Yesterday, the European Data Protection Board issued guidance that makes it virtually impossible to transfer data from the EU to the US for backup or processing, due to the breadth of US surveillance. It's a big deal: edpb.europa.eu/sites/edpb/fil… 
For context: in July 2020, the EU's highest court struck down "Privacy Shield," an EU-US agreement that facilitated data transfers for more than 5,300 US companies. Its decision was based on the scope of US surveillance and lack of legal remedies for unlawful spying.
Under EU law, companies need a legal basis to transfer data out of the EU. The EU court's analysis made clear that other potential mechanisms for transfers, such as Standard Contractual Clauses (SCCs), would no longer work for the US, given the problems with US law.
But because the court didn't expressly forbid transfers to the US, many lawyers have advised companies to continue to use SCCs, with modifications. Given yesterday's guidance, lawyers and companies will need to dramatically rethink their approach.
In short: systematic data transfers to "electronic communication service providers" in the US are prohibited, with a few narrow exceptions (e.g., the data is encrypted and the US company doesn't have access to the key).
"Electronic communication service provider" is defined broadly, see 50 U.S.C. § 1881(b)(4), and the NSA may not be interested in every ECSP. But the likelihood of US surveillance doesn't matter at all, according to the new guidance. What matters is US law. It's a problem.
The solution to this problem is comprehensive surveillance reform, as @PatrickCToomey, Kate Ruane, and I explained yesterday in @just_security: justsecurity.org/73321/the-futu…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
