Data Transfers after Schrems II: The EU-US Disagreements over Data Privacy and National Security.

Author: Zalnieriute, Monika

TABLE OF CONTENTS

I. INTRODUCTION
II. SHORT HISTORY OF EU-US DISAGREEMENTS OVER DATA PROTECTION AND PRIVACY
  A. Early Agreements and Differences
  B. The EU Adequacy Criterion
  C. Bridging the EU-US Differences: The Safe Harbor Arrangements
  D. Schrems' Complaint and the US Surveillance Programmes
III. THE CJEU JUDGMENT IN SCHREMS II
  A. The Opinion of the Advocate General
  B. The CJEU Judgment
IV. THE CJEU PUSHBACK AGAINST DATA SECURITIZATION AND SURVEILLANCE
  A. CJEU Developing a Principled Stance on Data Protection
  B. CJEU Pushing Against Data Securitization
  C. Political Climate Around Privacy Shield: Latest Developments in the US
  D. Rejecting the 'Contracting Out' of Human Rights Protection to Cover Data Securitization
V. IMPLICATIONS OF SCHREMS II FOR INTERNATIONAL DATA TRANSFERS
  A. Varied Reception of the Judgment
  B. Impact on Commercial EU-US Data Transfers
  C. Implications for Other Data Sharing Regimes
  D. Transfers to Third Countries Generally
VI. CONCLUSION

I. INTRODUCTION

For national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries. - Peter Swire, 2020 (1)

It isn't the CJEU's judgment or European privacy policies that need to be revised. What needs to change is how U.S. policymakers think about national security and surveillance in a world of global information networks. For two decades, the U.S. has been able to have its cake and eat it too - behaving like a unilateral, imperialist power in an interdependent world. Schrems II shows how that strategy is reaching its limits. - Henry Farrell and Abraham Newman, 2020 (2)

Never before have data protection, national security, and information privacy been more important for the protection of human rights than today. Indeed, the global COVID-19 pandemic has required governments and citizens to have an open dialogue about contact tracing and data collection for protecting public health during times of a global health crisis and public emergency. Often, personal data collected by COVID-tracing apps in one country can be transferred to another, leaving individuals across the globe vulnerable to commercial and government surveillance practices without any recourse. (3) Lack of recourse is further complicated because there are no truly international--as opposed to regional--agreements on data protection and information privacy to ensure that individuals can seek effective remedy if their fundamental rights have been violated. Despite the increasing importance of personal data processing in running the modern state (as well as business), nations have not yet agreed upon the appropriate regulatory policy and where the limits of private and public data collection lie.

International disagreements in data protection, national security, and information privacy policy between the leading global regulatory actors--the European Union (EU) and the United States of America--have significant implications for the protection of human rights in a world where most aspects of our lives are increasingly surveilled by both private companies and government entities. These disagreements--which entail even more profound human rights implications during the COVID-19 pandemic--date all the way back to the late 1960s, when data protection and information privacy first emerged as a policy concern on both sides of the Atlantic. Since then, conflicts over data protection, national security, and global data flows between the EU and the United States have been resurfacing in new forms every few years.

The latest iteration of this decades-long history of transatlantic data "wars," (4) "tensions," (5) and "battles" (6) is the long anticipated Schrems II decision, (7) handed down by the highest court of the European Union--the Court of Justice of the European Union (CJEU), which sits in Luxembourg. On July 16, 2020, the CJEU held that the scope of US surveillance programs and the lack of legal remedies in the United States are fundamental problems under EU law and, consequently, struck down the legal basis for EU-US data transfers. The CJEU invalidated the key mechanism for EU-US data transfers--this time under Privacy Shield arrangements--for the second time in a decade. It held that US laws do not provide "essentially equivalent" protection for personal data to that guaranteed under EU law--an EU law requirement for data transfers to third countries--because of the extensive US surveillance regime. While the CJEU did not invalidate another venue for data transfers--Standard Contractual Clauses (SCC)--its reasoning implies that personal data cannot be transferred to the United States using this legal basis for the same reason: lack of adequate safeguards for personal data in the United States. Schrems II has significant implications for the future of personal data transfers between the EU and the United States, the transatlantic economy, as well as global data law and governance more generally.

While the judgment affects many areas of law and politics, this Article focuses on the human rights protection in EU-US data transfers. It argues that Schrems II illuminates the long-lasting disagreements between the EU and United States over data protection and privacy, and the fundamental differences between the public and private approaches to the protection of personal data. In its decision, the CJEU rejected the approach of "contracting out" the protection of human rights via private arrangements--under schemes such as the Privacy Shield or SCCs--where public institutions fail to provide adequate safeguards. The court was clear that no private mechanism, contractual guarantee, or self-certification scheme would be sufficient to compensate for or gloss over the fundamental flaws of public institutions and surveillance laws of a third country in ensuring protection "essentially equivalent" to that guaranteed under EU law. The rejection of this approach of "contracting out" human rights, which has been long championed by the United States and the European Commission (EC) alike, is a win for the right to privacy and personal data protection; however, the long-term political impact of the judgment is less certain in the context of the wider historical EU-US disagreements in this area of law and policy since the 1970s.

To understand the role of these disagreements in Schrems II, this Article looks at the institutional preferences of different actors in transatlantic data sharing arrangements via an interdisciplinary lens of international law and international relations. (8) While political science and legal disciplines are organized around distinct goals and addressed at different audiences, there is nonetheless a substantial and burgeoning intersection between the two. (9) In particular, I rely on the historical institutionalist approach, which emphasizes the importance of time and timing (also called process tracing or sequencing), as well as institutional preferences of different actors in causal process, (10) to demonstrate that Schrems II further solidifies and cements the CJEU's strong rejection of data securitization in the post-Snowden era, aimed at rebalancing the terms of international cooperation in data-sharing across the Atlantic and beyond.

Schrems II is the outcome that US tech companies feared. Yet, this Article argues that they are not the only actors displeased with the decision. Historical institutionalist analysis illuminates that the EU is not a monolithic block, and that Schrems II is also an outcome contrary to the wishes of the EC. The invalidation of the Privacy Shield will now (again) require the EU to either reorient its data protection policy and priorities or accommodate the institutional preferences of its powerful political ally--the United States. The CJEU decision goes against the European Data Strategy (11) and places a $7.1 trillion transatlantic economic relationship at risk. Historical institutional analysis suggests that structural changes in the US legal system needed to address the inadequacies in the Schrems II judgment are unlikely. Therefore, the EC will act quickly to create a solution--another quick, contractual "fix"--to accommodate US exceptionalism and gloss over the decades of disagreement between the EU and the United States on data privacy and protection. When two powerful actors are unwilling to change their institutional preferences, "contracting out" human rights is the most convenient option.

Part II of this Article provides a background to the Schrems challenge and the disagreements between the EU and the United States over data protection that are at the heart of Schrems's complaint. Part III focuses on the CJEU's decision in depth and explains its reasoning. Part IV evaluates the Schrems II decision, arguing that it is further evidence of the CJEU's pushback against data securitization. Part V discusses the implications of the CJEU's judgment for EU-US data-sharing arrangements as well as international data transfers more generally. The Article concludes by evaluating the prospects for substantial future reforms of another quick "fix," such as the Privacy Shield, to gloss over data securitization and the decades of disagreements between the EU and the United States.

II. SHORT HISTORY OF EU-US DISAGREEMENTS OVER DATA PROTECTION AND PRIVACY

Schrems II is the second decision stemming from a long-running challenge, based on fundamental human rights, to the legality of EU-US data transfers by data protection and privacy activist Maximillian Schrems. After Edward Snowden revealed US mass surveillance programs in 2013, (12) Schrems lodged a complaint with the Irish Data Protection Commissioner about Facebook Ireland's transfer of data to the United States. At the heart of Schrems's challenge lay disagreements between the EU and the United States over data protection and privacy, which date back to the late 1960s, when data protection first emerged...
