Transatlantic Data Flows: Permanently Broken or Temporarily Fractured?
August 31, 2020
The Schrems II decision handed down by the European Court of Justice last month resulted in the invalidation of Privacy Shield, affecting the $7.1 trillion data transfer relationship between the United States and the European Union. Over 5,300 companies, including tech giants Google, Facebook, Amazon, and Twitter, relied at least in part on the Privacy Shield framework for transatlantic data transfers. The United States and European Union have begun talks to determine whether a new, improved Privacy Shield could be viable, and the private sector has called for a new framework to keep data seamlessly flowing across the Atlantic. But a new agreement will have to emerge out of a historically fragile relationship when it comes to personal data transfer. Privacy Shield’s predecessor, the Safe Harbor agreement, was also declared invalid, in 2015, on similar grounds—regarding privacy rights being put in jeopardy by U.S. surveillance authorities. This continued battle between the privacy rights of EU citizens and U.S. national security policy reveals a fundamental divide between the two economies.
Q1: What was the Privacy Shield framework?
A1: The United States and European Union jointly established the Privacy Shield framework in 2016. The framework enabled over 5,000 companies to transfer EU citizens’ personal data between Europe and the United States if those companies self-certified that they met the principles laid out by the framework. The Privacy Shield itself was not a bilateral agreement but rather a list of principles issued by the Commerce Department on the treatment of EU citizens’ personal data that the European Commission determined provided adequate protection of that data. The Commission’s adequacy determination enabled companies in the United States to use Privacy Shield as a framework for transatlantic data flows.
The United States and European Union negotiated Privacy Shield after the European Court of Justice (ECJ) in 2015 found Privacy Shield’s predecessor, the Safe Harbor agreement, invalid. The ECJ determined that Safe Harbor could not ensure that EU personal data would be adequately protected due to U.S. national security, public interest, and law enforcement practices. The ECJ confirmed that EU citizens’ personal data must be provided “adequate protection” when handled abroad, as was required under the EU’s Data Protection Directive. That standard requires foreign countries to provide essentially equivalent protection to EU citizens’ personal data within and outside the Union. In other words, EU citizens’ privacy rights follow their data globally. The General Data Protection Regulation (GDPR) enshrined that same adequacy requirement. The European Union feared personal information would be accessed by U.S. intelligence agencies and utilized by U.S. companies in ways that breached personal privacy rights. Revelations about U.S. surveillance from the Edward Snowden scandal led to the Safe Harbor agreement being challenged and ultimately invalidated by the ECJ. The Snowden leak and subsequent litigation exacerbated and drew greater attention to the tension between the value of privacy of EU citizens and U.S. national security with regard to data transfers.
After its creation, the Privacy Shield framework allowed large and small companies alike to move personal data between the European Union and United States freely so long as companies in the United States self-certified as meeting the framework’s principles. To comport with EU requirements, Privacy Shield required extra privacy protections for EU citizens. The new safeguards allowed for EU citizens’ control over their personal information, the right to go to U.S. courts over data misuse, and the requirement that the U.S. government would not collect data without reasonable cause. An important innovation was the creation of an ombudsman that handled requests made by EU citizens to the U.S. government about intelligence agencies’ access to their data. Importantly, the United States was not required to change its surveillance laws.
Privacy activists began to protest immediately following the agreement on Privacy Shield. Max Schrems, the Austrian activist who brought the case that took down Safe Harbor in 2015 turned to focus on challenging the standard contractual clauses (SCCs) companies used to deal with EU citizens’ personal data. These alternate tools for transatlantic data flows, Facebook argued, could be used to legally transfer his data, which Schrems viewed to be a privacy violation. This case, known as Schrems II, was tied together with Privacy Shield opposition, and it eventually reached the ECJ, which issued its decision on July 16, 2020.
Q2: What did the ECJ decide about Privacy Shield?
A2: Most importantly for the United States, the ECJ determined that Privacy Shield was invalid. The court also ruled that the GDPR’s “essentially equivalent” standard would be applied to all personal data transfers. SCCs were considered valid because they typically already included EU-style requirements. Instead, the ECJ ruled that SCCs will essentially be subject to individual adequacy decisions, holding data controllers more accountable for understanding whether law in a third country meets the European Union’s required level of protection. If clauses are not followed, or if they do not create adequate protection due to foreign law, transfers must cease.
The first reason the ECJ invalidated Privacy Shield was because U.S. law enforcement and national security powers conflicted with EU data protection requirements. The ECJ found few limitations on U.S. surveillance power, for example. On top of that, there was no remedy for government violations of Privacy Shield in the United States, as the ombudsman mechanism was determined to be ineffective. This mechanism was meant to provide Europeans with a person to contact in the United States if they feared that their data was being misused by the government. In general, surveillance laws aren’t necessarily in breach of EU privacy requirements so long as they adhere to the principle of necessity and proportionality. However, the ECJ determined that domestic surveillance law in United States does not satisfy its personal data protection requirement, and as a result, Privacy Shield could not guarantee compliance with EU privacy rights. The ECJ’s ruling reinforces the directive under the GDPR in which personal information of EU citizens can’t be transferred to countries with fewer protections than the European Union, such as the United States. The ECJ’s decision also suggests that the European Union will be taking a stricter stance on personal data transfer in the future.
Q3: What are the consequences of this ruling?
A3: Officials claim the potential fallout of the ECJ decision will be minimal, as there are plans to prevent commerce disruption. It will initially create more work for legal departments but cause little change in movement of data. However, the United States will have to consider other potential long-term impacts. Commerce Secretary Wilbur Ross said that he is “deeply disappointed,” and the United States intends to reenter negotiations with the European Union for a future deal. Data transfers between the European Union and United States are worth about $7.1 trillion, so the primary goal of the United States is protecting the mechanisms that enable those flows. With Privacy Shield being found invalid, SCCs that provide for transfer of personal data to the United States will likely also be found invalid if and when examined on an individual basis.
These high privacy standards could result in more companies storing data in the European Union instead, which would generate new costs for those businesses and frustrate U.S. efforts to beat back data localization requirements. Max Schrems stated that the United States will need to change surveillance laws to be a part of EU digital market, a commercial priority for many U.S. companies. It is not clear however, what appetite there is in the United States to undertake a revision of its surveillance and other data collection laws to meet EU requirements.
The invalidity of the Privacy Shield highlights how the transatlantic relationship risks fracturing further on economic and digital issues while China advances its own internet and digital values. A transatlantic division will do little to slow China’s push for an internet model that pays little regard to personal privacy or fair competition—values the United States and European Union share, at least in principle, emphasizing the need for a renegotiated deal.
The impact of the ECJ decision will affect other countries as well. The ruling on SCCs suggests potential for worldwide enforcement with a specific impact on certain countries. For example, China is known for regularly violating internet freedom rights. Data flows between the European Union and China are significant: the European Union exports 200 billion euros worth of data to China annually. By enforcing the need for essentially equal protections, data transfer with China may be in danger. While surveillance laws are not inherently problematic, communication between data exporters and importers needs to be clear, and if European authorities determine that foreign surveillance laws do not align with EU privacy requirements, then transfers are supposed to cease. Russia and India have also been listed by commentators as countries with strong surveillance and few limitations that do not provide adequate protections. Other countries the European Union has previously determined to have adequate privacy protection also conduct surveillance for national security, such as Israel and the United Kingdom. SCCs used to transfer EU personal data to those countries could come under new scrutiny going forward.
The United Kingdom is a special case. The Brexit transition will last until the end of 2020. Data transfer is not currently restricted, but after the transition period, the European Commission will need to make an adequacy decision. The United Kingdom wants to have data transfer agreements with the European Union and United States. It was originally thought that the European Union would require an adequacy decision while the U.S.-UK agreement would resemble the Privacy Shield framework. As the Privacy Shield agreement is now considered invalid, if the United Kingdom were to continue pursuing a similar one with the United States, its privacy protection standards might be also called into question. The United Kingdom may need to decide what is more important: data flows with the United States or with the European Union. It appears unlikely it will be able to have both by the end of the transition period.
The ECJ decision can also affect other negotiations going forward. South Korea is currently discussing their data protection adequacy with the European Union after making amendments to better protect personal data. EU provisional approvals are to be released this summer. In a summit between South Korea and the European Union on June 30, it was determined that South Korea had achieved “significant progress.” The Commission is likely to be more hesitant with future adequacy decisions after both Safe Harbor and Privacy Shield fell through. This could make the UK and South Korea negotiations more challenging. However, if expectations are too high, developing countries in particular will be forced to abandon attempts to enter the EU digital market, especially if the ECJ refuses to consider political context. It is not realistic to assume that every country will adopt all EU standards.
Q4: Can transatlantic data flows be secured, or is there a fundamental divide?
A4: In a joint statement, European Commissioner of Justice Didier Reynders and Secretary of Commerce Wilbur Ross announced discussions to determine the viability of negotiations to enhance the Privacy Shield framework, recognizing the importance of data protection and data transfer especially considering recovery from the pandemic. However, a fundamental divide stands in the way of these negotiations.
First, the legal conflict between the United States and European Union is not new and is probably not finished following the Privacy Shield ruling. Schrems has been battling in court against transatlantic personal data flows since 2013, when he argued that U.S. laws did not provide adequate privacy protections for EU citizens. At the heart of the conflict are U.S. national security and law enforcement powers that conflict with the EU’s approach to data privacy.
The United States can take some remedial steps short of changing its laws as it relates to surveillance. For example, the ombudsman could be moved to an independent administration agency instead of being a part of the State Department. This would counter the court criticism of lack of independence and the inability of the ombudsman to bind intelligence agencies to remedies. However, it would require statutory change, making it a heavy lift.
Ultimately, a new deal seems far off, if not entirely out of the question. The United States is likely to claim that EU rights cannot dictate U.S. domestic and foreign policy. On the other hand, the European Union is unlikely to sacrifice privacy rights enshrined in its Charter of Fundamental Rights. That fundamental divide may leave a third personal data transfer framework out of reach.
William Reinsch holds the Scholl Chair in International Business at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Isabella Frymoyer was an intern with the CSIS Scholl Chair in International Business.
Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2020 by the Center for Strategic and International Studies. All rights reserved.