UMass Law’s Shaun Spencer presented on the EU-US Data Privacy Framework and the history of US surveillance regulation.
UMass Law Associate Dean for Academic Affairs Shaun Spencer presented at Germany’s Schmalkalden University on the new EU-US Data Privacy Framework. The framework is the third attempt by the US and the European Commission to adopt a framework sufficient to allow data transfers from the EU to the US without violating the European Union’s General Data Protection Regulation. The Court of Justice of the European Union (CJEU) struck down the prior two frameworks on the grounds that they did not provide adequate protection to EU citizens because they were subject to US intelligence collection activities.
Dean Spencer first placed the new framework in the context of the historical regulation of US national security surveillance since the second World War. Prior pressure for surveillance reforms had arisen from domestic politics. That changed, however, after Edward Snowden’s 2013 disclosures of how US intelligence collection activities expanded in the wake of the September 11, 2001 terrorist attacks. The EU-US Data Privacy Framework is the latest attempt by the US to respond to that international pressure and preserve the transatlantic data flows.
Dean Spencer also described how evolving communications technologies have influenced surveillance regulation since the 1970s. In 1978, when the primary US surveillance restrictions were enacted, most international communications were carried via satellite rather than on transatlantic cables. For that reason, US surveillance regulations granted more protection to wire communications than to satellite communications. However, with the advent of fiber-optic cables in the late 1980s, the vast majority of international communications shifted to submarine cables, thus triggering more stringent protections against surveillance than those same communications would have enjoyed in 1978. After the September 11 terror attacks, the US revised its surveillance authorities to allow for more liberal interception of international wire communications. However, these post-9/11 revisions did far more than just restore the balance that had existed in 1978, because international communications in the digital age involve vast amounts of personal data on ordinary citizens’ activities. Access to this type of personal data about foreign citizens would have been impossible, even unimaginable, in the 1970s.
Finally, Dean Spencer discussed whether the CJEU will find that the new framework provides adequate protection to EU citizens as required under the General Data Protection Regulation. The CJEU’s prior decisions have emphasized two flaws in the previous frameworks: (1) the failure to abide by the EU’s principle of “proportionality,” and (2) the failure to provide meaningful redress to EU citizens improperly subjected to US surveillance activities. Dean Spencer suggested that the new framework most likely satisfies the principle of proportionality because it limits collection of EU citizens’ communications to specified national security purposes. However, Dean Spencer described the significant questions that remain regarding whether the CJEU will find that the new framework provides adequate redress.