The oracle at Luxembourg: The EU Court of Justice judges the world on surveillance and privacy

Cameron F. Kerry

In a July 2020 judgment, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield Framework, the main vehicle to allow transfers of personal data from the European Union to the United States. This decision focused on transatlantic transfers, but it has reverberations for EU digital trade everywhere.

This ruling was the second time in five years that the CJEU considered U.S. intelligence surveillance on the basis of the EU’s Charter of Fundamental Rights, which enshrines both “private life” and “protection of personal data” into basic law. In 2015, the CJEU invalidated the predecessor of the Privacy Shield, the U.S.-EU Safe Harbor agreement, faulting the European Commission for failing to assess the potential impact of American government surveillance on personal data transferred from the EU. After the U.S. Department of Commerce and European Commission arrived at the Privacy Shield to address the CJEU’s first judgment, the CJEU ruled that legal authorities, limitations, and remedies for surveillance under U.S. law do not comply with those required by the Charter and invalidated the Privacy Shield as well.

The CJEU’s Privacy Shield decision (known as Schrems II after the Austrian lawyer-activist Maximilian Schrems who initiated the series of cases) reflects the CJEU’s use of its authority as the final arbiter of EU legislation and Commission decisions as an instrument to curb government and private sector surveillance. The court has accorded privacy and data protection primacy among EU fundamental rights, comparable to American reverence for the First Amendment to the U.S. Constitution (or the Second Amendment by some lights). Even though the Charter and the EU’s foundational treaty both circumscribe the EU’s authority over member states in matters of national security, in Schrems II the CJEU invoked the Charter to interpret EU data protection legislation as applying to U.S. surveillance of communications for national security and law enforcement purposes.


In all, the Schrems II judgment extends the bounds of the EU’s exceptionalism regarding data protection. It overrode the Commission’s accommodation of EU interests in sustaining the Union’s most important trading relationship, sovereign interests of the U.S. and other governments in protecting security, and differences between American and European legal systems. The outcome sets a high bar for any new data transfer arrangement between the U.S. and EU.

The judgment also raises questions for other mechanisms widely used by companies in Europe to transfer personal data all over the world. Regulators have begun to address these questions and their actions indicate that, while data flows may continue to certain countries and in some circumstances, others may be deemed too risky. This perception of risk will lead regulators and companies to keep the data within the EU—de facto and at times explicit data localization. The resulting trade friction will be felt in EU relations not only with the United States but also with other trading partners.

The CJEU has greater leverage over U.S. intelligence practices than those of member states by virtue of the EU’s far-reaching General Data Protection Regulation (GDPR). The GDPR generally limits transfers of personal data from EU member states to non-EU states, or “third countries,” unless the Commission has issued an “adequacy” decision—a finding that the legal protections afforded to the transferred data in the third country are “essentially equivalent” to those in the EU.

The Privacy Shield and its predecessor, the 2000 Safe Harbor framework, were more limited adequacy decisions tailored to the U.S. Because the U.S. has only sectoral federal privacy and various state laws with no comprehensive federal privacy law comparable to the GDPR, the European Commission and U.S. Department of Commerce filled in the gaps with principles that reflect EU data protections. Subscribing companies incorporated these principles into their privacy policies, making them legally enforceable by the U.S. Federal Trade Commission. This enabled such companies to transfer EU personal data to the U.S. without an across-the-board adequacy determination.

The challenges to the Safe Harbor and Privacy Shield reflect intense European reaction to the Edward Snowden leaks about U.S. surveillance. The 2015 case amounted to a hypothetical opinion—based on bare allegations derived from news stories about the leaks, with no party appearing to contradict these allegations. In its decision, the CJEU postulated that legislation permitting collection of “all the personal data of all the persons whose data has been transferred from the European Union to the United States” or not providing “any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him” would clearly violate the “essence” of the fundamental rights of private life and data protection. Rather than finding that U.S. legislation is actually so sweeping, though, the court faulted the Commission for failing to investigate and exclude such possibilities in approving the Safe Harbor framework.

The second time around, the CJEU was presented with extensive facts. For its decision approving the Privacy Shield in 2016, the European Commission developed a sophisticated understanding of U.S. law, and incorporated submissions from the U.S. that describe in detail legal authorities, practices, and safeguards for government surveillance. The late and revered Giovanni Buttarelli, as the EU’s top data protection official, later called these disclosures a “remarkable” statement unlike anything another government has done.[1] In addition, multiple parties joined the case, including Facebook (a defendant), an international array of business and civil society organizations, and the U.S. government. The record before the CJEU included hundreds of pages of testimony from experts in U.S. law and lengthy findings from the referring court in Ireland.


Against this backdrop, the CJEU ruled, first, that legal authorities for U.S. governmental intelligence collection “cannot be regarded as limited to what is strictly necessary” in accordance with a Charter requirement that restrictions on fundamental rights be “necessary and proportionate in a democratic society,” and second, U.S. law does not provide a judicial remedy for individuals to challenge or investigate surveillance that involves them.

At the time of this decision, some 5,300 U.S. and European companies were using the Privacy Shield to transfer data to the U.S. Even more relied on “standard contractual clauses” (SCCs), also addressed in the CJEU judgment, which attach legal obligations to personal data exported to third countries without adequacy decisions. These are the most widely used mechanism for data transfers, employed by a great majority of companies doing business in the EU, with European companies comprising 75% of the users. In the absence of the Privacy Shield or any replacement, U.S. companies and others will have to rely on SCCs and similar mechanisms for data transfers to the U.S.

The CJEU upheld the basic validity of the SCCs. But there is a catch: companies themselves have to evaluate the risk that data will be subject to government surveillance. The CJEU interpreted the GDPR as obligating companies that use SCCs to export personal data from the EU to, or import it into, any third country without an adequacy decision to consider, on a case-by-case basis, whether they are able to comply with the SCCs in light of that country’s laws on governmental access. If not, these companies—and ultimately member state data protection authorities—are obligated to suspend or terminate the data transfers involved.

The CJEU blithely concluded that giving immediate effect to its invalidation of the Privacy Shield would not result in any “legal vacuum.” Nonetheless, the combined reality of abruptly throwing Privacy Shield transfers into legal limbo and the need for wholesale review of SCCs by regulators as well as companies leaves data exporters dangling as they sort through how to square their data transfers with Schrems II. Since then, EU data protection commissioners, the European Commission, and the U.S. government all have sought to provide guidance for this case-by-case assessment, but this guidance is not final and many companies lack the resources and capacity to evaluate the laws of foreign countries.

Both the U.S. and the European Commission have responded matter-of-factly, announcing that they are discussing an “enhanced” data transfer framework to replace the Privacy Shield. As the EU’s lead negotiator subsequently put it, there are “no quick fixes.” In the meantime, however, the CJEU’s rulings on existing U.S. intelligence collection authorities and remedies, together with subsequent actions by data protection authorities, raise doubts about whether compliance with SCCs for many transfers to the U.S. is possible.


First, the Irish Data Protection Commissioner initiated a proceeding that questions whether Facebook—and perhaps any company—can store personal data from EU residents in the U.S. Then, the French data protection regulator recommended against storage of a national health data aggregation on Microsoft’s Azure cloud service on the basis of Schrems II and, while the French State Council allowed the contract, it relied largely on a contractual agreement by Microsoft not to transfer health data outside the EU and the government’s announcement that it wants to transition to a provider from France or elsewhere in the EU. The EU’s data protection law and Schrems II have been described as “soft data localization”; the French health data case steps over into hard data localization.

Finally, the collective body of EU data protection authorities, the European Data Protection Board (EDPB), issued recommendations on “additional safeguards” that the GDPR and Schrems II permit for transfers to countries without adequacy determinations. This complex bundle of compliance steps, use cases, and suggested contractual measures leaves a door open for some transfers to the U.S. and elsewhere provided the data is secured with tools like encryption. But it also lays out scenarios that “would not be effective” and twice cites the CJEU’s ruling that Section 702 of the Foreign Intelligence Surveillance Act (FISA) “goes beyond what is necessary and proportionate in a democratic society” in terms that imply that any transfer where there is the slightest risk that transferred data might fall into the hands of government agencies would violate EU law, including a range of cloud services hosted in the U.S. that process data in the clear.

This categorical approach appears at odds with proposed revised SCCs that the Commission issued one day after the EDPB’s recommended measures, which incorporated a more nuanced risk-based approach. To inform risk assessment, the U.S. government earlier issued a white paper to give some clarity on categories of data that are unlikely to be targets of surveillance and on safeguards under FISA. The EDPB may have been reacting to these in dismissing “subjective factors” such as the likelihood of government access to particular data.

The GDPR confers decisionmaking power on adequacy and any new EU-U.S. framework on the Commission, and this would not be the first time the Commission and the data protection regulators have disagreed. In both Schrems cases, though, the CJEU has sided with the regulators. In this light, their restrictive interpretation has to be regarded as a harbinger of how the CJEU is likely to treat data transfers to the U.S. as well as to other nations with active intelligence programs.

In the end, the continuation of important data flows across the Atlantic will require a new U.S.-EU framework to take the place of the Privacy Shield. Arriving at a framework that can satisfy the CJEU will challenge both the European Commission and the U.S., but neither can afford a third strike in court. Even if the U.S. and European Commission are able to reach a political agreement on a framework before January 20, 2021, the process of review and final adoption will carry over into 2021 and will be high on the agenda for U.S.-EU relations for the Biden-Harris administration.

The United States is not alone in dealing with the impact of the Schrems II decision. The ruling gives rise to uncertainty for many EU trading partners and any EU companies involved in international commerce.


Countries that have existing adequacy determinations and also operate intelligence programs (such as Argentina, Canada, Israel, and New Zealand) have already faced reviews of these determinations in the wake of the 2015 decision. Now such reviews will be shaped by Schrems II. In addition, both South Korea and the UK (now that it is separate from the EU) are currently pursuing adequacy determinations, a path which India and other countries also have been exploring. Any further adequacy decisions will require the same scrutiny of government intelligence programs. For Canada, New Zealand, and the UK, this inquiry will encompass their cooperation with the U.S. in the Five Eyes intelligence alliance.

The decision also raises open-ended questions for transfers of data from the EU to most of the rest of the world, which also rely on SCCs and other mechanisms subject to the same obligations. Under the GDPR, these enable cross-border data transfers in the absence of an adequacy determination. Even so, the CJEU’s ruling declared that companies and data protection authorities must ensure that these mechanisms sustain “a level of protection essentially equivalent to that guaranteed within the European Union ….” This grafts the same high standard for adequacy determination onto mechanisms that, by their terms, are meant for transfers to countries that have not been found adequate—thereby injecting the EU’s adequacy requirement into all data transfers to all countries in the world.

Transfers to China, Russia, and other repressive and authoritarian states raise obvious questions. The EU, notably, is China’s largest trading partner. The resulting data flows can include the personal data of EU employees of Chinese companies, of travelers, and of the increasingly global users of WeChat, TikTok, and other applications developed in China. It is difficult to assess foreign laws, especially those that are state secrets, and it is absurd to expect that any data exporter can achieve a fraction of the understanding necessary, or that an importer in China or Russia will declare that its government’s intelligence collection inhibits compliance with SCCs. Yet China’s surveillance state has become so notorious that it would take willful blindness on the part of an EU data exporter to avoid questioning whether it can protect that data from the Chinese government. EU companies and regulators have to consider the extent to which data flows to such countries are sustainable in light of Schrems II, and language in the EDPB’s recommendations about taking into account the “technical, financial, and human resources” at governments’ disposal seems directed at China or Russia as much as at the United States.

The CJEU also altered the decisionmaking process for adequacy decisions. In the Safe Harbor decision, it took pains to say its “essentially equivalent” standard to judge adequacy does not equate to “a level of protection identical to that guaranteed in the EU legal order.” In Schrems II, however, adequacy equated to “compliance” with provisions of the Charter of Fundamental Rights. In addition, as leading EU privacy expert Christopher Kuner has pointed out, although the GDPR delegates adequacy decisions to the European Commission, the CJEU shifts this decision for SCCs from the Commission to the companies that export and import data, and ultimately the data protection authorities.

Furthermore, Schrems II has implications for EU member states that engage in surveillance of their own. The CJEU found that judicial warrants issued under FISA, which authorize “programs” based on selection criteria rather than the targeting of specific individuals, and the U.S. reservation of the ability to collect “bulk” signals intelligence in circumstances where it cannot target, are too open-ended and “cannot be regarded as limited to what is strictly necessary.” Yet a thorough review by the EU’s Fundamental Rights Agency (FRA) shows that many EU member states conduct national security and law enforcement surveillance at least as broad as that of the U.S., and often with fewer safeguards. These include “large-scale technical collection of intelligence,” collecting streams of communications to which they apply “search terms” and “catchwords” rather than targeting specific individuals.

Courtesy: (brookings.edu)