Max Schrems, an Austrian lawyer and privacy activist, first filed a privacy complaint against Facebook in 2011. Nine years and two landmark decisions from the Court of Justice of the European Union (CJEU) later, Schrems won a decisive victory for European citizens’ privacy rights. Yet the court’s second ruling, known as Schrems II, casts a shadow over the transatlantic alliance.
The second ruling effectively calls into question data flows from the European Union to the United States and restricts companies’ storage of EU personal data in the US. The CJEU ruled that American surveillance laws did not meet EU data protection standards. The ruling has ominous implications for the EU and the US’s relationship. In particular, it involves three stakeholders on both sides of the Atlantic Ocean: the national security community, business and economic interests, and privacy advocates. Although the US government could take a number of imperfect steps to address the consequences of the decision, it should pass privacy legislation that appropriately balances all three interests to mitigate the long-term harm that Schrems II could cause.
The CJEU’s July ruling poses a formidable risk to transatlantic business and has elicited criticism for overextending EU privacy rights and placing an unfair burden on other countries to meet the Union’s standards. Regardless of whether the Court made the correct decision or overstepped its authority over policymakers, Schrems II certainly empowers EU data protection and strikes a blow to US and EU international businesses.
Schrems II fits into a broader pattern of EU data diplomacy. Although cross-border data transfers are a relatively new phenomenon and there are few cross-border privacy agreements, the EU has sought to impose its privacy standards on other countries. The General Data Protection Regulation (GDPR), the Union’s privacy regulatory framework, subjects data transfers to “adequacy decisions” from the European Commission. This means the Commission can evaluate the privacy regulations in a country that might receive EU personal data and potentially restrict data flows if that country’s protections do not match EU standards.
This framework collided with data transfers to the US when Edward Snowden’s leaks revealed invasive American surveillance practices. Schrems was then able to argue that the US surveillance regime jeopardizes the privacy rights of EU citizens once their data enters the US.
The CJEU ruling in his favor casts doubt on key legal protections for personal data transfers from the EU to the US. It subjects Standard Contractual Clauses––commitments to handle data according to EU standards once it leaves the Union––to EU Data Protection Authorities’ (DPAs) assessments. This empowers DPAs, authorities whose main priority is privacy rights, to potentially suspend data transfers to another country if they deem the country’s privacy protections insufficient. The ruling also strikes down the US-EU Privacy Shield, which allows for companies to transfer data between the two jurisdictions and ensures privacy compliance. The ruling built on Schrems I, which established that the European Commission’s “adequacy” findings are subject to judicial review. Schrems II invalidates the Commission’s adequacy finding for the US and threatens data transfers across the Atlantic.
The ruling leaves US and European businesses vulnerable to potential lawsuits and data transfer suspensions. Although the economic ramifications of Schrems II are uncertain and difficult to quantify, data transfers affect more than just the digital sector. Service exports, a central piece of the transatlantic economy, rely on millions of data transfers per day. 5,300 companies use the Privacy Shield, 70 percent of which are small or medium-sized enterprises. Without the shield and other legal protections for data transfers, businesses may lose their ability to operate in the transatlantic market and successfully conduct business across both regulatory environments.
Schrems II marks another step in the history of strong EU data protection provisions. It also serves as an indictment of American surveillance law, which the CJEU deemed insufficient to protect European personal data. US national security practices have long approached security threats as a part of interconnected, global data flows. Schrems II signals pushback for the US not providing privacy protections that acknowledge the interconnectivity of these data flows and defend foreign citizens from unchecked surveillance. Any solution to the issues that the ruling poses should take these national security dynamics into account.
There are a number of potential responses to Schrems II that have significant drawbacks and do not appropriately address surveillance issues. One such approach is for the US government to enact trade sanctions against the EU. This would be futile, however, because the CJEU is a judicial body and will not change its decision based on political or economic pressures, unlike a legislative body like the European Commission. Companies could also use data localization––or storing European personal data in the EU––to avoid legal challenges. Yet this option is both expensive and operationally difficult to execute. The US has a much larger, cheaper, and more developed data storage industry than the EU. A shift toward data localization would require the costly construction of adequate data center capacity in the Union to meet the demands of transatlantic data flows.
Although there are other approaches to the aftermath of Schrems II, it is vital that the US government intervene with a piece of legislation which adequately accounts for European concerns so that the CJEU and EU privacy officials do not inhibit transatlantic data flows. To address the CJEU’s surveillance ruling, a legislative solution would require strengthening privacy protections for EU citizens, or foreign citizens at large, once their data enters the US.
In whatever form this privacy bill comes, it would likely necessitate concessions from the American intelligence community. Although this is a concern, collaboration with the EU on this issue could ultimately strengthen US national security interests in the long run. The US needs the EU for a range of national security issues, particularly in curbing China’s use of Huawei––the world’s largest telecommunications provider––to spy on other countries. American foreign policy cannot credibly demand that the EU protect their privacy interests by avoiding Huawei without accommodating EU privacy concerns in the US.
Regardless of whether or not the CJEU overstepped in its ruling, the US was bound to face pushback eventually for imposing its surveillance practices on allies without restraint. If American lawmakers want to defend the country’s business interests, they must rectify the power imbalance in the US’s national security relationship with the EU.
Ultimately, the US’s response to Schrems II could play a major role in the future of the transatlantic alliance. The relationship already sits in a delicate position as the Trump presidency has alienated European counterparts. A well-calibrated piece of legislation that appropriately addresses privacy, economic, and national security stakeholders on both sides of the Atlantic could serve as an olive branch to begin the Biden presidency and restore this historic relationship.