More than a year after the invalidation of the EU-U.S. Privacy Shield, trans-Atlantic data flows are still in choppy waters. Reliance on standard contractual clauses (SCCs) as the next best alternative has been fraught with challenges, not the least of which has been the European Commission’s adoption of new SCCs, triggering a host of time-sensitive updates. Do calmer waters lie ahead?
Yes, if a new Privacy Shield is adopted. Version 2.0 has been in the works since the Court of Justice of the European Union (CJEU) sank the original Privacy Shield in its Schrems II decision. Although the Biden Administration announced an effort to “intensify” negotiations with the European Commission back in March, no additional announcement has been made publicly.
The U.S. Chamber of Commerce, however, made a splash in late September by posting a full-page ad in the Washington Post, highlighting five of its 13 reasons for wanting the U.S. to enter into a new agreement with the EU. Although the ad urges the U.S. and the EU to finalize a new agreement that provides “legal certainty,” legal certainty is something that has proven elusive thus far.
Arguably, a new agreement will not be “Schrems-proof,” for Max Schrems himself will likely challenge the next iteration of the data transfer framework, just as he successfully challenged both the U.S.-EU Safe Harbor (R.I.P. 2015) and the EU-U.S. Privacy Shield (R.I.P. 2020).
The real test instead is whether a Privacy Shield 2.0 could be CJEU-proof. For that to happen, the agreement would need to allay the two principal concerns raised in the Schrems II decision: U.S. federal law and the right of redress.
Regarding U.S. law, the CJEU in 2020 specifically took issue with:
- Section 702 of the FISA Amendments Act of 2008 (50 U.S.C. § 1881a), which authorizes the U.S. Attorney General and the Director of National Intelligence to implement surveillance programs with the assistance of electronic communication service providers;
- Executive Order 12333 (E.O. 12333), which authorizes intelligence collection by a number of federal departments and agencies; and
- Presidential Policy Directive 28 (PPD-28), which establishes principles for conducting signals intelligence, i.e., the collection of foreign intelligence from communications and information systems.
The CJEU’s Schrems II decision concluded that neither Section 702 nor E.O. 12333, read in conjunction with PPD-28, “correlates to the minimum safeguards resulting … from the principle of proportionality.” It also held that neither PPD-28 nor E.O. 12333 grants EU citizens rights actionable in the courts against U.S. authorities.
The proportionality principle―referenced in Article 52(1) of the EU’s Charter of Fundamental Rights―permits limitations on the exercise of fundamental rights “only if they are necessary and genuinely meet objectives of general interest … or the need to protect the rights and freedoms of others.” The U.S. legal regime did not satisfy the principle of proportionality because, according to the court, it allows for the bulk collection of personal data.
The right of redress, described in Art. 47 of the Charter, affords individuals “the right to an effective remedy before a tribunal,” as well as a hearing before an “independent and impartial” body. The Privacy Shield’s creation of an ombudsperson as an oversight and compliance mechanism failed to satisfy Art. 47, according to the court, because the ombudsperson was neither an independent body nor an adjudicatory tribunal.
Thus, to satisfy the CJEU, a new Privacy Shield must be able to set forth a framework “essentially equivalent” to the protections afforded EU citizens in the Charter. Or, in other words, a framework that limits surveillance to what is strictly “necessary” to protect the rights and freedoms of others from terrorist and criminal threats, yet still provides a means for affected individuals to seek judicial redress.
Could such a framework be accomplished?
Rob Corbet, a partner with Dublin-based Arthur Cox, thinks so. He recently told me that the CJEU has left “just enough room for manoeuvre” that a breakthrough is possible.
Admittedly, the prospect of Congressional action is slim, so Section 702 will likely remain as is. But the Biden Administration certainly has at its disposal its tool of choice: the executive order. (President Biden has already issued 66 executive orders in the first nine months of his presidency, not counting 65 other pronouncements classified by the Executive Office of the President as “Memoranda, Notices, or Presidential Orders.”)
With the power of the pen, the Biden Administration could craft a new executive order that amends (or rescinds) the provisions of E.O. 12333 and PPD-28 that the CJEU finds most troubling. And the administration could craft a new “tribunal” that would afford EU citizens a level of protection “essentially equivalent” to that guaranteed by Art. 47 of the Charter.
While some may question whether the president has the power to create a new tribunal under Art. II of the U.S. Constitution, so-called “Article II courts” have been created in the past. See, for example, Professor David Bederman’s Mercer Law Review article on Article II courts, where he notes that such courts have been established pursuant to the president’s war-making powers, principally in occupied territories in the wake of armed conflict.
While the exercise of such powers in the context of international data transfers is undoubtedly an open question, who would raise it? Max Schrems?
Granted, an Article II tribunal may not provide “legal certainty,” constitutionally speaking, but it would afford data subjects like Schrems “the right to an effective remedy before a tribunal” and therefore assuage the concerns of the CJEU.
Once trans-Atlantic transfers secure “fair winds and following seas,” the pond, at least, should be more navigable. But businesses will still need to monitor the barometric pressure until bilateral negotiations are replaced with multilateral ones, ushering in a global solution that satisfies commerce across the world.
Access additional analyses from our Bloomberg Law 2022 series here, including pieces covering trends in Litigation, Regulatory & Compliance, Transactions & Contracts, and the Future of the Legal Industry.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.