The Schrems II decision by the European Court of Justice (CJEU), its second ruling in three years concluding that American digital surveillance practices fail to abide by EU privacy law, has made it necessary for the Biden administration to reach a new accord with the EU on how to balance digital surveillance practices with rights to privacy. Until such an accord is reached, the ruling will restrict and potentially disable the mechanisms that American businesses have relied on to transfer personal data from the EU to the United States. Such restrictions would reduce digital trade and have negative economic repercussions on both sides of the Atlantic.
While restoring a stable basis for U.S.-EU data flows will require further reform of U.S. surveillance practices, the implications of Schrems II go beyond U.S.-EU relations and extend to all countries engaged in digital surveillance practices, which now face an increased risk of not meeting EU rights to privacy and having data flows cut off. Because U.S. and European state-level security agencies engage in extensive data-sharing, the United States must seek agreement with all EU member states on a common approach to balancing digital surveillance with privacy standards. Success here will provide a strong basis for cooperation on other technology issues, including the EU’s proposed joint EU-U.S. tech agenda.
The Schrems II decision
The CJEU’s decision in Schrems II invalidated the European Commission’s decision regarding the adequacy of the EU-U.S. Privacy Shield, which allowed for the transfer of personal data from Europe to the United States. Adequacy decisions provide a legal basis under the EU General Data Protection Regulation (GDPR) for transferring personal data from the EU to the United States. An adequacy decision is a finding by the European Commission that a third country’s privacy law is essentially equivalent to EU privacy standards.
In invalidating the adequacy decision for Privacy Shield, the court concluded that surveillance practices by U.S. national intelligence agencies fail to meet European privacy standards, given the lack of redress provided to those targeted for surveillance and independent judicial review for EU citizens. Following this decision, in September 2020, the Irish Data Protection Authority sent Facebook a preliminary order to suspend data transfers from the EU to the United States. Facebook has secured a temporary freeze on this order and stated that it will be unable to operate in the EU should it be unable to transfer personal data to the United States.
Schrems II also destabilized the other main GDPR mechanisms for transferring personal data from the EU to third countries, namely standard contractual clauses (SCCs) and binding corporate rules (BCRs), by requiring additional safeguards that are not readily available. SCCs contractually bind third parties that receive the personal data of EU citizens to provide privacy protections consistent with GDPR. BCRs do the same, but for entities in a conglomerate receiving such data. As these mechanisms only bind the private entities receiving the data, they do nothing to remedy the types of government surveillance at issue. The CJEU nevertheless held that SCCs remain valid where the parties put in place “additional safeguards”. According to recommendations from the European Data Protection Board (EDPB), “additional safeguards” for SCCs, such as encryption and pseudonymized data, would also require that the data cannot be decrypted by national security agencies. But making such an assurance would require knowledge of the capabilities of other countries’ national security agencies that is so unrealistic as to make such additional safeguards unavailable for most, if not all, businesses.
One standard for the U.S., another for Europe
When it comes to balancing digital surveillance with privacy, the CJEU in Schrems II and other cases has applied one legal standard to assess U.S. surveillance practices, and another more flexible standard to digital surveillance conducted by European governments.
When it comes to European governments, the Lisbon Treaty carves out member state national security laws from EU law. However, recent CJEU decisions found that EU member state measures that require electronic communication providers to forward bulk data to intelligence agencies for surveillance purposes, or to provide intelligence, fall within the scope of the e-Privacy Directive and are subject to EU law. In delineating the legal guardrails applied to EU member state surveillance, the CJEU observed a distinction between access to data to gather evidence for a criminal prosecution and access to data for national security purposes, finding that it would accord greater deference to member state surveillance conducted for national security purposes. According to the CJEU, when it comes to the objective of safeguarding national security, even more serious interferences with fundamental rights such as privacy may be justified.
This willingness of the CJEU to offer discretion to European authorities to balance rights to privacy and security was informed by jurisprudence from the European Court of Human Rights (ECHR), but when it came to the United States in Schrems II, the CJEU rejected ECHR jurisprudence as relevant, leading the court to apply its “proportionality” principle more rigidly, requiring that limitations on EU privacy rights be “strictly necessary”.
The greater flexibility shown by the CJEU to EU member state surveillance also stands in contrast with what actually happens in the United States, in particular with respect to surveillance authorized by Section 702 of the Foreign Intelligence Surveillance Act. Under this program, the U.S. government can only acquire the communications data of any person (including an EU citizen or resident) upon a written certification from the U.S. Attorney General and Director of National Intelligence, accompanied by targeting procedures outlining which person’s communications may be acquired. The Foreign Intelligence Surveillance Court (FISC) must approve those targeting procedures, which are then binding on the government. These processes and oversight are considered world class and more robust than in most EU member states.
But additional reform is needed to improve U.S. surveillance oversight, particularly in light of the Justice Department Inspector General’s examination of FBI applications to the FISA court during the 2016 investigation of Russian meddling in the U.S. election. While the focus of the IG report was on surveillance of U.S. citizens, the report documented shortcomings in how applications were prepared and illustrated the need for greater transparency and oversight of the FISA process. Such reforms should improve how U.S. national security agencies engage in surveillance of both U.S. and non-U.S. persons.
The need for U.S.-EU agreement on digital surveillance
While Schrems II was about the consistency of U.S. surveillance practices with GDPR and EU fundamental rights to privacy, the case also makes clear the limits to relying on privacy to address surveillance concerns. There is extensive cooperation among national security agencies, including intelligence sharing among the so-called “Five Eyes”—the United States, United Kingdom, Canada, New Zealand, and Australia—as well as intelligence sharing between U.S. and European intelligence agencies, including those of Germany and France. As a result, absent agreement on national security surveillance standards, applying a stricter proportionality standard to U.S. surveillance practices will be undone by data sharing with European national security agencies, where surveillance practices are subject to less oversight and fewer rights of redress than in the United States.
This underscores the need to broaden the U.S.-EU discussion beyond the CJEU and GDPR to include European governments that have jurisdiction over national security, including digital surveillance. The United States needs to take the lead in setting out a model that effectively balances the needs and practices of national security agencies with rights to privacy. In this respect, U.S. requirements, principles, transparency, and judicial review of its national security agencies are already the global benchmark. Further U.S. reform is likely needed, including to meet EU privacy rights, but European governments also need to raise surveillance standards up to what is expected of the United States.
For the United States, reforms to bring U.S. law up to European privacy standards might include legislating into law the 2014 Presidential Policy Directive (PPD) 28, which sets out principles and limits on U.S. data collection aimed at balancing national security needs and securing privacy. U.S. policymakers might also make the State Department’s ombudsperson charged with handling requests related to the Privacy Shield fully independent and provide more effective remedies to EU citizens targeted by U.S. surveillance activities. Such reform should be the basis for a U.S.-EU Agreement on digital surveillance.
More broadly, how the United States and the EU resolve how to balance national security needs with expectations of privacy will have both bilateral and global impacts. Failure to resolve these tensions will undermine efforts to build a new transatlantic partnership on technology, and instead could accelerate the splintering of the global internet into two spheres dominated by the United States and China, with the possibility of a third governed by the EU. Data flows between each bloc would be increasingly restricted, with negative implications for international relations, innovation, and trade.
Joshua Meltzer is a senior fellow in the Global Economy and Development program at the Brookings Institution.
Facebook provides financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.
Commentary
Why Schrems II requires US-EU agreement on surveillance and privacy
December 8, 2020