The Trans-Atlantic Data Privacy Framework: The Court Decision That Kicked the Hornet's Nest - Fordham Intellectual Property, Media & Entertainment Law Journal

May 25, 2022 In Blog, Data, Data governance, European Union, Privacy, Technology By Vertis McMillan

The Trans-Atlantic Data Privacy Framework: The Court Decision That Kicked the Hornet’s Nest

On March 25, 2022, United States President Joe Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” on a new Trans-Atlantic Data Privacy Framework between the European Union (“EU”) and the United States (“U.S.”).^[1] This agreement may once again let the European Commission authorize trans-Atlantic data flows which enables the U.S.’ $7.1 trillion economic relationships with the EU.^[2] The agreement looks to “enable predictable and trustworthy data flows between the EU and U.S., [while also] safeguarding privacy and civil liberties.”^[3] This announcement comes with plenty of enthusiasm and support.^[4] However, there is a lot to be skeptical about.^[5]

First, the agreement is only “in principle”; therefore, there is currently no final text to review.^[6] Many details are yet to be determined, and the White House has indicated additional information is still to come.^[7] At this point, the announcement is not an agreement but instead a vague description of intent.^[8] Maximilian Schrems, an Austrian privacy advocate and main challenger to the previous trans-Atlantic data agreements, stated that the announcement was solely “a political announcement[.]”^[9] While, on April 21, the EU commission decided to fast-track the new agreement to replace the previous EU–U.S. Privacy Shield, the framework could be months away from implementation.^[10] The process for the EU to adopt the new framework may begin before this summer, but the final adequacy decision can be made within six months at the earliest.^[11] Second, if a new agreement is ultimately finalized, there is likely to be another legal challenge to the agreement in the EU and could be the setup for another Schrems showdown.^[12] Both the agreements were rejected by the courts in Schrems I and Schrems II because a safe harbor provision was seen to inadequately protect EU citizens from U.S. government surveillance.^[13] Organizations who are relying on an agreement for trans-Atlantic data flows hope this third try will work.^[14] However, Schrems indicated that if these issues are not resolved, he is “likely to challenge” it for a third time, stating “[w]e expect this to be back at the Court within months from a final decision.”^[15]

Generally, two obstacles are preventing an agreement in the wake of the Scherms II decision; (1) “building a workable redress mechanism for EU citizens in the US,” (2) and “whether the U.S. can meet the… standards for necessity and proportionality.”^[16] From the announcement, it remains uncertain whether the eventual executive order will be clear and precise on its scope and application and whether the U.S. intelligence services’ surveillance will a be restricted to what is “absolutely necessary” as required by Europeans.^[17] To further complicate the matter, the Supreme court’s decision in Federal Bureau of Investigation v. Fazaga provides more leeway for the U.S. government to invoke “state secrets” as a defense in spying cases.^[18] An opinion piece for The Hill written by Patrick Toomey and Ashley Gorski of the American Civil Liberties Union argues that the decision “will make it significantly harder… for U.S. and EU negotiators to secure a lasting agreement for transatlantic transfers of private data.”^[19] Even though this decision allows plaintiffs to pursue claims based on public information about the government’s surveillance, these cases are likely to fail since it is easier for the government to shield sensitive information, which is needed from the government to demonstrate its surveillance was illegal.^[20] These safeguards are likely to fail to meet the EU’s minimum privacy rules.^[21] Thus, no data-transfer agreement will survive unless the U.S. narrows the scope of its surveillance and ensures that individuals have a meaningful way to pursue accountability.^[22] Adding frustration to this point of controversy, EU member states are not held to this same standard as the US.^[23] Although U.S. surveillance law is set against “an idealized, formal standard set forth primarily in EU constitutional law[,]” Professor Kristina Irion from University of Amsterdam explains that “an EU member state’s own national security agency need not meet this standard, because the Union’s governing treaties state that ‘national security remains the sole responsibility of each member state.’”^[24] Stewart Baker, a contributor for Lawfare, refers to the matter as a “mix of judicial imperialism and Eurocentric hypocrisy.”^[25]

Regardless, the U.S. seems to be attempting a workaround. IAPP Chief Knowledge Officer Caitlin Fennessy suggested that “[w]hile we have yet to see the details, it seems both sides [are] working toward a lasting solution.^[26] If they wanted a temporary fix, they could have wrapped up talks months ago.”^[27] Over 5,300 companies are relying on the U.S. and EU to find a more permanent solution,^[28] and alternative proposals outside of a data transfer pact, such as data localization, are argued to make matters worse.^[29]

One of the more tangible workarounds suggested by Kenneth Propp and Peter Swire involves changing existing U.S. surveillance law and institutional mechanisms that can be adapted to the EU requirements.^[30] In response to the shut down of the original Safe Harbor Framework in 2015 by Schrems I, the U.S. and EU implemented the “Privacy Shield.”^[31] In this agreement, the U.S. designated the Secretary of State to receive requests and facilitate action from Europeans to access their personal data involving national security clearance.^[32] However, this required inadequate changes to U.S. surveillance law and the agreement was again shut down by Schrems II in 2020.^[33] This was because the Secretary of State did not have independence from the executive branch and consequently “lacked [the] power to take corrective decisions that would bind the intelligence community.”^[34] Therefore, there was no possibility of appealing to an independent and impartial court as required by the EU (i.e., lack of individual redress).^[35]

Propp and Swire’s solution involves two parts: (1) implementing a credible fact-finding inquiry into classified surveillance activities to ensure the protection of the individual’s rights, and (2) requiring the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur.^[36] They suggest a new statute to define the standard for these investigations that would apply both to U.S. and EU citizens.^[37] The statute would subject an agency’s decision-making to review by an independent Article III federal judge to solve the issue of redress.^[38] They then suggest two organizations to be subjected to this review: either (a) existing privacy and civil liberties officers (“PCLO”), or (b) the Privacy and Civil Liberties Oversight Board (“PCLOB”).^[39] The PClOB is already charged with protecting similar interests in relation to U.S. counterterrorism programs.^[40] However, PClOB’s statutory purposes are limited to oversight and policy of anti-terrorism at the programmatic level and not investigations of individual complaints.^[41] The PCLO already has responsibilities comparable to the corporate data protection officers under Articles 37 to 39 of the General Data Protection Regulation^[42] to investigate and address complaints regarding violations of privacy and civil liberties, therefore making them the best candidates.^[43]

Despite how these negotiations turn out, they are just one part of wider negotiations around data transfers at a global level. Similar to the woes suffered by the U.S. and EU, other countries and regions also have their differences regarding international data transfers.^[44] One step towards resolving this occurred on April 21, 2022, when the U.S. Department of Commerce (“DOC”) announced, along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei, the establishment of the Global Cross-Border Privacy Rules Forum.^[45] The announcement outlines the forum’s objective to create Global Cross Border Privacy Rules and Privacy Recognition for Processors Systems “to promote interoperability” and to “bridge different regulatory approaches to data protection and privacy.”^[46] The announcement details the forum’s principles, scope of activity, mode of operation, participation, and organization.^[47] Importantly, the forum looks to introduce an international certification system based on the Asia-Pacific Economic Cooperation CBPR and PRP Systems.^[48] Secretary Gina M. Raimondo of the DOC highlighted that this announcement “reflects the beginning of a new era of multilateral cooperation in promoting trusted global data flows that are critically important to our modern economy,” which is currently plagued by differences in privacy and security regulations between nations and help produce “more flexible mechanisms” countries can turn to.^[49]

Footnotes[+]

Footnotes
1	Press Release, White House, United States and European Commission Announce Trans-Atlantic Data Privacy Framework (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/ [https://perma.cc/8AQB-B9M3].
2	Id.
3	Jedidiah Bracy, EU, US Agree ‘In Principle’ to New Trans-Atlantic Data Agreement, Int’l Ass’n of Priv. Pros. (Mar. 25, 2022), https://iapp.org/news/a/eu-us-agree-in-principle-to-new-transatlantic-data-agreement/ [https://perma.cc/E6KE-KNFY].
4	E.g., Letter from U.S. Chamber of Com., to Joe Biden, President, U.S. (Apr. 26, 2022), https://www.uschamber.com/assets/documents/2022.4.26-US-Industry-Letter-on-New-Transatlantic-Agreement.pdf [https://perma.cc/74QP-UWK4]; Press Release, Swedish Authority for Privacy Protection, EDPB Comments on the Trans-Atlantic Data Privacy Framework (Apr. 7, 2022), https://www.imy.se/nyheter/edpb-uttalar-sig-om-trans-atlantic-data-privacy-framework/ [https://perma.cc/BL69-Z7PW]; Karan Bhatia, The Trans-Atlantic Data Privacy Framework: Building for the Long Term, Google: The Keyword (Mar. 28, 2022), https://blog.google/outreach-initiatives/public-policy/trans-atlantic-data-privacy-framework-building-long-term/ [https://perma.cc/AU85-85RW]; Press Release, Norwegian Data Protection Authority, New Agreement on the Exchange of Personal Data Between the EU and the USA (Mar. 29, 2022), https://www.datatilsynet.dk/internationalt/internationalt-nyt/2022/mar/ny-aftale-om-udveksling-af-personoplysninger-mellem-eu-og-usa [https://perma.cc/T5H6-5CT7].
5	See Tom De Cordier & Felix Glocker, EU Commission to Fast-Track Replacement of EU-US Privacy Shield, Lexology (Apr. 25, 2022), https://www.lexology.com/library/detail.aspx?g=41493504-d1dd-41fa-a940-d5a61482c742 [https://perma.cc/P79Q-BGN8].
6	See Bracey, supra note 3.
7	Id.
8	Bart Van den Brande, “Agreement” on a New Privacy Shield: Schrems III in the Making?, Lexology (Apr. 4, 2022), https://www.lexology.com/library/detail.aspx?g=24fe34ab-23cd-493d-b8ac-f09aca5c380e [https://perma.cc/4DZ6-Z2X7].
9	Max Schrems, “Privacy Shield 2.0”? – First Reaction by Max Schrems, NOYB (Mar. 25, 2022), https://noyb.eu/en/privacy-shield-20-first-reaction-max-schrems [https://perma.cc/F9H6-RADF].
10	See Cordier & Glocker, supra note 5; Christian Schröder et al., The United States and European Commission Announce a New Trans-Atlantic Data Privacy Framework, Orrick: Insights (Apr. 5, 2022), https://www.orrick.com/en/Insights/2022/04/The-United-States-and-European-Commission-Announce-a-New-Trans-Atlantic-Data-Privacy-Framework [https://perma.cc/33P8-B8NW].
11	See Cordier & Glocker, supra note 5; see also From Privacy Shield to the Trans-Atlantic Data Privacy Framework, Int’l Ass’n of Priv. Pros. (Apr. 2022), https://iapp.org/media/pdf/resource_center/privacy_shield_trans_atlantic_data_privacy_framework_infographic.pdf [https://perma.cc/63YQ-85HT].
12	See Bracey, supra note 3.
13	Elizabeth E. McGinn et al., U.S., E.U. Announce Trans-Atlantic Data Privacy Framework: What Companies Can Do Now, Lexology (Apr. 13, 2022), https://www.lexology.com/library/detail.aspx?g=029771da-54d0-430c-921d-8b02732114b4 [https://perma.cc/8LV5-NDHW].
14	See Van den Brande, supra note 8.
15	Schrems, supra note 9.
16	Bracey, supra note 3.
17	Cordier & Glocker, supra note 5.
18	No. 20–828, slip op. at 9–13 (2021).
19	Patrick Toomey & Ashley Gorski, The Supreme Court Just Made a US-EU Privacy Shield Agreement Even Harder, Hill (Mar. 21, 2022, 7:00 AM), https://thehill.com/opinion/judiciary/598899-the-supreme-court-just-made-a-us-eu-privacy-shield-agreement-even-harder/ [https://perma.cc/XBT3-2JZT].
20	Id.
21	Id.
22	Id.
23	Kenneth Propp & Peter Swire, After Schrems II: A Proposal to Meet the Individual Redress Challenge, LawFare (Aug. 13, 2020, 7:28 PM), https://www.lawfareblog.com/after-schrems-ii-proposal-meet-individual-redress-challenge [https://perma.cc/WXP6-KS9Y].
24	Id.
25	Id.; see generally Jeffery Atik & Xavier Groussot, A Weaponized Court of Justice in Schrems II, 4 Nordic J. of European L. 2021(2) (2021).
26	Bracey, supra note 3.
27	Id.
28	Cordier & Glocker, supra note 5.
29	See generally Maria Murphy, Assessing the Implications Of Schrems II For EU–US Data Flow, 71 Int’l & Comp. L.Q. 245 (2021); Anupam Chander, Is Data Localization a Solution for Schrems II?, 23 J. of Int’l Econ. L. 771 (2020).
30	Propp & Swire, supra note 23.
31	Id.; Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650 (Oct. 6, 2015).
32	Propp & Swire, supra note 23.
33	Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd., ECLI:EU:C:2020:559 (July 16, 2020).
34	Propp & Swire, supra note 23.
35	Id.
36	Id.
37	Id.
38	Id.
39	Id.
40	Id.
41	Id.
42	See Regulation (EU) 2016/679, 2016 O.J. L 119/1, available at https://gdpr-info.eu/.
43	Id.; Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110–53, 121 Stat. 266.
44	Joseph Duball, State of the Transfer: Global Data Flows in Focus, Int’l Ass’n of Priv. Pros. (Apr. 26, 2022), https://iapp.org/news/a/state-of-the-transfer-global-data-flows-in-focus/ [https://perma.cc/N3BN-SHEW].
45	Press Release, U.S. Dep’t of Com., Statement by Commerce Secretary Raimondo on Establishment of the Global Cross-Border Privacy Rules (CBPR) Forum (Apr. 21, 2022), https://www.commerce.gov/news/press-releases/2022/04/statement-commerce-secretary-raimondo-establishment-global-cross-border [https://perma.cc/6ZQ5-KDAV].
46	Id.
47	Press Release, U.S. Dep’t of Com., Global Cross-Border Privacy Rules Declaration (Apr. 21, 2021), https://www.commerce.gov/global-cross-border-privacy-rules-declaration [https://perma.cc/9ULR-3D5J ].
48	Jedidiah Bracy, US Commerce Dept. Announces ‘Historic’ Global CBPR Forum for Data Transfers, Int’l Ass’n of Priv. Pros. (Apr. 21, 2022), https://iapp.org/news/a/us-commerce-department-announces-historic-global-cbpr-forum-for-data-transfers/ [https://perma.cc/KL89-CC64].
49	Duball, supra note 44.

Vertis McMillan

Vertis McMillan is a second-year J.D. candidate at the Fordham University School of Law and a staff member of the intellectual Property, Media & Entertainment Law Journal. He holds a B.S. in Finance from the University at Albany (SUNY).

The Trans-Atlantic Data Privacy Framework: The Court Decision That Kicked the Hornet’s Nest

The Trans-Atlantic Data Privacy Framework: The Court Decision That Kicked the Hornet’s Nest

Share this:

Related

Vertis McMillan