Data transfers are at the heart of the robust transatlantic economy, but they have long been plagued by Europe’s doubts about privacy protections in the United States.
The economic stakes are high. Information and communications technology (ICT) services such as social networks and cloud service providers depend on cross-border data transfers, as do other services that can be delivered over ICT networks, including engineering, software, design, and finance. Although trade in digital services is hard to measure precisely, it has become one of the fastest-growing areas of U.S. international trade. In 2017, digital services constituted 55 percent of U.S. services exports and yielded 68 percent of the U.S. global surplus in services trade, according to a transatlantic trade study. U.S. exports of digital services to Europe that year amounted to $204.2 billion, generating a surplus of more than $80 billion. The transatlantic market is the world's largest for digital trade.
In order to maintain and expand this trade, U.S. policymakers should develop a strategy to address the concerns of the European Union (EU) and promote cooperation with other democracies at a multilateral forum, such as the Organization for Economic Cooperation and Development (OECD), to develop a shared legal framework for government access to personal data.
In mid-July 2020, in a case known as Schrems II, the Court of Justice of the European Union (CJEU), the EU’s highest judicial body, threw into doubt whether companies could continue to transfer personal data to the United States.
The headline from the CJEU ruling was that Privacy Shield, a data transfer arrangement between the United States and the European Union, was invalidated with immediate effect, affecting more than 5,300 companies that relied on it. However, the court endorsed the continued use of so-called standard contractual clauses (SCCs), an alternative, contractual set of privacy guarantees under which data importers in the United States and other countries commit to accord European-origin data the same level of privacy protection that it would enjoy within the EU. Companies that rely on SCCs initially believed they had dodged a bullet.
Indeed, the Schrems II ruling did not immediately change the situation for companies exporting data to the United States. A survey conducted by a European law firm revealed that only 12 percent of companies intend to reduce their data exports to the United States, and hardly any plan to cease them entirely. But as companies have considered the full logic of the judgment, a more alarming reality has emerged. The CJEU gave SCC-reliant companies a reprieve, but likely only a temporary one. Soon after the CJEU ruling, the Irish Data Protection Commission (DPC) notified Facebook of its proposed decision to suspend SCC use for massive data transfers from Europe to the United States. Facebook won a temporary injunction against the DPC order, starting yet another phase in its legal battle to sustain its business model in Europe.
At the EU level, the European Data Protection Board (EDPB), made up of the member state data protection authorities that are responsible for enforcing EU privacy law, recently issued a draft recommendation that casts doubt on the continued European use of U.S. cloud service providers in certain circumstances, and even on intercorporate transfers of personnel data to the United States. The European Data Protection Supervisor has similarly issued guidance that "strongly encourages" EU institutions considering new contracts with service providers "to avoid processing activities that involve transfers of personal data to the United States." A slow-motion crisis over transatlantic data transfers is unfolding.
While European activists and policymakers have long been skeptical of U.S. privacy protections, their concerns about transatlantic commercial data transfers intensified with the 2013 revelations from National Security Agency (NSA) contractor Edward Snowden about the extent of U.S. government surveillance programs in Europe and the compelled or unwitting cooperation of U.S. firms in those programs. Snowden’s disclosures formed the immediate backdrop for a 2015 CJEU decision (Schrems I) that invalidated data transfers made pursuant to Privacy Shield’s predecessor, the Safe Harbor Framework, on grounds that the European Commission had failed to properly consider the scope of U.S. surveillance activities.
Five years later, the CJEU's Schrems II judgment examined whether the additional privacy safeguards for data transfers from the EU to the United States that had been incorporated into Privacy Shield in response to the Schrems I ruling were "essentially equivalent" to those required by the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR). The CJEU found that they were not: persons in EU territory whose transferred personal data was obtained by U.S. intelligence agencies still did not, contrary to EU law, enjoy "effective legal remedies" before an "independent and impartial court."
Part of the difficulty, the court observed, is the secrecy of U.S. government surveillance. If foreign persons can only suspect that information about them has been gathered, they have little prospect of proving the “injury in fact” that is the prerequisite for suit in U.S. court. The Privacy Shield negotiators attempted to circumvent this dilemma by allowing a European person who suspects surveillance to complain directly to a designated senior official in the U.S. Department of State, who would refer the matter to U.S. intelligence agencies to investigate. The CJEU found this mechanism insufficient, however, since it lacked both independence from the U.S. executive branch and the power to make corrective decisions binding the intelligence community.
Moreover, the CJEU found that U.S. surveillance law also lacked a "principle of proportionality" to ensure that data collection and use by the government occurred only when "necessary" to meet legitimate interests. It pointed in particular to NSA bulk data collection programs. These shortcomings, the lack of individual redress and the lack of proportionality, rendered Privacy Shield inadequate as a means of protecting European individuals' privacy in commercial data transfers to the United States.
While the court endorsed SCC use as an alternative for protecting privacy interests in principle, it also insisted that companies using them adopt additional safeguards against the risk of NSA surveillance. One potential safeguard the CJEU suggested was for a data exporter to suspend or terminate data transfers to the United States if the NSA levies a data demand upon it.
U.S. Firms After Schrems II
With the future of SCCs uncertain, companies have begun to consider a range of options to satisfy EU regulators. Internally, they are assessing the extent to which their data transfers have been the subject of past NSA demands or could be in the future. The number of companies that publicly disclose the scale of government data demands upon them in annual corporate transparency reports is likely to increase. Some are considering commitments to challenge government data demands, or to decline to respond to them unless compelled to do so. Additionally, many companies could adopt some form of pseudonymization or encryption for data transfers, which in some circumstances could frustrate U.S. intelligence; such measures only help, however, if the data is encrypted before it leaves Europe and the keys needed to read it remain outside the reach of the U.S. importer, since an importer that can decrypt the data can also be compelled to hand it over in the clear. A further option would be data localization, or simply keeping data in Europe and processing it there, avoiding transfers to the United States entirely. Data localization can be costly and inefficient, and is not technically feasible for all types of data processing activities. A further splintering of the internet along regional lines is one likely consequence of Schrems II.
European regulators are beginning to release guidance on how companies should implement the Schrems II holding on SCCs. The European Commission has issued for comment an implementing decision substantially revising the language of SCCs, while the EDPB has developed a draft recommendation specifically identifying "supplementary measures," such as encryption and pseudonymization, that companies can add to transfer tools like SCCs in order to frustrate foreign government surveillance. The EDPB's guidance has the potential to upend the transatlantic business models of companies, including European ones, that rely on U.S. cloud service providers or share data internally for personnel or customer service purposes, if the data is not encrypted at all times. Pressure on SCC use is building through litigation as well as regulatory pronouncement, as the rapid Irish Data Protection Commission decision to move against Facebook's use of SCCs shows. Further stress is being exerted by legal actions initiated by the privacy advocacy group None of Your Business (noyb). Soon after the Schrems II ruling, it filed 101 complaints in thirty European jurisdictions against companies that use Facebook Connect or Google Analytics to transfer data to the United States. In October, a German privacy advocacy group brought a similar suit against Amazon for its transatlantic data transfer practices.
The future of SCCs in transatlantic data transfers is clouded in doubt. It will be determined through a series of administrative and judicial proceedings playing out gradually in a decentralized fashion across the EU. Harmonization of law may be the EU’s watchword, but in this case the CJEU has delivered a recipe for fragmentation.
No sooner had the Schrems II judgment been issued than the U.S. government and the European Commission pledged to "explore" ways in which the defects of the invalidated Privacy Shield could be remedied in a new accord. However, neither side expects to reach a new accord in the immediate future. The U.S. government also issued a white paper intended to help companies address the national security concerns the CJEU highlighted. It included the reassurance that "companies whose EU operations involve ordinary commercial products or services, and whose U.S.-EU transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data."
Washington has not embraced national security hawks' suggestions that it fight back against European regulation. The Office of the U.S. Trade Representative (USTR) has reportedly studied whether the disproportionate burden of the Schrems II judgment on major U.S. technology companies amounts to a colorable case of trade discrimination, but so far there is no indication that it will move in this direction. The U.S. government has stated that while it is "actively considering its options," it seeks a "durable political solution."
It will take an orchestrated, three-part strategy for the United States to achieve a lasting resolution to the privacy and surveillance conundrum with the EU. One prong entails expanding possibilities for individual redress under U.S. surveillance law and, separately, adopting the long-mooted comprehensive domestic privacy law. A second would be to create a firmer legal foundation for unrestricted transatlantic data flows through negotiation of a digital trade accord with the EU. The third would be for the United States to cooperate with other democratic states at a multilateral organization in a search for legal principles common to government access to personal data.
U.S. Legal Reform
Establishing a judicial remedy in U.S. courts for non-Americans aggrieved by U.S. electronic surveillance could require changes to intelligence law statutes. Proposals for how to do this have begun to appear publicly and have sparked interest within the U.S. executive and legislative branches. Congress could adapt the current roles of officials and bodies charged with privacy protection within the national security community, such as the Privacy and Civil Liberties Oversight Board and the Foreign Intelligence Surveillance Court, to meet the standard set by the European court. Alternatively, the executive branch could order similar changes without statutory change. The task is legally complex as well as politically charged: a remedy should overcome the standing hurdle that has stymied litigants in the past without deluging U.S. courts with frivolous, hypothetical claims.
Passage of a comprehensive U.S. privacy law could also respond to the criticisms underlying Schrems II. Such a law would establish baseline rights for individuals on the use and handling of their personal data, generally parallel to those contained in the EU’s GDPR, and similarly empower an independent regulatory agency to enforce them. More broadly, the U.S. government would send a signal that it has finally entered the global privacy law mainstream. It would thereby gain desperately needed credibility for its future privacy law collaborations with the EU.
U.S.-EU Digital Trade Agreement
In recent years, the USTR has successfully included protections for unrestricted data flows in a series of trade agreements, including the U.S.-Mexico-Canada Agreement (USMCA) and a digital trade agreement with Japan. A digital trade chapter is also under negotiation in the proposed free trade agreement with the United Kingdom (UK).
A core provision in all these digital trade agreements would secure cross-border transfer of electronic data for business purposes by importing disciplines from World Trade Organization law that guard against protectionism and discrimination. Governments would be allowed to impose transfer restrictions based on their privacy laws, but only to the extent that they are not arbitrary or disguised restrictions on trade and are narrowly tailored to achieve a public policy objective. A formal dispute settlement system would address alleged breaches of the rules.
The EU, during the failed negotiations on a Transatlantic Trade and Investment Partnership, adamantly refused to consider a U.S. proposal along these lines, but the U.S.-UK free trade agreement talks offer a promising opportunity to revisit the topic with a more sympathetic European partner. While the post-Brexit United Kingdom has closely aligned its privacy laws with the EU’s, it also wants to buttress Anglo-American digital trade. If the United Kingdom can reconcile these equities and agree on a data transfer provision with the United States, the precedent could eventually help inspire a similar U.S.-EU reconciliation.
Multilateral Cooperation on Government Access to Data
For many years, Europe has principally associated foreign government access to its citizens' personal data with one country: the United States. Increasingly, however, aggressive Chinese and Russian surveillance activities in Europe have begun to change that perception. Schrems II accelerates this trend by insisting that private companies safeguard data transfers from the EU to any country with a government surveillance apparatus, whether democratic like Israel or authoritarian like China or Russia. The ruling also forces attention to EU member states' own foreign surveillance regimes. The CJEU recently expanded its purview to discipline member states' national security surveillance programs, and other courts in Europe, such as Germany's Federal Constitutional Court, are beginning to examine whether their governments' foreign surveillance activities observe requisite privacy protections.
The broadening judicial lens on government surveillance has in turn stimulated efforts to convene multilateral dialogues on comparative practices. Such a discussion is already underway at the OECD in Paris, with U.S. government participation, and the Council of Europe in Strasbourg is also bidding to undertake work on the subject.
No one expects that a multilateral “no spy” pact is imminent, but discussions on comparative government surveillance regimes nonetheless place U.S. practices in an international context. National security officials in Washington are firmly convinced that the legal constraints under which the U.S. foreign surveillance system operates are at least as transparent and rigorous as those of European counterparts. A broad consensus on the types of legal controls on foreign surveillance needed in democratic societies should be achievable. Successful multilateral cooperation could in turn improve the political atmosphere for transatlantic data transfers.
All of these initiatives would take time. Meanwhile, data transfers from Europe continue in an atmosphere of legal uncertainty, with inevitable further shocks from European regulatory and judicial actions. It will take bold and decisive action, political as well as legal, on both sides of the Atlantic to bring this slow-motion crisis to an end.
This Cyber Brief is part of the Digital and Cyberspace Policy program. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government. All views expressed in its publications and on its website are the sole responsibility of the author or authors.