The recent Court of Justice of the European Union (CJEU) decision in Schrems II, which found that the EU-U.S. Privacy Shield is invalid and made additional findings with respect to standard contractual clauses, closes off key mechanisms for transferring personal data from the EU to the U.S., with important impacts on trade and the development of technologies such as cloud computing and artificial intelligence (AI).
This is the second time the CJEU has found that a General Data Protection Regulation (GDPR) mechanism for transferring personal data from the EU to the U.S. is invalid.1 The earlier CJEU decision in Schrems I found that the European Commission adequacy decision with respect to the EU-U.S. Safe Harbor was invalid.2 An adequacy decision is a finding by the European Commission that a third country's privacy laws are essentially equivalent to the rights and obligations under the GDPR.3 The importance of data flows for transatlantic economic relations necessitates that the U.S. and EU engage in a third attempt to develop a mechanism that can enable data flows and pass muster with the CJEU. However, whether this remains a fruitful path forward is uncertain in light of what we now know about the approach of the CJEU to adequacy under GDPR. In particular, the focus on how government agencies access data for national security purposes is becoming the key barrier to data flows between the EU and the U.S. More broadly, the CJEU decision makes clear that all the key GDPR mechanisms for transferring personal data from the EU to third countries are unstable, namely adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs).4 In this respect, the CJEU decision will have ramifications beyond its immediate impact on data flows between the EU and the U.S. The following addresses the explicit CJEU findings on adequacy and SCCs as well as the broader issue of how to balance national security and privacy. The paper concludes with observations about the potential impact of the decisions for the U.S. and beyond and suggests some ways forward.
In this column I focus on two key issues at play in this most recent Schrems case: (1) the disconnect between application of EU law to national security agencies in third countries compared with domestic security agencies; and (2) the severe limits the decision places on existing GDPR mechanisms for transferring personal data from the EU to third countries. I also offer observations on what this will mean for data flows, and in particular the implications for small and medium-sized enterprises (SMEs).
A core issue in both Schrems cases was how national security agencies operate to preserve security and also ensure sufficient levels of privacy, and whether this is consistent with GDPR. The attempt by GDPR to extend EU privacy rights and obligations to countries and entities receiving EU personal data reflects a broad dynamic: as the global free flow of data increases the scope for national security agencies to access the personal data of everyone, national privacy standards need to be globalized as well to be effective. Yet governments often provide different levels of privacy protection and redress depending on whether a person is a citizen and where they are located. Under the Fourth Amendment to the Constitution, the U.S. provides different levels of legal redress to people in the U.S. compared to those outside the U.S., including access to U.S. courts. GDPR in effect seeks to extend the full suite of rights and obligations available in the EU under GDPR to any country receiving EU personal data.
Underlying the CJEU decisions in Schrems I and Schrems II, which invalidated the EU-U.S. Safe Harbor agreement and, in this most recent case, the EU-U.S. Privacy Shield, is a disconnect between GDPR's international impacts and its domestic application to member state national security agencies. In both Schrems cases, the issue was U.S. government access to personal data for national security purposes and the rights of EU citizens in the U.S. to judicial review and redress. In both cases the CJEU found that the U.S. fell short in that the U.S. was not according EU personal data the protection and rights of redress available in the EU. When it comes to access to data for national security purposes, under EU law, including GDPR, any limitation on EU rights to privacy must be necessary and proportionate.5 At the same time, national security is the sole responsibility of member states.6 In effect, each EU state is given the discretion to balance national security needs with data privacy rights. Yet the EU is not according a similar discretion to third countries. In fact, GDPR uses the threat of withdrawing access to EU personal data as a tool to seek reform of other countries' security agencies to reflect the CJEU notion of proportionality, while exempting member state governments from similar expectations or threats. This effectively sets up the CJEU as the arbiter of whether other countries' approaches to accessing data for national security purposes are proportional.7
This disconnect between GDPR's international and domestic application when it comes to national security also risks EU demands becoming increasingly detached from the reality and practices of national security agencies. On the one hand, the outcome in the U.S. between security and privacy reflects U.S. constitutional constraints, national security needs and privacy concerns. In the EU, it does not appear that any such balancing took place, leaving the EU approach to privacy untouched in important ways by the equities and needs of member state national security agencies. The result is a set of demands on third country national security agencies that the EU does not, and could not, make of its own national security agencies. This dissonance between what the EU is expecting of other governments and what it is able to ask of its member states is compounded by various findings that EU data may in fact be safer and accorded better due process when in the U.S. than in the EU.8
The issue with how the U.S. government accesses data for national security is what led the CJEU in both Schrems cases to invalidate the European Commission's adequacy finding with respect to the U.S. This Schrems decision also makes clear that not only adequacy decisions but also SCCs and BCRs are much more limited than originally thought. Another consequence of the Schrems decision is to underscore the fragility of these GDPR data transfer mechanisms. As the Irish High Court and CJEU overturn a second adequacy finding by the Commission, the CJEU has made clear that SCCs (and BCRs) may require data flows to be terminated at any point should the processor in the third country be unable to comply with GDPR, either due to requests from a third government for access to data or due to changes in legislation. These outcomes will inevitably increase risk for businesses that rely on cross-border transfers of personal data. This will affect not only the large tech companies but also those in manufacturing and services that are increasingly data driven.
To understand the implications of this decision for these GDPR transfer mechanisms, it is helpful to reflect on the institutional incentives and priorities driving the different findings by the European Commission on the one hand, and EU domestic courts and the CJEU on the other. The European Commission in making an adequacy decision weighs a range of goals that are in tension with each other. While focused on assessing whether U.S. laws and practice are adequate under GDPR, the Commission also takes into account the impact of stopping flows of personal data on international trade, investment and diplomatic relations. In contrast, the process for challenging an adequacy finding rests upon findings by a National Data Commissioner, findings by domestic courts, and finally the CJEU. None of these bodies is expected to consider the range of issues at play for the Commission. Instead, the question is more narrowly whether the third country provides a level of privacy protection consistent with the Charter of Fundamental Rights of the European Union. It is these competing institutional incentives and focuses that help explain the different conclusions as to whether the U.S. confers adequacy.
These internal institutional tensions raise several issues for the EU. First is the validity of other adequacy findings. For instance, what does the Commission really know as to how national security agencies in Israel, Japan or Argentina collect, use or share EU personal data? Second is the stability of any adequacy findings. The narrow focus of the CJEU on consistency with the EU Charter and demand for essential equivalence leaves very little room for different approaches to privacy in other countries, reducing scope for adequacy findings and for using any transfer mechanism under GDPR. When it comes to determining whether the actions of other governments in collecting data for national security purposes are consistent with GDPR and the EU Charter, the vague standard of proportionality has led the Commission and CJEU to different conclusions regarding the adequacy of U.S. limits and safeguards.9 Taken together, this suggests that all adequacy decisions by the Commission must be treated as potentially suspect and open to being declared invalid by the CJEU.
Another impact of this Schrems case is to limit the availability of SCCs (and BCRs).10 The issue with SCCs (and BCRs) is that they are contractual obligations that do not bind other governments. Therefore, where practices by national security agencies for accessing personal data are inconsistent with GDPR, SCCs do not obviously remedy this problem. The CJEU nevertheless held that SCCs remain valid where the controller adduces additional safeguards that rectify these gaps.11 It is not clear what these safeguards are or how they could work in practice. Another wrinkle here is the finding by the CJEU of the accountability for processors in the EU to ensure that the legislation in the third country allows the data processor to comply with the SCC, before transferring personal data.12 It is not clear whether this merely requires comparing third party laws with GDPR or also the practice of national security agencies, which is harder to assess but arguably what should matter the most.
The result is that after Schrems II, all GDPR mechanisms for transferring personal data to third countries are much more limited in scope, durability and stability.
The first thing this Schrems case makes clear is the extent of the tension created by GDPR between balancing access to and use of data, and the privacy rights and obligations in GDPR (Mattoo and Meltzer 2018). The EU view is that it can have strong privacy and a strong digital economy, including cross-border data flows, and this is likely correct at a certain level of abstraction. However, the details of GDPR now make clear how GDPR sets up real tensions and trade-offs in terms of getting what the EU wants under GDPR in terms of privacy, and access to and use of data consistent with a robust engagement in the digital economy and digital trade (Jia et al. 2019).
In practical terms, Schrems II calls into question the availability of adequacy findings, SCCs (and BCRs) as reliable and stable mechanisms for cross-border data transfers. If the U.S. is still not adequate, then it must be the case that other countries, including China, will never be adequate; moreover, it is hard to see how any Chinese company collecting EU personal data can transfer it back to China consistently with GDPR. Large companies may have to localize data storage and processing in the EU.
Yet for small companies, the impacts are most pronounced. For many, setting up in the EU is not an option. There are SCCs, but depending on the government, additional safeguards may be needed for SCCs to be viable. Again, it is unclear what such safeguards may be or whether SMEs could implement them even if they exist. The CJEU decision also establishes an obligation on processors in third countries to notify controllers in the EU of changes in legislation that prevent compliance with an SCC. This is an additional monitoring burden on SMEs in third countries and failure here can expose these companies to liability for harm caused to EU data subjects. The difficulties with SCCs also create additional costs and disincentives for EU companies to develop digital supply chains with SMEs in third countries.
As discussed, another issue at play is the balance between how security agencies use data for security, and also protect personal privacy in a globalized world. It is likely that GDPR is too unilateral and too EU-specific, and that national security is too important, for GDPR to lead to the types of changes the EU needs for an adequacy finding to work. The EU bet with GDPR has been that the economic importance to U.S. companies of allowing cross-border data flows of EU personal data will be enough to force the U.S. to reform how its national security agencies collect and use data. This has been a somewhat reasonable bet so far in that the U.S. has shown a willingness to negotiate and engage in some reform. But even here, U.S. reforms in order to obtain an adequacy decision have been limited and, as we now know, not enough. It is also the case that the trend is not in the EU's favor. For while the economic importance of data grows, so do the security issues related to data flows. In fact, the trend is arguably towards security becoming a more important organizing principle for how digital economies develop and where data flows. Given this, the risk is that GDPR fails to lead to enough U.S. reform that can justify another adequacy finding, forcing the EU into self-imposed data isolation. In such an outcome, large U.S. and other companies will still service the EU market but the EU will become increasingly closed, reducing access to large global data pools and the opportunities for insights and the machine learning that underpin AI developments that the EU seeks to develop (European Commission 2020).
Given these risks and developments, what is needed is an international agreement on how to balance national security and access to data, with other key goals such as privacy. Such an outcome could be deemed an international agreement under GDPR Article 45(2)(c) that would support an adequacy finding and, by extension, shore up access to SCCs and BCRs.
Author's note: The author was an expert witness for Facebook in the latest proceedings before the Irish High Court.
European Commission (2020), "White Paper on Artificial Intelligence - A European Approach to excellence and trust", COM(2020) 65 final.
Jia, J, G Jin and L Wagman (2019), "The short-run effects of GDPR on technology venture investment", VoxEU.org, 7 January.
Mattoo, A and J P Meltzer (2018), "Resolving the conflict between privacy and digital trade", VoxEU.org, 23 May.