Data Privacy Framework is just a "copy of Privacy Shield" & must fail.
EU and USA agree on a new data sharing law: Data Privacy Framework. The problem: US surveillance has not changed.
Data Privacy Framework Criticism
Data Privacy Framework is, according to the prominent data privacy activist Max Schrems, simply a copy of Privacy Shield - a law that got invalidated by the European Court of Justice (ECJ) due to privacy concerns for EU citizens.
The problem is that US secret services can easily request data from American tech companies that also includes data of EU citizens. But this data should be protected from excessive surveillance actions by the European GDPR. Thus, sending data of EU citizens to the US and storing them there is illegal.
With the Data Privacy Framework, the EU is now simply considering the protection from U.S. intelligence agencies is now sufficient.
This, of course, is heavily criticized.
Max Schrems, the lawyer who sued Facebook because it kept storing EU citizen’s data in the USA, told the Spiegel:
“They say the definition of insanity is doing the same thing over and over again and yet expecting a different result. (…) We’ve now had ‘Harbors’, ‘Umbrella’; ‘Shields’ and ‘Frameworks’ - but no substantive change in U.S. surveillance law.” The current press statements, he said, are almost a word-for-word copy of those from 23 years ago. “Merely claiming something is ‘new,’ ‘robust,’ or ‘effective’ is not enough before the Court. We needed a change in U.S. surveillance law, and it doesn’t exist.”
New in Data Privacy Framework is only the EU’s definition of US surveillance: The EU Commission has declared data protection in the USA to be equivalent to the level of protection in the EU. In doing so, the authority is creating a new legal basis for companies that want to send data of EU citizens to America.
Since the ECJ declared the European-American data agreement “Privacy Shield” illegal in 2020, the legal situation has been uncertain. With Data Privacy Framework companies on both sides of the Atlantic now get a legal basis for sharing data again, which is an important breakthrough - for the companies, not for the people.
Lawsuit before the ECJ
However, NOYB has already announced that they are going to bring the law before the European Court of Justice.
”The European Commission’s third attempt to reach a stable agreement on data transfers between the EU and the U.S. will again end up before the European Court of Justice (ECJ) in a few months. The supposedly “new” transatlantic data protection agreement is largely a copy of the failed “Privacy Shield” agreement. Contrary to what the European Commission claims, little changes in U.S. law: the fundamental problem with FISA 702 has not been addressed by the U.S., which means that as before, only U.S. persons have constitutional rights and may not be subject to warrantless surveillance.”
This criticism is exactly what led to the invalidation of Privacy Shield. Data privacy activists therefore criticise that the new law will not hold either.
Data Privacy Framework brings with it the same surveillance risks to personal data of European citizens as Privacy Shield.
We will now have to wait until the case is brought in front of the court to get a decision for better data protection of EU citizens’ data.
Why Data Privacy Framework is criticized
Data Privacy Framework is an agreement between the European Union (EU) and the United States (US), following infamous Privacy Shield (which followed the Safe Harbor framework), that aims to regulate the transfer of personal data from the EU to the US - mainly by US companies like Facebook and Google. It is designed to ensure that US companies meet certain privacy standards and provide adequate protection for personal data.
However, the Data Privacy Framework faces significant criticism and ultimately will meet a similar fate as Privacy Shield. Several factors are being criticized:
-
Inadequate protection against US surveillance: The problem is (as with Privacy Shield) that US surveillance programs, such as the National Security Agency’s mass surveillance activities, do not align with EU privacy standards. Date Privacy Framework will not provide sufficient safeguards against these practices, making it incompatible with EU law.
-
Lack of redress for EU individuals: Data Privacy Framework does not provide effective remedies or legal recourse for EU individuals whose personal data might be mishandled by US companies.
-
Insufficient oversight and enforcement: Critics argue that Data Privacy Framework lacks effective oversight and enforcement mechanisms. The responsibility for ensuring compliance primarily rests on US authorities, which is seen as insufficiently equipped to adequately monitor thousands of participating companies.
-
Unresolved concerns over data access by US authorities: The agreement fails to address the broader issue of US government access to personal data for national security purposes. With Privacy Shield the ECJ ruling emphasized that the access and surveillance practices by US intelligence agencies were not proportionate or limited, raising concerns about the protection of EU citizens’ privacy rights - the same it true for the new Data Privacy Framework.
The main criticism about Data Privacy Framework is that it does not provide an adequate level of protection for personal data transferred to the US.
Protect your data with encryption
The best way to protect your data from illegal mass surveillance is to encrypt as much data as possible.
Fortunately, there are lots of privacy-first services, particularly in Europe, that focus on data protection and encryption and enable you to communicate online safely and privately - without the risk of being monitored.
Check out your favorite private alternative to Google & Co!