USA (Washington Insider Magazine) — US President Joe Biden renewed a section of the US surveillance framework in April, extending by two years the authorisation to monitor and collect data without warrants from non-Americans across the world, including Europeans.
The renewed Section 702 of the 1978 Foreign Intelligence Surveillance Act (FISA), was first introduced in 2008 to adapt to “the evolution of technology” and target individuals outside the US.
Impact on European Data Privacy
Section 702 allows FISA-approved programs, such as PRISM, to require American technology companies like Microsoft, Amazon, and Google to provide access to accounts of non-Americans under investigation without a judge’s order. This has sparked concerns among Europeans who believe the General Data Protection Regulation (GDPR) protects them from such US laws. However, activists argue that the “world’s toughest privacy and security law” is currently ineffective against FISA-sanctioned programs.
“Europeans’ data is basically at the disposal of American surveillance services if they choose to have it,” stated Austrian lawyer and privacy activist Max Schrems.
Data Privacy as a Fundamental Right
According to Euronews,, data privacy is considered a fundamental human right in the EU. GDPR imposes strict restrictions on personal data, prohibiting it from being shared with countries lacking equivalent protection levels. This principle has been in effect since the 1995 Data Protection Directive, the GDPR’s predecessor. For instance, Switzerland offered an “adequate level” of data protection in 2000, a status reaffirmed earlier this year, allowing secure data transfer from the EU to Swiss entities.
Legal Challenges and Political Decisions
According to Noticias, the United States received “essentially equivalent” status in 2000; however, this decision was invalidated by the Court of Justice of the European Union (CJEU) in 2015 following a challenge by Max Schrems. Schrems contends that the European Commission’s decision to grant the US equivalent status again in 2022 was politically motivated.
“The Supreme Court of the European Union says ‘you can’t do that, it’s illegal, even unconstitutional,’ and the Commission just issues the agreement over and over again,” Schrems noted.
Transatlantic Data Privacy Framework
On the day that Ursula von der Leyen and Joe Biden announced the new transatlantic data protection framework, it was also declared that the EU and the US would work together to improve Europe’s energy security. However, European Commission spokesperson Christian Wigand stressed that these events were unrelated and depended on the 2020 recommendation of the European Court of Justice, which requires additional measures for non-equivalent countries.
Ongoing Legal Battles
The US regained its “adequacy” status in July 2023 after issuing an executive order to limit data collection in the EU to a “necessary and proportionate” level. However, Schrems’ non-profit organization NOYB, which campaigns for European digital rights, argues that the new agreement is no different from previous agreements that have been declared invalid.
Kenneth Propp of the Atlantic Council explained that the US “will never accept a definition of necessity and proportionality that is consistent with EU law”,” even though the new implementing regulation makes some important changes, including a new judicial recourse system for Europeans.
Future of Transatlantic Data Flows
NOYB has urged those affected by the new agreement to appeal to data protection authorities or the courts, anticipating a decision by the CJEU in 2024 or 2025. If the court invalidates the current agreement, it could create a “difficult situation” for the US and EU.
“The willingness of the US government to devote considerable resources to negotiating and renegotiating this agreement is not unlimited,” Propp stated.
Without an agreement, countries may still conduct mass surveillance, but the inability for US and EU companies to transfer data for commercial purposes could have “huge economic consequences.” Propp warned, “Companies will lack the legal certainty needed for sustainable business operations in the long term.”
