Virtual Panel: the New US-EU Data Privacy Framework

Recent rulings by several European courts have set important precedents for restricting personal data transmission from the EU to the US. As a consequence, the US and EU have started working on a new agreement, known as Trans-Atlantic Data Privacy Framework, which should replace the current Privacy Shield. Recently, US President Biden signed an Executive Order defining the steps the US administration will take to provide the necessary safeguards to personal information handling required by the EU-US Data Privacy Framework.

At the heart of the problem lies a fundamental mismatch between EU and US privacy regulations. While EU citizens have their privacy protected by GDPR, the US lack federated privacy laws, which fueled the proliferation of state-level laws that do not provide a specific basis for enforcement.

Given the Court of Justice of the European Union's (CJEU) stance regarding US surveillance law, it is not clear how GDPR can be made compatible with transatlantic data transmission. Thus it is likely that any new privacy frameworks will be challenged in courts. Yet, the newly proposed Trans-Atlantic Data Privacy Framework brings an attempt to solve the underlying issues and may include an independent Data Protection Review Court as a mechanism to solve disputes that could provide an effective solution.

If the new framework did not pass European Courts' scrutiny, it is possible that a completely different approach to data privacy will be required in future to ensure data transmission and collaboration while granting privacy rights, such as treating user data as a currency or similarly to copyright.

In this virtual panel, three knowledgeable experts in the field of data privacy discuss where the existing agreements fall short, whether a new privacy agreement could improve transatlantic data sharing while granting privacy rights for EU citizens and stronger oversight of US intelligence, and more.

The panelists who have answered our questions are:

Chris McLellan, director of operations at the non-profit, Data Collaboration Alliance, which is dedicated to helping organizations get full control of their information for global collaborative intelligence.

Jeff Jockisch, leader of the Data Privacy Group at Node Zero and Data Privacy Researcher at PrivacyPlan.

Stephen Bailey, associate director & global privacy lead at NCC Group, one of the largest security consultancies in the world.

InfoQ: Could you briefly describe the current status of data privacy across the world?

Jockish: Data privacy has become a consumer rights issue worldwide because of 1) identity theft and 2) surveillance advertising. This lack of privacy can also cause problems with fundamental freedoms, as the same data easily flows to governments and politicians, and they often have agendas.

Much of the world is responding with new and stronger data privacy legislation, but the tenor and enforcement of these laws are not uniform.

Bailey: This can be described in one word: Varied. The number of countries with legislation to protect people’s personal data has grown significantly over recent years and there are now 130+ of them, many looking a lot like the European Union’s GDPR. The fact there are so many that are versions of GDPR does give some respite to global organizations looking to create policies and procedures that will work pretty much anywhere. Add into that mix the range of enforcement approaches taken by regulators and it makes for an interesting area of compliance for organizations.

Some laws are adding in new complexities for organizations that operate globally to get to grips with, the most obvious one being the demand for data localization, which often come with different classifications of data subject to those localization rules.

McLellan: The concept of data privacy–that consumers’ confidential information should be protected–is surely universal, but there are multiple and conflicting approaches to achieving it. For example, there’s no question that Europe has set the highest bar with the adoption of GDPR, and changed the conversation on what consumers can expect, and what the private and public sectors alike should do to comply with the regulation. However, that doesn’t mean that bringing American regulations into closer alignment with the sweeping EU legislation would necessarily solve privacy issues for US citizens. This is a deeply complicated issue that needs to respect cultural norms (even between US states), technology capabilities, government policies, and a host of other factors. However, certainly in the US, we’re seeing progress: California’s CCPA legislation has been followed by other states enacting their own data privacy laws, and within the next few years, we could see nearly all US states with their own legislation in place.

InfoQ: Why are agreements like Privacy Shield and the new Trans-Atlantic Data Privacy Framework important and necessary?

McLellan: For its part, the US government has been seeking to strengthen data privacy rights. For example, the Dept. of Commerce recently announced the Global Cross-Border Privacy Rules Forum, which features primarily Asian signatories. However, the biggest and most significant data flow is between the US and the EU, and this has been an area of heightened concern since 2015, when the principles known as ‘Safe Harbor’ were first declared invalid by EU courts. Its successor, known as Privacy Shield, was also struck down by the Court of Justice of the European Union in 2020 (in a decision known widely as ‘Schrems II’). The current draft agreement, known as the ‘Trans-Atlantic Data Privacy Framework’ reestablishes this important legal mechanism to regulate transfers of EU personal data to the United States.

The reason such regulations are so important is that most modern applications operate as part of a "data supply chain" in which information is routinely exchanged between application databases that typically span multiple regulatory jurisdictions. These ‘data flows’ routinely include personal and sensitive information such as search, location, and transaction data and so setting a baseline of rules between nations to govern who can access and utilize such data is vital to establishing data privacy rights for citizens and organizations. That said, regulations can only go so far, and they do not address the root causes that make data so difficult to control.

Bailey: The statement released jointly by the European Commission and the United States government declaring they’ve agreed on a Trans-Atlantic Data Privacy Framework, at least in principle, will raise the hopes of many organizations struggling to stay one step ahead of data protection regulators’ enforcement actions across the European Union. But it’s important to keep in mind that this is just a statement of intent and the detail has yet to be worked out, some of which could require legislative change.

Agreements like this are vital for organizations that are working across international boundaries as they provide certainty and, often, a reduced burden when they share personal data of their own people or the clients/customers/members that they serve. That certainty extends to individuals, who can take some comfort in the fact that the sharing of their data is being done under a recognized framework that is there to protect them.

Jockish: Efficient global business can’t happen without data flow - and virtually all large companies and online businesses have vendors and subsystems that cross borders. When different countries have different data privacy laws, things can get tricky.

In the case of Privacy Shield and the Trans-Atlantic Data Privacy Framework (TADPF), fundamental differences exist in how Europe and the US view data privacy, particularly over government surveillance of foreigners.

InfoQ: How did Privacy Shield fall short of properly protecting EU citizens data privacy?

Bailey: There were two main issues that pulled the privacy rug out from under Privacy Shield in the Schrems II case—the access that US public authorities have for national security purposes to personal data transferred from the EU, and the lack of any meaningful redress for those individuals whose data has been accessed.

Jockish: In the eyes of the European Court of Justice, Privacy Shield did not protect European citizens from unauthorized US government access to personal data via Foreign Intelligence Surveillance Act 702 requests. Specifically, there were no measures for European citizens to challenge FISA requests for access, either before or after the event, because FISA Court proceedings are secret. The third parties who provide data to the government are under a gag order.

InfoQ: In what respects does the new Trans-Atlantic Data Privacy Framework improve on Privacy Shield?

Jockish: Details of the agreement are still vague. What is concrete is the creation of an independent Data Protection Review Court. The Review Court would be part of a multi-layer redress process designed to give Europeans an independent mechanism outside of the FISA Court and PCLOB, which have different and perhaps conflicting motivations.

If the Review Board is genuinely independent and has enough power to stand up to law enforcement overreach, it could be meaningful for more than just Europeans.

Bailey: The joint statement mentions the issues present in Privacy Shield, but whether or not they will be addressed adequately remains to be seen. There seems to be commitment on the part of the US to address the two main issues. The joint statement references the US putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available.

InfoQ: Is the Trans-Atlantic Data Privacy Framework a robust solution? Does it address all the concerns related to data privacy in the context of collaboration between the US and the EU?

Bailey: EU to US transfers of personal data currently require the exporter to adopt an approach that provides for appropriate safeguards to a standard that is of "essential equivalence". One option for this is the use of EU standard contractual clauses (SCCs), plus supplementary measures, for which the European Data Protection Board adopted a set of recommendations, but this approach has not stood up to scrutiny in a number of recent investigations undertaken by supervisory authorities in the EU. The privacy campaigners that brought recent cases have many other similar ones in process so will be watching with great interest.

At the root of the problem is the fundamental disconnect between the EU and US with respect to privacy. The absence of federated privacy laws in the US and the proliferation of laws at the state level that are still either breach oriented or lacking in providing a specific basis for enforcement creates issues that will make it highly likely that this new framework will once again be successfully challenged.

The Trans-Atlantic Data Privacy Framework makes no mention of the Court of Justice of the European Union (CJEU), the judicial arm of the European Union that invalidated the adequacy decision for the EU-US Privacy Shield. It’s possible that’s because this is the early stages, but they will no doubt be asked to rule on whatever the new Trans-Atlantic Data Privacy Framework turns out to be.

There is no doubt that an agreement will be reached on transfers of personal data between the EU and US, but there is doubt around whether it will stand up to the scrutiny of the courts when it’s inevitably brought before them.

InfoQ: If we look at how things worked out with Privacy Shield, as well as with its predecessor, Safe Harbor, do we see a pattern at work? Shall we expect another negative ruling at some point?

Bailey: There is some learning to be had, and to push forward with the same approach and expect a different outcome has already been summed up rather nicely and attributed by some to Albert Einstein. In my view, there will be greater scrutiny, certainly by those on the outside if they are able to see how the framework develops, of how it compares with the previous attempts.

Jockish: There is little doubt that someone challenges TADPF. I would wager a large amount that Max Schrems outlines a legal strategy to overturn TADPF before the ink is dry.

But I’m not in the camp of privacy activists that believe data transfer deals between Europe and the US are doomed to fail. While there are fundamental differences in how we think about data rights, we can solve this issue of government surveillance and citizen redress.

McLellan: The bottom line is that nearly all data management technologies are basically band-aids that address a structural problem which is that data is currently managed within silos which are then integrated through the unrestricted exchange of copies. These copies do not simply stay within a walled garden - they end up in all sorts of 3rd party IT ecosystems. But whether application data stays at home or gets transferred abroad, the result is that data stakeholders (including citizens, partner organizations, and indeed the app developers themselves) have little or no control over how their data is accessed and used. The fact is that many of the outcomes associated with the GDPR; things like access control, data custodianship, data portability, and the right to be forgotten - all of these are next to impossible to enforce in a digital ecosystem defined by silos and unrestricted data copies. So yes, until we fundamentally re-address how we build and connect applications, it is inevitable that we will continually see challenges (and fines) aimed at the organizations who fail to build applications with technologies and frameworks that support control and collaboration, rather than copies and chaos.

InfoQ: How does the proposal for a Data Protection Review Court fit into this picture?

Jockish: The Foreign Intelligence Surveillance Court (FISC) has civilian review via the Privacy and Civil Liberties Oversight Board (PCLOB). This mechanism has two mandates, neither of which concerns the rights of foreign citizens. PCLOB was somewhat less effective for a period before Feb 2022 since it lacked a chairman.

The conception of a Data Protection Review Court may sound like bureaucracy to some. Still, it could be the additional layer of protection European citizens need with the right power and implementation.

Will the framework address the concerns of the Court of Justice of the European Union regarding US surveillance law? The details of the Review Court's formation and operation will matter greatly. How will it work? Will its operations be secret? At what point in the process will it be invoked? What power will the board have over the FISA Court?

Bailey: The Data Protection Review Court could address the lack of an analog to a Supervisory Authority which serves as an independent monitoring authority for GDPR in the EU. But without lawmaking to accompany the framework, any enforcement actions will be subject to question. The existence of the Data Protection Review Court, as it appears to be outside of the US justice system, could also lead to challenges from a variety of perspectives in the US legal system. Establishing the court, if successful, might provide the basis for enforcement, but absent a framework similar to GDPR, will not support proactive compliance.

InfoQ: What are your predictions about the future of data privacy, in the EU, the US, and the rest of the world?

McLellan: We’re all addicted to apps, and this is unlikely to change any time soon. Generally speaking (and with some notable exceptions within social media) this is a healthy addiction, as apps provide our business and personal lives with a great deal of convenience, efficiency, and entertainment.

However, the way apps currently manage data is at complete odds with the global movement for increased data privacy and data protection. In today’s globalized digital ecosystem, data respects no borders - it is copied (invisible and at scale) wherever it is needed in order to run the applications on which we depend.

As such, any regulation attempting to regulate such chaos is ultimately doomed to fail, because just as societies around the globe have learned with things of great value like currency and intellectual property, it is impossible to protect things that can be legally copied without restriction.

The bottom line is that if we want to get serious about data privacy, we need to start to build apps differently.

We need to accelerate the use of new frameworks like Zero-Copy Integration and encourage developers to adopt new technologies like Dataware and blockchain, all of which minimize data and reduce copies so that the data can be meaningfully controlled by its rightful owner. What’s incredibly encouraging is that building new apps via collaboration between data owners is actually far, far faster and more cost-effective than building them with data silos and copies.

This incredible efficiency will be the unstoppable force that helps to accelerate the shift away from data chaos and towards control.

Jockish: How data rights and data ownership evolve will determine the winners and losers in our future economy. We are now witnessing a fight to own the future by owning data.

Without better data privacy and the ownership of our personal data, I believe we tip further and further into a world of haves and have-nots with no middle class.

Bailey: "Essential equivalence" will always be a challenge to achieve and maintain until such time as the US passes effective data privacy legislation. As far as trans-atlantic data transfers go, few organizations will be putting their transfer impact assessment tools away any time soon.

I predict that there will be more of the same: Data protection and privacy laws appearing in countries that do not currently have them, and existing laws being tweaked or overhauled to align, no matter how loosely, to the EU GDPR and its variants. In this future, companies will continue to struggle with the many moving parts that make up an international transfer of an individual’s personal data.

InfoQ: What is the Zero-Copy Integration framework?

McLellan: Zero-Copy Integration is a national standard being developed by the CIO Strategy Council of Canada, an accredited agency of the Standards Council of Canada. It is currently in the final public review stage and expected to become an official standard in coming months. What makes this a pioneering approach is that it defines a framework for the development of new applications that is vastly more efficient, controlled, and collaborative than current approaches.

Zero-Copy Integration proposes to decouple data from applications in order to eliminate the database silos and copy-based data integration that erode the ability to meaningfully control data and to undertake a collaboration-based approach to data-centric development projects. Supporting it are a host of new technologies, including operational Data Fabrics, Dataware, blockchain, and Active Metadata.

For innovators, the elimination of database silos and copy-based integration not only maximized IT delivery capacity and accelerates the app development process, but enables application data to be protected and governed more like money, with its own innate access controls that can be universally enforced (comparable in principle to the holograms and special patterns used on physical currency).

The outcome of the adoption of Zero-Copy Integration for end users, partners, and other application stakeholders in application data is meaningful control over data access, custodianship, portability, and deletion.

This article was amended after its initial publication to include a mention to US President Biden's Executive Order to Implement the European Union-U.S. Data Privacy Framework.