Writing for the IAPP this summer, in honor of the second anniversary of the EU General Data Protection Regulation, I said that “European law, to assure protection of personal data when sent to third countries, may have backed itself into a corner.” Today’s so-called "Schrems II" decision provides the EU with even less room to maneuver. Especially for transfers of personal data to authoritarian countries, such as China and Russia, it is now difficult to see a lawful basis for many routine data flows.

As IAPP readers likely know by now, the Court of Justice for the European Union today struck down the EU-U.S. Privacy Shield, much as it did the EU-U.S. Safe Harbor in "Schrems I" in 2015, citing a lack of individual redress and lack of proportionality. 

For the standard contractual clauses specifically challenged by Max Schrems in Ireland, the court allowed them to stand as a general matter.  The controller in the EU, however, must now assess in each case the level of protection afforded by the SCCs and also protections “as regards any access by the public authorities of that third country to the personal data transferred (and) the relevant aspects of the legal system of that third country.”  

These company-by-company assessments must be overseen by the data protection authorities: “the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”  If supervisory authorities disagree about transfers, the European Data Protection Board is assigned to resolve disputes; in the event of such disputes, it would be important for the EDPB to have access to the best possible information on how to assess national security and other laws about government access to data in countries outside of the EU.

The CJEU highlighted two aspects of U.S. intelligence law as lacking adequate safeguards. One flaw, according to the court, is the lack of individual redress — an EU person such as Max Schrems does not have access to the courts in the U.S. to review what the National Security Agency may do with his data. For national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries. Also, the Fundamental Rights Agency has documented the limited individual redress existing in EU member states, including: “In four Member States [out of 27], an expert body’s decision or preliminary assessment can be appealed before a judge.” Although the CJEU avoided comparing member state law or practice with the U.S., it can seem discriminatory to judge third countries by a legal standard that does not apply to the member states.

The second flaw, according to the court, is the lack of proportionality in U.S. intelligence activities, essentially the concern that the U.S. does broader collections, with less clear legal standards, than the court finds adequate. The court leaves a bit of room for national security surveillance, allowing that which is strictly “necessary in a democratic society to safeguard, inter alia, national security, defence and public security.” 

The CJEU, however, declined to address the nuanced jurisprudence, as explained by Professor Théodore Christakis, by the European Court of Human Rights on how to reconcile fundamental rights with national security. As someone who has worked extensively both in privacy and national security, my own view is that the CJEU provides very little room for effective protection against military action, such as the Russian invasion of Crimea in 2014, or the risk of future aggressive action against the Baltic States. As fellow members of the North Atlantic Treaty Organization, the U.S. and many member states have a shared interest in countering threats, including terrorism and nation-state attacks. Better to build layers of safeguards onto needed intelligence activities, such as the broad 2015 reforms in the U.S., than to block those activities.

Going forward, U.S. Secretary of Commerce Wilbur Ross and the EU Commission have indicated a willingness to work together in the wake of today’s decision. If the two sides can reach a new agreement about what constitutes adequacy, then the court’s decision states that the finding of adequacy will ensure the lawfulness of transfers to the U.S. unless some future court decision holds otherwise. I hope and believe innovative approaches are possible to pursue such an agreement.

The court’s decision leaves even less room for transferring personal data from the EU to China and other authoritarian countries. 

Our research shows much larger flows to China than many have realized, with annual exports of 200 billion euros, including via TikTok, Alibaba and TenCent. Wojciech Wiewiórowski, the European Data Protection Supervisor, recently commented to Politico that the U.S. is “much closer” to the EU than China in terms of shared values. He added, “I have never hidden that we have a preference for data being processed by entities sharing European values.” The EU and U.S. have a shared tradition of fundamental rights protections and the rule of law, so it is difficult to see how many of the transfers to third countries lacking those protections will be lawful after the court’s decision.

In conclusion, the EU faces the legal challenge I addressed previously for the IAPP — how can global data flows continue, including with the EU’s largest trading partners and closest allies? The court’s legal doctrine appears to back the EU into a corner. Next, how will it get out, protecting both privacy and the other values necessary in a democratic society?

Photo by Christian Wiediger on Unsplash