The world just received the newest pronouncement from the EU Court of Justice, in a decision known as Schrems II, and the legal opinion extends the data war declared on the United States in the first Schrems decision. Interpreting these decisions together, European privacy regulators are beginning to suggest that there will be no practical manner of transferring EU data to the US that meets EU data privacy requirements.
If the Schrems II decision truly leads to a stoppage of data traffic from Europe, 1) this would be a logical conclusion to the dangerous, unnecessary and unprincipled arguments asserted in Schrems I, and 2) it could be disastrous to commerce between two of the world’s largest trading partners.
The Current Decision
Schrems II invalidated the EU/US Privacy Shield program that many US companies use to demonstrate compliance with EU data laws, leaving a scant few options within the control of U.S. companies wishing to serve EU customers – not all of them practical. And the court in Schrems II even raised significant questions on the legally authorized methods of transfer that remained.
Many company data transfers from the EU to the US are effectuated under the Standard Contract Clauses approved for foreign data access by the EU. While the court in Schrems II upheld these clauses as valid, it also threw a wrench in the works, demanding that exporting parties account for the relevant aspects of the data importer's legal system, in particular any access by public authorities to the data transferred. If the exporter cannot guarantee a level of data protection that would be approved by the EU, the exporter is required to terminate the transfer and may be required to terminate the entire contract with the receiving party.
So the EU court is forcing all data controlling businesses to assess the trustworthiness of the U.S. government before any relevant transaction. How does that work? The Court of Justice has specifically held that the US government can’t be trusted to keep its hands off of EU data, so are businesses supposed to find otherwise? Or do companies wait for their local Data Protection Authority to opine on the matter? In addition, the Court of Justice is requiring companies to breach their commercial contracts based on their evaluation – not just of the data protection regime of the contracting company – but of the U.S. government. Expect extensive litigation if this requirement is followed in real life (and EU regulatory attacks if it isn’t).
Who decides whether regular commerce can be conducted with the U.S. now that the Court of Justice has allowed for use of the Standard Contract Clauses, yet thrown shade on whether the behavior of the U.S. government may invalidate the effectiveness of the clauses? Keep in mind that, unlike the U.S., the EU has a broad and deep privacy-focused system of city, state, and national government bureaucracies that interpret and enforce the data laws. Already, some of these bodies are warning that Schrems II no longer allows transfers of data to the U.S., even under the Standard Contract Clauses.
The Data Commissioner in Berlin suggests that local companies storing personal data in the US immediately transfer the data to Europe and stop sending EU personal data to the US under current US law. The Hamburg data authority welcomed Schrems II's castigation of the U.S. and wrote that the Standard Contract Terms are as unsuitable as the Privacy Shield. The Dutch authority states that the clauses were ruled valid, but also notes they are only valid in places that adequately protect data under EU standards and the U.S. is not such a place. Even Ireland, where many U.S. tech companies are headquartered or have a significant corporate presence, saw its data protection commissioner question whether the Standard Contract Terms or other transfer mechanisms were still available for transfers to the U.S. OneTrust publishes a chart of EU Data Protection Authority reactions to Schrems II, complete with links, as does the IAPP.
Many of the various data protection authorities wrote in a more business-friendly and conciliatory tone, including the UK, which stands in a sort of legal data limbo in regard to EU policy after Brexit. But the logic of Schrems II is unavoidable: the U.S. government is willing and able to access private data, so EU data should not be placed in its clutches.
Shutting off all EU personal data access to the U.S. follows the clear logic of conclusions offered by the Court of Justice in its first Schrems decision back in 2015. The first Schrems decision killed the EU/U.S. safe harbor system, a leaner predecessor to the Privacy Shield, and while it did not specifically address other forms of data transfer to the U.S., the decision clearly condemned the U.S. government for aggressively protecting its ability to access personal data.
Schrems I was written in the aftermath of Edward Snowden’s disclosures about the depth of spying and data analysis performed by the United States government. The decision reads like the most intentionally boring temper tantrum ever put to paper. Buried deep in the midst of thousands of words of legal citation and analysis, the court found that the United States could not “ensure” that EU data residing in the U.S. would not be accessed for government reasons. It conceded that Mr. Schrems had no evidence that the NSA had accessed information about him, but noted that “Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.” The court threw out the data privacy safe harbor because it found the U.S. government could access data “beyond what was strictly necessary and proportionate to the protection of national security.”
This decision was troublesome on multiple levels. The court could easily have invalidated the safe harbor simply for not being enforced effectively – the safe harbor wasn’t – or for not providing EU citizens a practical appeal mechanism – the safe harbor didn’t. Decisions on these grounds would have restricted damage to only the safe harbor, which was quickly renegotiated to address some of these concerns. However, by speaking down from its high horse and judging the U.S. government’s anti-terrorism activity to be ‘significant over-reach’, the court essentially questioned any method of transferring data to the U.S. If the government of the United States is hell-bent on data over-reach, nothing a U.S. company could do in contract terms or binding corporate rules could counter this deficiency from a European perspective. So the natural conclusion would be that no personal data should flow from the EU to the U.S.
This logic is dangerous in that it threatens the core of billions of Euros of commerce between the EU and the U.S., and it is unnecessary because the same safe harbor invalidating result could have been reached based on a narrower set of reasons. It is also hypocritical and unprincipled because the security services of EU member countries were (and are) taking the same actions toward foreign (and probably local) data as the United States was taking. Immediately after the Schrems I decision was released, the French government enacted a new surveillance law similar to the USA PATRIOT Act that had so disturbed the EU Court of Justice.
According to Vox, the French law allows law enforcement to surreptitiously install keyloggers on suspects’ computers and “requires Internet service providers to install ‘black boxes’ that are designed to vacuum up and analyze metadata on the Web-browsing and general Internet use habits of millions of people using the Web and to make that data available to intelligence agencies.” And “the law allows the government to deploy what are called ‘IMSI catchers’ to track all mobile phone communications in a given area. These catchers are basically designed to impersonate cell towers, but they intercept and record communications data from phones within its range, and can also track the movements of people carrying the phones.” This is the very definition of collecting data indiscriminately 'beyond what is strictly necessary and proportionate to the protection of national security.'
According to Human Rights Watch, the French law provides little political oversight to police and vague triggers to its application. Sounds like “over-reach” to them, but apparently not to the EU Court of Justice, which has not questioned allowing personal data to be housed in France. I have not researched other EU member nation surveillance activities – from the UK’s millions of CCTV cameras to the Belgian general requirements for data to be held by providers for law enforcement – but I am certain dozens of examples could be mined of anti-terror (or even politically-based) surveillance that deeply resembles what the Court of Justice decries about the U.S. system.
So what is the end-game? If the EU stops allowing personal data transfers to the US, what happens to this data? Maybe Europe is moving toward a method to keep the data under its own control. Politico reports that Germany and France have launched a platform of trusted cloud providers called “Gaia-X”. “Launched in June with the backing of Berlin and Paris, Gaia-X is one of Europe’s most far-reaching attempts to assert ‘sovereignty’ over how its data is stored and protected.” The program seeks to “give EU companies an edge” over U.S. and Chinese cloud providers. 22 French and German companies and organizations are founding members of the project and they will write the project’s by-laws and policy rules.
While Gaia-X currently involves some non-EU based cloud providers, its function seems to be the promotion of home-grown solutions. The Schrems logic judging the U.S. inadequate on a standard the EU courts are unwilling to apply to its own governments may be the basis of building an EU-based cloud for EU information.
Maybe the EU just plans to invalidate negotiated agreements with the U.S. twice each decade and then replace them with something more to Europe’s liking. Maybe it simply hasn’t considered (or cared about) how law-abiding companies suffer when the EU changes the size and location of the goalposts at regular intervals during the match. Or maybe the EU just wants to build its own cloud industry with EU data and assistance from the regulators.
Data localization may be the next step.