Restriction of NSA's surveillance abilities implemented under the USA Freedom Act
The relationship between the European Union (EU) and the United States (US) regarding data privacy and surveillance remains complex, following the implementation of the USA Freedom Act and the invalidation of the EU-US Safe Harbor framework by the Court of Justice of the European Union (CJEU).
The Safe Harbor framework, which previously allowed for easy data transfers from the EU to the US, was invalidated due to insufficient US protections against government surveillance of European data. Consequently, data transfers now rely on more complex mechanisms like Standard Contractual Clauses (SCCs) accompanied by additional safeguards.
The USA Freedom Act of 2015, signed by President Obama, curtailed some broad mass surveillance authorities but did not fully alleviate European concerns about the potential access of US surveillance agencies to EU citizens' data. The absence of a comprehensive US national privacy law equivalent to the EU’s General Data Protection Regulation (GDPR) continues to be a major obstacle.
The EU demands data transfers only to countries with “adequate” data protection, which the US still lacks, given continued European judicial scrutiny. The EU’s GDPR and related initiatives, such as stricter children’s data privacy rules starting in 2025, strongly emphasize data protection, influencing global data privacy norms via the “Brussels effect.” These regulations increase compliance burdens for US companies handling EU persons’ data.
Efforts to negotiate a replacement data transfer framework after Privacy Shield’s invalidation have been ongoing, but no stable, broadly accepted EU-US data privacy adequacy agreement is in place as of mid-2025. Meanwhile, US legislation and policy debates continue, but without a national privacy framework, the fundamental divide remains unresolved.
In the US, the National Security Agency (NSA) can obtain information about targeted individuals with permission from a federal court. However, the new law does not address the NSA collection of foreign Internet data from US sources, which continues to be a point of contention in the EU-US data privacy and surveillance relationship.
The Court of Justice of the European Union's decision to invalidate the EU-US Safe Harbor puts more pressure on the US to tighten up its privacy laws, as the EU continues to enforce its GDPR and related acts strongly, pushing for greater privacy safeguards globally.
The ongoing complexities in the EU-US relationship regarding data privacy and surveillance are influenced by the lack of a comprehensive US national privacy law, equivalent to the EU’s General Data Protection Regulation (GDPR). This absence, coupled with continued European judicial scrutiny, maintains the US as a country without "adequate" data protection in the eyes of the EU.
The Court of Justice of the European Union's (CJEU) invalidation of the EU-US Safe Harbor framework has increased pressure on the US to tighten up its privacy laws, mirroring the EU’s continued enforcement of its GDPR and related acts, which strongly emphasize data protection and influence global data privacy norms.
