The new Transatlantic Data Privacy Framework fails to make US cloud services GDPR compliant

On Friday, March 25th the White House announced the Trans-Atlantic Data Privacy framework.

The Trans-Atlantic Data Privacy Framework is the most recent scheme on how data privacy should be managed on an international level between the EU and US.

As stated in the official White House Fact Sheet, the Framework “will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union … underlying the EU-U.S. Privacy Shield framework” and “will reestablish an important legal mechanism for transfers of EU personal data to the United States.”

With its message as a beacon of hope in lieu of the Cloud Act, Schrems II, and more, there are still some definite gray areas which critics find to be less than promising.

First off, the fundamental backing of this framework is not bound by law and legislation (yet), but to a US Executive Order.

To provide a quick overview, the US President has the supreme power to create, amend, and revoke an Executive Order at any given time. They can be perceived as “instant” law, however they are not legislation and require no approval from US Congress.

The Executive Order in question, EO 12333 (United States Intelligence Activities), was signed in 1981 by former President Ronald Reagan and is the primary authority under which the NSA collects and analyzes foreign intelligence information outside of the US.

EO 12333 has been amended 3 times (EO 13284, EO 13355, and most recently EO 13470 in 2008), but is still an active Executive Order and is basically what allows the possibility for European data to be collected and obtained by US foreign intelligence agencies.

The inherent fact that the Executive Order is not law, nor the newly introduced framework, the current debate is if it really can be legal under GDPR and in the Court of Justice of the European Union.

Of course, changes within US legislation is the preferred option, as it would be comparable to EU law, however this involves a lot of complexity, time, and international law politics. The fruition of such a legal document adopted by both sides is a goal of the U.S. Government and the European Commission, as stated in a briefing statement, but only time will tell.

Until a bespoke legal agreement, we must assess all we have: the Framework and the Executive Order and determine if both comply with the key articles of the EU charter (7, 8, 47, and 52). Without getting into the legal wording and analysis, these two documents do no fulfill the requirements of the articles.

The announcement of the Trans-Atlantic Data Privacy Framework may have been widespread news, however, it does not solve the problem of the conflicting US and European law, and further, it’s hard to imagine how the the issue can be solved in the future.

As for now, it is encouraged to take data privacy in your own hands, until, or if ever, a transparent agreement or law firmly states that your data is not crossing the Atlantic into the hands of foreign intelligence bodies and sketchy third parties.


Stay informed with Nextcloud as we share all you need to know regarding data privacy, data security and data sovereignty happening around the world. #PrivacyWednesday