The infamous Schrems II judgment issued by Europe’s highest court in July has certainly vexed international commerce, but it also has the potential to disrupt the intelligence-sharing consortium known as “Five Eyes.”
Formed in the wake of World War II to facilitate the sharing of intelligence information among the U.S., Canada, the U.K., Australia, and New Zealand, the alliance of five English-speaking countries likely faces an uphill challenge to declare a new sort of “Victory in Europe” more than seven decades later.
The July 16 judgment from the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, a popular mechanism for transferring personal data from the EU to the U.S., and imposed new obligations on those who incorporate specific contractual language (known as standard contractual clauses, or SCCs) in agreements to transfer data from the EU.
The crux of the problem, according to the court, is that U.S. law fails to offer a level of protection “essentially equivalent” to that afforded by EU law, which requires both “minimum safeguards” (so that individuals have sufficient guarantees to protect their personal data against the risk of abuse) and a right to an effective remedy. Given the breadth and scope of U.S. surveillance, the U.S. comes up short on both fronts, the CJEU held.
But if information collected by U.S. intelligence is shared with Canada and New Zealand, for example, and if those countries in turn share their intelligence with the U.S., how can Canada and New Zealand continue to be regarded as “adequate” countries under Art. 45 of the General Data Protection Regulation (GDPR)?
Something’s gotta give.
Rohan Massey, who heads the Data, Privacy, and Cybersecurity practice at Ropes & Gray, says the tension arises from applying a single EU law — the General Data Protection Regulation — to both commercial activity and intelligence activity. And even though the GDPR expressly exempts the EU’s own intelligence activity from its scope, intelligence gathering by other countries is fair game.
“There’s no way an organization can know what its nation-state is doing on the infrastructure that it has,” says Massey. “And yet Schrems II seems to say that that’s what you’re supposed to understand and know in order to protect the data.”
Data-sharing among the Five Eyes alliance was not addressed by the CJEU, but a U.S. government white paper — issued jointly by the Department of Commerce, the Department of Justice, and the Office of the Director of National Intelligence — notes that the U.S. “frequently shares intelligence information with EU Member States ... [which] undoubtedly serves important EU public interests by protecting the governments and people of the Member States.”
Indeed, as Massey rhetorically asks, “What politician wishes to stand in front of a church where someone has been beheaded and say we could have stopped this tragedy had we used information gathered by other governments, but we said no?”
With the U.K. officially scheduled to leave the EU at the end of the year, the fate of its own adequacy decision is questionable, given the scope of U.K. surveillance.
Of course, all adequacy decisions (save Japan’s) predate the GDPR, so it’s likely that all are due for a reassessment. In fact, the European Commission has already stated (following the Schrems I judgment) that it would, “on an ongoing basis, monitor developments, both in law and in practice, that could affect the functioning of [adequacy] decisions, including developments concerning access to personal data by public authorities” (see Implementing Decision 2016/2295/EU), so there’s a good chance that the Commission will issue a similar statement responsive to Schrems II.
It’s conceivable, therefore, that all adequacy decisions — not just those pertaining to countries in the Five Eyes alliance — are vulnerable.
Tania Goatley, a partner at Bell Gully in Auckland, confirms that New Zealand’s adequacy status is soon to be reviewed. “New Zealand’s recently enacted Privacy Act 2020 puts in place some additional privacy protections which the Commission is likely to view favorably,” she says. “These include the new data breach notification regime and the introduction of Information Privacy Principle 12, which requires that personal information being sent offshore be subject to comparable privacy safeguards as those that apply in New Zealand.”
Goatley notes, however, that “the Schrems II decision does give rise to some additional concern that European regulators are taking a narrower view of what will constitute adequate protection and ‘essential equivalence’ with EU law — particularly where the country in question allows significant law enforcement access to personal data and limited individual redress against national intelligence agencies.”
She concludes that the sharing of intelligence data among the Five Eyes alliance “is likely to be considered by the European Commission in its review of existing and future adequacy decisions, although the weight to be placed on this consideration remains uncertain.”
Recommendations published on Nov. 10 by the European Data Protection Board (EDPB) elaborate on the “European Essential Guarantees” (EEG), which are elements to consider when determining whether surveillance measures in a foreign country can be regarded as a “justifiable interference” with fundamental rights. The EEG Recommendations clarify that such measures can be justified, provided: (1) they are based on clear, precise and accessible rules; (2) they are necessary and proportionate to protect the rights and freedoms of others; (3) they are subject to an effective, independent, and impartial oversight system; and (4) they offer an effective legal remedy for individuals.
While the EEG Recommendations do not address adequacy decisions per se, the EDPB published complementary guidance the same day. That guidance principally discusses the assessment of appropriate supplementary measures to protect data transferred under GDPR Art. 46, but it also expressly states that data exporters must continue to monitor whether adequacy decisions are revoked or invalidated.
Massey anticipates that countries will remain adequate so long as data subjects have concrete privacy protections and a right of judicial redress; any regime meeting that threshold should provide a sufficient level of comfort to EU authorities.
In the meantime, however, commercial data flows will continue, and intelligence information will be shared. “We must be pragmatic,” says Massey. “We’ve built global commerce via electronic data transfers, and it’s impossible to restructure the internet in such a way as to prevent those transfers from crossing borders.”
The new “VE Day” will likely be the day the CJEU recognizes that fact.
Access additional analyses from our Bloomberg Law 2021 series here, including pieces covering trends in Litigation, Transactions & Markets, the Future of the Legal Industry, and ESG.