In a sweeping judgment on July 16, the Court of Justice of the European Union (CJEU) summarily demolished the fragile legal peace that has prevailed for the last four years on the subject of transatlantic data transfers. The ruling has major geopolitical implications not only for the EU’s commercial relations with the United States, but also for unrestricted European data flows to other countries with serious surveillance capacities, from the United Kingdom and Israel in the European “neighborhood” to authoritarian states farther afield such as Russia and China.
The case, known as Schrems II, marks the second time in five years that the CJEU has effectively invalidated a major US-EU agreement used by thousands of companies—European as well as American, small as well as large—for transferring personal data in the commercial context from the European Union to the United States. The Court did so after finding a series of deficiencies in privacy protections for non-Americans under US surveillance law.
Privacy Shield is dead
The European Union and the United States had agreed upon the Privacy Shield in 2016, and the European Commission duly found that it provided an adequate level of protection for data transferred from Europe to participating companies in the United States. But the CJEU, which insists that foreign privacy safeguards be “essentially equivalent” to those provided under the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR), saw otherwise.
The Court concentrated its attention on the two main US legal authorities for conducting surveillance of foreign persons—Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. Neither of these offer surveilled foreign persons a mechanism to seek judicial redress or review in US courts, the CJEU pointed out. A substitute mechanism included in the Privacy Shield to provide administrative redress (the Ombudsperson) also failed to pass muster with the Court because it was not independent of the US executive and had not been granted the power to order the intelligence community to remedy a foreigner’s complaint.
The Court’s unstated message to the United States was readily apparent: any future agreement to replace Privacy Shield must provide “actionable rights” of redress for Europeans, or it will be similarly struck down. In the meantime, companies participating in the Privacy Shield must scurry to find alternative legal means for their transatlantic data flows.
Standard contract clauses are in danger
Oddly, the Schrems II case was not even supposed to be about the Privacy Shield. Max Schrems, the young Austrian privacy activist who brought the action against Facebook, had asked the CJEU only to determine whether standard contract clauses, the other principal transfer mechanism for commercial data, were consistent with EU privacy law. Another privacy activist, La Quadrature du Net, separately had filed a challenge to Privacy Shield that was pending at the CJEU’s lower instance, the General Court. The CJEU decided to decide the two matters together, however, because of the shared underlying questions relating to US surveillance.
Standard clauses, which are widely used on a global basis, oblige companies embarking on an international transfer to accord the data in question privacy protections that have been deemed sufficient by European privacy authorities. But, like Privacy Shield, these contractual protections do not prevent the receiving state from demanding access to transferred data for national security reasons.
The only good news to emerge for companies from Schrems II was that the CJEU did not simultaneously invalidate the use of standard contract clauses in transatlantic commerce. Instead, it held—rather improbably—that individual companies are in a position to impose “additional safeguards” to ensure adequate protection against surveillance for data they transfer. European national data protection authorities (DPAs), who have jurisdiction over the implementation of standard clauses, are to exercise their powers to suspend or prohibit specific data transfers not meeting this standard.
This theoretical prospect runs squarely into the Court’s holding on Privacy Shield, however: US surveillance laws were conclusively found in that context not to afford judicial remedies for Europeans who believe they may have been surveilled by the National Security Agency (NSA). We now can expect to see a steady stream of challenges by European DPAs to standard clauses, beginning in Ireland with Facebook’s data transfers to the United States that Max Schrems had challenged. The results will be piecemeal and take some time to arrive, but the ultimate conclusion is already obvious—many transfers pursuant to standard clauses will be blocked because of US surveillance law.
What’s a company to do?
The GDPR’s architecture for international data transfers do not offer companies good alternatives to standard clauses. The Court suggests they obtain consent from individuals for every data transfer, but that plainly is unworkable for big companies like cloud service providers that engage in systematic transfers to the United States. Many companies may decide simply to keep European-origin data in Europe; cloud providers, for example, already have invested enormous sums in building server farms on the Continent. At a minimum, data localization will add costs and technical complexity. Max Schrems himself has already suggested that localization is the answer, and the European cloud industry doubtless will trumpet the same message.
Companies now will have to rapidly assess how vulnerable data they send across the Atlantic under standard clauses is to US surveillance. Some categories, such as human resources data, are probably inherently not of much interest to the NSA, but communications records are presumably in a different category. Encrypting data also could frustrate the NSA, at least in certain circumstances.
For the time being, data transfers from Europe to the United States likely will continue unaffected under standard clauses. The EU’s Data Protection Supervisor (EDPS) has pledged to quickly develop guidance for companies on the changed legal environment. National DPAs could launch investigations against prominent US companies, but, if past practice holds, may forbear from definitive enforcement action until the US government and the EU can jointly figure out a way forward. US companies will need steady nerves during this uncertain interim period, since DPAs possess the eye-popping power to impose fines of up to 4 percent of a company’s global revenue for violations of the GDPR.
It’s not the first time that companies find themselves in this spot: something similar occurred in 2015 after the CJEU overturned the US-EU Safe Harbor Framework, the predecessor to Privacy Shield. Being caught between expansive US surveillance laws and expansive EU privacy norms is, in any event, not a comfortable spot for companies. They also have reason to feel aggrieved that the CJEU essentially has commanded them to undertake private reconciliation of these conflicting legal requirements.
Geopolitical implications
The US government and the European Union face a hard road ahead in responding to the Schrems II judgment. Transatlantic commerce, already reeling from the pandemic, now faces another potential severe challenge. US industry and Congress will press the administration hard to seek yet another negotiated solution, but the COVID-19 pandemic will impede face-to-face discussions with Brussels. More fundamentally, the administration may balk at complying with what amounts to a foreign judicial demand to change US surveillance law. National security hawks may see an opportunity, in an election season, to call for an aggressive US response. The domestic timing could hardly be worse.
The view from other states with robust surveillance apparatus is also ominous. The United Kingdom urgently needs a data transfer deal with the EU before the Brexit transition period expires at the end of the year. Its surveillance authorities surpass those of the United States in some respects, and—unlike in most of continental Europe—they are transparently written into law. EU negotiators now have additional ammunition to demand that the UK change its law to improve redress possibilities for surveilled EU citizens.
Israel already enjoys an EU adequacy finding, conferred at a time when the European Commission did not look closely into foreign surveillance laws. At some point, the Commission will have to revisit that decision in light of Schrems II. Data transfers to Israel under standard clauses could be challenged before DPAs at any time.
The hardest case for the EU will be China. Commercial data flows from the EU to China are already large, with annual exports of more than €200 billion. Chinese cloud providers and social media are deepening their European presence, and European manufacturers are constantly exchanging data with their Chinese facilities. Yet China’s privacy protections are not at Western level, and its surveillance authorities enjoy wide-ranging powers. Can a German car manufacturer really be expected to assess China’s surveillance laws and interrupt data flowing there under standard contract clauses? Is a German state data protection authority any better placed to make that decision? Clearly, Brussels ultimately will have to balance the CJEU’s strict privacy jurisprudence against the economic and diplomatic costs.
If there is a silver lining, it is that the European Union eventually will have to refashion an accommodation between privacy and surveillance that does not impede commerce—and do so on a global basis. In 2013, Edward Snowden turned the spotlight on US surveillance, and Washington and Brussels since have struggled to find a privacy equilibrium. China’s economic dominance, together with its newly-assertive foreign policy, means that the EU cannot any longer consider data transfers to be just a transatlantic quarrel. The global geopolitical consequences of the Schrems II judgment are just beginning.
Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Future Europe Initiative.