*Article originally posted on IAPP.org*
We are all hopeful the U.S. government can reach an agreement with the European Commission and other EU authorities on a so-called “Privacy Shield 2.0” in the near term. Such an updated arrangement is essential to provide certainty to trans-Atlantic business and assure a high level of protection for personal data transfers.
But what’s next?
Over recent years, we have witnessed the Court of Justice of the European Union invalidate one trans-Atlantic commercial data transfer vehicle after another based on U.S. surveillance law and practice. Commercial organizations have no meaningful control over what local laws and courts demand with respect to government access to data. What can be done to establish a long-term solution that helps achieve the objectives of ensuring essential data privacy protections while protecting national security interests? More broadly, how can the Biden administration proactively address comparable cross-border data transfer restrictions emerging in federal data protection laws around the globe?
No doubt, much more can and needs to be developed on this critical topic, but the time has come to move toward a multilateral solution on data protection and government access to data.
The 1995 EC Directive’s cross-border data transfer restriction
When the EU adopted the EC Data Protection Directive in October 1995, it established the world’s first commercially significant cross-border personal data transfer restriction. Articles 25 and 26 provided that a controller in the EU could not transfer personal data to a third country, such as the U.S., unless there was “adequate protection” for the personal data in the third country or an exemption or derogation, such as the consent of the data subject, applied. The purpose of the requirement was to assure there was no leakage of personal data to a third country where the fundamental data protection rights of individual data subjects in the EU could be infringed without recourse to the data protection authorities and courts in the EU.
The adoption of this cross-border personal data transfer restriction set off a potential trade conflict with the U.S. and other non-EU jurisdictions. An initial question was whether the EU could actually enforce this new requirement without violating the most favored nation and national treatment obligations under the World Trade Organization and its agreements, including the WTO General Agreement on Trade in Services.
However, the EU had already anticipated and addressed that concern. Specifically, in 1994, the year before the adoption of the 1995 EC Data Protection Directive, the EU had secured the inclusion of a “General Exception” in Article XIV(c)(ii) GATS for “measures necessary for … the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.”
Although this General Exception did not give the EU the right to apply these measures in a manner that would constitute “arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services,” it did give the EU some wiggle room to take action in furtherance of data protection interests.
The early years of US-EU Safe Harbor
Rather than entering a trade war on the issue, which likely would have benefitted neither privacy protections nor commercial interests, a U.S. Department of Commerce official, Barbara Wellbery, initiated a discussion with Sue Binns, an official with the European Commission, to see if they could build a trans-Atlantic bridge on data protection. After three years of increasingly high-profile discussions, the U.S. Department of Commerce and European Commission completed talks on the U.S.-EU Safe Harbor Privacy Arrangement. U.S. companies agreed to adhere to the Safe Harbor Privacy Principles and related FAQs, as well as the authority of the U.S. Federal Trade Commission and/or the U.S. Department of Transportation.
In July 2000, the European Commission adopted its decision finding that Safe Harbor provided adequate protection within the meaning of Article 25(6) of the EC Data Protection Directive. Over the next 15 years, more than 4,000 U.S. organizations participated in the program, and tens of thousands of EU data controllers benefitted from having certainty about the protections for the transfer of personal data to these companies. Individual data subjects also benefitted because reputable U.S. companies, concerned about the threat of FTC/DOT enforcement, maintained rigorous programs implementing the Safe Harbor Privacy Principles.
Safe Harbor to ‘Schrems I’
During the 15 years that Safe Harbor operated as a valid EU-to-U.S. data transfer vehicle, before invalidation by the CJEU in 2015, much happened in the world.
Economically, the world experienced a roller coaster with the dot-com bubble burst, followed by a recovery, a financial crisis driven by a mortgage meltdown, then another recovery. All the while, in the background, we had the internet and personal data steadily assuming a more central role in commerce across all industry verticals.
On a separate thread, we experienced the emergence of deadly terrorist attacks and, consequently, heightened government surveillance. The Sept. 11, 2001, terrorist attacks dominated attention in the U.S., while terrorism spread worldwide with attacks in Bali, Brussels, Istanbul, London, Mumbai and Paris, attacks by Boko Haram and, unfortunately, attacks in many more cities.
In response, the U.S. adopted the USA Patriot Act and launched a series of threat monitoring initiatives to thwart or mitigate further terrorist attacks. Intelligence agencies in other jurisdictions exchanged information with U.S. intelligence agencies and conducted their own surveillance activities.
Although the noble intent of the intelligence-gathering activities was clear, as with any government action, questions soon emerged about the scope of the activities. In 2013, a former intelligence officer turned whistleblower, Edward Snowden, surprised the world with revelations about U.S. intelligence agency data gathering practices, including using the USA Patriot Act to engage in bulk data collections from the internet, social media and telecommunications companies in the U.S. Some of these companies participated in Safe Harbor and had certified to its principles.
Among others, Snowden’s revelations piqued the interest of Max Schrems, an Austrian data protection activist. Schrems brought claims against a social media company headquartered in the U.S., with lead EU operations in Ireland, on the ground that its data transfer vehicle, the Safe Harbor, did not actually provide adequate protection for EU personal data. A core aspect of the claims was that Safe Harbor enabled the Irish subsidiary to send personal data to U.S. headquarters, but the onward transfers to U.S. intelligence agencies, while mandated by U.S. law, violated the EC Data Protection Directive’s adequacy requirement, the EU Charter of Fundamental Rights and other provisions.
Schrems’ claims made their way to the CJEU. On Oct. 6, 2015, in a ruling now referred to as “Schrems I,” the CJEU invalidated the European Commission’s decision finding Safe Harbor provided adequate protection. The core of the CJEU’s concerns with Safe Harbor revolved around U.S. intelligence agencies’ access to personal data.
Chaos followed “Schrems I” in the market. Overnight, thousands of U.S. organizations participating in Safe Harbor and thousands of EU companies relying on it to make their transfers were tossed out of compliance. It was bewildering for the great majority of U.S. companies with well-developed commercial privacy programs based on Safe Harbor rules that had never engaged in any data sharing with U.S. intelligence agencies. Those companies suddenly learned the Safe Harbor commercial protections were no longer good enough to protect EU personal data based on some theoretical risk of disclosure to U.S. authorities.
Privacy Shield to ‘Schrems II’
When the CJEU handed down its decision invalidating Safe Harbor, it was not a complete surprise to everyone. The U.S. Department of Commerce and European Commission were already deep into discussions on an upgraded trans-Atlantic data transfer mechanism in light of the pending upgrade of EU data protection rules to the EU General Data Protection Regulation. The new mechanism was later unveiled as the EU-U.S. Privacy Shield Arrangement.
Privacy Shield benefitted from various privacy-friendly enhancements to U.S. law and policy on national security surveillance and was well documented by U.S. government authorities as part of the framework. Shield also embedded other novel features, including an Ombudsperson Office within the U.S. State Department to receive concerns from EU data subjects on intelligence agency surveillance and an annual review process to evaluate how the program was being implemented in practice.
But Schrems was not yet done. He brought another case, again in Ireland, against the same social media platform. This claim focused on the company’s use of EC standard contractual clauses to protect data transfers to the U.S., and again the case was elevated to the CJEU for consideration. Although the claims focused on the SCCs, certain aspects of the case (e.g., the Ombudsperson Office’s availability under Privacy Shield, the law and policy of the U.S. on intelligence surveillance) raised ancillary questions about Privacy Shield.
On July 16, 2020, the CJEU released its decision, which thankfully upheld the use of SCCs for data transfers, so long as certain conditions are met, but unfortunately invalidated the European Commission’s adequacy finding for Privacy Shield. The focus of the court’s decision was once again on perceived inadequacies of U.S. law and policy on intelligence surveillance, including apparently insufficient rights of data subjects and the inability to raise complaints, among other factors. Again, as with Safe Harbor, overnight, thousands of U.S. organizations and many thousands of EU organizations found their legal mechanism for trans-Atlantic data transfers was no longer adequate. And, as with Safe Harbor’s invalidation, companies began right away to transition away from Privacy Shield and implemented SCCs and other approaches to address cross-border data transfers.
Privacy Shield 2.0
Recognizing the criticality of establishing certainty for EU to U.S. data transfers in the digital age, the Biden administration has moved quickly to appoint Christopher Hoff, CIPP/E, CIPP/US, CIPM, to lead the U.S. Department of Commerce discussions with the European Commission on an updated version of Privacy Shield. Hoff has deep experience on these issues and is well qualified to work with U.S. government officials in other agencies on these important negotiations. An expedited process to establish Privacy Shield 2.0 could consider key enhancements to U.S. policy and practice on surveillance and highlight existing privacy rights and protections under current law. In the short term, it would provide trans-Atlantic commerce with some critical certainty, help avoid arbitrary enforcement against companies based on “Schrems II” and assure greater commercial privacy protections for EU personal data.
Long-term solution: A multilateral privacy agreement
But what’s next after Privacy Shield 2.0? What would really stop the CJEU from revisiting the issue in a future case and deciding yet again that, notwithstanding all the privacy enhancements to U.S. law and policy on surveillance, Privacy Shield 2.0 does not match what it would like to see to address the cross-border data transfer restriction under the GDPR, the charter or other rules? And what about all of the other countries that are adopting EU-style cross-border data transfer restrictions into their data protection laws?
The Biden administration should consider a long-term solution for more certainty on global personal data transfers. Some of the core principles that would underpin this initiative include the following:
- Democratic societies have a common interest in protecting their citizens against international terrorism and must be permitted to obtain, use and share information as necessary to achieve this common interest.
- The rights and responsibilities of democratic societies to protect citizens against international terrorism cannot be applied in a manner that infringes the fundamental human rights of their citizens, including data protection, freedom of expression, religious and philosophical freedom, and other fundamental rights.
- Democratic societies have an obligation to establish and maintain data protection laws and requirements for commercial organizations concerning the collection, use, disclosure and retention of personal data about individuals.
- Commercial organizations have no meaningful control over obligations imposed by local laws and courts to disclose information to government authorities. It is unfair to establish data protection standards that evaluate the adequacy of a commercial organization’s data protection practices based on any mandatory disclosures to government agencies.
- Democratic societies should establish a convention or other multilateral instrument that reflects the fundamental principles through which intelligence agencies can and should obtain, use and share information as necessary to protect against international terrorism while respecting the privacy and other fundamental human rights of the citizens of democratic societies.
- Commercial organizations established in democratic societies that are participating in the Multilateral Privacy Agreement must be permitted to engage in the free flow of personal data between and among internal group operations and third parties in participating democratic societies, without restrictions based on local laws regarding government access to data and/or data protection.
Several international organizations could serve as the forum for the development of such a treaty or multilateral instrument. For example, the Organisation for Economic Co-operation and Development promulgated foundational multilateral principles on data protection in 1980 and has a proven track record with developing and implementing a highly successful binding convention on anti-corruption matters. The WTO has adopted an agreement with minimum standards for local laws on intellectual property rights. It has conditioned participation in the WTO’s multilateral trade framework on each member state’s adoption of such requirements into local laws. The Council of Europe has adopted a convention on cybercrime in which the national security and intelligence agencies of the member states participated directly in the negotiations.
Regardless of the forum, the implementation of the Multilateral Privacy Agreement would be critical.
For example, under the GDPR, the European Commission could issue an adequacy finding for all countries adopting such a multilateral instrument. Or perhaps even better, the GDPR could be updated to clarify that “third country” within the meaning of Articles 44 to 49 does not include jurisdictions that adopt such a multilateral instrument. Other steps would need to be taken to implement the agreement into local laws in jurisdictions around the world. This would set a course to establish a high level of global data protection while allowing the free flow of personal data among the participating democratic societies.
While no solution can offer perfect certainty on these complex issues in the digital age, the Biden administration should certainly “go big” to seek to establish a long-term solution to global data transfers. The benefits to global commerce and fundamental human rights would endure for many years.