic President Barack Obama.<\/p>\n<p>While privacy experts have said from the outset that the agreement doesn\u2019t adequately address the issues that led to Safe Harbor and Privacy Shield being struck down, it\u2019s not a surprise the agreement was signed despite its high chance of failure.<\/p>\n<p>\u201cBoth the EU and the US have invested a significant amount of effort in getting a new deal signed,\u201d said Jonathan Armstrong, a compliance and technology lawyer at UK-based compliance specialists Cordery.<\/p>\n<p>\u201cSome of the messaging suggests that both parties want to do a deal even if it ends up with a case of &#8216;deja vu all over again&#8217;,\u201d he said, while noting that the Data Privacy Framework is nowhere near as robust to legal challenges as some of the accord\u2019s promoters have suggested.<\/p>\n<p>Although the agreement takes a few steps forward in terms of providing European data with protections from US law enforcement, it does not come close to meeting the requirements laid out by the European Court of Justice when it invalidated its predecessors, said Henein, echoing Armstrong\u2019s skepticism.<\/p>\n<p>\u201cWe expect it&#8217;s going to be invalidated in two to five years,\u201d he said, describing the situation as a \u201ctedious groundhog day\u201d that is essentially just a can-kicking exercise which will end up being a headache for future administrations long after the current signatories have left office.<\/p>\n<p>The US Constitution does not guarantee privacy, with laws and regulations around the issue having to be extracted from Fourth Amendment protections against illegal search and seizure. 
To pave the way to an agreement that is likely to pass CJEU scrutiny, the US would need to extend the same data privacy rights to non-US citizens, a policy that Henein said would be incredibly politically unpopular and would likely see champions of a legal overhaul labelled as \u201canti protection\u201d and accused of opposing intelligence gathering efforts that could protect the country.<\/p>\n<p>Currently there are no federal laws covering how companies store and protect personal data, which has led individual states to enact their own legislation, Henein noted.\u00a0 \u201cThere are no privacy protections relating to enterprise companies so they&#8217;re now being passed at the state level,\u201d Henein noted, adding that to date only 13 states out of 50 have passed such protections, meaning that it&#8217;s still early days for privacy legislation in the US.<\/p>\n<p>\u201cFor legislation to advance so it doesn\u2019t just cover US citizens, but also governs data pertaining to people sitting and living in other countries once that data lands legally in the US, is a tall order,\u201d he said.<\/p>\n<p>Both Armstrong and Henein agree that businesses want clarity on the issue of data privacy but unfortunately, the Data Privacy Framework doesn\u2019t provide it.<\/p>\n<p>Organizations need rock-solid regulations, not a plan that causes widespread panic every three years when it gets struck down and leaves companies noncompliant overnight, Henein said, adding that organizations cannot afford to pin their 10-year strategy on something that won&#8217;t survive half that time frame.<\/p>\n<p>If the deal does survive a legal challenge, however, it could change some aspects of the data protection landscape, Armstrong said, noting that more cross-border data protection pacts and copy-cat deals in countries such as Switzerland and the UK could occur. 
Since leaving the EU, the UK has been in talks with the US about a new data transfer scheme that would be similar to the Data Privacy Framework, while Switzerland has been in discussions with the US for an agreement that mirrored Privacy Shield before it was struck down.<\/p>\n<p>\u201cData transfer will remain complex as it reflects world events,\u201d Armstrong said. \u201cSince global politics are complex, so global data transfers will remain complex too.\u201d<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3702550\/eu-us-data-privacy-framework-to-face-serious-legal-challenges-experts-say.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/04\/spot_analytics_05_cw_eye_surrounded_by_virtual_sensors_metrics_tracking_monitoring_privacy_surveillance_by_thinkstock_843652348_3x2_2400x1600_hero-100884339-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>Nine months after US President Joe Biden signed an executive order that updated rules for the transfer of data between the US and the EU, the European Commission this week <a href=\"https:\/\/www.csoonline.com\/article\/645306\/eu-approves-new-european-us-data-transfer-agreement.html\">ratified the EU-US Data Privacy Framework<\/a>. Industry experts, however, say it will be challenged at the European Court of Justice (CJEU), and stands a good chance of being struck down.<\/p>\n<p>The move comes two years after the CJEU <a href=\"https:\/\/www.csoonline.com\/article\/3567061\/eu-court-invalidates-privacy-shield-data-transfer-agreement.html\">shut down the previous EU-US data sharing agreement, known as Privacy Shield,<\/a>\u00a0on grounds that the US doesn\u2019t provide adequate protection for personal data, particularly in relation to state surveillance. 
In 2015, a previous attempt to forge a data sharing pact, dubbed <a href=\"https:\/\/www.computerworld.com\/article\/3001741\/eu-tells-us-it-must-make-next-move-on-new-safe-harbor-deal.html\">Safe Harbor<\/a>, was also struck down by the CJEU.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3702550\/eu-us-data-privacy-framework-to-face-serious-legal-challenges-experts-say.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11063,8698],"class_list":["post-22454","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-data-privacy","tag-regulation"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22454"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22454\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22454"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}