Data Privacy Framework: 3 factors of an inevitable shock

Members of the Privacy and Civil Liberties Oversight Board (PCLOB) asked to resign
Since the Edward Snowden revelations, we have known that the United States massively collects data from Europeans via companies like Google, Apple or Microsoft. The New York Times reports that members of the Privacy and Civil Liberties Oversight Board (PCLOB), the guarantor of independent oversight of surveillance, were asked to resign, threatening the board's functioning. As a reminder, the PCLOB was one of the guarantees put forward within the Data Privacy Framework. Without this framework, thousands of European businesses and administrations could lose the ability to use American cloud services. Can the EU still trust such a fragile system? This situation threatens the security of European data transferred to the United States.
An unstable legal framework
Signed in July 2023, the Data Privacy Framework aimed to ensure an adequate level of protection for European data transferred to the United States. However, American surveillance laws, such as FISA 702, have already been found to be incompatible with European standards by the Court of Justice of the European Union (CJEU) in the Schrems I and II cases. These decisions highlighted the risks associated with access to data by American agencies.
To try to overcome these incompatibilities, the Data Privacy Framework is based on a set of guarantees supposed to protect the personal data of European citizens. These guarantees include the Privacy and Civil Liberties Oversight Board (PCLOB), an independent body responsible for overseeing US surveillance. This framework was supposed to provide adequate protection and allow businesses to continue to transfer data legally.
However, these foundations remain fragile. The Data Privacy Framework is based primarily on presidential decrees and executive guarantees, which do not have a solid legislative base. These mechanisms can be changed or canceled at any time, especially in the event of a change of administration in the White House. This legal instability raises concerns about the sustainability of the agreement.
Uncertain guarantees
The Privacy and Civil Liberties Oversight Board, mentioned 31 times in the European decision validating the Data Privacy Framework, is a central element of the system. However, the recent wave of forced resignations of its members directly threatens its proper functioning. If the PCLOB can no longer fulfill its control role, the guarantees offered by the Data Privacy Framework lose their credibility in the eyes of European authorities.
The independence of American control bodies has often been questioned. The President of the United States can, by simple decree, modify or remove existing protections. This institutional flexibility creates a dangerous precedent, calling into question the reliability of the commitments made by the United States to the European Union.
Predictable disruptions
If the Data Privacy Framework were to become ineffective, the consequences for European businesses would be considerable. Thousands of businesses would face a legal vacuum, forcing them to immediately stop using American cloud services like Google, Amazon, or Microsoft. Such a situation would profoundly disrupt the European digital economy.
Faced with these uncertainties, the European Commission finds itself in a delicate position. Although it has validated the Data Privacy Framework to respond to corporate pressures, it may be forced to review its position if American guarantees collapse. Reacting too late would risk plunging European organizations into total uncertainty.
This situation is reminiscent of the criticisms made by the United States against TikTok, which is accused of collecting sensitive data on American citizens. While Washington imposes restrictions on the Chinese app, it is downplaying European concerns about its own surveillance. The European Union could eventually adopt similar measures against American companies.
In addition, an executive order signed by Donald Trump plans to review all executive decisions made by Joe Biden on national security matters within 45 days. There are therefore 41 days left before a potential turning point that could call into question all the guarantees of the Data Privacy Framework, with a simple stroke of a pen.
As long as the European decision validating the Data Privacy Framework remains in force, data transfers remain legal. However, businesses must anticipate a possible collapse of the system and consider alternatives to secure their data flows. The future of transatlantic data transfers is more uncertain than ever.
Sources: New York Times article