Behind the Curve: Schrems II and the Need for Increased U.S. Data Protections in a Global Economy.

Author: Carlson, Micah

  I. INTRODUCTION
  II. BACKGROUND
    A. Data as a Commodity
    B. The Emergence and Evolution of Data Protections
    C. The European/American Relationship
    D. Schrems II and the Aftermath
  III. ANALYSIS
    A. Potential Solutions
    B. A Privacy Shield Replacement
    C. Standard Contractual Clauses
    D. Derogations, Including Data Subject Consent and the Fulfillment of Contracts
    E. Data Localization
    F. GDPR-Esque Protections in the U.S.
  IV. RECOMMENDATION
    A. The Passage of Federal Legislation That Would Satisfy the EU's Adequacy Requirements is Exceedingly Unlikely
    B. FISA Section 702 and EO12333 Must be Addressed
    C. FISA Section 702 and EO12333 Would Still Retain their Effectiveness
    D. Giving the Exemptions Legally Binding Force
  V. CONCLUSION

  1. INTRODUCTION

    The United States (U.S.) and the European Union (EU) have long enjoyed a prosperous and peaceful relationship that has mutually benefitted both parties. With their shared Western values, their economic influence, and their cultural relevance, the American/European relationship has only rarely been tested throughout the 20th and 21st Centuries. Despite this, there is one area of the law where the two jurisdictions seem incapable of seeing eye-to-eye: data protections.

    While the EU has served as the global leader in the realm of data protections, the U.S. has regrettably lagged behind. (1) While the EU has passed directives and legislation aimed at providing their citizens with strict data and privacy protections, the U.S. has failed to do so. (2) In order to facilitate legal data transfers between the two jurisdictions, the EU and the U.S. have been compelled to establish agreements where U.S.-based businesses can choose to adhere to European data law. (3) Through these legal mechanisms, U.S. businesses have been granted a legal avenue to import European data. (4) In an increasingly data-centric global economy, the ability to transfer data between two of the world's largest economic powerhouses is of the utmost importance.

    In July of 2020, the EU's highest court struck down the legal mechanism that allowed data transfers between the EU and the U.S. (5) The court's reasoning was based on the U.S.'s ongoing surveillance programs; although U.S. businesses could bind themselves to adhere to European law, there existed no guarantee that U.S. intelligence would not collect, store, or handle European citizens' data. (6) Consequently, the framework was struck down as illegal under EU law. (7)

    It is imperative that data transfers between the U.S. and the EU are granted a legal mechanism to resume. Today, the U.S. and the EU are negotiating a legal framework for data transfers to succeed the invalidated legal framework. (8) Despite this, any replacement will inevitably be short-lived if the new deal does not address the primary concerns of the European courts. To ensure the longevity of the EU-U.S. alliance and the economic future of the two jurisdictions, the new legal framework must address U.S. surveillance programs. Most notably, the participants of the new legal framework must be exempted from surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA Section 702) and President Reagan's Executive Order 12333 (EO12333), two legal bases for widespread U.S. surveillance that have been highlighted as especially problematic by EU courts. (9) To best achieve this, Congress should amend FISA Section 702 to exempt business participants of the new framework, and President Biden or Congress should amend or eliminate EO12333.

  2. BACKGROUND

    1. Data as a Commodity

      Through the rapid globalization and technological advancements of the 20th Century, data has been established as a recognized commodity. (10) But why do companies desire consumer data? Why would a business allocate part of its resources to collecting and processing seemingly worthless masses of consumer information? Simply put, consumer data is not worthless; indeed, it has been estimated that the global market for data will be $229.4 billion in 2025. (11) Companies are willing to pay money for data because, among other benefits, consumer data can be invaluable when forming a marketing strategy. (12)

      While collecting names, addresses, phone numbers, and email addresses has its obvious utility, data collection has become far more sophisticated and far-reaching. (13) Data collection now includes categories such as purchase patterns, gender, location, electronic devices used, driving history, and many more. (14) This sophistication has led to staggeringly accurate and effective marketing efforts. For example, in an unprecedented marketing objective, Target Corporation used data analytics professionals to develop a "pregnancy prediction score" for its customers. (15) This score purported to estimate the likelihood that a female shopper was pregnant, even predicting how far along the pregnancy was. (16) By catering their marketing strategies to such an individual, Target hoped to capture pregnant women as loyal pre-birth and post-birth customers. (17)

      To acquire consumer data, companies like Target often purchase consumer data through so-called data brokers, entities that specialize in the realm of collecting and selling consumer data. (18) Data brokers' influence has become more far-reaching in recent years, as they have adapted from collecting data on a case-by-case basis to instead collecting large pools of consumer data on many data subjects en masse. (19) Additionally, the market has experienced pressure to produce immediate results. (20) For example, suppose a company wishes to conduct a background check to determine whether a job candidate is fit to fill a newly vacant, essential position within the company. In this case, the company will likely demand the background check be completed as soon as possible. This desire for immediate results has led data brokers to continue growing their databases, rarely deleting any information previously collected. (21)

      This mass collection of data has presented emerging risks to consumers. With more entities gathering greater masses of data from an ever-expanding list of data categories, the potential for data leaks, improper usage of consumer data, data breaches, and perpetual retention of consumer information has only increased. In an increasingly digital world where more data is collected, the number of contact points with such data has increased in tandem. Each employee with access to consumer data, each email containing consumer data, each server storing consumer data, and every single other contact point that interacts with consumer data is a potential point of failure in the chain that could ultimately harm consumers. A disgruntled employee could purposefully leak data, an email may be sent to the wrong person, or hackers could tap into a server. Throughout our digital revolution, the risks presented to consumers have increased exponentially, though American consumers' control over such risks has remained mostly stagnant. (22) Consequently, the potential for abuse and privacy violations has, understandably, led many to conclude that data protections and increased regulations are needed. (23)

    2. The Emergence and Evolution of Data Protections

      With data collection growing in popularity while also possessing potential for abuse, some governments have sought to regulate the data market and recognize data subjects' rights to their data. (24) For example, the Canadian government passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, which provides federal protections for Canadian residents' data when their province or territory does not provide substantially similar protections. (25)

      On the other side of the Atlantic, the EU adopted the Data Protection Directive in 1995, which instructed EU states to provide data protections to their residents. (26) Most importantly, the Data Protection Directive directed EU states to only allow the export of European personal data to other jurisdictions when they knew the data would be protected by law. (27)

      In 2016, the EU adopted the General Data Protection Regulation (GDPR) which sought to further enshrine protections for European residents' personal data, ultimately replacing the Data Protection Directive. (28) Most critically, this law defines "personal data" quite broadly:

        Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (29)

      Any information that falls under this broad definition is subject to GDPR protections. Consequently, any "controller" or "processor" of such data must implement "appropriate technical and organi[z]ational measures." (30) These requirements apply to any entity wishing to control or process EU residents' personal information, regardless of their location. (31) This means that GDPR applies to foreign entities that process EU nationals' data. (32) Furthermore, the GDPR stipulates that personal data is not to be processed unless it is legitimized by one of six possible justifications: consent, contract, public task, vital interest, legitimate interest, or legal requirement. (33) If the justification is based on consent, the resident in question retains his or her right to revoke consent at any time. (34) Additionally, other requirements under GDPR include the appointment of a data officer and making proper public disclosures regarding data collection practices. (35)

      The American approach to data privacy has been markedly different. Currently, the U.S. does not have a central federal privacy law. (36) Instead...
