Privacy—Heading for Schrems III?
The Biden administration issued two important documents last week: an executive order to establish new procedures intended to conform to the European Union’s General Data Protection Regulation (GDPR) and new rules further controlling exports to China. I had been planning to discuss the second, but once I discovered the new rules were 137 pages and very complicated, I decided to wait until more research on them was done and stakeholder reactions gathered. Besides, I recently wrote about the change of policy the new rules are intended to implement.
Instead, today’s column will take a look at privacy developments. The European Union’s GDPR sets up criteria other countries must meet in order to permit cross-border data flows. If the criteria are met, the European Union issues an “adequacy” finding with respect to the other country and permits data to be transferred. The United States has never obtained an adequacy determination and instead has negotiated procedures that the European Union would deem essentially equivalent to its own procedures. While agreement with the European Commission has been reached twice—first on a process known as Safe Harbor, and second on one called Privacy Shield—in both cases the European Court of Justice rejected the agreements as inconsistent with EU principles and concluded that they permit collection of data that is neither necessary nor proportionate. Those cases are known as Schrems I and Schrems II, named after Max Schrems, the Austrian activist who initiated the litigation.
The third try appeared in last week’s executive order. The new version is called the EU-U.S. Data Privacy Framework (DPF). It attempts to address the two key issues that emerged from the previous litigation—whether U.S. signals intelligence gathering activities are “necessary and proportionate” and whether there is an objective and independent process for individuals to seek redress from the U.S. government if they believe their personal data has been improperly collected or used.
With respect to the first issue, a White House statement summarizes how the new DPF will meet a necessary and proportionate standard:
In particular, the Executive Order: Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
On the second issue, the executive order sets up a process that permits individuals to obtain independent and binding review and redress of claims that their data has been improperly collected or handled. The process consists of several steps, but the key one is a Data Protection Review Court (DPRC) set up in the Department of Justice, which is supposed to provide independent and binding review of lower-level decisions on individual complaints. Judges on the court are to be appointed from outside the government, must have relevant experience, and will receive protection against removal.
The process leaves two questions: Will it do the job (meaning satisfy the European Union) and is it sound policy? On the first, remember that the argument is between the U.S. government and the European Court of Justice, not between the U.S. government and the European Commission. The executive order implements an agreement announced by President Biden and European Commission president Ursula von der Leyen last March. The European Union must still approve it, but since it previously agreed to the outline, approval is likely.
Schrems’s response to the executive order was not definitive, but it certainly sounded like he will fight the agreement, and the court will have to deal with Schrems III. While Schrems himself likely opposes general U.S. government signals intelligence data gathering, the argument before the court will hinge on whether the new procedures restrict U.S. government data gathering to what is necessary and proportionate and whether the dispute resolution process is truly independent. The first is hard to predict as the standard is subjective. The second is easier to predict—the fact that the court is inside the Justice Department means it is not really independent, despite the U.S. government’s assertion.
So, we will likely have Schrems III, and he will prevail again, at least in part, which will mean a new negotiation, eventually a new framework, and then a Schrems IV, and a Schrems V and so on. Remember the movie, Groundhog Day? Each new framework, however, buys several years of peace while the litigation plays out, and that may be the best we can hope for.
One interesting new twist this time is the insertion of a provision that gives the U.S. government the authority to determine whether European surveillance programs adequately protect the privacy rights of U.S. citizens. This is a long overdue turnabout in my view, since many of the EU member states do pretty much what our intelligence authorities do.
William Reinsch holds the Scholl Chair in International Business at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2022 by the Center for Strategic and International Studies. All rights reserved.