- Juulia Zhou
The uncertainties regarding transatlantic data transfers
A clear legal framework for the transfer of data between the EU and the US seems like an undisputed necessity, since the transatlantic region is the largest area in the world for digital trade. Providing digital services depends on cross-border data flows. However, transferring data between the United States and the European Union has been subject to uncertainty, as the US has been unsuccessful at providing a sufficient level of protection for data subjects in the EU. The EU has acknowledged that ensuring such data flows is a necessity for the expansion of international trade and cooperation. Yet the difficulty of balancing trade and national security interests with the rights guaranteed in the General Data Protection Regulation (GDPR) has stood in the way of creating a sustainable mechanism for EU-US data transfers. Further, European case law is developing in a direction that casts further doubt on transatlantic data transfers.
This blog aims to provide an overview of how transatlantic data flows have become the subject of extreme ambiguity and to anticipate the developments of the coming months.
Safe Harbor and Privacy Shield
Under the Data Protection Directive, data transfers to third countries were prohibited unless an adequate level of data protection could be ensured through an adequacy decision or other appropriate safeguards. In 2000, the Commission issued an adequacy decision to enable data transfers between the US and the EU. The decision concerned the Safe Harbor mechanism: an opt-in program whose participants could self-certify their commitment to protecting the data of European citizens in the United States.
In 2013, Austrian law student and activist Max Schrems challenged the Safe Harbor scheme by lodging a complaint with the Irish Data Protection Commissioner. The complaint concerned Facebook Ireland’s use of the Safe Harbor mechanism for transferring Schrems’s data to the US, where Edward Snowden’s revelations about mass surveillance had raised doubts about the level of protection enjoyed by the transferred data. The case ended up before the Irish High Court and was referred to the Court of Justice of the European Union (CJEU), whose conclusion was that the Commission’s Safe Harbor adequacy decision was invalid. Firstly, the scheme did not apply to US public authorities, and secondly, in a case of conflict, US actors could disregard all of the protective rules on the basis of US national security, public interest, and law enforcement requirements. The ability of the US authorities to access the transferred personal data, and their processing of that data, was incompatible with the purposes for which those data were transferred. Thus, the US authorities went beyond what was strictly necessary and proportionate to protect national security. Lastly, European data subjects had no access to an effective remedy regarding the interference of US public authorities with their fundamental rights.
After the Safe Harbor decision was invalidated, most companies relied on standard contractual clauses (SCCs) to carry out data transfers to the US. At the same time, the Commission developed a new scheme, the Privacy Shield. SCCs approved in standardized form by the Commission are adequate safeguards under EU data protection law and have essentially become the only practical solution for transatlantic data transfers. However, Schrems filed a new complaint about Facebook’s use of controller-processor SCCs, as well as the new Privacy Shield. Schrems claimed that, even when bound by the SCCs, US law required Facebook to allow US authorities access to his data in a manner that violated European law.
The Irish High Court referred the matter to the CJEU, which held again that the mass surveillance enabled by US law exceeds what is necessary, meaning that the level of protection of the Privacy Shield was still not equivalent to what was required. The Privacy Shield program was found to violate Articles 7, 8, and 47 of the Charter of Fundamental Rights and Article 45(1) of the GDPR. The controller-processor SCCs remained valid, but the Court stated that controllers are responsible for verifying that the transferred personal data is adequately protected. Furthermore, controllers must suspend or prohibit transfers where protection is inadequate.
Following the Schrems cases, the data transfer landscape has been confusing and uncertain for both EU and US companies. Furthermore, the Union’s position on mass surveillance seems to grow more complicated: the CJEU has recognized mass surveillance as a legitimate interest for the purposes of national security within the EU, while the Schrems cases take a stringent stance against it. After the Schrems II case, the Commission published a revised set of SCCs that assign more accountability to data importers. Yet, the nature of the SCCs implies that data importers must still abide by the problematic US laws. Hence, the future of SCCs remains uncertain.
In the absence of a fixed mechanism for data transfers, European case law has started to add pressure to the negotiations, again with Max Schrems as the driving force. His organization, NOYB, lodged 101 complaints across Europe against websites utilizing the analytics tools of Google and Facebook. The Austrian Data Regulator has already stated that the website NetDoktor’s use of Google Analytics violated the GDPR. In addition, the French privacy regulator CNIL recently ruled in a landmark decision that the use of Google Analytics by an unnamed website was non-compliant with the GDPR.
The uncertainty and instability regarding transatlantic data transfers put both US and EU companies in a difficult position. Alex Greenstein, the Director of the EU-US Privacy Shield Program, acknowledged the problem at the State of the Net Conference on the 28th of February 2022. According to Greenstein’s speech, there is a strong push to finish the negotiations as soon as possible. While he could not provide a timeline, an agreement to simplify the exchange of personal data could be announced as early as the coming spring. In addition, according to Sean Heather, the senior vice president of regulatory affairs for the US Chamber of Commerce, Russia’s invasion of Ukraine has further driven the sense of urgency for international cooperation.
Thus, a much-needed solution for the ambiguities regarding data transfers between the EU and the US is hopefully underway. In the meantime, companies ought to keep an eye out for the outcomes of the fragmented administrative and judicial proceedings transpiring in Europe while relying on SCCs to transfer data.