On Thursday, the European Court of Justice (CJEU) dealt a blow to the free flow of data across borders in the name of protecting privacy — with global implications.
The case, known as Schrems II, is the second time in five years that the CJEU struck down a key EU-U.S. agreement that companies rely on to lawfully transfer personal data from the European Union to the United States. In the 2015 Schrems I decision, the Court invalidated the then-existent Safe Harbor Provision. This time, it struck down the Privacy Shield Agreement — which some 5,300 companies, big and small, depend on.
The reason: insufficient privacy protections in U.S. surveillance law.
U.S. Secretary of Commerce Wilbur Ross responded with haste, emphasizing that the United States will work with its European counterparts to try to protect transatlantic data flows. But the case has wide-ranging repercussions beyond the EU-U.S. relationship. And the demands on both private companies and foreign governments are far reaching.
Striking Down Privacy Shield
EU law sets a number of limits on the transfer of personal data outside the EU, designed to protect personal privacy. The Privacy Shield system, put into place in 2016, was conditioned on a European Commission finding that the United States provide an “adequate” level of protection for personal data transferred to the covered companies. The CJEU, however, disagreed with that assessment, instead finding U.S. protections inadequate — meaning that they are not “essentially equivalent” to what is provided for under EU law.
Of particular concern to the Court: the absence of sufficient ex ante and ex post review.
Pursuant to Section 702 of the FISA Amendments Act of 2008, the Foreign Intelligence Surveillance Court reviews and approves categories and programs of foreign intelligence surveillance targeting non-U.S. persons, such as Europeans residing in Europe. But it does not review the individualized targeting decisions.
Meanwhile, surveillance conducted overseas, including of the cables that transmit data from the EU to the United States, is not subject to FISA review at all. Rather, it is governed by Executive Order 12333. While that order prohibits the targeting of U.S. citizens and legal permanent residents, it allows for what is often described as “bulk” collection, including the potential scooping up of all the data that crosses the wires from Europe to the United States. Such data is subject to limits on dissemination and retention, pursuant to what is known as Presidential Policy Directive 28 (PPD-28), but there is no judicial oversight of the collection.
In finding the U.S. system lacking, the CJEU emphasized in particular the insufficiency of ex post reviews. Critical to the Court, foreign targets of U.S. intelligence surveillance lack a mechanism to seek judicial redress or review in the U.S. courts. The Court further concluded that the appointment of a privacy ombudsperson within the U.S. State Department — to whom individuals could raise concerns — did not solve that problem. An ombudsperson is, according to the Court, not sufficiently independent and can only issue non-binding advisory recommendations to the intelligence communities.
Many are celebrating this part of the opinion as something that will push the United States to strengthen privacy protections with regard to the collection of foreigners’ data. And as I and others have written previously, there are strong legal and policy reasons to do so, even under U.S.-centric policy and doctrine. Among many other considerations, such collection almost inevitably yields significant “incidental” collection on U.S. persons that U.S. law and policy otherwise seek to protect.
That said, the Court glosses over the minimization and oversight protections that are in effect. And much of what the Court is demanding goes far beyond what European countries provide Americans and other foreigners — raising, among other issues, key questions about reciprocity. Whereas the Court says that it is demanding “essentially equivalent” protections to what is provided for by EU law, the kind of ex post, individualized judicial review of foreign intelligence agencies’ surveillance practices demanded by the CJEU is not something that governments, including European governments, typically provide. Peter Swire put it this way: For national security experts, it is “puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries.”
This Is More Than Just Privacy Shield
The CJEU’s press release suggests a split opinion: Privacy Shield struck down. Standard Contractual Clause (SCC) mechanism — an alternative basis pursuant to which many companies transfer data outside the EU — valid. But dig a bit deeper and SCCs were hit hard as well, in ways that will have ripple effects across the globe.
As the Court notes, SCCs are agreements between the EU and companies. SCCs do not bind foreign governments. Nor can they dictate how foreign governments conduct law enforcement and foreign intelligence surveillance. To get around this problem, the Court says that companies that enter into SCCs need to “verify,” prior to transfer, that the laws of the destination government are “adequate” — meaning essentially equivalent to what EU law demands.
But the Court has just ruled that U.S. law is inadequate. Given that ruling, how companies can continue to rely on SCCs as a mechanism for transfer?
One possibility suggested by the Court itself is that companies put in place “additional safeguards” to ensure an adequate level of protection. And there are in fact steps that companies can take. They can ensure that all the data is encrypted in transit, applying the strongest encryption protocols possible — so that it cannot be deciphered if acquired as it crosses underseas cables. They can challenge — and demand individual reviews of — all intelligence community demands for EU citizen and resident data. But there is no guarantee that the companies will win such challenges; they are, after all, ultimately bound by U.S. legal obligations to disclose.
And even more importantly, there is absolutely nothing that companies can do to provide the kind of back-end judicial review that the Court demands.
Meanwhile, this is not just an EU-U.S. issue. SCCs provide a basis for companies to transfer data not just to the United States, but to countries around the world. Of course, they are not the only basis for such transfers. Other options include: (i) binding corporate rules, which many describe as the gold standard, but are onerous to negotiate and implement — meaning that they generally only make sense for big companies that engage in big data transfers; (ii) consent of the data subject; and (iii) if necessary for completion of a completion of a contract. But the European Data Protection Board has made clear that the latter two categories cannot be used for routine, ongoing transfers. As a result, SCCs remain the transfer protection of choice for many — not just with respect to transfers to the United States, but around the world.
Companies will now have to evaluate whether each of the countries to which it transfers data has “adequate” legal protections in place. Depending on how stringently these requirements are interpreted, the ruling could effectively shut down the vast majority of data transfers out of the EU.
Is This the Right Role for Business?
This is not the first time the CJEU has issued a broad ruling with dramatic legal and policy consequences and then basically delegated the arbiter of facts role to companies.
In Google v. Spain, the Court announced a right to be forgotten, based in privacy but also balanced against what the Court acknowledged was the potentially countervailing interest of other internet users in information being made publicly available. It then effectively delegated to Google (and other search engines) the responsibility of deciding the complicated questions of if and when the public interest trumps the individual right to privacy.
But as I have written previously, this was not the only way to design such a system. The Court could have instead required an initial administrative review of right to be forgotten claims, rather than delegating the initial decision-making to private entities. And, notably, only a subset of these private-sector decisions are appealable to any sort of public body. Decisions to reject an asserted right to be forgotten can be appealed to Data Protection Agencies. But there is no mechanism for a member of the public to know, let alone complain, if the private entity adheres to the request to delist but does so in an arguably excessive manner.
Here, too, companies big and small are thrust into the position of having to assess whether an array of governments around the world provide privacy protections “essentially equivalent” to the EU. And if they transfer EU data to countries that fail to provide such protections, they face sanctions and significant fines. At a point in time in which Europe and so many others are battling the power of big tech, there is a bit of irony in the delegation of so much responsibility — and as a result power — to the companies themselves.
Ratcheting Up or Accelerated Balkanization?
The pro-privacy take on the opinion presumes what Professor Anu Bradford has coined the “Brussels effect.” The EU demands higher data protections. And governments around the world put in place greater protections around law enforcement and other surveillance activities in order to preserve the free flow of data.
But it is not evident that it will work that way. It seems unlikely that U.S. intelligence agencies would ever agree to the kind of ex post reviews that the CJEU appears to be demanding. In that case, either the data protection authorities will need to interpret flexibly or look the other way, otherwise companies that want to do business in Europe will have to store all European data in Europe — a costly requirement that may make it impossible for small businesses and nascent start-ups to reach European markets. And to reiterate, this is not just an EU-U.S. issue. If the U.S. system is inadequate, what about China? Or another powerhouse, India? Or any number of other countries to which companies may have a need to transfer or interest in transferring personal data, whether for human resources, economic, or other reasons? Importantly, this is not just something that affects big tech, but just about any company that does international business and thus has to manage its international data flows.
Meanwhile, there is a fundamental question about whether and how to use market power for the important goals of protecting privacy and core rights while also respecting difference across borders. It is, in effect, the same argument I and many others have been having for years with respect to the U.S. CLOUD Act. What does it mean to demand “essentially equivalent” protections when dealing with widely divergent legal regimes around the globe? By taking one single criteria in isolation, one may miss how a system operates as a whole — and either does, or does not, provide the protections that are demanded.
The decision takes effect immediately. But as stated already, the U.S. Department of Commerce says it is going to reach out to EU counterparts to try to find some sort of workaround. And Věra Jourova, the EU commissioner with responsibility for trust and transparency, gave a press conference on Thursday where she emphasized the need to preserve transatlantic data flows and the continued availability of standard contract clauses, among other means to preserve data transfers. Last time around, when Safe Harbor was invalidated, EU Data Protection Authorities slow-rolled enforcement, effectively giving companies time to figure out how to respond.
That said, given the CJEU ruling, it seems unlikely that a new EU-U.S. agreement designed to ensure the adequacy of transfers will be entered into any time soon, absent a change in U.S. law. Additional protections will strengthen the U.S. hand; they will also help U.S. companies by protecting them in the event their reliance on SCCs is challenged by Member State Data Protection Authorities. Such protections need not, and should not, go so far as ensuring full-throated judicial review for any and every foreigner seeking to challenge U.S. surveillance laws. But more explicit limits on the acquisition, dissemination, and retention of foreigners’ data, coupled with additional oversight protections, would help.
Meanwhile, the key question is not so much what happens with the United States. But what about data transfers elsewhere? Do the same concerns apply to transfers of data to places like China, or is this simply an exercise in the flexing of the Court’s muscles vis-à-vis the United States?
And in the interim, it is the companies that are caught in the middle — subject to a whole lot of uncertainty and told to play the policy role of “verify[ing]” adequacy, without clear criteria as to what that actually means.