CJEU Déjà Vu: Facilitating International Data Transfers and Avoiding Internet Balkanization in the Wake of Schrems II by Enacting Targeted Reforms to US Surveillance Practices
By Jordan Francis. Full Text.
Private and public actors collect and retain vast amounts of personal data. Governments have responded to this data revolution by passing data protection laws, which limit the collection, use, storage, and disclosure of personal data. The most comprehensive data protection scheme exists in the European Union, where the right to protection of personal data is guaranteed as a fundamental freedom. The General Data Protection Regulation (GDPR) gives that right substance by establishing a comprehensive regulatory scheme that applies to any entity processing personal data concerning an EU citizen, whether that entity is located in the EU or not. The GDPR also mandates that personal data meant for processing cannot be transferred to a country outside the EU unless that country “ensures an adequate level of protection” which is “essentially equivalent” to that under EU law. This is a problem for the United States, which does not have a federal data protection law. To get around this, the US and EU negotiated a trade pact and established a program, Privacy Shield, which would allow US organizations to voluntarily comply with the requirements of the GDPR in order to freely import data from the EU to the US.
This delicate international relationship was thrown asunder on July 16, 2020 when the Court of Justice of the European Union (CJEU), in a decision now referred to as Schrems II, ruled that Privacy Shield did not meet the GDPR’s requirements for cross-border data transfers. The CJEU found that the US government’s access to personal data of EU citizens under US national security surveillance laws lacked sufficient safeguards and judicial protections, so Privacy Shield participants could not provide all of the protections required by the GDPR. The short-term effect of Schrems II has been mass confusion for US organizations relying on Privacy Shield to legally import personal data from the EU. The long-term effects could threaten the estimated $7.1 trillion transatlantic economy and the very nature of the global internet, as organizations opt for data localization to avoid incurring the severe financial penalties under the GDPR.
This Note argues that the US’s approach to this problem—working with the European Commission to develop an “enhanced Privacy Shield” program—is a doomed effort because it will not relieve organizations of their obligations under US law. Instead, the US should learn from its mistakes in Schrems I & Schrems II and enact legislative reform. Rather than focusing on crafting a comprehensive federal privacy law, which could solve this problem, it would be more prudent to enact modest reforms to US foreign intelligence surveillance law targeted at the issues raised in Schrems II—a Privacy Shield Enabling Act. These reforms would enable an enhanced Privacy Shield program to survive a legal challenge before the CJEU by including adding safeguards to limit unnecessary collection of personal data concerning EU citizens and providing those data subjects with actionable rights before US courts.