The "Schrems II" decision is the latest — and perhaps most significant — event in a long-running series of issues regarding the appropriate role of surveillance in our society and the inevitable collision of surveillance and privacy. The decision invalidated the EU-U.S. Privacy Shield, raised questions regarding the use of standard contractual clauses (presumably binding corporate rules, as well), created new obligations on data exporters (that data importers will likely have to help address) and, at some level, imposed certain obligations on data protection authorities.
These findings have created uncertainty regarding trans-Atlantic data flows specifically, as well as data transfers from the EU to certain other countries more broadly. That uncertainty is only heightened by the fact that this is the second time the CJEU has invalidated a data transfer mechanism with the U.S.
Ultimately, the "Schrems II" decision examined two issues in U.S. law: the remedies available to Europeans for surveillance in the U.S. and the scope of surveillance authority in the U.S. To understand the decision, as well as chart a path forward, it is critical to understand both issues.
My role in the case was somewhat unique. I drafted a memorandum on U.S. law for Irish Data Protection Commissioner Helen Dixon that provided an independent view on these issues, and this memo was referenced and relied upon in her Draft Decision, the document that started the Irish High Court proceeding. The memo ultimately became part of my Expert Report in the case, and I later testified in the High Court proceeding — a rather interesting experience, to say the least.
That report is linked here, and it examines in some detail the scope of remedies against the U.S. government for Europeans based upon U.S. surveillance. Ultimately, the High Court made findings regarding U.S. law — U.S. law was a fact in the case, not a legal conclusion — and my report is important if one wants to understand the ultimate factual findings made by the High Court regarding U.S. law.
As we move forward and try to assess how data flows will work in the future, it is also important to understand the surveillance authorities in the U.S., including how and when the U.S. government can utilize Section 702, as well as Executive Order 12333, both focal points of the CJEU’s decision. Those issues, PPD-28 and Executive Authority generally, as well as a discussion of the history of surveillance and many other issues, are addressed in a white paper I wrote, which was published by the IAPP and can be found here.
Ultimately, understanding what the U.S. government can do and what remedies exist is in many ways the baseline for understanding a path forward, though other factors are relevant when assessing whether data transfers can still occur. After examining the scope of surveillance and the remedies that exist under U.S. law, one should consider what additional safeguards (such as policies regarding responding to law enforcement and the Intelligence Community and additional contractual undertakings) can be put in place if a data transfer is occurring; whether surveillance is likely given the overall context of the data transfer, including the type of data that is being transferred; and any other factors that may be relevant in that particular situation.
Ultimately, we may be at a crossroads in the development of the internet, as well as global privacy protections. There are significant pressures that seem to be moving us away from global data flows and pushing toward fragmented data flows, and this could have a massive impact on the internet, as well as non-internet-based commerce in a much broader sense.
Privacy professionals have always had to try and bridge the gap between the U.S. model, which is more of a property-based approach, and that of Europe, which focuses more on privacy as a fundamental human right. If we want to continue to enable cross-border data flows, which are in everyone’s interest, it is incumbent on privacy professionals to try and address these issues in a way that permits legitimate surveillance to occur while still protecting individuals’ privacy rights.
While I am optimistic this can be done, we have to recognize that Privacy Shield, the solution to the invalidation of Safe Harbor, wasn’t, in fact, a solution at all, and we must be creative in our approach or risk ending up in a world with fractured data flows.