Based on a summarized timeline of events, published by the Guardian, the ‘EU-US data transference’ topic spans 20 years, and includes a third-party named Max Schrems (Hern, 2020). All information presented below was gathered from the same Guardian article (Hern, 2020):
June 2000 to August 2011: The Safe Harbor privacy principles were created. These principles basically allowed personal information transfers, without breaching the EU’s data protection rules. US companies were then instructed to self-certify and comply. Austrian lawyer, Max Schrems, filed 22 privacy complaints with the Irish data protection commission. This commission regulates Facebook in the EU, and Schrems filed complaints about the inability to prevent photo-tagging, as well as the company’s refusal to, “fully delete data about revoked friendships.”
June 2013 to October 2015: The Guardian reports on NSA surveillance programs. The report stated how this operation allowed direct access to the systems of companies like Facebook. The Irish high court ceased to pursue Schrems complaints any further, but also decided to send the complaints to the ECJ. The ECJ began considering the case in March 2015, and by October 2015, ruled in favor of Schrems. In light of information about these programs, the ECJ struck down the Safe Harbor principles.
November 2015 to July 2020: Facebook Ireland continues operations with Facebook HQ through “standard contractual clauses.” What this meant was in order to transfer data, Facebook had to agree that processing of EU data must follow EU law. In July 2016, the EU-US Privacy Shield agreement was created. This was a comprehensive replacement for Safe Harbor, and was the most recent attempt to secure EU data outside its borders. More discussions about the validity of standard contractual clauses, and the Privacy Shield, carried on for the next year. Then, finally, the ECJ struck down Privacy Shield, stating that the US still hasn’t, “limited surveillance of EU citizens to that which is ‘strictly necessary.’”
In short, the US and the EU have attempted to establish a common ground, when referring to the data transference landscape. However, over time, relations swayed, and a long-running privacy advocacy campaign fanned the flames that have led to the uprooting of two data protection agreements.
In regards to the UK and the EU, tensions are high. In the midst of the Brexit transition, the UK has been inundated with decisions about how they will maintain their relationship with the EU (Hern, 2020). Specifically referring to the information security sector, relations have not been favorable. According to the Guardian, the UK has committed a couple of EU data protection laws (GDPR) infractions. Firstly, it was discovered that British authorities, “[…] made ‘unlawful’ full or partial copies of the [Schengen Information System] database (Rankin, 2020). The SIS database contains more than 76 million items of information, regarding criminal suspects, missing people, and contraband (Rankin, 2020). This database is shared with EU countries that are members of the border-free travel area; however, the UK was not a member (Rankin, 2020). Thusly, the UK technically shouldn’t have access to, let alone make copies of, the SIS database. However, as it stands now, the UK does have permission to access the SIS database (Rankin, 2020).
Secondly, it was found that a British police national computer error caused one-out-of-three criminal alerts to not be sent to EU member states (Beckford & Boffey, 2020). According to the Guardian, the computer error was revealed in some meeting minutes, and the error was present for over five years (Beckford & Boffey, 2020). In other words, information stores, like the SIS database, were incomplete and dangerous individuals may have traveled freely between EU states (Beckford & Boffey, 2020).
Lastly for this section, the Five Eyes Intelligence Oversight and Review Council (FIORC). The FIORC is an intelligence allegiance comprised of five countries: United States, United Kingdom, Australia, Canada, and New Zealand. According to the Director of Naval Intelligence’s (DNI) official site:
“The Council members exchange views on subjects of mutual interest and concern; compare best practices in review and oversight methodology; explore areas where cooperation on reviews and the sharing of results is permitted where appropriate; encourage transparency to the largest extent possible to enhance public trust; and maintain contact with political offices, oversight and review committees, and non-Five Eyes countries as appropriate.”