Missed opportunity for transatlantic data protection on equal terms
Our CEO, Ari Albertini, explains in an interview why the "Privacy Shield" was overturned, what changes have been made in the new framework, and why he also has concerns about the new agreement.

The new data protection agreement between the European Union and the United States has sparked considerable debate. After the previous agreement governing data transfers between the two sides, the "Privacy Shield," was invalidated by the European Court of Justice, the EU Commission has introduced a new framework intended to ensure adequate protection of personal data. However, experts believe that this new proposal is unlikely to withstand scrutiny by the European Court of Justice.
FTAPI: Ursula von der Leyen and Joe Biden have reached an agreement on data protection. The new Trans-Atlantic Data Privacy Framework aims to ensure that data is protected even when exchanged beyond European borders. That sounds positive, doesn't it?
Ari Albertini: Fundamentally, it’s a good thing that the EU and the US are discussing data protection. However, when Ursula von der Leyen and Joe Biden presented a supposed solution after just 30 minutes of talks, it became clear that there was little genuinely new to expect. Unfortunately, this concern has been confirmed.
FTAPI: Can you elaborate? What exactly has changed?
Ari Albertini: Essentially, the new framework is a reworking of the EU-US Privacy Shield. According to the EU Commission, its goal is to provide adequate protection for personal data transferred from the EU to American companies.
The problem, however, is that the European Court of Justice declared the Privacy Shield invalid in July 2020 because the data was not protected according to EU standards. For example, US intelligence agencies could access data with few legal barriers. The opaque legal framework created by the Privacy Shield led to significant legal uncertainty for businesses. Following a lawsuit by Max Schrems, an Austrian lawyer and privacy activist, the Privacy Shield was invalidated.
In the Trans-Atlantic Data Privacy Framework, only two key changes have been made:
US intelligence agencies are now only allowed to access data if it is necessary and proportionate.
A new body, the "Data Protection Review Court," is supposed to handle complaints from EU citizens about unlawful access to data by US intelligence services.
FTAPI: That sounds promising – or does it?
Ari Albertini: The problem – and this is a view widely shared in the security community – is that both changes are effectively negligible. Why?
The US has a different understanding of "proportionate" than European courts. When is it proportionate to access data, and when is it not? The new framework provides no clear answers.
Additionally, the US continues to treat privacy violations of non-US citizens as unproblematic, at least as long as Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) remains in effect.
FTAPI: So nothing has really changed – why might the new law still be problematic?
Ari Albertini: From my perspective, the current discussion around EU-US data transfers is problematic for two reasons.
First, policymakers have once again failed to adequately address this critical issue. It was unrealistic to expect Ursula von der Leyen and Joe Biden to resolve a topic that cybersecurity, privacy, and legal experts have debated for years in just one afternoon. Yet, expectations were higher than another rehash of two previously failed agreements. In my view, this was another missed opportunity for transatlantic data protection on equal terms.
Second, I worry that businesses and individuals might now be lulled into a false sense of security by this superficial reform. Like the Privacy Shield and Safe Harbor before it, the new framework does not provide real legal certainty for European companies that must protect data in compliance with the EU GDPR.
FTAPI: What should businesses do in light of this?
Ari Albertini: For data protection and security, I recommend that companies, public authorities, and organizations rely on solutions and providers from the EU that store data and backups exclusively in Europe. There are additional criteria to consider when evaluating whether a provider meets the high data protection standards required by the GDPR.
Data security should always come first, particularly in the software sector. My advice to businesses: Choose partners that not only promise security but can also demonstrate it. Does the provider, for example, hold certifications like ISO 27001 or other attestations? Does the software comply with recommendations from Germany’s Federal Office for Information Security (BSI)? Is the software regularly audited by third parties? Such certifications and audit reports provide valuable indicators when searching for a trustworthy partner.
In my opinion, companies currently only have real legal certainty when sensitive personal data does not leave European borders—at least until there is a new EU-US data transfer agreement that won’t be invalidated by the European Court of Justice.
FTAPI: Thank you for your insights and valuable perspectives!