SCHREMS II: THE EU'S INFLUENCE ON U.S. DATA PROTECTION AND PRIVACY LAWS.

Author: Calia, Donna

INTRODUCTION

The United States and European Union (1) have been deeply connected since the EU's formation in 1957. (2) Although international trade is a hallmark of the U.S. and EU's relationship, the two have struggled throughout history to align their laws and objectives, despite a collection of evolving international trade agreements. (3) That said, the U.S. and EU's trade relationship is considered to be the "world's largest and most important bilateral commercial relationship." (4) The Transatlantic Economy accounts for 16 million jobs, trillions of dollars in total commercial sales, and one third of the total gross domestic product in terms of purchasing power. (5) More recently, the digital revolution has posed a threat to the Transatlantic Economy, revealing fundamental differences in U.S. and EU law. (6)

To harmonize U.S. and EU law, the two parties have entered into numerous trade agreements to maximize transatlantic data transfers. (7) The EU leverages the importance of the Transatlantic Economy to encourage the U.S. to comply with EU law through numerous court decisions (8) directly targeting the inadequacy of U.S. domestic law compared to the General Data Protection Regulation ("GDPR") and the EU Charter. With each international trade agreement and landmark decision, the EU has influenced the U.S. to alter its approach, proving the EU's power as a progressive leader in data protection and privacy law. This note chronicles previous U.S.-EU trade agreements and the landmark cases ordering their invalidation to demonstrate the EU's influence on the advancement of U.S. data protection and privacy law.

  1. UNDERSTANDING THE GAP: U.S. AND EU LAW

    1. U.S. Approach to Data Privacy and Protection

      The U.S. approach to data privacy and protection consists of state and federal laws in a "patchwork" system. (9) There is no general data privacy protection or all-encompassing law. (10) Further, the U.S. Constitution contains no express right to privacy. (11) Data protection and privacy rights are thus statute and state specific. (12) There is no single authority tasked with enforcing data protection and privacy rights. Instead, the U.S. relies on the broad power of the Federal Trade Commission (FTC), administrative agencies, (13) and the few state judicial systems (14) with established laws for enforcement.

      At the federal level, data protection and privacy laws are organized by sector and are industry-specific. (15) For example, the U.S. Privacy Act of 1974 (16) was adopted in response to growing concerns of government surveillance. (17) The Act restricts disclosure of personal data held by federal agencies, guarantees individuals the right to access the agency records and the right to amend them, and establishes overarching "fair information practices." (18) It also protects personal data collected by federal agencies (subject to exceptions), (19) prohibits the disclosure of the collected personal data without written consent, (20) and requires agencies to publish a notice of their records. (21)

      At the state level, data protection and privacy laws vary. (22) Some states are more progressive and stricter on data protection than others. Currently, California, Virginia, and Colorado are the only three states with comprehensive privacy laws in effect. (23) For example, the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2020 ("CPRA") provide the broadest set of consumer rights of any state law in the U.S. (24) Together, the CCPA and CPRA guarantee California residents eight affirmative consumer rights, including the right to restrict processing of their personal data. (25) Virginia and Colorado follow the CCPA and CPRA closely, but do not afford their residents the right of restriction or even the limited private right of action that the CCPA and CPRA provide to California residents. (26)

    2. EU Approach to Data Protection and Privacy

      The EU's approach to data protection and privacy is the antipode of the U.S. approach. Not only does the EU have uniform, all-encompassing data protection and privacy laws, it explicitly recognizes privacy and data protection as fundamental human rights. (27) Each of the independent countries that make up the EU has coordinated its laws on enforcing data protection and privacy to create a uniform approach. (28) Further, the EU has independent oversight bodies, such as the Article 29 Working Party (29) (succeeded under the GDPR by the European Data Protection Board) and the Data Protection Officer role. (30)

      EU data protection and privacy laws have evolved rapidly, beginning with the Data Protection Directive ("DPD") implemented in 1995. (31) To enforce the key principles of the DPD, (32) the EU established an advisory body known as the "Article 29 Working Party." (33) In 2016, the EU adopted the General Data Protection Regulation ("GDPR") to replace the DPD, and it became applicable in May 2018. With this change came heightened and expanded protection. (34) For example, the GDPR expanded the definition of "personal data" to include online identifiers such as IP addresses, mobile device identifiers, geolocation, and biometric data. (35) Thus, the GDPR replaced the DPD to respond to technological advancements and the internet.

      The EU's approach to data protection and privacy law is international in scope and coverage. (36) The GDPR applies throughout the Union, and the European Commission decides which countries outside the EU are deemed to have an "adequate" level of protection; only to those countries may EU citizens' personal data be transferred without further safeguards. (37) If a country cannot satisfy an "adequate" level of protection, data transfers are suspended or postponed until an adequate level of protection is guaranteed. (38) The GDPR provides several options for international data transfers without an adequacy decision but with additional safeguards, including Binding Corporate Rules ("BCRs"), (39) Standard Contractual Clauses ("SCCs"), (40) Article 49 derogations, (41) and international trade agreements to transfer personal data. (42) BCRs are usually utilized by businesses established in the EU for transfers of personal data outside of the EU within their own corporate group. (43) SCCs, however, can be utilized by both EU-based businesses and businesses outside of the EU to maintain compliance with the GDPR. (44) Article 49 derogations have a limited application and can only be used in specific circumstances where no other mechanism of compliance is applicable. (45) Lastly, international trade agreements, such as the Safe Harbor and Privacy Shield agreements, can take the place of an adequacy decision, allowing the free flow of personal data between the EU and the third country. However, the EU retains the authority to reassess and redetermine the adequacy of such an agreement, which undermines any perception that these international trade agreements are permanent or that their terms can be relied on completely. (46) As a result, third countries with international trade agreements may still implement multiple alternative means of compliance with the GDPR to mitigate the consequences of complete reliance on a single agreement.

      Because of its expansive coverage and flexible nature, the GDPR is considered the "gold standard" of data protection and privacy. (47) Although the GDPR is not perfect, it is the most progressive and protective approach to data protection and privacy in the world. As a result of its international application, the EU forces other countries wanting to exchange, collect, or maintain personal data with the EU to meet its high standard.

  2. BRIDGING THE GAP: PREVIOUS TRADE AGREEMENTS

    1. The Safe Harbor Framework

      After the implementation of the DPD in the EU and numerous negotiations, the U.S. and EU established the U.S.-EU Safe Harbor Framework ("Safe Harbor Framework"). (48) This international trade agreement provided a mechanism by which the U.S. ensured an adequate level of protection without disrupting transatlantic data flow and the transatlantic economy. (49) This framework was necessary for the U.S. to continue receiving personal data from EU citizens, as U.S. domestic law alone did not guarantee a standard of protection equal to what is required in the EU. (50)

      The Safe Harbor Framework required U.S. companies to self-certify annually their compliance with seven basic data protection and privacy principles and requirements necessary to meet the EU's adequacy standards. (51) Enforcement of these standards in the U.S. was handled through federal and state authorities already tasked with protecting against unfair and deceptive practices, such as the Federal Trade Commission. (52) Over 5,000 U.S. companies self-certified and utilized the Safe Harbor Framework to transfer the personal data of EU citizens and maintain their privacy. (53)

      However, the Safe Harbor Framework was not ironclad. Under the Safe Harbor Framework, adherence to the principles was qualified. (54) U.S. companies could therefore disregard the principles of the Safe Harbor Framework to the "extent necessary to meet national security, public interest, or law enforcement requirements." (55) Ultimately, this limitation provision was called into question by the Court of Justice of the European Union ("CJEU"), (56) highlighting the EU's concern over U.S. government surveillance (57) and the EU's commitment to its data protection and privacy standards.

    2. Schrems I & Invalidation of the Safe Harbor Framework

      While attending law school in the United States, Austrian-born Maximilian Schrems began investigating Facebook's compliance with EU law after hearing one of Facebook's lawyers speak about data privacy at his school. (58) He requested that Facebook release its personal records on him and received over 1,200 pages of data. (59) After the Snowden revelations, (60) Schrems was concerned about the amount of personal information Facebook maintained in the U.S. He sued Facebook Ireland for keeping its users' data on servers located in the U.S., arguing that U.S...
