[CALL FOR PAPERS] How can Europe be competitive in the field of AI?
15 December 2023
[INTERVIEW] “The Trade Origins of Privacy Law” with Anupam Chander
20 February 2024

[REPLAY] A look back at the Annual Conference 2023: The EU-US Data Privacy Framework

On December 13 th 2023, Sciences Po Chair Digital, Governance and Sovereignty held its annual Conference on: “The EU-US Data Privacy Framework: what future for transatlantic data transfers?” directly from the French Parliament in Paris.

On July 10, 2023, the European Commission definitively adopted the adequacy decision on the Data Privacy Framework (DPF). The Commission found that the safeguards provided by the new US Executive Order 14086 and the following EU-US agreement on the Data Privacy Framework offer an adequate level of protection for personal data transferred from the European Union to the US. It was about time the new framework came into force. Since the invalidation of the Privacy Shield on July 16, 2020, transatlantic data transfers have been mostly based on standard contractual clauses, posing increasingly insurmountable difficulties. Despite the achievement of this milestone, multiple questions and uncertainties remain open circa the legal and technical implementation of the agreement and a third potential invalidation coming from the EU Court of Justice.

Here are the main takeaways from the Conference and the (subtitled) recordings of our speakers’ contributions.

Emmanuel Lacresse – Member of the French Parliament and host of our Conference – launched the day of discussion by stressing the importance of the room Colbert where the event took place, as the venue where societal needs are expressed and democratically discussed. Out of them all, the pressing challenge of balancing opportunities and risks of new technologies. “Western democracies are in front of a regulatory challenge when discussing digital and new tech: choosing self-regulation, mandatory obligations and the right implementation methods to make sure that also the regulators are subject to check and balances”.

The first panel, devoted to the new Data Privacy Framework, about transfers between the European Union and the United States, was introduced by the moderator, Laure Lavorel, Senior Associate General Counsel at Broadcom, and Honorary President of the Cercle Montesquieu.

The first panel, “The new EU-US Data Privacy Framework” was kicked off by Florence G’sell – Chairholder, Professor of Law at the University of Lorraine, Lecturer at the Sciences Po School of Public Affairs, visiting professor at the Stanford Cyber Policy Center – who presented the troubled history of the EU-US Data Transfer. From the invalidation of the Safe Harbor and the Privacy Shield Agreements respectively in 2000 and 2016, to the agreement in principle of the new EU-US Data privacy Framework in March 2022 and the EU Commission Adequacy Provision of July 2023. Section 702 of the Foreign Intelligence Surveillance Act (which allows the US National Security Agency to to conduct surveillance programs) and the Execuritve Order 12333 (the legal text to allow the NSA to govern electronic surveillance overseas) were presented as the two most challenging US provisions to the eyes of the European Institutions and stakeholders.

Bruno Gencarelli – Director of the International Affairs and Data Flows Unit at the European Commission – proceeded to explain what his Unit has done to respond to the complaints of the European Court of Justice with regards to the invalidation of the data flow agreements, elaborating on the complexity of drafting rules that can work with the US system and its national security framework.

To follow was Christiane Féral-Schuhl – Attorney-at-law, Member of the Paris and Quebec Bars, Vice-President of the French National Mediation Council, Former President of the French National Bar Council, Former President of the Paris Bar Association -. She stressed the core differences between the EU and US data systems (starting from the notion of privacy and the principle of proportionality), to then analyze the elements that could possibility invalidate also the newly established EU-US Data Privacy Framework.

Marc Rotenberg – President and Founder of the Center for AI and Digital Policy, Washington – concluded the first Panel by explaining the logic behind US legal access to electronic communication throughout the years, passing from the Foreign Intelligence Surveillance Act of 1978, the Patriot Act of 2001 and the 2022 Biden’s Executive Order. Not only he reminded how the US still doesn’t have a comprehensive Federal Law on data protection, but he also stressed how the relevance of Section 702 originates from the Congress’s role in assessing the scope and limits of the surveillance authorities’ role and reach.

The second panel, “The concrete impact of the Data Privacy Framework on transatlantic data transfers”, was moderated by Martin Pailhès – Member of Cercle Montesquieu and Global Manager Legal Digital & IP of BNP Paribas – soon kicked off the discussions of the later afternoon.

Ilias Chantzos – Global Privacy Officer and Director EMEA Government Affair at Broadcom – in his intervention that focused on the relevance and the evolution of the GDPR and data transfers, said: “In an ever-fragmented world, we need to effectively manage alliances between democracies on data transfer to foster a market place accessible for companies to grow and lead innovation”.

Jean-Baptiste Soufron – Lawyer at the Paris Bar, Cabinet FWPA, Member of the Association for the Defense of Constitutional Liberties – shared a more critical and skeptical view on the efficacy of the DPF, stating the probability of the Agreement of being once again contested by the ECJU.

To follow was Amandine Reix of the French Ministry of Economy, Finance & Industrial/Digital Sovereignty, who discussed the need of embracing and developing trust in the digital era. She presented a qualification label “SecNumCloud” and stressed the need to develop similar solutions at a EU level.

André Loesekrug-Piétri – President of the Joint European Disruptive Initiative – concluded the second Panel by discussing the global role of the EU as a regulatory and innovative power (especially in a transatlantic perspective) and the opportunities and risks behind cryptography.

Our Annual Conference 2023 was eventually wrapped up by Anupam Chander – Scott K. Ginsburg Professor of Law and Technology at Georgetown University Law Center (Washington DC) – who concluded with an analysis of the future of transnational data transfers, including aspects related to the Brussels Effect and the role of trade. “Framing trade as a threat to privacy is misleading, it’s really quite the opposite”. Countries that want to promote trade, need to establish strong privacy rules. Looking at EU legislations in the field of privacy protection, we can see that free movement of personal data is at the foundation of both the 1995 Data Protection Directive & the 2016 GDPR. What the EU has been doing on privacy is a trade-facilitating project.

See you at next year’s Annual Conference!