{"id":9092,"date":"2020-08-14T09:56:44","date_gmt":"2020-08-14T13:56:44","guid":{"rendered":"https:\/\/journals.law.harvard.edu\/ilj\/?p=9092"},"modified":"2023-09-29T19:03:31","modified_gmt":"2023-09-29T23:03:31","slug":"contracting-out-human-rights-in-international-law-schrems-ii-and-the-fundamental-flaws-of-u-s-surveillance-law","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/ilj\/2020\/08\/contracting-out-human-rights-in-international-law-schrems-ii-and-the-fundamental-flaws-of-u-s-surveillance-law\/","title":{"rendered":"\u201cContracting Out\u201d Human Rights in International Law: Schrems II and the Fundamental Flaws of U.S. Surveillance Law"},"content":{"rendered":"<h6>By: Genna Churches and Monika Zalnieriute<\/h6>\n<h2>Introduction<\/h2>\n<p>In the midst of the COVID-19 pandemic, on July 16, 2020, the Court of Justice of the European Union (\u201cCJEU\u201d) in Luxembourg handed down a long-awaited judgement on international data transfers in the <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> case. The European Union (\u201cEU\u201d) Court found that U.S. law does not provide the \u201cessentially equivalent\u201d protection for personal data to that guaranteed by EU law, and therefore invalidated the key mechanism for EU-United States data transfers\u2014this time known as <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>\u2014for the <em>second<\/em> time in a decade. 
While the CJEU generally upheld the validity of another legal basis for international data transfers\u2014<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">Standard Contractual Clauses<\/a> (\u201cSCCs\u201d), the Court also implied that these clauses are not an avenue for continued transfers of personal data from the EU to the United States.<\/p>\n<p><a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> is a win for human rights in the EU and beyond, yet, the long-term political impact of this judgement in securing human rights in the digital economy is less certain in light of the <a href=\"https:\/\/lu.usembassy.gov\/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows\/\">$7.1 trillion transatlantic economic relationship<\/a> at stake. Until now, U.S. companies, including Facebook, Amazon, and Google, <a href=\"https:\/\/www.privacyshield.gov\/list\">have relied<\/a> on private self-certifications schemes, such as <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>, to assure the EU of \u201cessentially equivalent\u201d protection for personal data of EU residents, despite the extensive scope of U.S. surveillance programs. The U.S. government <a href=\"https:\/\/lu.usembassy.gov\/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows\/\">maintains<\/a> that the protection under its national security laws \u201cmeets\u201d and \u201cexceeds\u201d the safeguards \u201cin foreign jurisdictions, including Europe,\u201d \u00a0suggesting that structural changes in the U.S. legal system are unlikely. 
Instead, the <a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/statement_20_1366\">European Commission<\/a> (\u201cEC\u201d) and <a href=\"https:\/\/www.commerce.gov\/\">U.S. Department of Commerce<\/a> may soon carve out another solution for EU companies to \u201ccontract out\u201d the protection for human rights where public authorities are unwilling to ensure it.<\/p>\n<h2>International Data Transfers and U.S. Surveillance Law:\u00a0 Schrems I<\/h2>\n<p>Following the Edward <a href=\"https:\/\/www.lawfareblog.com\/snowden-revelations\">Snowden revelations<\/a> about mass surveillance programs in 2013, various privacy advocates in the EU <a href=\"https:\/\/www.thejournal.ie\/readme\/snowden-schrems-safe-harbour-2372781-Oct2015\/\">opposed<\/a> the exposure of their personal data to such regimes. Snowden revealed U.S. surveillance programs including <a href=\"https:\/\/www.eff.org\/pages\/upstream-prism\">PRISM and UPSTREAM<\/a>, which collect data directly from undersea cables or from providers. These programs were authorized by <a href=\"http:\/\/scholarship.law.gwu.edu\/cgi\/viewcontent.cgi?article=1246&amp;context=faculty_publications\">executive powers<\/a> under the U.S. legal system and often failed to guarantee the basic constitutional rights for <a href=\"https:\/\/www.aclu.org\/blog\/national-security\/privacy-and-surveillance\/nsa-continues-violate-americans-internet-privacy\">U.S. citizens<\/a>, let alone foreigners. The long-running <a href=\"https:\/\/noyb.eu\/en\/project\/eu-us-transfers\">Schrems saga<\/a> began when Austrian privacy activist, Maximilian Schrems, <a href=\"https:\/\/www.dataprotection.ie\/en\/legal\/explanatory-memoranda-litigation-concerning-standard-contractual-clauses-sccs\">lodged<\/a> one such complaint with the <a href=\"https:\/\/www.dataprotection.ie\/\">Irish Data Protection Commissioner<\/a> (\u201cDPC\u201d) about Facebook Ireland\u2019s transfer of data to the United States. 
His complaint highlighted the incompatibility of U.S. surveillance programs and existing EU law permitting transfers to the United States. Under EU law at the time, the EC\u2019s <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02000D0520-20000825\">Safe Harbor<\/a> Decision created an arrangement where U.S. data importers could \u201cself-certify\u201d that they provided \u201cessentially equivalent\u201d protection to that guaranteed under EU law, including the protection of fundamental rights under the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:12012P\/TXT\">EU Charter of Fundamental Rights<\/a> (\u201cEUCFR\u201d). Schrems challenged the adequacy of these arrangements in ensuring \u201cessentially equivalent\u201d protection in his complaint, which the DPC rejected. Schrems then took his complaint to the High Court of Ireland, which referred two questions to the CJEU in the case now known as <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=169195&amp;pageIndex=0&amp;doclang=en&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=2393\"><em>Schrems I<\/em><\/a>. In that case, the CJEU invalidated <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02000D0520-20000825\">Safe Harbor<\/a>, because it did not afford \u201cessentially equivalent\u201d protection for personal data to that guaranteed under EU law (\u00b6\u00b6 98, 104\u2013106).<\/p>\n<p>Facebook and other companies then relied upon <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a>, a mechanism created under another EC adequacy decision (\u201c<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A32010D0087\">SCC Decision<\/a>\u201d), which enabled data transfers where contractual arrangements could provide the \u201cessentially equivalent\u201d protection to that under the EU legal order. 
In 2015, the Irish DPC asked Schrems to reformulate his original complaint in light of the invalidation of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02000D0520-20000825\">Safe Harbor<\/a>. The revised complaint focused on Facebook\u2019s data transfers outside of the EU based on <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> (<a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> \u00b6\u00b6 151\u2013153), claiming the reliance on <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> could not be valid due to U.S. law obliging private companies to provide access to personal data to public authorities under U.S. surveillance programs. Following the reformulation of his complaint, the EC and U.S. 
officials replaced <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02000D0520-20000825\">Safe Harbor<\/a> with a new version of a \u201cself-certification\u201d regime for EU-United States data transfers\u2014the EU-United States <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>.<\/p>\n<p>Based on Schrems\u2019 revised complaint, the <a href=\"https:\/\/www.dataprotection.ie\/\">DPC<\/a> raised a number of questions before the <a href=\"http:\/\/www.europe-v-facebook.org\/sh2\/HCJ.pdf\">High Court of Ireland<\/a>, which then referred <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62018CN0311&amp;from=EN\">11 questions<\/a> to the CJEU in <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a>. These questions turned the focus towards the suitability and validity of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> and, by inference, the validity of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a> under the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\"><em>General Data Protection Regulation<\/em><\/a> (\u201c<a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\"><em>GDPR<\/em><\/a>\u201d).<\/p>\n<h2>International Data Transfers Continued: Schrems II<\/h2>\n<p>The <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> judgement challenges the mechanisms for EU-United States personal data transfers 
based on fundamental inadequacy of U.S. law to ensure the \u201cessentially equivalent\u201d protection to that guaranteed by EU law. The CJEU found that in circumstances where adequate safeguards exist in third countries, or where contractual terms can provide the \u201cessentially equivalent\u201d protection to EU law, the use of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> is valid. The Court then chose to engage directly with the validity of EU-United States data transfers under <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>, finding it invalid due to the fundamental inadequacy of safeguards for personal data provided by U.S. law.<\/p>\n<p>The CJEU first focused on the standard contractual clauses, finding the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A32010D0087\">SCC Decision<\/a> valid (\u00b6 105). However, the Court stressed that data controllers must assess the level of protection afforded across the agreed contractual clauses between the data controller and the third country importer\/processor, any access by public authorities to the data, and the legal system of the third country (\u00b6\u00b6 93, 105). The CJEU reiterated that the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> must afford appropriate safeguards, enforceable rights, and effective legal remedies (\u00b6 103), with data controllers\/exporters obliged to act if there is a conflict between the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> and third country laws, including an incompatibility with national security laws, by suspending data flows (\u00b6\u00b6 134\u2013135). 
Where <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> cannot provide an \u201cessential equivalent\u201d to EU law, and data controllers have not acted, the CJEU held that <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/reform\/what-are-data-protection-authorities-dpas_en\">National Data Protection Authorities<\/a> (\u201cDPAs\u201d) must suspend, limit, or even ban international data transfers (\u00b6\u00b6 113, 121).<\/p>\n<p>However, the CJEU held that DPAs cannot act to suspend, limit, or ban data transfers where there is an adequacy decision, such as <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>, in place. The Court asserted that DPAs \u201ccannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection\u201d (\u00b6 118). \u00a0The CJEU noted that DPAs must still investigate complaints received, and if concerned about the equivalence of protection under an adequacy decision, bring an action before national courts questioning adequacy. If the national court agrees, it can make reference for a preliminary ruling on the validity of an adequacy decision in question (\u00b6\u00b6 120, 121).<\/p>\n<p>The CJEU then moved on to assess the adequacy of protection under U.S. law to determine the validity of the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>. The Court held it invalid because of the largely unrestrained surveillance regime, a lack of redress under those regimes, and the lack of independence for the ombudsperson (\u00b6 199). 
Noting the EC can only make a decision on adequacy if the third country\u2019s legislation provides all the necessary guarantees to ensure an adequate level of protection (\u00b6\u00b6\u00a0129, 162, 167), the CJEU assessed the level of protection afforded by the United States. It found that U.S. surveillance regimes like PRISM and UPSTREAM which collect data directly from undersea cables or from providers like Google and Facebook, permitted under section 702 of the <a href=\"https:\/\/it.ojp.gov\/PrivacyLiberty\/authorities\/statutes\/1286\">Foreign Intelligence Surveillance Act<\/a> (\u201csection 702 FISA\u201d), were not limited to what was strictly necessary for the purposes of foreign intelligence. In particular, the legislation did not lay down any limitations or scope of the programs nor impose any minimum safeguards (\u00b6\u00b6 179, 180). The CJEU also assessed the <a href=\"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2014\/01\/17\/presidential-policy-directive-signals-intelligence-activities\">Presidential Policy Directive 28<\/a> (\u201cPPD-28\u201d\u2014a response to the Snowden revelations <a href=\"https:\/\/www.justsecurity.org\/61199\/privacy-civil-liberties-oversight-boards-disappointing-report-ppd-28-implementation\/\">attempting to restrain mass surveillance<\/a>) and <a href=\"http:\/\/fas.org\/irp\/offdocs\/eo\/eo-12333-2008.pdf\">Executive Order 12333<\/a> (\u201cEO-12333\u201d\u2014a 1981 order permitting <a href=\"https:\/\/epic.org\/privacy\/surveillance\/12333\/\">expanded surveillance powers<\/a> authorized by the executive), finding they did not grant actionable rights against U.S. authorities (\u00b6\u00b6 181, 182, 184). 
The CJEU noted that the EU legal order provides a right to a hearing before an independent and impartial tribunal (<a href=\"https:\/\/fra.europa.eu\/en\/eu-charter\/article\/47-right-effective-remedy-and-fair-trial\">article 47<\/a> of the EUCFR) (\u00b6 186), and that <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a> created a specific role of an <a href=\"https:\/\/www.state.gov\/privacy-shield-ombudsperson\/\">ombudsperson<\/a> for EU data transfers. However, the Court held that surveillance programs based on section 702 <a href=\"https:\/\/it.ojp.gov\/PrivacyLiberty\/authorities\/statutes\/1286\">FISA<\/a> and <a href=\"http:\/\/fas.org\/irp\/offdocs\/eo\/eo-12333-2008.pdf\">EO-12333<\/a>, even when read in conjunction with <a href=\"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2014\/01\/17\/presidential-policy-directive-signals-intelligence-activities\">PPD-28<\/a>, do not provide data subjects with actionable rights, leaving them with no effective remedy (\u00b6 192). The CJEU also highlighted a lack of independence in the oversight systems of Privacy Shield, as the role of the ombudsperson was related to the executive (\u00b6 195). Thus, the Court concluded that the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a> Decision could not provide an \u201cessentially equivalent\u201d protection for personal data to that guaranteed under the EU legal order and, therefore, was invalid (\u00b6 199).<\/p>\n<h2>So How Can Data Be Transferred to the United States Now?<\/h2>\n<p>After this pronouncement, many are asking how can data be lawfully transferred from the EU to the United States? 
The <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> (and for that matter <a href=\"https:\/\/teachprivacy.com\/schrems-ii-reflections-on-the-decision-and-next-steps\/\">Binding Corporate Rules<\/a>) are also unusable because the CJEU in <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> ruled that U.S. law\u2014as a whole\u2014does not provide adequate protection required under EU law for international data transfers. The Court partially answered this question: \u201ctransfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\">GDPR<\/a> or appropriate safeguards under Article 46 of the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\">GDPR<\/a>.\u201d (\u00b6 202). In other words, the Court has not prohibited data transfers to the United States where \u201cessentially equivalent\u201d safeguards are provided.\u00a0 However, data controllers and exporters now face the very real dilemma of having to contract for the impossible\u2014to form contracts under <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> or article 46 of the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\">GDPR<\/a>, which protect the rights of the data subject despite the scope of the U.S. surveillance programs. With the CJEU\u2019s findings that because of the extensive U.S. 
surveillance regime, the United States does not afford essentially equivalent safeguards, and confirmation that <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> cannot bind a public authority in the third country (\u00b6\u00b6 123, 125), it now appears impossible to transfer data lawfully from the EU to the United States. Some commentators suggest that <a href=\"https:\/\/iapp.org\/news\/a\/the-show-must-go-on\/\">not all organizations<\/a> are subject to the U.S. surveillance regime. However, given the scope of the surveillance programs, as discussed by the CJEU, and the possibility of surveillance access even before the data reaches the data importer, such as through the \u201ctapping\u201d of <a href=\"https:\/\/www.twobirds.com\/en\/news\/articles\/2020\/global\/schrems-ii-judgment-privacy-shield-invalid-sccs-survive-but-what-happens-now\">undersea cables<\/a> (\u00b6\u00b6 62\u201363), the adequacy of protection from surveillance by any company is <a href=\"https:\/\/www.lawfareblog.com\/geopolitical-implications-european-courts-schrems-ii-decision\">doubtful<\/a>.<\/p>\n<h2>Will \u201cContracting Out\u201d Human Rights to the United States Be Possible?<\/h2>\n<p>In light of the fundamental inadequacy of U.S. surveillance law to guarantee the level of protection required by EU law, the remaining avenue for data transfers points to the use of contracts under the SCC Decision. Contractual obligations between businesses <a href=\"https:\/\/www.business-humanrights.org\/en\/un-secretary-generals-special-representative-on-business-human-rights\/un-protect-respect-and-remedy-framework-and-guiding-principles\">can play<\/a> a role in protecting human rights in international law, for example in ensuring workers are protected in <a href=\"https:\/\/www.herbertsmithfreehills.com\/latest-thinking\/setting-human-rights-standards-through-international-contracts\">supply chains<\/a> and offshore manufacturing. 
However, these contracts do not bind the government or public authorities in foreign countries, and the local laws in those countries may still override contractual terms. Therefore, contractual clauses to protect data transferred to the United States will not be adequate because of the extensive surveillance powers granted to public authorities under the U.S. legal system, which can easily override those clauses.<\/p>\n<p>The U.S. surveillance regime shows no sign of <a href=\"https:\/\/www.cpomagazine.com\/data-protection\/failure-to-limit-scope-of-patriot-act-leaves-browsing-history-search-queries-of-american-citizens-up-for-grabs\/\">contracting<\/a>. Often, as the CJEU found, there is little specific legislation which limits foreign surveillance programs; instead, they are authorized by a <a href=\"https:\/\/epic.org\/privacy\/surveillance\/fisa\/fisc\/\">supervisory body<\/a> or through executive order. While the EU Parliament called to <a href=\"https:\/\/www.europarl.europa.eu\/sides\/getDoc.do?pubRef=-\/\/EP\/\/TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0\/\/EN\">overhaul<\/a> the U.S. foreign surveillance regime following the Snowden revelations, calls for amendment in the United States were <a href=\"https:\/\/www.cfr.org\/blog\/fisas-current-controversies-and-room-improvement-part-two\">reinvigorated<\/a> in late 2019 following <a href=\"https:\/\/www.justsecurity.org\/66595\/the-fisa-courts-702-opinions-part-i-a-history-of-non-compliance-repeats-itself\/\">reported breaches<\/a> of section 702 <a href=\"https:\/\/it.ojp.gov\/PrivacyLiberty\/authorities\/statutes\/1286\">FISA<\/a>. However, proposed reforms have now <a href=\"https:\/\/thehill.com\/blogs\/congress-blog\/politics\/499663-fisa-reform-groundhog-day-edition\">stalled<\/a>. With U.S. 
comments in response to <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> that the U.S. safeguards for data protection under national security programs <a href=\"https:\/\/lu.usembassy.gov\/u-s-secretary-of-commerce-wilbur-ross-statement-on-schrems-ii-ruling-and-the-importance-of-eu-u-s-data-flows\/\">\u201cmeets\u201d or \u201cexceeds\u201d<\/a> those in European jurisdictions, the stalemate between the EU and the United States is set to continue.<\/p>\n<p>The use of <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a> in light of the scope of the U.S. surveillance framework places an impossible burden on data controllers to attempt to \u201ccontract out\u201d the protection of human rights. The Berlin DPC has already <a href=\"https:\/\/www.dataguidance.com\/news\/berlin-berlin-commissioner-issues-statement-schrems-ii-case-asks-controllers-stop-data\">issued<\/a> advice to data controllers to <em>cease<\/em> EU-United States transfers, reinforcing the importance of a valid <a href=\"https:\/\/iapp.org\/news\/a\/using-sccs-post-schrems-ii-guidance-from-dpas\/?mkt_tok=eyJpIjoiTnpsaE5XVTVOak13TjJGbSIsInQiOiJEZEJcL2NBczdNT1dsdzRTWm9ETTdScW9nUGNNVXFaa2FScnlyOGJ5ekVhM1wvKzdaMjdXckFoTHlKcUMyeTJmOU9MeVlxa1wvSFhGQWRjcm9iSXUwSllCQjJCY0tzUUdDeFFySERmWjY3SkRMSG1iTGtEQkJPNVlwQjBMYStpaVB3bCJ9\">legal basis for data transfers<\/a>. Fines for breaching the GDPR can be up to <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\">four percent of a company\u2019s global revenue<\/a>. 
The CJEU was clear that the DPAs are obliged to act against unlawful transfers, so it seems a risky business for private companies to keep doing \u201cbusiness as usual\u201d after <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a>. \u201cContracting out\u201d human rights protection will simply not work for the CJEU, where the local laws in third countries, such as the United States, fundamentally violate those rights.<\/p>\n<h2>Conclusion<\/h2>\n<p><a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9755430\"><em>Schrems II<\/em><\/a> has lived up to the hype\u2014the decision will have far-reaching effects. In response to the judgement, the EC could act quickly to negotiate another agreement with the U.S. counterparts, just like it did earlier with the Safe Harbor and <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG\">Privacy Shield<\/a>, again authorizing data flows to the United States. However, without changes in the U.S. surveillance regime, we can be certain that any future adequacy decisions will be challenged by privacy advocates, costing DPAs <a href=\"https:\/\/www.irishexaminer.com\/news\/arid-31001838.html\">millions of Euros<\/a> in further court costs. Similarly, attempts to \u201ccontract out\u201d human rights protection under <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02010D0087-20161217\">SCCs<\/a>, given the inability of the United States to provide \u201cessentially equivalent\u201d protection, expose data controllers to fines under the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:02016R0679-20160504\">GDPR<\/a>. 
Yet, the high stakes of the transatlantic economy weaken the EU position, while the bargaining power of the United States suggests that structural changes\u2014that would bring the United States in line with \u201cessential equivalence\u201d\u2014are unlikely any time soon. Failing U.S. changes, tech companies might have to <a href=\"https:\/\/www.politico.eu\/article\/rejection-of-us-surveillance-tests-eu-mettle-on-privacy-shield\/\">process personal data in Europe<\/a>, as legally \u201ccontracting out\u201d protection for human rights might be next to impossible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Genna Churches and Monika Zalnieriute<\/p>\n","protected":false},"author":95,"featured_media":9094,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_FSMCFIC_featured_image_caption":"","_FSMCFIC_featured_image_nocaption":null,"_FSMCFIC_featured_image_hide":null,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[205,121,366],"tags":[42,405,409],"class_list":["post-9092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-content","category-article-series","category-perspectives","tag-human-rights","tag-security","tag-technology"],"jetpack_featured_media_url":"https:\/\/journals.law.harvard.edu\/ilj\/wp-content\/uploads\/sites\/84\/pietro-jeng-n6B49lTx7NM-unsplash-scaled.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/peZu3S-2mE","jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/9092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/users\/95"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/comments?post=9092"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/posts\/9092\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/media\/9094"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\
/media?parent=9092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/categories?post=9092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/ilj\/wp-json\/wp\/v2\/tags?post=9092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}