Both sides must learn to live with the present impasse over transatlantic data transfers.
It’s time to end the charade and stop U.S.-EU negotiations toward a successor to “Privacy Shield.” Instead, both sides must learn to live with the present impasse over transatlantic data transfers and seek progress in other areas as they wait for European judges to reconsider their hard line.
Despite the European Court of Justice’s July 2020 “Schrems II” ruling that declared Privacy Shield illegal, the United States will not change its national security laws and practices. Nor can the European Commission agree to less than the demands made by the continent’s top court. The only true resolution to this conundrum is for European judges to review the issue (or a similar case, perhaps related to China or Russia) and bring a rule of reason to what now stands as an almost theological finding on the “fundamental right” to “data protection.”
No one will like this idea. The U.S.-EU $6 trillion relationship depends on enormous flows of personal data across the Atlantic Ocean. Both sides believe that a replacement for Privacy Shield is essential, especially as Washington and Brussels seek to revive a transatlantic economic relationship stressed by four years of Donald Trump.
Yet the split over Privacy Shield eludes a quick solution. The data dispute could overshadow the inaugural meeting of the Trade and Technology Council (TTC) on September 29 in Pittsburgh, which could otherwise help the two sides move forward on a number of other issues, possibly even resolving the “national security” tariffs Trump slapped on imports of steel and aluminum.
The United States does not understand why the two sides cannot just “tweak” Privacy Shield. Why not just find a new approach to grant Europeans redress should they believe U.S. law enforcement agencies have abused their personal data, Americans ask. Typically, at the September 7 Digital Summit in Tallinn, U.S. Commerce Secretary Gina Raimondo argued the two sides should be able to reach agreement as they have “compatible” approaches to privacy. American officials point out that even the European Fundamental Rights Agency acknowledges that the United States enforces more controls over its intelligence agencies than many EU member states.
But Raimondo’s counterpart, Commission Executive Vice President Dombrovskis, demurs; Privacy Shield is not on the TTC agenda, he insists. As the responsible EU official, Bruno Gencarelli, explains, the only resolution is to “have an arrangement that is fully aligned with the judgements set by the Court of Justice in the Schrems II document.”
That means, the EU insists the U.S. must change its laws. In its judgement, the European Court avers in paragraphs 178-185 that Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (which allows the National Security Agency to access data flows “in transit” through the United States) give U.S. law enforcement and intelligence agencies too much power to access personal data of Europeans held by U.S. companies. The judges further state that, in light of these findings, “standard contract clauses” and other mechanisms are insufficient to protect European data in the United States (paragraphs 93, 99, 101 and 105), and that the responsible EU and member state supervisory authorities have an obligation to “suspend or prohibit” transfers of personal data to the United States (paragraph 121).
This is heady stuff. Even if the Court insists that its ruling does not create a “legal vacuum” because firms can always use “derogations” to allow individual transfers, the European Data Protection Board argues that this practice should only be used exceptionally.
Fortunately, no European data protection supervisor has yet ordered a company to stop sending personal data to the United States and no local court has been put in the position of upholding such an order. Indeed, European data protection supervisors seem to be ignoring the Schrems II ruling, as they have taken no steps to assess the “democratic controls” constraining the ability of the Russian, Chinese, Turkish, or even Israeli government to access personal data sent to their territories. (Israel benefits from a pre-Schrems finding that its data protection practices are “adequate.”) But the supervisors are being pressed to be more assertive in their enforcement, and it is only a matter of time before they act.
The U.S. government and even the European Commission have tried to argue for a rule of reason. Despite the powers the U.S. government has under the law, it can only access personal data with a court order. And companies that have signed on to Privacy Shield will continue to adhere to the obligations they’ve undertaken.
In the end, the clarity of the European Court decision makes it impossible for those negotiations to succeed unless the United States changes its law and practice, which it won’t.
At the same time, enforcing a prohibition on data transfers to the United States (and other countries that pry aggressively into personal data) would bring the European economy – and maybe even society – to a grinding halt. This potential Armageddon may be the only thing capable of convincing Europe’s top court that it needs to be a bit more judicious, and a bit less fundamentalist, in its protection of Europeans’ fundamental rights.
Peter H. Chase, is a former American diplomat and Senior Fellow, German Marshall Fund of the United States.
Photo: U.S. Coast Guard Chief Warrant Officer DeAnna Melleby, Information Systems Security Officer for the Coast Guard Command, Control, Communication and Information Technology unit at Coast Guard Base Boston, peers through a space in a server April 20, 2017. Melleby and her team have a number countermeasures they use to keep the Coast Guard computer network secure, including a 'sniffer' program that identifies when USBs or cell phones are plugged into the system. Credit: U.S. Coast Guard photo by Petty Officer 3rd Class Andrew Barresi
September 29, 2021