More than a year after a landmark court ruling invalidated the EU-US data transfer agreement, transatlantic commercial data flows exist in legal limbo. Negotiators on both sides of the pond have been hashing out a new solution, but this time the bar is higher, and despite increasing urgency, there are doubts that anything less than an overhaul of US foreign surveillance law will suffice.
Last July, the Privacy Shield – the mechanism for legal data transfers from the EU to the US – was struck down by the European Union Court of Justice (CJEU), because it didn’t adequately protect Europeans’ data from processing by US intelligence agencies.
“The heart of the matter here is really that this agreement necessarily combines commercial and national security-related protections,” says Caitlin Fennessy, research director at the International Association of Privacy Professionals. Although Privacy Shield was a mechanism used by commercial entities to move data, “the challenges that have arisen over quite a number of years now […] are all in the national security sphere.”
The case at the CJEU was based on a complaint filed in 2013 by the Austrian lawyer and privacy activist Max Schrems, who argued that European data is subject to US government surveillance because companies can be made to hand over data from non-US citizens to intelligence authorities under the US Foreign Intelligence Surveillance Act (FISA).
Before the most recent legal challenge came Schrems I, which resulted in the invalidation of Safe Harbor, the EU-US data transfer agreement preceding Privacy Shield. For EU and US negotiators, the prospect of a ‘Schrems III’ legal challenge looms large.
“The reason for the delay in finding an agreement likely lies in the fact that the EU does not want to accept a ‘band aid’ solution – i.e., another agreement similar to the Privacy Shield or Safe Harbor – that would be struck down by the CJEU in a short matter of time due to its fundamental inability to ensure that EU citizens’ data protection rights are respected,” says Paolo Balboni, founding partner at ICT Legal Consulting and professor of privacy, cybersecurity, and IT contract law at Maastricht University.
EU-US data agreement: what will replace the Privacy Shield?
This time around, the CJEU has set demanding standards for what would qualify as adequate protection of European data. One of the trickiest issues to iron out is around redress – the CJEU has said that if an individual in Europe is singled out unlawfully by the NSA, there should be a new procedure in place to protect that individual.
The Privacy Shield agreement introduced a new redress mechanism in the form of an ombudsperson that allowed individuals to challenge government data access issues when they thought that their data had been handled in a way that didn’t align with their data protections. The CJEU’s latest ruling said that this redress mechanism wasn’t sufficiently independent and didn’t have sufficient powers.
“Officials have said redress is the most difficult issue to resolve,” says Peter Swire, privacy professor at Georgia Tech and former US government privacy official, although his understanding “is that the two sides are getting closer on how to build a new redress procedure.”
A couple of remedies to this issue have been floated. The EU reportedly believes that only a non-executive US agency such as the Privacy and Civil Liberties Oversight Board, perhaps acting in conjunction with the Foreign Intelligence Surveillance Court, would be sufficient to head off another CJEU challenge.
Some US privacy groups, on the other hand, have suggested changes to the legal regime so that non-US citizens can use normal courts, rather than national security courts, to stage a legal challenge if they believe their data has been unlawfully processed by the National Security Agency.
“The Biden administration and ultimately the US Congress will likely have to provide more checks and balances in that foreign surveillance system, at least with respect to Europeans,” says Anupam Chander, professor of law at Georgetown University. “So fixing the Privacy Shield means fixing US surveillance law, which is probably even harder than fixing US privacy law.”
Tweaking US surveillance law, particularly at the behest of foreign nations, is considered a politically tricky proposition. One solution to a potential impasse is for US president Joe Biden to enact executive orders instead of changing legislation. “The president has broad powers to require federal agencies to build and implement a new system,” says Swire. “For instance, he could order the intelligence agencies to follow a decision of a new tribunal that requires redress.”
This would potentially pose a simpler path to resolution. “I think that [US officials] recognise that congressional action is not the only path forward and is perhaps a more challenging path forward and are looking at executive authorities as well,” says Fennessy.
Can the US satisfy EU demands?
But whether the CJEU would be satisfied by executive orders is another issue.
EU Commissioner Didier Reynders and the VP of the European Commission for Values and Transparency, Věra Jourová, have both stated that “material changes to how the US treats the data of EU citizens will be a prerequisite for a new agreement,” points out Balboni. “More specifically, this means that the US will need to concretely and legally (via actual legislation) limit access to the data of EU citizens by American national security agencies and ensure that EU citizens have the ability to challenge such access.”
“I don’t see how executive orders will replace a data agreement,” says W Gregory Voss, associate professor in Business Law at Toulouse Business School. “I can’t imagine an executive order establishing a framework on how US companies are to handle the personal data of EU persons, and providing that those Europeans will effectively find their data privacy better protected than US citizens.”
Existing data transfer methods could be in jeopardy
Whatever the eventual outcome, the talks have an added urgency now that EU-US data transfer instruments used by American firms also appear to be in jeopardy. Standard Contractual Clauses (SCCs) are the fall-back method for US firms, but a couple of recent developments in the EU have undermined their legitimacy.
Facebook is currently embroiled in a legal battle with Ireland over alleged privacy violations linked to transatlantic data transfers. In May this year, Ireland’s High Court ruled against the social networking giant in the dispute. Although the decision did not yet prevent Facebook from sending data to the US, the court endorsed the Data Protection Commissioner’s view that SCCs cannot be used to transfer data to the US in light of the CJEU’s July ruling.
Recommendations from the European Data Protection Board published in July said that some data transfers to third countries cannot legally be carried out, despite the existence of legal mechanisms such as SCCs. Instead, companies will have to assess the viability of each data transfer on a case-by-case basis.
“At this point in time, without an agreement, companies and privacy professionals around the world are put in the position of having to themselves assess and create protections that influence government surveillance, and that is simply an untenable position for the vast majority of companies who are moving data for very routine commercial tasks,” says Fennessy.
“We know that companies are, in some instances, stopping data flows, localising data or stopping offering related services, due to the challenges that privacy professionals are trying to comply with.”
While some companies are able to apply ‘special measures’ to help protect data from US intelligence agencies, social media and other data-handling firms are subject to Section 702 of the US FISA law, which limits what they can do in this regard.
“The real problem occurs for companies such as Facebook or cloud providers or email providers, which are subject to US mass surveillance laws and regulations,” says Voss. Zoom and Cloudflare are two companies that have already been caught in the crosshairs.
If a new data agreement is not implemented, it might be that certain US companies are forced to store their data in the EU – a practice known as data localisation. “Without changes to US mass surveillance laws, certain companies subject to those laws could find that they are ordered to cease imports of personal data to the US, thus causing disruptions in flows,” says Voss.