Privacy SOS

Huge Win For Privacy: Europe Highest Court Strikes Down E.U-U.S Data Transfer Pact

Last week, the European Court of Justice in Luxembourg—Europe’s top court— ruled that the agreement that allowed data transfers between the European Union and the United States is invalid under European law.

In a crucial pro-privacy ruling, the Court decided that the E.U. decision to approve the agreement was incompatible with Article 45(1) of the General Data Protection Regulation (GDPR), read in the light of the Charter of Fundamental Rights. The U.S. prioritizes “national security” and law enforcement over the fundamental rights of persons, making the data-sharing partnership unworkable, the Court reasoned.

The now-defunct transatlantic agreement, known as the Privacy Shield, was adopted in 2016. The intention behind it was to provide companies on both sides of the Atlantic with a framework to comply with data protection requirements when transferring personal data from Europe to the United States.

The E.U. Court decision is a huge win for privacy worldwide, and should push lawmakers in the United States to finally institute comprehensive privacy-protective federal law that places the rights of persons over the interests of corporations and secretive, undemocratic government agencies.

European Data Privacy Laws

Dooffy / CC0, https://commons.wikimedia.org/wiki/File:Gdpr_Europe.jpg

In Europe, the protection of personal data is not only subject to a very privacy-protective regulation, the GDPR, but also enshrined in Article 8 of the Charter of Fundamental Rights, together with civil rights and civil liberties like freedom of expression.

Added to strong substantive provisions related to the protection of personal data, the GDPR has specific requirements for the transfer of personal data outside the European Union. Generally, the validity of this transfer hinges on three conditions laid out in Chapter 5.

First, the European Commission—Europe’s executive branch—may find that a third country ensures, because of its domestic law or its international commitments, an adequate level of protection. In a previous case, the Court held that adequacy requires “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.”

Second, in the absence of an adequacy decision, the transfer may take place if the company that transfers the information provides appropriate safeguards, and if data subjects have enforceable rights and effective legal remedies. (These safeguards may be provided for by several methods, including specific standard contractual clauses adopted by the Commission.)

Third, if these safeguards do not exist, the GDPR itself details the conditions under which such a transfer may take place.

The Schrems Saga And The ECJ Decision

By Manfred Werner – Tsui / CC BY-SA, https://commons.wikimedia.org/wiki/File:Filmcasino_Wien_%C3%96sterreichpremiere_Democracy_Im_Rausch_der_Daten_12.jpg

The case decided last week marks the latest episode of the saga that started in 2011 when Max Schrems, an Austrian privacy rights advocate living in Ireland, sued Facebook in the Irish courts. Schrems filed suit to prevent the transfer of his personal information from Facebook Ireland to Facebook in the U.S.

In 2015, after lengthy litigation citing Edward Snowden’s revelations that the U.S. government was illegally surveilling electronic communications, the Court handed down its first decision—Schrems I—invalidating the existing mechanism by which companies transferred personal data across the Atlantic. The Court held that the practice failed to adequately protect European residents under the pre-GDPR Data Protection Directive. (This mechanism was known as the Safe Harbor.)

Schrems I and the implementation of the GDPR prompted the U.S. and E.U. to sign a new agreement in 2016: the Privacy Shield. But Mr. Schrems was not deterred, and once again filed suit alleging the 2016 agreement also violated his rights. After nearly four years of litigation, the primary issue boiled down to whether the Privacy Shield is a lawful agreement in the context of the GDPR, the Charter, and the rest of European law.

Last week, in a long and complicated opinion, now known as Schrems II, the Court negatively answered this question. The Privacy Shield does not comply with the “requirements stemming from the GDPR read in the light of the Charter,” the Court held.

Why? The Court gives two main reasons: the breadth of United States Government surveillance programs, and the lack of enforceable rights against the use of these programs in United States courts.

First, U.S. surveillance programs remain extremely broad and are not limited to collecting only information that is strictly necessary. For example, the Court notes that “Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-U.S. persons potentially targeted by those programmes.”

This reality collides with European law, where the principle of proportionality requires that limitations to fundamental rights (i) have a defined scope, (ii) have clear and precise rules governing that scope and application, and (iii) impose minimum safeguards.

Second, despite the existence of some rules in the U.S., and the creation of the Privacy Shield Ombudsperson reporting to the Secretary of State, American law does not grant persons effective and actionable rights when their privacy rights are violated.

Again, the absence of a private right of action collides with European law, where the Charter requires that everyone whose rights and freedoms are violated have the right to an effective remedy before a tribunal. As the Europeans realize but the United States often fails to, rights don’t mean much if they cannot be enforced.

Finally, in the same ruling, the Court also decided that the standard contractual clauses —non-negotiable legal, contractual clauses drawn up by the Commission if they want to keep collecting and storing personal data from European residents— remain valid.

What Happens Next?

By Diliff / CC BY-SA, https://commons.wikimedia.org/wiki/File:US_Capitol_dome_Jan_2006.jpg

The impact of Schrems II is likely to be enormous. European regulations tend to affect the whole world in a phenomenon known as the Brussels Effect.. And when it comes to data privacy, the size of the European market requires most, if not all, of the biggest companies in the world to adjust their policies and practices accordingly.

The ruling affects big tech companies like Amazon, Facebook, and Google, as well as thousands of other multinational companies that collect data from European residents and routinely transfer personal data to the U.S. or other countries outside the E.U.

On the one hand, if those companies use standard contractual clauses, they will need to seriously consider whether the country of destination provides an “adequate level of protection” for the personal data. If this is not the case, they will have to implement additional safeguards to ensure that data are protected like in Europe.

On the other hand, if companies rely on the Privacy Shield, they need to immediately identify an alternative data transfer mechanism if they wish to transfer personal data to the U.S.

The problem, however, is that what the Court found (i.e., the pervasive government surveillance in the U.S. and the lack of effective remedies) is beyond the control of the companies.

That means in order for companies to do business, public officials and policy-makers on both sides of the Atlantic will have to renegotiate an agreement that protects the cross-border transfer of personal data, and that passes ECJ scrutiny in the future. But, as it seems from the Court’s logic and reasoning in Schrems I and II, this will not be easy.

The big elephants in the room here are the absence of federal privacy regulations in the U.S. and the country’s massive, unaccountable, post-9/11 surveillance programs justified in the name of national security. If the U.S. Congress doesn’t radically reshape U.S. surveillance law, the problems identified in these rulings are not likely to go away. To do that, Congress must both fix FISA and enact a robust federal consumer privacy statute to protect consumers.  

Many states already protect consumer data, student data, and biometric data. As a consequence, any federal legislation Congress contemplates must reject compromises to consumer civil rights and civil liberties and act as a floor, not a ceiling, to privacy protections in the United States. In other words, even if Congress passes a data privacy law, the states should retain the authority to enact more robust protections, if that’s what people in those states want.

As the Schrems cases show, obsolete and dangerous U.S. surveillance laws don’t only harm personal privacy here and worldwide. These bad laws also threaten our relationships with the world.

This blog post was written by Technology for Liberty Program Policy Counsel Emiliano Falcon.

© 2020 ACLU of Massachusetts.