On July 16, the Court of Justice of the European Union (CJEU) invalidated one principal legal method for the transfer of personal data from EU territory to the United States and cast substantial doubt on the validity of the other.
U.S. intelligence agencies can utilize personal data initially transferred for commercial purposes to the U.S. from Europe. Consequently, the CJEU insisted that the United States provide persons in Europe with “actionable rights” of challenge before U.S. courts that are “essentially equivalent” to privacy rights enjoyed within the EU. The Luxembourg-based CJEU, the EU’s judicial branch, found U.S. intelligence law lacked such individualized protections.
The immediate result is that more than 5,300 companies—European as well as American, small as well as large—no longer may rely on the U.S.-EU Privacy Shield as a basis for transferring personal data from Europe to the United States. The Privacy Shield is a 2016 agreement that allows companies to transfer data while ensuring compliance with privacy laws on either side of the Atlantic. Companies may continue, for now, to conduct data flows on the basis of standard privacy protection clauses built into international data transfer contracts—a second principal method that is used widely not only for transatlantic commerce but also globally. But the CJEU ruling may threaten the long-term future of this second legal method for data transfer.
In this post, we provide background on the case and describe its holdings, explore issues for the near term, and highlight geopolitical implications for data flows between Europe and other parts of the world that do not necessarily share a rule-of-law culture. This post builds on previous Lawfare posts by the authors that provide further background on the litigation.
From Edward Snowden to Luxembourg
The case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (colloquially known as Schrems II), is but the latest chapter in a long and tangled history of litigation before Irish and European courts about the intersection of EU privacy rights and U.S. surveillance law.
Schrems II’s origin lies in the voluminous disclosures by former National Security Agency (NSA) contractor Edward Snowden in 2013 about the nature and scope of U.S. national security surveillance programs. Maximillian Schrems, an Austrian privacy activist, soon complained to the Irish data protection commissioner that Facebook, which has its European headquarters in that country, could be ordered by the U.S. government to send the NSA his personal communications. Schrems asked that the Irish data watchdog overturn a European Commission decision on the validity of the underlying commercial data transfer mechanism, the U.S.-EU Safe Harbor Framework. Schrems’s first case made its way to the CJEU, which held in October 2015 that the Safe Harbor privacy protections to which Facebook was bound did not measure up to rights of redress conferred under the EU’s Charter of Fundamental Rights and its privacy legislation. This first ruling effectively invalidated the Safe Harbor Framework.
A year later, the U.S. and EU governments hastily put in place a successor, the Privacy Shield Framework, with strengthened protections designed to answer the CJEU’s criticisms. Undeterred, a group of European privacy activists (La Quadrature du Net) quickly filed a challenge to Privacy Shield at the European court. Max Schrems, meanwhile, launched a judicial attack in Ireland against the standard contractual clauses to which Facebook, like other companies, had turned in the wake of the sudden collapse of the Safe Harbor and before the adoption of the Privacy Shield. He pointed out that the U.S. intelligence community was just as likely to claim his Facebook data transferred under standard clauses as under the intergovernmental Safe Harbor arrangement. The CJEU eventually decided to consider together the parallel questions about the U.S. surveillance regime raised in the two separate cases.
The Schrems II Ruling
Stung by the ruling in the first Schrems case, both the U.S. government and business groups whose members rely heavily on transatlantic data transfers intervened in the successor proceedings. The Irish High Court and the CJEU had the benefit of numerous independent expert opinions (including one by Swire) detailing U.S. privacy protections in the surveillance context and the comparable practice of EU member states. The result of the second Schrems case, however, was arguably worse than that in the first: not only invalidation of a foundational transatlantic data transfer arrangement but also probable destabilization of the main alternative transfer method.
In its ruling, the CJEU first asserted its own primacy over the subject matter. It confirmed that EU privacy protections travel abroad with personal data originating in the territory of the EU, even when a foreign state’s national security organs subsequently claim access to that data—a nakedly extraterritorial assertion of EU jurisdiction. The court took the standards established in the EU Charter and its privacy legislation as the sole reference point for assessing a third country’s surveillance law protections for personal data. It opted for these stringent rules instead of either the more nuanced standards contained in the jurisprudence developed by the European Court of Human Rights (ECHR), the Strasbourg-based judicial arm of the Council of Europe, or those contained in member state constitutional law.
Standard clauses—which typically apply EU-style privacy requirements to data even after it goes outside the EU—can serve to vindicate Europeans’ privacy rights, the CJEU then found. The court stated that these clauses create the possibility for the parties to the contract, or for an EU member state data protection authority (DPA), to assess the privacy protections accorded under foreign surveillance law. Specifically, the company or DPA must determine that legal requirements (in the country receiving the data transfer) do not go beyond what is “necessary in a democratic society” to safeguard national security, defense and public security. Although a company or European DPA obviously lacks the ability to block surveillance by a foreign authority, it does possess the power to prohibit or suspend a particular international data transfer if it concludes that the standards of EU law are not met. This decentralized system of privacy protection could yield divergent rulings on foreign states by different European DPAs, but the CJEU expressed confidence that the new EU-level European Data Protection Board (EDPB) could harmonize practice in this respect.
The CJEU could have limited its judgment to standard clauses but instead chose also to decide the validity of the Privacy Shield decision, because of the shared underlying issues. In particular, it examined whether individuals whose personal data had been transferred to the U.S. under Privacy Shield and then accessed by the NSA enjoyed rights of redress in U.S. courts. While surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) must be authorized by the Foreign Intelligence Surveillance Court, the CJEU noted, that did not amount to judicial review in each individual case. Nor, it found, did surveillance conducted outside the United States, on the basis of Executive Order 12333, confer actionable rights, even when the additional protections for foreign persons under Presidential Policy Directive 28 are taken into account.
Finally, the CJEU found insufficient the administrative remedy—the designation of an ombudsperson—that the United States and the European Union had developed for both Privacy Shield and standard clauses as a way of affording Europeans at least some means of redress for alleged improper national security access to their personal data. The ombudsperson, an undersecretary of state, was not independent of the U.S. executive branch, the court pointed out, and lacked the power to take corrective decisions that would bind the intelligence community.
What Happens to Transatlantic Data Transfers Now?
Although some observers had predicted this sort of outcome, there is considerable uncertainty in these early hours about what level of change will be expected immediately. Secretary of Commerce Wilbur Ross immediately issued a statement for the administration, using measured words: “We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship.” After the 2015 Schrems decision, European regulators provided a grace period for transition, and at a practical level companies that were relying on the Safe Harbor Framework were allowed to continue data transfers on that basis until the new Privacy Shield came online. It is unclear whether that will happen again, as European data protection regulators have already begun to issue guidance, with varying interpretations of the implications of the new decision.
The CJEU’s decision sends mixed signals about how quickly companies must change their data flows. The court expects companies that export personal data to assess whether each of their data transfers has adequate protections; if they do not, the data protection supervisor in the EU member state from which the data is sent could then begin an enforcement action, which presumably could take a substantial amount of time. At the same time, the court flatly held that the EU Commission’s approval of the Privacy Shield “is invalid,” with no discussion of a transition period to enable companies to come into compliance.
One response from companies could be data localization—companies deciding to store in the EU all personal data originating there, due to the possible lack of a lawful way to export it. This would be a stricter version of data localization than other foreign jurisdictions demand, under which only a copy of the data must remain in the country, such as for access during law enforcement investigations. Keeping all personal data in Europe would be expensive and would cause numerous technical problems. But more fundamentally, it is hard to imagine how multinational companies and services could carry out their business if data entering the EU cannot emerge from it. The CJEU judgment does not concern itself with these sorts of practical difficulties.
Another response from companies could be to sit back and watch what develops. In other cases, the CJEU has issued strict privacy holdings, such as limiting the ability of law enforcement to engage in “data retention”—the practice of keeping government records of communications on the internet. Although the court ruled against such data retention in the 2014 Digital Rights Ireland case and the 2018 Tele2 Sverige AB case, some member states, in our understanding, have continued to utilize this information-gathering technique. A third data retention case is expected to be decided this fall, and that ruling will test the extent to which national security services can engage in the same type of data retention that the court did not permit for law enforcement purposes. In light of the slow pace of EU rulings and begrudging compliance by member states, one strategy for companies in the face of Schrems II may be to continue with business as usual and wait and see if consequences follow.
The risk of this approach, however, is the enormous level of fines that may now be imposed by data protection authorities under the General Data Protection Regulation (GDPR), which came into effect in 2018. The maximum fine for violations is 4 percent of a company’s revenue—based not on its EU economic activity but on its global revenue. Even though these fearsome penalties have not been imposed to date, corporate leaders face considerable risk if they decide to sit back and do nothing in the face of the Schrems II decision.
One further possibility is that companies can examine the facts of their actual data transfers and conclude that the risk of NSA surveillance is very low for their data. For instance, a company that transfers only routine human resources data might conduct due diligence and learn that it has never been the subject of a National Security Letter or FISA request. In such instances, the company might reach the conclusion that standard contractual clauses provide legally adequate protection for personal data transferred from the EU. Although this option may be worth exploring for some companies, the theory is untested, and it is far from clear which EU regulatory authority can provide comfort that such transfers are lawful.
Thus, there is great uncertainty in these early days about how data transfers should—or should not—proceed. As a minimum initial step, European officials should provide an ample transition period before taking any enforcement action.
The Global Impact of the Ruling
From a geopolitical perspective, Schrems II quite possibly will have a more severe effect on data flows to China, Russia and other authoritarian states than on flows to the U.S. The CJEU instructs companies, when exporting personal data under standard contractual clauses, to assess protections “as regards any access by the public authorities of that third country to the personal data transferred [and] the relevant aspects of the legal system of that third country.” Unless the protections in China or some other country are “essentially equivalent” to protections in the EU, the company is supposed to cease the transfers. In addition, “the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence.”
The top privacy regulator for the EU, European Data Protection Supervisor Wojciech Wiewiórowski, recently commented to Politico that the U.S. is “much closer” to the EU than China in terms of shared values. He added: “I have never hidden that we have a preference for data being processed by entities sharing European values.” The EU and U.S. have a shared tradition of fundamental rights protections and the rule of law. The United States, especially after the 2015 passage of the USA Freedom Act and other post-Snowden reforms, has been rightfully described by Oxford expert Ian Brown as “the baseline for foreign intelligence standards.” Although advocates and experts will always disagree about the precise contours of safeguards, the U.S. undoubtedly has established an extensive, multilayered set of safeguards to govern national security surveillance.
By contrast, Freedom House reported: “China was once again the worst abuser of internet freedom in 2018.” (The United States ranked sixth best of the 65 countries surveyed.) In addition, data flows from the EU to China are much larger than many people realize, with EU annual exports of 200 billion euros, including via TikTok, Alibaba, and Tencent. If there is an open question whether data transfers from the EU to the U.S. comply with new European law, there is a clear answer on China and other authoritarian regimes—their safeguards bear no “essential equivalence” to EU standards of privacy.
It is time for Europe to shine an enforcement spotlight on data transfers from its territory to authoritarian countries and other countries that lack the rule-of-law safeguards present in the U.S. system. Such an approach is compelling as a matter of privacy and fairness—focus on the countries that have the worst laws. Broader enforcement also would help the EU understand more fully the global economic implications of its stringent privacy jurisprudence. Once these practical implications become more apparent, a greater willingness could emerge among the various European actors to find approaches that work for national security and global trade as well as for privacy.
The Schrems II ruling also has implications for the EU’s own neighborhood. Numerous independent analyses, including by the EU’s own Fundamental Rights Agency, have documented great variations in rigor among privacy safeguards against surveillance conducted by EU member states under domestic legal authorities. Even states with deep commitments to the rule of law, such as the United Kingdom and Israel, conduct extensive surveillance for national security purposes, potentially running afoul of the CJEU’s rigorous standards.
In a future post, we plan to explore whether and how the U.S. and the EU might negotiate a successor agreement to Privacy Shield. For the moment, the Schrems II judgment has created enormous uncertainty about how companies in good faith should proceed with their cross-border data activities. More encouragingly, the court has opened the door for an examination of the sufficiency of privacy protections in standard contract clauses not just in relation to the United States but also across the globe. What began as a simple request to Facebook from student Max Schrems has turned into a geopolitical phenomenon.