Think about the vast amount of information you share through social networks. Even if you consider yourself an introverted person, or if you are conscious of where you share your data and how you present yourself to the public, you may be sharing a lot of information about yourself without being fully aware of it. Consider that you, wherever you reside in the world, may be giving a secret agency in the US access to that information simply by texting with your loved ones, doom-scrolling, liking what you see, posting about your travels, and so on.
You might say, as so many people do when arguing against privacy concerns, that you have nothing to hide. However, imagine that you live in a less safe corner of the world, such as the far east of Europe or the Middle East these days, where it matters a great deal who can access your data. We do not even have to look that far: simply having certain political or religious interests can already change the context.
If you are from a safer part of the world, such as the EU, the issue with this transparency still remains: why can US security agencies access my data? Where exactly is the line drawn between the people who are placed under surveillance and those who are not? Who determines these rules?
How the law on EU-US data transfers was formed
From a European legal perspective, the so-called Schrems decisions [1] addressed this issue. The story began with a scandal triggered by Edward Snowden, an employee of the National Security Agency (NSA). According to his findings, which even led to a movie [2] and reached mainstream media [3] around the world, the NSA was accessing private conversations and other information on, for example, Apple and Microsoft products, Facebook, Google and Yahoo. Agents could enter certain keywords or topics and check the messages, posts, etc. of private users around the world, and this was already the case in 2013.
After discovering this, an Austrian privacy activist, Maximilian Schrems, submitted a complaint against Facebook based on the old Data Protection Directive [4], the predecessor of the GDPR [5]. This complaint later escalated into a lawsuit at the European Court of Justice, which first invalidated the EU-US Safe Harbour agreement in 2016 and then the Privacy Shield in 2020, leaving a legal loophole with no satisfying solution to this date [6]. This was partly resolved by the Biden administration in 2022, when an executive order [7] and the subsequent new Data Privacy Framework [8] were set up.
The current EU-US Data Privacy Framework in a nutshell
This was new in the sense that the US administration changed its internal legislation to conform with European law, and a two-level redress mechanism was set up:
the first level for complaints is the Civil Liberties Protection Officer (CLPO),
the second level of appeal is a new institution called the Data Protection Review Court (DPRC), and
the already existing Privacy and Civil Liberties Oversight Board (PCLOB) [9] is supposed to review the DPRC and the US intelligence agencies.
Before you rush to the CLPO to find out whether the NSA is really after you: you only need to submit a template [10] to the data protection authority of your EU member state, which forwards your complaint to the European Data Protection Board (EDPB) in Brussels, and then your complaint will hopefully reach the CLPO in the US after a couple of months.
If you are puzzled by this army of institutions, don't worry: so are privacy professionals. So far there is no tangible practice showing exactly how this complaint mechanism works, and even the EDPB's complaint template was created only in 2024.
However, to highlight some of the achievements under the different frameworks so far, some larger US companies have started publishing transparency reports with specific pages on the number of national security orders. This means we can at least get an idea of how real the issue is, although mostly in terms of the volume of requests. For example, in half a year in 2023-2024: 324,000 requests from Meta (the company owning Facebook, WhatsApp, Instagram, etc.) [11], up to around 25,000 requests from Microsoft [12], and close to 45,000 from Yahoo [13][14].
And how all of this probably won’t matter under Trump
The Trump administration promised to review executive orders related to national security and fired half of the members of the PCLOB, rendering the Data Privacy Framework essentially ineffective [15]. As Trump appeared in the company of several Big Tech CEOs [16], it is an open question how the current framework will change, or whether it will survive at all.
So can the NSA really access my data even in the EU?
13 years after the Snowden scandal, after the invalidation of two EU-US agreements, and now with the new Trump administration, the question remains the same.
Although this framework and these obligations are definitely an improvement compared to a situation where US surveillance agencies could search our private data as if it were Google, it is questionable in the current political situation whether this framework will stay in place.
In addition, due to the nature of surveillance agencies in any country, you will never know whether the NSA or a similar authority is actually accessing your data, as telling you would be considered disclosing information about their investigations. This is acceptable as long as there is legal certainty about how one of the most powerful countries in the world handles national security.
The initial demand, namely that European citizens at least do not want to be tracked by US intelligence agencies, even hypothetically, is simple and justified. However, the legal loopholes, the ever-changing political situation, and several ongoing procedures at the EU Court of Justice lead us to a situation where even privacy experts cannot predict the next step with certainty.
To answer our initial question: no matter the legal context, we will never really know whether the NSA is actually accessing our personal data.
Schrems I, Case C-362/14, Schrems II, Case C-311/18
Edward Snowden: Leaks that exposed US spy programme, BBC, 17 January 2014
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
General Data Protection Regulation or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
A more detailed analysis of this legal loophole: dr. Szikszai Marcell, The Loophole of International Data Transfers, University of Miskolc, Hungary, 2022.
Also an essential read from Mr. Schrems' organisation, noyb ("none of your business"): EU-US Data Transfers.
See the European Commission's summary: Q&A on the EU-U.S. Data Privacy Framework, 7 October 2022. Self-certified US companies are publicly listed there. These companies in principle have sufficient safeguards in place for transferring data from the EU to the US.
A short summary of PCLOB's legal authorities related to Executive Order 14086: https://www.pclob.gov/About/HistoryMission.
A good summary of why this is an issue: Silvia Lorenzo Perez, What the PCLOB Firings Mean for the EU-US Data Privacy Framework, 14 February 2025.
See the billionaires and CEOs who attended Trump's inauguration, Business Insider, 21 January 2025.
A comprehensive report on most Big Tech companies was issued by the OECD in 2021: Transparency Reporting - Considerations for the Review of the Privacy Guidelines, OECD Digital Economy Papers, April 2021, No. 309, https://www.oecd.org/content/dam/oecd/en/publications/reports/2021/04/transparency-reporting_94de5b00/e90c11b6-en.pdf.