Government monitoring capabilities of the National Security Agency (NSA) are limited under the USA Freedom Act's latest regulations
The European Union and the United States have been navigating a complex saga regarding the protection of personal data, with the latest development being the adoption of the EU-US Data Privacy Framework (DPF) in July 2023. This framework aims to address concerns raised by the European Court of Justice in the Schrems II ruling by including new U.S. commitments to limit government surveillance and establish redress mechanisms for EU citizens.
The DPF, formally adopted on July 10, 2023, reinstates a basis for certified companies to transfer personal data from the EU to the US in compliance with EU data protection standards. However, despite its adoption, the DPF faces ongoing legal challenges. Privacy advocacy groups like NOYB are preparing new court actions to challenge its adequacy, and Meta’s €1.2 billion GDPR fine related to EU-US transfers illustrates persistent scrutiny.
Organisations transferring data from the EU to the US are advised to maintain well-documented Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs) as safeguards in case the framework is invalidated again.
On the US side, regulators have implemented new rules affecting data transfers generally, such as the U.S. Department of Justice (DOJ)’s rule effective April 8, 2025, restricting transfers of sensitive personal data to certain "countries of concern" (China, Cuba, Iran, North Korea, Russia, Venezuela). While this is a separate but related aspect of data transfer regulation, it highlights increasing US regulatory scrutiny.
Meanwhile, the EU's Highest Court has already invalidated the EU-US Safe Harbor, and the Court of Justice of the European Union has invalidated a EU-US pact that allowed for easy data transfers from the EU into the US. The Irish High Court in Dublin is hearing a case about US privacy protections and surveillance policies, adding to the ongoing debate.
In the US, the USA Freedom Act was signed by President Obama on Tuesday, banning bulk collection of U.S. cellphone and Internet data by the National Security Agency. However, the new law does not address the NSA collection of foreign Internet data from U.S. sources. The NSA can obtain information about targeted individuals with permission from a federal court, and the Foreign Intelligence Surveillance Court is now required to declassify its most important decisions.
Elsewhere, Edward Snowden, the former National Security Agency contractor who exposed top-secret American surveillance systems, has been granted Russian citizenship by President Putin. Under Russian law, Snowden could potentially be drafted to fight in Ukraine, unless he has health problems or falls under one of the rare exceptions.
In summary, the EU-US Data Privacy Framework (DPF) is currently the main valid legal basis for personal data transfers from the EU to the US after the failure of Safe Harbor and Privacy Shield, but it remains subject to legal uncertainty and ongoing challenges. Businesses must therefore implement comprehensive safeguards like SCCs and TIAs and remain vigilant to evolving legal risks on both sides of the Atlantic. The ongoing debate and legal challenges underscore the importance of robust data protection measures and transparency in the digital age.
- The EU-US Data Privacy Framework (DPF) is a policy-and-legislation development in the realm of general-news, as it addresses the transfer of personal data from the EU to the US and faces ongoing legal challenges.
- The ongoing debate about US privacy protections and surveillance policies is a significant aspect of politics, with the Irish High Court in Dublin hearing a case about these issues, and the EU's Highest Court having already invalidated previous EU-US pacts related to data transfers.
%20are%20limited%20under%20the%20USA%20Freedom%20Act's%20latest%20regulations){kind=link}