A Back Door Update: The Apple and UK Government TCN Dispute

Last January, the UK Home Office served Apple with a Technical Capability Notice (TCN) under the UK Investigatory Powers Act (IPA) requiring Apple to create a back door to provide access to encrypted material stored in iCloud for British and non-British citizens. This step was taken following the 2024 amendments to the Investigatory Powers Act …

Beneath the Apps: Understanding the AI Stack

There is no denying that the widespread use and integration of Artificial Intelligence (AI) is ramping up. Businesses are increasingly incorporating Large Language Models (LLMs) and non-LLMs into their daily functions and products, whether it is an AI image generator, an AI customer service representative, an AI advertising strategy algorithm, or an AI-driven data collection …

How are AI Outputs Moderated?

The Privacy Across Borders (PAB) team has been exploring how adversaries can use artificial intelligence (AI) to undermine privacy and national security. PAB student research assistant (RA) Natalia Baigorri examined the national security threats posed by adversarial use of AI. In her post, she highlighted how the concerns about Chinese ownership of TikTok, as accepted …

What Canada’s King vs. OVH Case Reveals, and Affirms, About Cross-Border Data Access

As the trend towards digital sovereignty continues, it is important to revisit whether measures such as data localization and sovereign cloud options are effective in preventing governments from demanding access to data stored abroad. In the US, if an entity has certain “minimum contacts,” then a government agency can likely enforce a data request on that …

The Department of Government Efficiency and the Privacy Act of 1974

By: Alex Joel, Senior Project Director and Marina Thornhill, Research Assistant

In the 1970s, a series of scandals involving abuse of government power gripped Washington, D.C. In the wake of Watergate, Senator Sam Ervin, Chairman of the Senate Judiciary Committee, led efforts to protect Americans’ privacy, culminating in the enactment of the Privacy Act of …

BRICS+: Competing for the Digital Future in the Global South

Discussion of cross-border data flows and digital governance often centers on the transatlantic relationship between the U.S. and the EU. While the PAB team follows EU-U.S. developments closely, we also examine how other countries address issues at the intersection of privacy, security, and global data flows. In this article, we turn our focus to BRICS+. …

TikTok v. Garland: What does it mean for DeepSeek and other Foreign-Owned LLMs?

The Trump Administration recently announced that it had reached a “framework agreement” with China for ByteDance’s divestiture of TikTok, which must still be fleshed out and implemented. Until that happens, the legislative divestiture requirement, as embodied in the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), remains the law of the land. The Supreme Court upheld the constitutionality …

The Administration’s Response to the EU’s Digital Regulations

At the AI Summit in Paris on February 11, 2025, Vice President JD Vance said that “excessive regulation of the AI sector could kill a transformative industry just as it's taken off.” He stated that the Administration “invites your countries to work with us,” but added that “the Trump Administration is troubled by reports that …

How Adversarial Use of AI Amplifies National Security Risks

On January 18, 2025, the social media app TikTok went dark for a few hours, complying with the Supreme Court’s upholding of a law requiring TikTok to be sold to a US-based company or be banned for national security reasons. President Trump has since granted TikTok a 90-day reprieve to find …

Lost in Legal Translation: How Outdated Definitions Shape Today’s Digital Landscape

Previously, I wrote about a provision in the Intelligence Authorization Act (IAA) proposing to amend the “electronic communication service provider” definition (ECSP) under FISA Section 702(i). ECSP was expanded in the FISA reauthorization bill to include “any other service provider who has access to equipment that is being or may be used to transmit or …

The IAA Attempts to Narrow Expanded ECSP Definition

In June, as part of its annual cycle, the Senate Select Committee on Intelligence (SSCI) approved a bill authorizing funds to be appropriated “for the conduct of the intelligence and intelligence-related activities of the Federal Government” (the Intelligence Authorization Act (IAA) for Fiscal Year 2025). This year’s IAA includes a provision amending Section 702(i) of …

A Diversity of Adequacy: The European Commission’s 11-Country Adequacy Review

In January, the European Commission (EC) released a review of 11 adequacy decisions in accordance with Article 45 of the GDPR. The EC affirmed that each country reviewed had an adequate level of protection, but its justification for the evaluations varied. In A Diversity of Adequacy: The European Commission's 11-Country Adequacy Review, Privacy Across Borders …

The Civil Liberties Protection Officers: The Gateway to Redress

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) issued by President Biden in October 2022 spotlighted a consequential position in the Intelligence Community (IC): The Civil Liberties Protection Officer (CLPO) at the Office of the Director of National Intelligence (ODNI). The CLPO and the other Privacy and Civil Liberties …

The Problem with Advanced Notification: UK Investigatory Powers Act Bill

Last June, the United Kingdom (UK) Home Office announced a series of proposed amendments to the Investigatory Powers Act (IPA). Some commentators assert that if passed, the bill will pose “a significant threat to data security and privacy in the U.K. and beyond.” One of the provisions has generated substantial controversy and may have broad …

National Security Exceptions in Latin American Data Protection Laws

There are two important considerations to take into account when navigating cross-border data flow issues. First, how do private sector entities foster trust and protect individual rights when processing data? Second, how do governments access data for law enforcement and national security purposes? When determining the legal requirements for how and whether data can be …

An Eventful Season for Cross-Border Data Flows

This was an eventful summer for cross-border data flows. Three years ago, the Schrems II decision struck down Privacy Shield, putting transatlantic data flows at risk. After many months of quiet negotiation, there was a succession of key events following the issuance of Executive Order 14086 last October. On July 3rd, the Office of the …

Opaque Notification: A Country-by-Country Review

At Privacy Across Borders, we have been researching how other countries contend with providing notification to individuals about whether they have been the target of surveillance by their country’s intelligence agencies. In "Without Confirming or Denying": Opaque Notification and National Security Redress, Alex Joel examines the opacity of notification under U.S. law and the practice’s …

Without Confirming or Denying

Executive Order (EO) 14086 establishes an innovative two-tier redress mechanism for individuals with “qualifying complaints” about U.S. signals intelligence activities. One aspect of this mechanism has generated controversy: notification. EO 14086 requires that notification be provided “without confirming or denying that the complainant was subject to United States signals intelligence activities” (section 3(c)(i)(E)). In addition, …

A System of Many Layers with Many Players

The European Data Protection Board is working on its advisory opinion regarding the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework. We at Privacy Across Borders are working on our own analyses of how well the executive order at the core of that framework—Executive Order 14086—hits the targets of necessity, proportionality, and …

A Busy—and Momentous—News Week at the Intersection of Privacy, National Security, and Data Flows

This was a busy week for those following developments in privacy and cross-border data flows! The European Commission released its highly anticipated draft adequacy decision on the EU-US Data Privacy Framework. The European Commission stated “that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.” …

Overview of Implementation Procedures for EO 14086

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher

Submitting and Investigating Complaints under Executive Order 14086

As we laid out in What’s Next for the New Executive Order and the DPRC?, Executive Order 14086 assigns various tasks that must be completed within specified deadlines. One of those is for the Office of …

Can a Federal District Court Review the Decisions of the New Data Protection Review Court?

By: Alex Joel, Senior Project Director, and Alexandra Cohen, Research Assistant

When the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield framework, one ground for their decision was that, with regard to U.S. Government surveillance, “EU data subjects lack actionable judicial redress and, therefore, do not …

Data Localization and “Critical Personal Data” Under India’s Personal Data Protection Bill

On August 4th, 2022, the Indian Government withdrew the much-debated Personal Data Protection Bill, 2019, after deliberating over it for more than two years and receiving comments from various experts and stakeholders across the country. Several recommendations were issued by the Joint Parliamentary Committee on the provisions of the Bill as well. Commentators have …

What’s Next for the New Executive Order and the DPRC?

Now that the Executive Order (EO) and DOJ regulations on the EU-US Data Privacy Framework have been released, what do those instruments require the government to do next? There are a few components to think about. First, what is next for the conduct of signals intelligence (SIGINT), and second, what is next for redress? This …

Will the TADPF Executive Order Hit the Target?

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher

With the new executive order for the Trans-Atlantic Data Privacy Framework (TADPF) expected soon, now is a good time to revisit the goal that it is intended to achieve: satisfying the legal requirements set out by the Schrems II decision. These are typically thought of as …

A Reminder of Where We Are Now

Rumors are circulating that the Trans-Atlantic Data Privacy Framework executive order will be released as soon as October 3rd. This follows the Biden Administration's announcement of an agreement in principle in March of this year. The highly anticipated order brings exciting news, and questions, about how the framework will satisfy European legal requirements. We want to …

A Comparison of the ADPPA and Privacy Shield

This year brought exciting developments to privacy. In March, the Biden Administration announced the Trans-Atlantic Data Privacy Framework (TADPF) to facilitate transatlantic data transfers following the invalidation of the EU-US Privacy Shield. In June, the House Committee on Energy and Commerce introduced the American Data Privacy and Protection Act (ADPPA), a promising step toward federal …

Blocking Meta in Ireland—Will It Happen?

Written in consultation with Gabriela Zanfir-Fortuna, Senior Advisor.

The Irish Data Protection Commission (DPC) has reportedly transmitted a draft order to its European Union (EU) counterparts that would block Meta from transferring any personal data to the U.S. In the meantime, the U.S. government is continuing to work on issuing the executive order and regulations described …

Cross-Border Data Sharing – It Shouldn’t Be That Hard

In my former government career, I recall one of those transformational moments where you realize things are going to be much harder than you could ever imagine. Ridiculously hard. The moment was in the fall of 2006 and involved meetings between European Union (EU) and United States (US) Government officials on the possibility of a …

Challenging the New Privacy Shield Framework: All Paths Lead to the CJEU

By: Alex Joel, Senior Project Director and Shanzay Pervaiz, Senior Researcher, in consultation with Gabriela Zanfir-Fortuna, Senior Advisor

In a previous post, Laila Abdelaziz outlined the path to an adequacy decision after the European Commission (EC) and the United States announce an agreement in principle. Almost two years after the Court of Justice of the …

Cross-Border Agreements

With last Friday’s announcement of a much-awaited cross-border data privacy framework between the EU and U.S., global data flows are once again front and center in the data privacy world. This spring, I’m fortunate to be co-teaching a seminar with Professor Alex Joel at American University Washington College of Law on Privacy Across Borders. At …

Is the Schrems II ruling one of the “most significant risks” facing U.S. companies?

To understand how the Schrems II decision is affecting companies' operations, we analyzed annual 10-K reports. SEC rules require that 10-Ks provide detailed information on certain key topics, including “Risk Factors.” According to the SEC, under this topic heading a company will provide information "about the most significant risks that apply to the company or to its securities." First, we searched for 10-K …

Are Inferior Officers a Superior Solution to the EU Independence Challenge?

In Redress: What is the problem?, Alex Joel and I highlighted the issues under the U.S. Constitution associated with meeting the EU’s “independence” and “binding authority” requirements for redress. The Supreme Court, in Seila Law LLC v. Consumer Financial Protection Bureau, 140 S. Ct. 2183 (2020), was confronted with determining the constitutionality of the for-cause …

When Can a U.S. Court Exercise Jurisdiction Over a Non-U.S. Entity?

Recently, the Data Protection Conference of Germany asked Professor Stephen I. Vladeck to provide an expert opinion on the scope of FISA Section 702’s application. In particular, the Data Protection Conference seemed interested in FISA Section 702 having an extraterritorial application. In his testimony, Professor Vladeck stated that if an EU company has a U.S. …

Beyond Schrems II: What Happens After EU and US Officials Conclude Negotiations for Privacy Shield 2.0

US and EU officials have been negotiating a successor to the Privacy Shield since the Court of Justice of the European Union (“CJEU”) invalidated the adequacy decision in July 2020 in the widely reported Schrems II decision. It remains unclear when negotiations for Privacy Shield 2.0 will actually conclude. A senior US Commerce official said …