Sidley Austin has released Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States. The report—authored by a transatlantic team of attorneys and addressed to senior European officials and policymakers—provides a substantive roadmap for the comparative analysis of United States and E.U. member state data protections mandated by the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner. It ultimately concludes that the United States legal order, for both government surveillance and commercial protections, is—at a minimum—“essentially equivalent” to that of the E.U.
As previously covered on Lawfare, the Schrems judgment invalidated the European Commission order approving the U.S.-E.U. Safe Harbor Framework. The Commission must now determine whether the United States’ laws and practices afford an “essentially equivalent” level of data protection as that supplied in the E.U. under Article 25 of Directive 95/46/EC, read in light of the Charter of Fundamental Rights of the European Union. Absent such a finding—or in the case of a particular company, absent the use of certain contractual clauses—data transfers between the E.U. and the United States potentially violate E.U. law.
Despite these significant consequences, the CJEU decision does not specifically define “essentially equivalent,” nor does it set out the E.U. baseline or otherwise engage in the actual analysis. Rather, the CJEU alludes to a European Commission report regarding U.S. surveillance and suggests that “mass and undifferentiated” government surveillance would be inconsistent with the E.U. legal order. The Essentially Equivalent report provides the relevant substantive detail for the United States and the E.U., and compares the legal orders of the United States and eight illustrative E.U. member states objectively.
The report begins by analyzing the Schrems judgment in conjunction with the European Court of Human Rights’ interpretation of the E.U. Charter. It identifies four criteria by which to structure the essentially-equivalent analysis: (1) specific legal authority for the surveillance measures; (2) limitations in scope of surveillance; (3) proper oversight; and (4) the availability of legal remedies and redress.
The report then compares the surveillance and corresponding safeguard regimes in eight illustrative member states with the legal authorities governing U.S. law enforcement (the Wiretap Act and the Stored Communications Act) and the U.S. Intelligence Community (FISA Title I, Section 702, and Section 215). Notably, it debunks the CJEU’s suggestion that U.S. intelligence surveillance conducted on data transferred to and stored in the United States is mass and undifferentiated. Rather, the report highlights and reveals the various levels of judicial, executive, congressional, and independent oversight present in the United States’ legal order. By comparison, none of the eight illustrative member states offer this complete menu of supervision.
Finally, the report contends that the commercial protections afforded data transferred to the United States from the E.U. are also essentially equivalent. This analysis focuses primarily on the statutory law, common law, enforcement and litigation, and data-protection practices within the U.S. system.
Yesterday, the European Union and United States announced an agreement on a new framework for transatlantic data flows, knows as the “E.U.-U.S. Privacy Shield.” Essentially Equivalent showcases how privacy values are deeply embedded in United States law and practice and demonstrates that the United States’ system of protection of fundamental rights and freedoms meets the test of essential equivalency. Sidley Austin hopes this report will provides a basis for further informed discussions of the U.S.-E.U. comparison as the European Commission prepares an “adequacy decision” implementing the new data transfer framework.