In a letter obtained by Brussels Signal, French MP Philippe Latombe has urged European Commission President Ursula von der Leyen to suspend the US-European Union Data Privacy Framework (DPF) before President-elect Donald Trump assumes office on January 20.
According to the French MP, who is a member of the centre-right Democratic Movement party, the DPF no longer serves EU interests because of Trump’s protectionist tendencies.
“As the new American President, driven by a desire to protect the economic interests and security of his own country, will, by temperament, be inclined to exploit to his advantage any weaknesses in the various agreements that may have been signed with the European Union,” he wrote on November 13.
Latombe argued that with what he called Trump’s “impulsive personality”, the framework should be suspended.
“In a context worsened by the impulsive personality of the American executive leader, who is willing to do anything to boost his country’s economy, it is more urgent than ever to revise the data exchange system between the United States and Europe, and, while awaiting a version that satisfies both parties, to suspend it,” he said.
The DPF was designed to make it easier for companies to transfer personal data such as names, addresses and browsing history from the EU to the US.
In his letter, Latombe raised concerns about the DPF and criticised its ability to protect European data from potential misuse by the US government.
That disquiet is not new. In 2020, the European Court of Justice annulled the DPF’s predecessor, known as the Private Shield agreement.
The judges argued that under the agreement, US intelligence agencies could pry on EU citizens.
It is a fear that Latombe, former member of the French national data protection regulator Commission Nationale de l’informatique et des Libertés (CNIL), still has.
He is mainly concerned about the Foreign Intelligence Surveillance Act (FISA), section 702.
Under this act, the US Government allows US intelligence agencies to access foreign data for national security reasons.
Latombe said he believed that provision undermined data privacy because, in his view, it enabled broad surveillance without sufficient safeguards.
In a previous letter sent to von der Leyen in April 2024, the French MP voiced anxiety about the renewal of the Foreign Intelligence Act, which extended the scope of the category of companies that must co-operate with US intelligence agencies.
In January 2024, the French MEP Mathilde Androuët, a member of right-wing National Rally, questioned the commission about that.
“Does the proposed reform and reauthorisation of the Foreign Intelligence Surveillance Act cast a doubt over the Commission having signed the Data Privacy Framework?,” she asked.
“The Commission had signed the DPF, an agreement on data between the US and Europe, on the basis that the FISA was going to be less far-reaching,” Androuët argued.
According to the response sent by European Commission Vice-President Jourova, some safeguards have been put in place in the context of the EU-US Data Privacy Framework fully applying to surveillance under Section 702 FISA.
According to the commission’s implementing decision concerning the DPF, the US Privacy and Civil Liberties Oversight Board (PCLOB) serves as a watchdog for FISA.
Nevertheless, for Latombe the issue went beyond personal privacy; it was about maintaining trust, safeguarding fundamental freedoms and ensuring fair economic competition between the EU and the US.
“Apart from the risks to the individual freedoms of European citizens, the protection of sensitive data represents a major challenge for the internal security security and the economy of the Union and its Member States,” he said in his letter to von der Leyen.
In August the US company Uber was fined for violating EU general data protection regulations by storing Uber drivers’ sensitive information on servers in the US.
Uber collected sensitive information from European drivers over a two-year period and stored it on servers in the US without using proper transfers tools, thus violating the European Union’s General Data Protection Regulation (GDPR).https://t.co/ZAdhr0jD45
— Brussels Signal (@brusselssignal) August 27, 2024
