The recent decision of the Court of Justice of the European Union in the "Schrems II" case has released a tsunami in the privacy community that threatens to massively disrupt trans-Atlantic commerce if no political solution is found. While the case before the CJEU related only to the United States, the decision could prevent transfers of personal data from the European Union not only to the United States, but to almost every other country in the world.
The CJEU’s decision involved an EU law that prohibits the transfer of personal data out of the EU unless the receiving country has privacy protections that are essentially equivalent to those found in the EU. Because U.S. law differs significantly from EU law, the U.S. and the EU 20 years ago negotiated the Safe Harbor Framework, which was designed to bridge that gap. The court in 2015 struck down the Safe Harbor, and the U.S. and EU negotiated a new agreement called the EU-U.S. Privacy Shield Framework, which permitted companies that certified that they would abide by specific obligations to receive data in the U.S. from companies in the EU.
The CJEU invalidated the Privacy Shield in "Schrems II" because it held that U.S. intelligence agencies can access personal data relating to Europeans in ways that are incompatible with EU law. First, the court criticized a provision of the Foreign Intelligence Surveillance Act that allows the U.S. government to obtain a court order authorizing it to collect from U.S. providers communications from foreigners who are outside the U.S. because those orders do not require any independent approval of the individual targets about whom information will be collected. Second, the court criticized the U.S. government’s alleged collection of data in transit via trans-Atlantic cables without adequate oversight or judicial review. Finally, the court noted that U.S. law does not provide a reliable judicial remedy for Europeans who believe that their data had been improperly collected by intelligence authorities.
In addition to striking down the Privacy Shield agreement, the court discussed another widely used mechanism for international data transfers called the standard contractual clauses. While the court held that the SCCs were valid, it ruled that any company that uses the SCCs (or any other cross-border mechanism) is required to assess the laws of the country to which data is being transferred to determine if those laws sufficiently protect personal data.
That means, for example, that a manufacturing company in Germany that wants to outsource its data center to India must determine whether the laws of India sufficiently protect personal information, a pharmaceutical company in the Netherlands that wishes to share research to fight COVID-19 with researchers in Brazil must determine if the Brazilian government engages in bulk surveillance, and a company in France that wishes to share the names and email addresses of its employees with its parent company in Singapore as part of a global employee directory must determine if those French citizens could obtain appropriate judicial redress for privacy violations in Singapore.
This would be a challenging burden for a large multinational corporation, let alone a smaller business.
With respect to the U.S., by invalidating the Privacy Shield, the court determined that U.S. law does not, in fact, provide adequate privacy protections, leaving the status of any data flows between Europe and the U.S. in legal limbo. Already, German data protection authorities have threatened to immediately suspend all data transfers to the U.S. that are based on the SCCs. And if U.S. protections are deemed insufficient, these DPAs will likely reach the same conclusion with respect to other significant trading partners, such as India, Turkey, Brazil, South Korea, China and Russia.
This is more than an administrative inconvenience; companies that violate EU data protection laws are subject to fines that can equal 4% of annual global revenue.
Prohibiting transfers of personal information to the U.S. and virtually every other country in the world will not protect European citizens from surveillance because many European countries engage in broad surveillance for national security purposes, and it is questionable whether those European countries provide for the transparency and protections that the CJEU suggests are essential. At the same time, if no solution is found, the EU will become an information island, disconnected from the rest of the world. European companies will be severely hindered in competing in the global market; indeed, as COVID-19 hampers physical travel, virtual connectivity will be even more important.
European nations must recognize that the U.S. legal system is different from the EU’s and find ways to analyze U.S. privacy protections on their own, not by comparison to some platonic standard.
The ramifications of this decision are more profound than limiting European citizens’ access to affordable products and services or providing EU companies with inexpensive cloud computing services. Pharmaceutical companies seeking to cooperate globally to find a vaccine for COVID-19 will face obstacles to sharing information. The worldwide public and private sector fight against ever-increasing cybercrime and the European efforts to fight fraud would be impeded. Finally, global efforts by the private and public sectors to prevent terrorist attacks would be significantly degraded.
Dealing with the court’s decision will require sustained attention on both sides of the Atlantic. The U.S. must recognize that it will have to impose some new rules to provide assurances to Europe that data is appropriately protected from improper surveillance; creative thinking will be needed to determine how that can be done without compromising national security interests that are essential not only to the U.S. but to European nations with whom we cooperate. Similarly, European nations must recognize that the U.S. legal system is different from the EU’s and find ways to analyze U.S. privacy protections on their own, not by comparison to some platonic standard.
In these troubled times, affected companies must be willing to engage affirmatively and vigorously with governments on both sides of the Atlantic to help them come together and ensure the continued viability of trillions of dollars and euros for the huge economic impact of trans-Atlantic commerce.
Photo by Benjamin Behre on Unsplash