Data privacy

Inside the first step in formalizing the new EU-US Data Privacy Framework

‘Even if a company is outside of the European Union, those laws must be respected,’ says one European cybersec consultant.

Gather ’round, Euro netizens—your privacy protections are going to continue to take precedence over US law.

President Biden signed a wide-ranging executive order on October 7 to strengthen data management privacy standards, a move intended to bring the US in line with EU requirements.

“These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law,” the White House said in a statement announcing the actions.

Biden’s order establishes a number of requirements and regulations for the handling of data, a response to the miscues and false starts that have plagued EU–US data sovereignty relations. It’s seen as a first step in formalizing the new EU–US Data Privacy Framework.

Two years of limbo. In 2020, a lawsuit filed against Facebook Ireland by an Austrian activist named Maximilian Schrems invalidated the EU–US Privacy Shield. That agreement, which facilitated data transfers, hasn’t yet been replaced, though a replacement framework has been negotiated.

The full ramifications of the Schrems case weren’t fully appreciated in the US at first, said Kenneth White, a US-based cloud security researcher and the director of the Open Crypto Audit Project. Today, there’s a feeling of having to catch up, as cloud providers adapt data management to the countries their servers are located in and where their customers reside.

Yet, some of the concerns in Europe “about potential overreach” can miss the point of security and privacy protections, White said.

“What I think is missing in that conversation sometimes is that if a particular target is sought by a really well-resourced adversary, whether that’s a Western nation state or anyone else, it’s sufficiently motivated, there are technical means to get information,” White said.


The EU’s General Data Protection Regulation (GDPR) provides the bloc’s citizens with a wide range of powerful privacy protections, and presents the central challenge to the US’s approach to data management. The broad applicability of the GDPR means that its sovereignty extends past EU borders, explained Lukasz Olejnik, a Europe-based independent cybersecurity and privacy researcher and consultant.

“This regulation applies to the processing of personal data of data subjects who are in the union,” Olejnik said. “Which means that even if a company is outside of the European Union, those laws must be respected.”

Being extra(territorial). The GDPR’s extraterritoriality is constructed in a “clever” way, said Olejnik, because “it applies to…the company’s data in Europe, or companies processing data of Europeans.” For data management companies, that means the protections have to be taken into account and applied—meaning that the GDPR is the gold standard.

“If you’re a US company, and you process [the] data of Europeans, the European law applies—you must respect that, especially when you have representation here in Europe,” Olejnik told IT Brew.

White noted that whatever agreements the EU and US come to, they’re only as good as the next time they’re challenged—and how guidance is interpreted can change from company to company working within the regulatory framework.

“I’ve personally seen major global banks that have completely different interpretations of the latest guidance, depending on the country or which bank we’re talking about within certain Western European countries,” White said. “I’ve had conversations with managing directors, where, across two or three different things in the same country, came up with completely different understandings or postures to comply with GDPR.”—EH
