At a glance.
- European Commission gives the go-ahead on EU-US data transfers.
- TSA publishes tech strategy.
- New US state law could prohibit sale of cell phone location data.
- NATO considers Article 5 in cyberspace.
- EU-US Data Privacy Framework approved.
European Commission gives the go-ahead on EU-US data transfers.
The European Commission yesterday announced that it has reached an agreement with the US regarding trans-Atlantic data transfers. As the New York Times explains, the EU-US Data Privacy Framework regulates how data can travel between the EU and the US, and it is the culmination of a years-long debate regarding American intelligence access to European resident data and the impact on EU data privacy. By adopting this decision, the European Commission is formally stating that the US has sufficient protections, as outlined in the EU’s General Data Protection Regulation, to safeguard Europeans’ personal data. An FAQ from the Commission states, “As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.” Negotiated by European commissioner Didier Reynders, US attorney general Merrick B. Garland, and US Commerce Secretary Gina Raimondo, the agreement dictates when it is permissible for US intelligence to collect EU data, and when it is not. The accord also allows Europeans to object if they believe their personal information has not been collected in a way that is “necessary” and “proportionate” by American intelligence agencies, and such objections will be reviewed by the Data Protection Review Court, an independent body of American judges. Commission President Ursula von der Leyen stated, “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S., and at the same time to reaffirm our shared values.”
Tech giants like Meta and Google have been awaiting the decision with bated breath, as it determines when and how it is legal for such companies to transfer data across the Atlantic. This data transfer is essential for the thousands of firms that do business on both continents, and Politico notes that transatlantic data flows account for $7.1 trillion in economic activities. The agreement means that Meta should likely be able to circumvent an EU regulatory decision from earlier this year that determined the company would have to stop transferring European Facebook user data and delete already transferred data if no framework decision was reached by fall. That said, the Wall Street Journal notes it’s likely the deal will be challenged by EU privacy advocates, and Austrian lawyer and privacy activist Max Schrems has already said he plans to fight the agreement. “We would need changes in U.S. surveillance law to make this work and we simply don’t have it,” Schrems stated.
TSA publishes tech strategy.
MeriTalk reports that the US Transportation Security Administration (TSA) has released the third edition of its intent document, which summarizes the administration’s technology goals for the next two years. The document states, “The TSA Strategy establishes a clear mission, vision, values, priorities, and goals to guide us through the Agency’s 25th anniversary in 2026. The Admin Intent helps implement the strategy by outlining objectives that specifically define how we will work toward our strategic priorities.” In addition to upholding the agency’s eight-year strategy (released in 2018), it also aligns with the Department of Homeland Security’s 2023 Priorities and federal directives like the White House’s National Cybersecurity Strategy. Actions fall under three main headings – people, partnerships, and technology – and include twenty specific strategic objectives like improved cyber threat forecasting, possible use of innovative screening technologies for air cargo security, and the integration of security by design into Advanced Air Mobility systems. “I am proud of the hard work and outstanding achievements the TSA workforce has made in response to objectives outlined in prior editions of the Administrator’s Intent,” TSA Administrator David Pekoske stated. “In this new iteration of the Administrator’s Intent, we remain steadfast in our focus on people, partnerships and technology so we can build on previous successes and provide flexibility and resiliency.”
New US state law could prohibit sale of cell phone location data.
The US state of Massachusetts is considering restricting the purchase and sale of location data collected from consumers’ mobile devices. If passed, the Location Shield Act would be the first US law focused on cracking down on the lucrative market for location data, and it would also implement a warrant requirement for law enforcement wishing to access this info. As the Wall Street Journal explains, Massachusetts would be joining the nine other states that have recently enacted data privacy legislation, but the Location Shield Act goes beyond similar laws that merely require data brokers to obtain consent from consumers and restrict sales. Senator Cindy Creem, a Democrat and majority leader in the state Senate, said of the proposed law’s chances of passage, “I have every reason to be optimistic that something will be happening in this session.” However, at a hearing conducted last month, the State Privacy & Security Coalition – a trade association representing the tech industry – expressed its opposition to the legislation. “We do support heightened protections for particular types of personal information,” stated Andrew Kingman, a lawyer who represents the association; however, “the definition of sale is extremely broad.” He added that the association felt consumers should be given “the ability to opt-out of sale.” The law’s supporters include the American Civil Liberties Union and several groups that support abortion rights, who say protection of location data is essential to preserving personal freedoms.
NATO considers Article 5 in cyberspace.
The Vilnius summit affords an opportunity for NATO to take stock of its collective cyber defenses. The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn has proven its value, and, as cyberspace has become a generally recognized operational domain, the Alliance may consider ways in which it might build even more effective collective security in that fifth domain. Security Week offers a range of suggestions that may be under consideration, from collective joint cyber training, to the formation of a NATO cyber command analogous to the national cyber commands several of its members have developed, to considerations of the ways in which cyber attacks might trigger the collective defense provisions of Article 5. (And consideration of what a proportionate response to the cyber phases of a hybrid war might look like.)
The Record has an interview with Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, in which Lifländer discusses lessons learned from Russia's war against Ukraine. At a high level, he sees a need to avoid "self-deterrence," a reluctance to take action that might be perceived as escalatory, and a corresponding willingness to recognize that cyber operations, to a greater extent perhaps than those in other domains, tend to blur and overstep institutional lines. "But there seems to be something about cyber that doesn't really respect organizational boundaries," he said. "I mean, you need the technical, the operational, and the political layer to operate better together. So this is exactly what we're trying to achieve here. It means information sharing, it means intelligence sharing, but it also means a better way to react, a better way to shape cyberspace." Cyber is "always on," and warnings must be in place that enable an appropriate Alliance response to threats there, whether they amount to political pressure, disruption, or direct attack against infrastructure.
An op-ed in POLITICO urges NATO to recognize what the authors consider the central lesson to be drawn from the war against Ukraine, "that software is a strategic enabler — perhaps the principal enabler — for joint and distributed multidomain and combined military operations," and to both act and invest accordingly.
EU-US Data Privacy Framework approved.
Rohan Massey, head of the data, privacy and cybersecurity practice at Ropes & Gray, commented on the effects of the approval. “Almost three years to the day since the CJEU struck down the EU-US Privacy Shield, the EU has approved the EU-US Data Privacy Framework, allowing for a free flow of personal data to certified US organisations. In approving the framework there has been significant change on the US side, including the establishment of a new court for individual redress. The EU-US Data Privacy Framework will be welcomed by many commercial organizations which have spent three years in limbo, unsure if their data transfers were lawful," Massey wrote. "The Framework will also benefit organizations relying on standard contractual clauses for data transfers, as they will be able to cite some of the EU-US Data Privacy Framework protections as relevant to their requirements for technical and organizational measures needed to protect data outside the EEA." The new arrangement may itself be challenged, but for now the agreement offers some welcome clarity. "It is claimed by some that relief may be short-lived as privacy campaigner Max Schrems has stated he will challenge the new framework, which he sees as too close to the Safe Harbor and Privacy Shield mechanisms, both of which he successfully challenged. However, at this point clarity, even in the short term, will be welcomed by any organization engaged with transatlantic data transfers.”
Erfan Shadabi, cybersecurity expert with comforte AG, also thinks it possible that the issue might be re-litigated. “The recent approval of a new deal by the EU, enabling the free transfer of data between the EU and the United States, marks a significant development that could resolve the three-year legal uncertainty faced by tech giants like Facebook and Google," Shadabi wrote. "This positive step signifies the European Commission's persistent efforts to establish a stable agreement on EU-US data transfers. However, despite this breakthrough, there remains a possibility that the issue could once again find its way back to the Court of Justice (CJEU) in the coming months. A major concern lies in the fact that the fundamental problem with FISA 702, a controversial surveillance law in the US, has, seemingly, not been adequately addressed. This particular aspect could prove to be thorny, potentially leading to legal challenges and further uncertainty in the future. However, it is necessary to exercise patience and observe the forthcoming disclosure of the specific details regarding this new deal, as well as closely monitor its subsequent developments.”
Ani Chaudhuri, CEO of Dasera, explains why the Framework was difficult to negotiate, and why it may wind up back in the courts. "This EU-US Data Privacy Framework, the product of years of negotiation, attempts to balance national security and personal privacy. This feat is as complex as it is critical," Chaudhuri wrote. "On the surface, it's a commendable step. It provides a mechanism for EU residents to challenge perceived infringements on their data by US intelligence agencies and aims to ensure that protections are 'traveling with the data.' Yet, Max Schrems, a leading privacy activist, is already planning to sue, questioning the legality and practicality of the Framework. The situation underscores a fundamental question - is it possible to simultaneously maintain privacy and security in a data-driven world?" Chaudhuri enumerated why the Framework will remain a point of difficulty. "Firstly, let's agree on this: data is the backbone of the modern economy. The absence of this agreement would have created a tumultuous environment for multinational businesses that rely heavily on data flows. However, this pact is a band-aid on a festering wound. It replaces the invalidated Privacy Shield but maintains many of its predecessor’s shortcomings. Why? Because, at its core, the Framework assumes trust between EU citizens and American intelligence agencies. It assumes a complaint-based system backed by an independent review body would provide adequate redress. But let's be real: how many Europeans would feel comfortable voicing their concerns, let alone feel confident that their complaint would be handled fairly and impartially? The primary question, as Schrems rightfully posits, is whether changes in US surveillance law can genuinely ensure Europeans' privacy rights. I would argue that the answer is, as it stands, 'no.'" The Framework represents an advance, but it's not ultimately an adequate solution, Chaudhuri concluded. "The issues run deeper than policy alone. The EU-US Data Privacy Framework marks a step forward but doesn't necessarily solve the problem. The elephant in the room remains the balance between privacy rights and national security concerns. The current paradigm involves mass data collection, necessitating uncomfortable compromises on personal privacy for security. But should we not aspire for a system that allows us to achieve both? Technology, after all, is a great enabler."