Author: Shanzay Pervaiz

Last January, the UK Home Office served Apple with a Technical Capability Notice (TCN) under the UK Investigatory Powers Act (IPA) requiring Apple to create a back door to provide access to encrypted material stored in iCloud for British and non-British citizens. This step was taken following the 2024 amendments to the Investigatory Powers Act … Continue reading A Back Door Update: The Apple and UK Government TCN Dispute

As the trend towards digital sovereignty continues, it is important to revisit whether measures such as data localization and sovereign cloud options are effective in preventing governments from demanding access to data stored abroad. In the US, if an entity has certain“minimum contacts,” then a government agency can likely enforce a data request on that … Continue reading What Canada’s King vs. OVH Case Reveals, and Affirms, About Cross-Border Data Access

On September 3rd, 2025, the EU General Court released its decision affirming the EU-US Data Privacy Framework (DPF) in the Latombe case. A member of the French parliament, Philip Latombe, brought an action to the General Court seeking to annul the DPF arguing that it violated the EU Charter of Fundamental Rights and General Data … Continue reading Where Are We Now on the Transatlantic Voyage

Previously, I wrote about a provision in the Intelligence Authorization Act (IAA) proposing to amend the “electronic communication service provider” definition (ESCP) under FISA Section 702(i). ECSP was expanded in the FISA reauthorization bill to include “any other service provider who has access to equipment that is being or may be used to transmit or … Continue reading Lost in Legal Translation: How Outdated Definitions Shape Today’s Digital Landscape

In June, as part of its annual cycle, the Senate Select Committee on Intelligence (SSCI) approved a bill authorizing funds to be appropriated “for the conduct of the intelligence and intelligence-related activities of the Federal Government” (the Intelligence Authorization Act (IAA) for Fiscal Year 2025). This year’s IAA includes a provision amending Section 702(i) of … Continue reading The IAA Attempts to Narrow Expanded ECSP Definition

In January, the European Commission (EC) released a review of 11 adequacy decisions in accordance with Article 45 of the GDPR. The EC affirmed that each country reviewed had an adequate level of protection, but its justification for the evaluations varied.  In A Diversity of Adequacy: The European Commission's 11-Country Adequacy Review, Privacy Across Borders … Continue reading A Diversity of Adequacy: The European Commission’s 11-Country Adequacy Review

Last June, the United Kingdom (UK) Home Office announced a series of proposed amendments to the Investigatory Powers Act (IPA). Some commentators assert that if passed, the bill will pose “a significant threat to data security and privacy in the U.K. and beyond.” One of the provisions has generated substantial controversy and may have broad … Continue reading The Problem with Advanced Notification: UK Investigatory Powers Act Bill

This was an eventful summer for cross-border data flows. Three years ago, the Schrems II decision struck down Privacy Shield putting transatlantic data flows at risk. After many months of quiet negotiation, there was a succession of key events following the issuance of Executive Order 14086 last October.  On July 3rd, the Office of the … Continue reading An Eventful Season for Cross-Border Data Flows

This was a busy week for those following developments in privacy and cross-border data flows! The European Commission released its highly anticipated draft adequacy decision on the EU-US Data Privacy Framework. The European Commission stated, “that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.” … Continue reading A Busy—and Momentous—News Week at the Intersection of Privacy, National Security, and Data Flows

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher Submitting and Investigating Complaints under Executive Order 14086 As we laid out in What’s Next for the New Executive Order and the DPRC?, Executive Order 14086 assigns various tasks that must be completed within specified deadlines. One of those is for the Office of … Continue reading Overview of Implementation Procedures for EO 14086

Now that the Executive Order (EO) and DOJ regulations on the EU-US Data Privacy Framework have been released, what do those instruments require the government to do next? There are a few components to think about. First, what is next for the conduct of signals intelligence (SIGINT), and second, what is next for redress? This … Continue reading What’s Next for the New Executive Order and the DPRC?

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher With the new executive order for the Trans-Atlantic Data Privacy Framework (TADPF) expected soon, now is a good time to revisit the goal that it is intended to achieve: satisfying the legal requirements set out by the Schrems II decision. These are typically thought of as … Continue reading Will the TADPF Executive Order Hit the Target?

Rumors are circulating that the Trans-Atlantic Data Privacy Framework executive order will be released as soon as October 3rd. This follows the Biden Administration's announcement of an agreement in principle this year in March. The highly anticipated order brings exciting news, and questions, about how the framework will satisfy European legal requirements. We want to … Continue reading A Reminder of Where We Are Now

This year brought exciting developments to privacy. In March, the Biden Administration announced the Trans-Atlantic Data Privacy Framework (TADPF) to facilitate transatlantic data transfers following the invalidation of the EU-US Privacy Shield.  In June, the House Committee on Energy and Commerce introduced the American Data Privacy and Protection Act (ADPPA), a promising step toward federal … Continue reading A Comparison of the ADPPA and Privacy Shield

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher, in consultation with Gabriela Zanfir-Fortuna, Senior Advisor In a previous post, Laila Abdelaziz outlined the path to an adequacy decision after the European Commission (EC) and the United States announce an agreement in principle. Almost two years after the Court of Justice of the … Continue reading Challenging the New Privacy Shield Framework: All Paths Lead to the CJEU

To understand how the Schrems II decision is affecting companies' operations, we analyzed annual 10-K reports.  SEC rules require that 10-Ks provide detailed information on certain key topics, including “Risk Factors.” According to the SEC, under this topic heading a company will provide information "about the most significant risks that apply to the company or to its securities." First, we searched for 10-K … Continue reading Is the Schrems II ruling one of the “most significant risks” facing U.S. companies?

Recently, the Data Protection Conference of Germany requested Professor Stephen I. Vladeck to provide an expert opinion on the scope of FISA Section 702’s application. In particular, the Data Protection Conference seemed interested in FISA Section 702 having an extraterritorial application. In his testimony, Professor Vladek stated that if an EU company has a U.S. … Continue reading When Can a U.S. Court Exercise Jurisdiction Over a Non-U.S. Entity?