Concerns rise over FISA expansion's impact on EU-U.S. Data Privacy Framework

Alexandra Reeve Givens President & CEO at Center for Democracy & Technology | Official website

CDT has submitted comments to the EU Commission to inform its first annual review of the EU-U.S. Data Privacy Framework (DPF). The DPF enables the transfer of personal data between the EU and the U.S. while ensuring adequate data protection standards. CDT's submission explains key changes in U.S. laws, regulations, and practices, focusing on the April 2024 reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA 702).

The reauthorization expanded the scope of FISA 702 so that, with limited exceptions, any company under U.S. jurisdiction that offers a service of any kind and has access to equipment on which communications are stored or through which they transit can be compelled to comply with FISA 702 directives. These changes have introduced a high level of uncertainty about the scope of FISA 702 surveillance and have magnified concerns about the lack of safeguards in FISA 702.

This raises questions as to whether U.S. surveillance laws provide a level of privacy and data protection essentially equivalent to the protection afforded by EU laws, particularly considering that the lack of guardrails for FISA 702 surveillance was a basis for the CJEU decisions that struck down adequacy determinations related to the EU-U.S. Privacy Shield and Safe Harbor agreements.

The EU-U.S. Data Privacy Framework (DPF), adopted by the EU Commission on July 10, 2023, replaces the previous "Privacy Shield" agreement, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020 due to concerns about incompatibility with EU privacy and data protection standards, as well as a lack of effective legal remedies for EU citizens.

The new framework follows Executive Order 14086, signed by President Joe Biden on October 7, 2022, which aims to address the requirements set forth by the CJEU in its Schrems I and Schrems II case law. CDT has expressed concerns that this new framework may not sufficiently meet EU standards, raising doubts about its potential to withstand a challenge before the CJEU.
