A section of the framework allowing US surveillance abroad was renewed last month, meaning Europeans are still prone to being spied on.
US President Joe Biden renewed a section of the US surveillance framework in April, extending by two years the authorisation to monitor and collect data without warrants from non-Americans across the world, including Europeans.
The renewed Section 702 of the 1978 Foreign Intelligence Surveillance Act (FISA) was first introduced in 2008 to adapt to “the evolution of technology” and target individuals outside the US, according to a briefing by the Office of the Director of National Intelligence.
Section 702 provided the legal basis for the NSA’s international mass surveillance programme PRISM, the existence of which was leaked by whistleblower Edward Snowden in 2013.
FISA-approved programmes such as PRISM, which is still operational, require US tech companies such as Microsoft, Amazon and Google to give access to the accounts of non-Americans being investigated. No judge’s order is required.
Europeans might think the General Data Protection Regulation (GDPR) protects them from the US legislation, but the “toughest privacy and security law in the world” is currently moot against programmes authorised under FISA, activists say.
“The data of Europeans is basically available to US surveillance services if they choose to have it, and that’s the reality of what is going on right now,” Austrian lawyer and privacy activist Max Schrems told Euronews Next.
Data privacy as a human right
Data privacy is a fundamental human right in the EU. GDPR imposes strict restrictions on personal data, prohibiting it from being shared with countries that don’t have an equivalent level of protection – a provision that has been in place since the 1995 Data Protection Directive, a predecessor of the GDPR.
In 2000, the EU decided that Switzerland offered an “adequate level” of data protection, a decision that was renewed earlier this year. This means that the data of European citizens can safely and smoothly be transferred from within the bloc to entities in the alpine country.
The US also received “essentially equivalent” status in 2000, but that decision was invalidated in 2015 by the Court of Justice of the European Union (CJEU) after Schrems challenged the EU’s data protection commissioner.
In 2016, the European Commission decided to reinstate the US’ status, but in 2020, the highest European court again ruled in favour of Schrems, who lent his name to the two annulments.
Schrems claims a “political decision” led the Commission to once again give US data privacy laws, which he says are non-existent, equivalent status to GDPR on March 25, 2022.
“The Supreme Court of the European Union says ‘you can’t do that, that’s unlawful, even unconstitutional’, and the Commission just issues (the agreement) again and again and again,” said Schrems.
According to the activist, on the day Ursula von der Leyen and Joe Biden announced the new Trans-Atlantic Data Privacy Framework, the Commission and the US also said they would be “working together to support Europe’s energy security for the coming winters and to sustainably reduce Europe’s energy dependency on Russia”.
European Commission spokesperson Christian Wigand was very clear there is no connection between the two events.
Instead, he told Euronews Next that talks were motivated by “the benchmark” set by the European Court of Justice in 2020: if countries don’t have equivalent status to the EU, they can adopt “additional measures to compensate”.
A decision with ‘huge consequences’
The US officially regained its “adequacy” status in July 2023, after the US government issued an executive order (a law that can be passed and annulled by a president) to limit EU data collection to “necessary and proportionate” levels. For the Commission, the Framework has measures to “address all the concerns raised by the European Court of Justice”.
NOYB, Schrems’ non-profit organisation defending European digital rights, argues that the two countries have never agreed on a definition of the word “proportionate” and the new deal is the same as the previous two.
According to Kenneth Propp, associate fellow at the American think tank The Atlantic Council, the US is “never going to agree to a definition of necessity and proportionality that is set according to EU law”.
But, he said, “the US did make some significant changes,” with the executive order and the creation of a new judicial redress system for Europeans.
“There’s an interesting difference of opinion on this depending on which side of the ocean you’re on. If you’re in Washington, people in the US government will say ‘the US government tried very hard to do things within the scope of its laws that would satisfy the Europeans’,” the expert in cross-Atlantic data flows said.
“If you ask people in Brussels, they will say, ‘This is somewhat better, but still short of what we think the standard is’. Ultimately this is going to be a question for the Court of Justice,” he added.
NOYB has already called on all those affected by the new deal to “bring a challenge with Data Protection Authorities or Courts,” but warned that a decision by the CJEU would “likely be by 2024 or 2025”.
If the court judges the current agreement invalid, as it has the previous two, the US and the EU could be in a “difficult situation,” according to Propp.
“The willingness of the US government to devote considerable resources to negotiating and renegotiating this agreement, I don’t think it’s limitless,” he said.
A lack of agreement won’t stop countries from conducting mass surveillance, according to the expert, but if companies based in the US and EU can’t transfer data for commercial purposes, there could be “huge economic consequences”.
“How will companies be able to conduct their businesses if there’s no agreement between the US and Europe? They won’t have the level of legal certainty that they need, and that’s not a sustainable situation over the long term,” Propp said.