Cross-Border Data Transfers Between The EU
2021 Santa Clara Journal of International Law 19:2
This article deals with the clash between the European and American approach to
transborder data flows. In the last decades, the discourse has been that the U.S. offers a
market-dominated approach while the EU was embedded in a right-dominated policy.
General Data Protection Regulation (GDPR) restricts data transfers outside the EU. An
analysis of the meaning of the level of adequate protection of a non-EU country is
necessary to transfer data beyond the EU. The Court of Justice of the European Union has
invalidated the Privacy Shield agreement to transfer commercial data from the European
Union to the United States, leaving transatlantic data transfers in a current predicament.
Safe Harbour Principles previously and Privacy Shield recently have been read according
to EU data protection law, in particular the General Data Protection Regulation in
combination with the European Charter of Fundamental Rights. The landmark Schrems II
judgement is assessed to point out current available options to transfer data from the
European Union to the United States and also several implications on cross-border data
flows beyond the EU-U.S. relationship.
* RCC Postdoctoral Fellow at the Harvard Law School Institute for Global Law and Policy.
PhD in Law Complutense University (Madrid). LL.M. College of Europe (Brugge).
2021 Cross-Border Data Transfers Between the EU and the U.S. 19:2
TABLE OF CONTENTS
II. GDPR OPTIONS
A. Obtaining an Adequacy Decision
i. International Commitments
IV. CONCLUSION
1 See Daniel Castro & Alan McQuinn, Cross-Border Data Flows Enable Growth in All
Industries, INFO. TECH. & INNOVATION FOUND. (Feb. 2015), http://www2.itif.org/2015-cross-border-data-flows.pdf.
2 See Press Release, Department of Commerce, U.S. Secretary of Commerce Wilbur Ross
Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows (July 16,
2020), https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and.
3 Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data, O.J. (L 281) [hereinafter Data Protection Directive].
4 See Joshua P. Meltzer, Examining the EU Safe Harbor Decision and Impacts for
Transatlantic Data Flows, BROOKINGS INST. (Nov. 3, 2015), https://www.brookings.edu/testimonies/examining-the-eu-safe-harbor-decision-and-impacts-for-transatlantic-data-flows/.
5 See Graham Greenleaf, 'European' Data Privacy Standards Implemented in Laws Outside
Europe, 149 PRIVACY LAWS & BUS. INT'L REP. 1 (2017), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3096314 (14 of 20 GDPR countries selected outside Europe
have restrictions on data exports based at least in part on the laws of the recipient country).
persons plus to remove obstacles of data flows throughout the EU. 6 Therefore,
the GDPR establishes free flow of personal data in the geographical space of
the EU (and EEA). 7 Some scholars even go further suggesting that data flows
should be the fifth freedom of the internal market.8 The GDPR model is within
the framework of a particular international organization with aims of political
union.
6 Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April
2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data
and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data
Protection Regulation), 2016 O.J. (L 119) 1.
7 See General Data Protection Regulation art. 1(3) [hereinafter GDPR]. The principle of free
movement of data within the Union for non-personal data is established in Regulation (EU)
2018/1807, subject to restrictions on public security reasons. See Regulation (EU)
2018/1807, of the European Parliament and of the Council of 14 November 2018 on a
Framework for the Free Flow of Non-Personal Data in the European Union, 2018 O.J. (L
303) 59; see also PEDRO A. DE MIGUEL ASENSIO, CONFLICTS OF LAWS AND THE INTERNET
128 (2020).
8 See OLIVIER LINDEN & ERIK DAHLBERG, KOMMERSKOLLEGIUM NAT'L BD. OF TRADE
SWEDEN, DATA FLOWS - A FIFTH FREEDOM FOR THE INTERNAL MARKET?, 25-29 (2016),
https://www.kommerskollegium.se/globalassets/publikationer/rapporter/2016/publ-data-flows.pdf.
9 See GDPR, supra note 7, arts. 44-50.
10 There are no specifications in the Gramm-Leach-Bliley Act. The California Security
Breach Notifications Law and the California Online Privacy Protection Act do not
address the use of data transfer agreements. Although a regulator may have audit powers to
ensure compliance with the Health Insurance Portability and Accountability Act, there is no
need to approve a data transfer agreement.
11 Samuel Gibbs, Gmail Does Scan All Emails, New Google Terms Clarify, THE GUARDIAN
(Apr. 15, 2014), https://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify.
12 Greenleaf, supra note 5, at 2. (China, Brazil and Saudi Arabia are part of the G-20 that do
not have privacy laws meeting OECD standards. Only 4 countries of the 13 non-European
countries in the G20 are in this category).
with privacy is that private data flows too easily-that it too easily falls out of
the control of the individual." 13 According to the property perspective, privacy
tools will be more developed if users would pay for protecting privacy. In a
comparison with copyright, copyright holders (such as Hollywood industry in
the U.S.) pay to get protection.14 Privacy may not be as well protected as
copyright because American society does not "invoke the rhetoric of
property to defend incursions into privacy."15
22 See Julia Carrie Wong, The Cambridge Analytica Scandal Changed the World - But it
Didn't Change Facebook, THE GUARDIAN (Mar. 18, 2019),
https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook ("It took five full days for the founder and
CEO of Facebook - the man with total control over the world's largest communications
platform - to emerge from his Menlo Park cloisters and address the public. When he finally
did, he did so with gusto, taking a new set of talking points").
23 CONSENT Act, S. 2639, 115th Cong. § 2 (2018).
24 Privacy Bill of Rights Act, S. 1214, 116th Cong. (2019).
25 Consumer Online Privacy Rights Act, S. 2968, 116th Cong. (2019).
Part II turns to the options that the General Data Protection Regulation
allows to transfer data to a non-EU country. Chapter V of the GDPR together
with the first case on Schrems v. Facebook is analyzed. It broadens the lens to
the first jurisprudence from the Court of Justice of the European Union,
considering the particular challenges of adequacy decisions issued by the
European Commission. Moreover, it assesses the importance of international
commitments by the example of the Council of Europe Modernized
Convention 108, to which non-European countries have committed. A
consideration of the meaning between the EU equivalent level of protection
and an appropriate level of protection is necessary to think about the situation
of the United States in the aftermath of the Schrems II decision by the Court
of Justice of the European Union on July 16, 2020. This part recalls the
Commission's warnings on the Safe Harbour Principles, the predecessor
mechanism of the Privacy Shield for transferring data from the European Union to
the United States. An in-depth analysis of the Court of Justice of the European
Union in Schrems I on 6 October 2015 reveals that the causes for Safe Harbour
Principles invalidation were not commercial, but related to surveillance
matters, which was not assessed by the European Commission during the
negotiations of the first agreement. The study of provisions of the European
Charter of Fundamental Rights in previous cases is key to understanding the
development of the Court of Justice of the European Union reasoning.
Furthermore, the common contractual alternative of standard contractual
clauses is explained, considering the clarifications of the most recent case
Schrems II.
Part III examines the issues of the invalidation of the Privacy Shield
in detail. It contrasts different previous opinions on the compatibility between
the U.S. and EU law. It explains the absence of compatibility between the
United States and the European Union law, considering the specific U.S. laws
which are problematic from a fundamental rights approach, with special
attention to surveillance programmes and their underlying legal basis. The
proportionality principle is expanded to consider non-legal reasons such as
the intelligence collaboration between the United States and the Member
States of the European Union. Specific risks regarding cross border transfers
to the U.S. arise for non-U.S. citizens, in particular the absence of means of
effective redress, despite the improvements of U.S. laws like the FREEDOM
Act and the Judicial Redress Act. Moreover, it also analyzes the significance
of independence of the Privacy Shield Ombudsperson in relation to the
European legal context and previous case. This part includes an explanation
of the current available options to transfer data from the European Union to
the United States and points out further consequences for international
agreements beyond the EU-U.S. relationship.
28 See Henry Farrell, Negotiating Privacy Across Arenas: The EU-U.S. "Safe Harbor"
Discussions, in COMMON GOODS: REINVENTING EUROPEAN AND INTERNATIONAL
GOVERNANCE 101, 105-26 (Adrienne Héritier ed., 2002).
29 THE WHITE HOUSE, A Framework for Global Electronic Commerce,
https://clintonwhitehouse4.archives.gov/WH/New/Commerce/read.html (last updated
1997).
30 Id.
31 See Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 VAND. L. REV. 1609
(1999); Joel R. Reidenberg & Francoise Gamet-Pol, The Fundamental Role of Privacy and
Confidence in the Network, 30 WAKE FOREST L. REV. 105, 113-14 (1995).
32 Compare 1997 Vice President of American Express, "We believe that government
regulation of privacy on the Internet and other online areas is very risky given the rapid
changes in this new technology." Peggy H. Haney, Case Study of American Express'
Privacy Principles: Why and How They Were Adopted, the Choices Involved and a Cost-
Benefit Analysis, in PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE 209, 213
(U.S. Dep't of Commerce ed., 1997), https://www.ntia.doc.gov/page/chapter-6-corporate-experiences-privacy-self-regulation.
33 Tony Romm, Amazon, Apple, Facebook and Google Grilled on Capitol Hill over Their
Market Power, THE WASHINGTON POST (July 29, 2020),
https://www.washingtonpost.com/technology/2020/07/29/apple-google-facebook-amazon-congress-hearing/.
associated identifier for the device. However, if U.S. are California residents,
they enjoy some rights, like the right of deletion under the CCPA.
Some privacy policy clauses only warn the user that by using our
websites and mobile applications, you consent to the transfer to, the
processing and storage of your information in, countries outside of your
country of residence, which may have different data protection laws than
those in the country in which you reside.34 The residence of the user does not
seem the only factor to take into account. Therefore, these websites gather
data without offering the option to consent or opt out; basically, the clauses are
unilateral provisions that users or consumers are not able to negotiate, with the
handicap that it is not clear at all which law is applicable to the personal data
of the user. The destination of personal data and any further guidance to the
user may be absent from the privacy policy.
The connecting factors for the application of the GDPR are offering
goods or services to data subjects in the EU or monitoring their behavior in
34 See, e.g., Target's privacy policy before July 1, 2020, which said: "We are based in the United
States. When we obtain information about you, we may transfer, process, and store such
information in the United States and other countries. By using our websites and mobile
applications, you consent to the transfer to, and to the processing and storage of your
information in, countries outside of your country of residence, which may have different
data protection laws than those in the country in which you reside." The latest version has
deleted this information (last visited Aug. 16, 2020), https://www.target.com/c/target-privacy-policy/-/N-4sr7p?Nao=0#ContactTarget.
35 See Adil Nussipov, How America and Europe Deal with Data, CMDS (Jan. 7, 2020),
https://cmds.ceu.edu/article/2020-01-07/how-america-and-europe-deal-data.
36 Id.
The CJEU has confirmed that the high level of protection of natural
persons guaranteed by the GDPR is not undermined abroad,43 in particular,
protection of personal data concerning natural persons that are citizens or
residents in the EU.
If social and economic values in the U.S. and the EU are different
(liberal approach and social protection), we should ask ourselves how
37 Regulation (EU) 2016/679 (General Data Protection Regulation), 2016 O.J. (L 127),
Article 3(2).
38 The effect test comes from competition law, see Julia Hornle, Juggling More than Three
Balls at Once: Multilevel Jurisdictional Challenges in EU Data Protection Regulation, 27
INT'L J. L. & INFO. TECH. 142, 164 (2019).
39 Id. at 165.
40 See Jennifer Daskal, Transnational Government Hacking, 10 J. L. NAT'L SEC. L. &
POLICY 677, 682 (2020) ("In restricting the transfers of data outside the EU absent a finding
of adequate data protection safeguards, the EU, for example, presumes that location of data
(whether in or out of the EU) dictates control.").
41 See CHRISTOPHER KUNER, TRANSBORDER DATA FLOWS AND DATA PRIVACY LAW 123
(2013).
42 Id. at 160.
43 See Case C-362/14 Maximilien Schrems v. Data Protection Commissioner [2015]
EU:C:2015:650 [hereinafter Schrems I]; Case C-311/18 Data Protection Commissioner v.
Facebook Ireland Ltd, Maximilien Schrems [2020] EU:C:2020:559 [hereinafter Schrems
II]. See also CJEU, Opinion 1/15, Draft Agreement Between Canada and the European
Union, (July 26, 2017) EU:C:2017:592 (invalidating the Agreement between Canada and
the European Union on the transfer and processing of Passenger Name Record data).
different they are and if it would be possible to further them without conflict.
We should recognize that culture exerts influence on both sides of the Atlantic, and
admit legal pluralism as a viable solution, taking into account that there is
no international aspiration of becoming a political union. We need to
consider the basis of philosophical values in common such as democracy, the
rule of law, liberty, justice and solidarity in order to propose a more realistic
and effective approach to data flows.
The requirements for a third country to comply with are the core
principles of data privacy: purpose limitation principle, data quality principle,
proportionality principle, transparency principle and security principle.55 In
addition, onward transfers from the third country must also comply with the
52 Reidenberg, supra note 17, at 1337 ("In the absence of comprehensive data protection
legislation, the full range of internationally-recognized principles for fair information
practice may be hard to satisfy; narrow, sectoral laws, policies, ad hoc protections and
practices typically ignore key elements of the First Principles.").
53 EU Commission, Adequacy Decisions, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (last visited June
15, 2020) (Adequacy talks are ongoing with South Korea).
54 See Agreement Between the United States of America and the European Union on the
Use and Transfer of Passenger Name Records to the United States Department of
Homeland Security, EU-U.S., Dec. 14, 2011, T.I.A.S. No. 12-701.
55 See Data Protection Working Party, Working Document (WP 12) of 24 July 1998 on
transfers of personal data to a third country. (DG XV D/5025/98).
principles. 56 Moreover, the data subject should have the right to access all data
concerning him and the right to rectification and opposition.
i. International Commitments
62 See Julian Wagner, The Transfer of Personal Data to Third Countries Under the GDPR:
When Does a Recipient Country Provide an Adequate Level of Protection?, 8 INT'L DATA
PRIVACY L. 318, 327 (2018).
63 See generally Graham Greenleaf, A World Data Privacy Treaty? Globalisation and
Processing of Personal Data art. 3, Sep. 28, 1981, European Treaty Series - No. 108
[hereinafter Modernised Convention 108]; see also Proposal for a Council Decision
authorizing Member States to sign, in the interest of the European Union, the Protocol
amending the Council of Europe Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data (ETS No. 108) COM/2018/449 final - 2018/0237
(NLE), Brussels, 5.6.2018.
65 GDPR, art. 57 (1)(a).
66 GDPR, art. 57 (1)(f).
On the contrary, in the light of Article 8(3) of the Charter and article
28(3) of the Data Protection Directive where the national supervisory
authority considers that the person's claim is well founded, the supervisory
authority must be able to engage in legal proceedings.71 As a result,
supervisory authorities must have legal capacity to be part of legal
proceedings and bring the well-founded objections before national courts to
enable them to ask the CJEU for a preliminary ruling if required.
The consequences are crucial because when the claimant contends that
the law and practices in force in the third country do not ensure an adequate
level of protection and brings a claim before the national supervisory
authority, the supervisory authority must examine the claim, irrespective of
the existence of a Commission decision regarding the compatibility with the
data transfers from the EU to a third country.72 The right to private life, the
right to data protection and the right to an effective remedy are fundamental
rights under the EU Charter, enlightening the interpretation of personal data
rules. In the Schrems I case, the repealed Directive on data protection was read
together with articles 7, 8 and 47 of the EU Charter. This jurisprudence is alive
and applicable in regard to the section of the GDPR concerning data transfer
beyond the EU.73
74 Opinion 1/99 of the Working Party on the Protection of Individuals with Regard to the
Processing of Personal Data Concerning the Level of Data Protection in the United States
and the Ongoing Discussions Between the European Commission and the United States
Government (Jan. 26, 1999), https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/1999/wp15_en.pdf.
75 Without ex-ante verification from the FTC. See FAQ 6, Commission Decision of 26 July
2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequacy of the protection provided by the Safe Harbour privacy principles and related
frequently asked questions issued by the US Department of Commerce, 2000/520/EC, OJ, L
215/7 (Jul. 25, 2000).
76 Commission Decision 2000/520, annex I, 2000 O.J. (EC).
77 Shara Monteleone & Laura Puccio, From Safe Harbour to Privacy Shield: Advances and
Shortcomings of the New EU-US Data Transfer Rules, at 6 (Jan. 2017). Other enforcement
is undertaken by the US Department of Transportation for members who are subject to its
jurisdiction. See Damon Greer, Safe Harbour a framework that works, 1 INTERNATIONAL
DATA PRIVACY LAW, 143, 146 (2011).
78 See Article 29 Data Protection Working Party, Opinion 4/2000 on the level of protection
provided by the "Safe Harbor Principles," adopted on May 16, 2000, CA07/434/00/EN WP
32.
79 Resolution of 4 July 2013 on the US National Security Agency Surveillance Programme,
Surveillance Bodies in Various Member States and Their Impact on EU Citizens' Privacy,
2016 O.J. (C 075) 14.
80 Communication from the Commission to the European Parliament and the Council on
Rebuilding Trust in EU-US Data Flows, 2013 O.J. (C 846); Communication from the
were opaque, which affected the enforceability by the FTC. Second, there was
no follow-up of the validity of the SH certification by the U.S. Department
of Commerce. Third, the mechanism lacked means of redress for European
citizens once the data were transferred to the U.S. Interestingly, the first
implementation report of the functioning of SH by the European Commission
on 20 October 2014, also found that the privacy policies concerned were
not publicly accessible and that there was a lack of FTC enforcement, and it questioned
third party dispute resolution mechanisms. The justification for not renewing
the certification of 20% of companies was that "employees responsible for
managing Safe Harbour compliance have left the organization without a
transfer of duties to new personnel."81 What type of commitment to privacy
do organizations have that do not continue with the self-certification method
based on self-assessment?82 Considering that the cost of not complying with
privacy law was larger than the cost of complying with data protection law,83 it seems
odd that companies do not train their employees to comply with privacy law.
Some initial skepticism arose regarding the attitude of U.S. companies about how
global businesses operate with privacy laws.84
Commission to the European Parliament and the Council on the Functioning of the SH
From the Perspective of EU Citizens and Companies Established in the EU, 2013 O.J. (C
847).
81 Greer, supra note 77, at 147.
82 See FAQ 7, Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the adequacy of the protection provided by the
Safe Harbour privacy principles and related frequently asked questions issued by the US
Department of Commerce, 2000/520/EC, OJ, L 215/7 (Jul. 25, 2000).
83 See Ponemon Institute, Cost of Compliance: Benchmark Study of Multinational
Organizations 2 (Jan. 2011),
https://www.ponemon.org/local/upload/file/TrueCost_of_ComplianceReport_copy.pdf
($9.4 million versus $3.5 million).
84 See Mary E. McIntire, How a Law Seminar Inspired a Student to Bring a Case to
Europe's Top Court, THE CHRONICLE OF HIGHER EDUCATION (Oct. 7, 2015),
https://www.chronicle.com/article/How-a-Law-Seminar-Inspired-a/233682.
85 Greer, supra note 77, at 145.
86 See Greer, supra note 77, at 144.
87 Schrems I, supra note 43, ¶ 96.
88 Joe McNamee, Fifteen Years Late, Safe Harbor Hits the Rocks, EUROPEAN DIGITAL
RIGHTS (Oct. 6, 2015), https://edri.org/safeharbor-the-end/ ("In reality, however, the case
is much deeper than 'just' mass surveillance. The European Commission has never had the
political courage to recognize that Safe Harbor was never safe.").
89 See Letter from Fred H. Cate, Robert E. Litan, Joel R. Reidenberg, Paul M. Schwartz &
Peter P. Swire to David L. Aaron, Undersecretary for International Trade, U.S. Dep't of
Com. (Nov. 17, 1998), https://cseweb.ucsd.edu/~goguen/courses/268D/agre.safe.html.
90 Schwartz, supra note 31, at 1699.
91 See European Parliament resolution of 12 March 2014 on the US NSA surveillance
programme, surveillance bodies in various Member States and their impact on EU citizens'
fundamental rights and on transatlantic cooperation in Justice and Home Affairs
(2013/2188(INI)), OJ 2017, C 378/104, (Nov. 2017).
92 EUROPEAN COMM'N, FIRST REPORT ON THE IMPLEMENTATION OF THE DATA
PROTECTION DIRECTIVE (95/46/EC) 18-19 (May 15, 2003).
93 Lee A. Bygrave, Privacy Protection in a Global Context: A Comparative Overview, 47
SCANDINAVIAN STUDIES IN LAW 319, 346 (2004).
94 See EUROPEAN COMM'N, supra note 92, at 11.
Thus, the territorial scope of the Charter should be the same as the
GDPR, as this is a European Regulation.112
The CJEU did not analyze the SH principles, but the fact that they
were only binding the self-certified private entities, and not public authorities
was noted as a gap of the mechanism.116 The adequate level of protection is
measured only in relation to what was considered in the Decision 2000/520.117
Thus, the CJEU did not consider any development in U.S. law. But, should
the CJEU judge U.S. law, a conflict of jurisdiction starts, so Judge Lenaerts is
111 See Christopher Kuner, Reality and Illusion in EU Data Transfer Regulation Post
Schrems, GERMAN L. J. 881, 893 (2017).
112 See Violeta Moreno-Lax & Cathryn Costello, The Extraterritorial Application of the EU
Charter of Fundamental Rights: From Territoriality to Facticity, the Effectiveness Model,
in THE EU CHARTER OF FUNDAMENTAL RIGHTS: A COMMENTARY 1657 (Steve Peers et al.
eds., 2014); Case C-617/10, Aklagaren v Akerberg Fransson, 2013 C.J.E.U. ¶ 21.
113 BRUCE SCHNEIER, DATA AND GOLIATH 64 (2015).
114 Communication from the Commission to the European Parliament and the Council on
the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies
Established in the EU, at 16, COM (2013) 847 final (Nov. 27, 2013).
115 Id. at 17.
116 Schrems I, supra note 43, ¶ 82.
117 Schrems I, supra note 43, ¶ 83.
right when he states: "we are not judging the U.S. system here, we are judging
the requirements of EU law in terms of conditions to transfer data to third
countries, whatever they be."118 However, the judgment recognizes that the
Decision 2000/520 establishes a primacy of U.S. law over EU law, in
particular national security, public interest, or law enforcement requirements,
so self-certified United States organisations are "bound to disregard those
principles without limitation where they conflict with those requirements and
therefore prove incompatible with them."119
In U.S. law there was a distinction between crime and espionage.125
On the one hand, the investigation of crimes needs to follow the procedures under the
Electronic Communications Privacy Act (ECPA).126 ECPA is a federal law
that requires court orders to start surveillance in order to uncover a crime. On
the other hand, the Foreign Intelligence Surveillance Act (FISA)127 regulates
espionage and how U.S. agencies gather foreign intelligence information
within the U.S.128 Although court orders are needed and are granted by a
special federal court, the Foreign Intelligence Surveillance Court (FISC)
SECURITY 71 (2011).
126 Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510-2522,
2701-2711, 3121-3127 (2002).
127 Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. §§ 1801-11 (2015).
128 Solove, supra note 124, at 73.
meetings of the court are secret and orders are issued without the need of
suspicion of wrongdoing.129 One significant difference in a trial is that
defendants can access the documents justifying the surveillance under ECPA,
but FISA only allows review in camera.130 The order under ECPA can last
longer periods than under FISA and up to 120 days when a non-U.S. person is
the target.131 During the Bush Administration FISA was expanded and the
subtle line between crime and espionage investigation was eliminated with
the introduction of one word. Instead of requiring that "the purpose" of the investigation was
to gather foreign intelligence, the PATRIOT Act introduced "a significant
purpose" of the investigation.132 Moreover, the FISA Amendments Act of
2008 permits the Attorney General and the Director of National Intelligence to
acquire foreign intelligence information by jointly authorizing surveillance of
individuals who are not "United States persons" and are reasonably believed
to be located outside the U.S. Finally, Section 702 FISA authorizes foreign
surveillance programs by the NSA.
i. A Contractual Alternative
On the other hand, SCCs can also be adopted by a DPA and approved
by the Commission under art. 46(2)(d) of the GDPR.
jurisdiction of that authority (art. 28 (8) GDPR).142 Pursuant to art. 46 (2)(c)
GDPR, if an organization uses SCCs approved by the EU Commission, there is no
requirement to obtain a DPA's authorization. This is a significant
change in comparison to the repealed Data Protection Directive.143 However,
DPAs in Member States retain powers to prohibit or suspend data flows in
exceptional circumstances (art. 37 (1) (j) GDPR).144
142 See European Data Protection Bd., Opinion 17/2020 on the draft Standard Contractual
Clauses Submitted by the SI SA (Article 28(8) GDPR) (May 19, 2020),
https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-
172020-draft-standard-contractual-clauses_en.
143 See Data Protection Directive, supra note 4, at 40.
144 This power was in art. 28 (3) Data Protection Directive; see Data Protection Directive,
supra note 4, at 43.
145 See Case C-311/18, Data Prot. Comm'r v. Facebook Ireland, ECLI:EU:C:2019:1145
Moreover, the data exporter liability could be claimed against the data
importer, arising out of a breach by the data importer or by his sub-processor
of any of their obligations when the data exporter has factually disappeared or
ceased to exist in law or has become insolvent. 154
The GDPR is clear in article 58 (f) and (j) that the supervisory
authority shall have corrective powers, such as imposing a ban on processing or
ordering the suspension of data flows to a recipient in a third country. The result
is that the same proactive requirement is placed on supervisory authorities to
analyze on a case-by-case basis when equivalent protection cannot be ensured.
The new element in Schrems II is that data controllers must stop data transfers
without waiting for a supervisory authority's intervention, having an
independent duty. The door is open to disagreements between different EU
nations and even controllers about whether a particular country's law is
adequate.
164 See generally Joel R. Reidenberg, The Privacy Obstacle Course: Hurdling Barriers to
Transnational Financial Services, 60 FORDHAM L. REV. S137, S146 (1992) (referring to
the implications of the European Convention and to the OECD Guidelines for complex
financial service information processing. For example, any information that relates to an
identifiable person is covered under the two instruments.).
165 Schneier, supra note 113, at 78.
166 SHOSHANA ZUBOFF, THE AGE OF SURVEILLANCE CAPITALISM: THE FIGHT FOR A
171 Kari Paul, Can Trump Ban TikTok? What the Executive Order Means - Explained, THE
GUARDIAN (Aug. 7, 2020), https://www.theguardian.com/technology/2020/aug/07/donald-trump-tiktok-executive-order-explainer.
172 Schrems II, supra note 43, ¶164.
safeguards exist in U.S. law to limit U.S. access authorities to personal data
transferred for commercial purposes.
intelligence targets. 192 However, people cannot prove they are under
surveillance. 193
192 Schneier, supra note 112, at 67 ("Some of this reflects the nature of intelligence;
even minimized information about someone will contain all sort of communications with
innocents, because literally every communication with a target that provides any interesting
information whatsoever will be retained."); see also Amicus curiae in Irish High Court, Case
Data Prot. Comm'r v. Facebook Ireland Limited (Feb. 27, 2017) ("U.S. Privacy Law does
not provide adequate safeguards for personal data and private communications of E.U.
citizens and does not provide an effective means of redress for a breach of Charter
Rights."), https://epic.org/privacy/intl/schrems/02272017-EPIC-Amended-Submissions.pdf.
193 See Clapper, 568 U.S. 398.
194 Schneier, supra note 112, at 77.
195 Edward Snowden, Statement to the European Parliament, European Parliament (Mar. 7,
2014), https://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf.
196 Schneier, supra note 112, at 76-77.
197 NSA Insiders Reveal What Went Wrong, CONSORTIUM NEWS (Jan. 7, 2014),
https://consortiumnews.com/2014/01/07/nsa-insiders-reveal-what-went-wrong/.
198 Id.
199 Id.
200 Id.
privacy has been abused. Nothing is said about foreign targets, but a positive
answer would not be surprising, as access was provided. According to
these former senior NSA executives, "[t]hat NSA's bulk collection is more
hindrance than help in preventing terrorist attacks should be clear by now
despite the false claims and dissembling." 201
In the landmark Schrems II ruling of 16 July 2020, the incompatibility
between U.S. and EU law does not center on commercial privacy rights.
The CJEU's analysis focuses on the lack of proportionality and
limitations in surveillance measures targeting non-American citizens.
Limitations of fundamental rights are plausible, but pursuant to art. 52 (1) of
the EU Charter only if they are necessary and genuinely meet objectives of
general interest recognized by the Union or the need to protect the rights and
freedoms of others.
201 Id.
202 Schrems II, supra note 43, ¶ 179.
203 Schrems II, supra note 43, ¶ 181.
204 Schrems II, supra note 43, ¶ 183.
205 Schrems II, supra note 43, ¶ 177.
206 CJEU Opinion 1/15, Draft Agreement Between Canada and the European Union,
ECLI:EU:C:2017:592, ¶¶ 140-41 (July 26, 2017).
Finally, the CJEU held in Schrems II that the U.S. did not provide an
equivalent protection to the EU. The limitations on U.S. surveillance
programs in Section 702 of the FISA and E.O. 12333, read together with
PPD-28, "correlates to the minimum safeguards resulting, under EU law, from the
principle of proportionality, with the consequence that the surveillance
programmes based on those provisions cannot be regarded as limited to what
is strictly necessary." 207 Consequently, the PS Decision does not establish that
the requirements of U.S. domestic law on access and use by public authorities
of such data transferred from the EU to the U.S. are essentially equivalent to
those required under article 52 (1) of the EU Charter. 208
such possibility in the event of surveillance. What is being asked is not equal
rights but accommodation to the framework of fundamental rights that prevail
in the EU. This framework may not be exactly the same as the one that binds
the Member States by the European Convention on Human Rights (ECHR),
since the EU Charter is only activated when EU law is applied or the Member
States implement EU law. 212
Given the current regulation with the GDPR, it is clear that the
fundamental rights contained in the Charter cannot go unnoticed. The CJEU
is right in not mentioning any article of the ECHR whilst the Advocate
General considers that such regimes of interception of electronic
communications, even on a mass scale, are compatible with Article 8 (2) of
the ECHR provided that they are accompanied by a number of minimum
guarantees. 213 Indeed, the leading interpretation was already held in Schrems
I. The express obligation under EU law to protect personal data, read in
light of Article 8 (1) of the EU Charter, is intended to ensure that the high level
of that protection continues where personal data is transferred to a third
country. 214 The fear of the CJEU was that without demanding an essentially
equivalent level of protection in the third country, EU law could be easily
circumvented. 215
The EU has been accused of being hypocritical under the premise that
some Member States do not have such limitations and safeguards with regard
to surveillance. 216 Nevertheless, the topic is different because EU membership
presupposes that Member States comply with EU values and that makes them
beneficiaries of internal data flows. This was one of the great handicaps that
the EU faced long ago. However, it is not true that there is a double standard.
212 See Charter of Fundamental Rights of the European Union, European Union, art. 51, §
1, 26 October 2012, 2012/C 326/02.
213 Case C-311/18, Data Prot. Comm'r v. Facebook Ireland, ECLI:EU:C:2019:1145 ¶ 282
(Dec. 19, 2019).
214 See Schrems I, supra note 43, ¶ 72.
215 Schrems I, supra note 43, ¶ 73.
216 See David Bender, Having Mishandled Safe Harbor, Will the CJEU Do Better with
Privacy Shield? A US Perspective, 6 INT'L DATA PRIVACY L. 117, 123 (2016).
What happens is that the CJEU focuses on the analysis of U.S. law because
the specific case concerns the Commission decision to transfer data from the
EU to the U.S. In the near future, this standard could be applied to any country
without an adequacy decision by the Commission. In fact, the validated use
of SCCs does not prevent this mechanism from being insufficient when the
recipient of the data cannot guarantee the same level of protection that the data
had in the EU.
Some DPAs have been quick to point out that data under the PS system
should not be transferred to the U.S. and that all transfers using the
Commission's SCCs should be reviewed. 217 In the short term, a ban on data
from certain countries and specifically the U.S. could happen. It is not only a
legitimate reason, but it is worthy that personal data continues in the EU to
comply with legislation. However, the costs of implementing such a short-
term solution must be studied. The question that arises is whether this answer
is practical, considering that while large companies probably will not have
problems in the implementation (since they often operate under transnational
groups), small ones could face technical problems.
217 See Berlin: Berlin Commissioner issues statement on Schrems II case, asks controllers to
stop data transfers to the US (July 17, 2020), https://www.dataguidance.com/news/berlin-berlin-commissioner-issues-statement-schrems-ii-case-asks-controllers-stop-data.
218 Judicial Redress Act, Pub. L. 114-126, 130 Stat. 282 (2016).
219 See The Privacy Act of 1974, 5 U.S.C. § 552a (2015).
220 Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective
Discipline over Monitoring Act of 2015, Pub. L. No. 114-23, 129 Stat. 272 (2015).
221 Fred H. Cate & James X. Dempsey, Introduction and Background to BULK COLLECTION:
Concerning the first legislative act, the JRA was considered a pre-
condition to sign the U.S.-EU "umbrella" Data Privacy and Protection
Agreement. In principle, it extends to all data subjects in the EU the right to
enforce their data protection rights in U.S. courts, for instance, in case of
unlawful disclosure of records or for unjustified refusal to access data. 223
The CJEU notes that the Commission erred in its assessment of
judicial redress in the Privacy Shield Decision. 229 Concerning unlawful
(electronic) surveillance for national security purposes, no effective judicial
223 See MARTIN A. WEISS & KRISTIN ARCHICK, CONG. RSCH. SERV., R44257, U.S.-EU
DATA PRIVACY: FROM SAFE HARBOR TO PRIVACY SHIELD 13 (2016), https://fas.org/sgp/crs/misc/R44257.pdf.
224 See 5 U.S.C. § 552a(g)(4). See also In re Jet Blue Airways Corp. Privacy Litig., 379 F.
Supp. 2d 299 (E.D.N.Y. 2005) (plaintiffs failed to prove damages for passenger records
sharing with the government).
225 In contrast, The Freedom of Information Act (FOIA) applies to "any person." See 5
U.S.C. § 552a(b).
226 See Judicial Redress Act of 2015, H.R. 1428, 114th Cong. § 2(d)(1)(C) (2016).
227 See Bender, supra note 216, at 130.
228 Boehm, supra note 222, at 184.
229 Schrems II, supra note 43, ¶ 191.
authority of the transfer and assess all the circumstances surrounding the
transfer.
241 Working Document 12/2001, Transfers of Personal Data to Third Countries: Applying
Articles 25 and 26 of the Data Protection Directive (July 24, 1998); Report on the
Additional Protocol to Convention 108 on the Control Authorities and Cross Border Flows
of Data, art. 2(2)(a), http://conventions.coe.int/Treaty/EN/Reports/Html/181.htm.
242 Working Party, Working Document on a Common Interpretation of Article 26(1) of
them as a ground to transfer personal data from the EU to the U.S., they are
safe with regard to the legality of the transborder mechanism used. The
practical issue is how a mechanism can be compatible as an alternative when
the international treaty, which is supposed to guarantee data privacy, does not
afford an equivalent level of protection to the EU order. The inconsistency of
the AG Opinion's suggestion in Schrems II can only be explained by the difficult
balance that has to be struck between the current international commerce and
enforcement of data privacy principles. Safe Harbour principles were a
political-economic compromise to continue cross-border data flows and
Privacy Shield inherits the same character of being a negotiable instrument as
a voluntary mechanism for U.S. companies. The Schrems I judgement
influenced and accelerated the conclusion of the Privacy Shield agreement, but
some scholars rightly stated that it was perhaps temporary. Privacy Shield
would then have been like a patch waiting for new reforms in the U.S. on data
protection and intelligence power.
The CJEU decided that the party is over again and the invalidation of
PS did not come as a surprise. The judgement represents a continuation of the
Court's jurisprudence on the regulation of international data transfers,
although it does not follow in its entirety the non-binding opinion by the AG.
The Irish Data Protection Commission welcomes the Schrems II judgement,
underscoring that the CJEU endorses the substance of the concerns expressed
by the Irish High Court and the Data Protection Commission, but pointing out that,
when SCCs are used as a valid transfer mechanism, many questions still remain
concerning the application of the SCCs to EU-U.S. data transfers. 244
Therefore, further and careful examination on a case-by-case basis is required.
Moreover, the Irish Data Protection Commission observes that a supervisory
authority could not suspend data transfers while an adequacy decision was in
force 245 and offers its collaboration with the rest of supervisory authorities to
develop a common position for an effective implementation of Schrems II. By
contrast, the Berlin supervisory authority states that personal data may
generally no longer be transmitted to the U.S. as before until the legal situation
changes. 246 Relocating services in the EU or in a country that offers an
adequate level of protection may be mandatory. Exceptions exist in the special
cases provided for by law, for instance when booking a hotel in the U.S.
underlying the EU-U.S. Privacy Shield. 247 The U.S. approach seems to want
to "educate" the CJEU on U.S. national security data access laws and
practices, underlining that U.S. rules exceed European ones. From a practical
perspective, the Department of Commerce affirms that it will continue with the
certification of the PS. It makes sense that the privacy principles are
maintained, because the lack of compatibility is due to a surveillance
mechanism that private companies cannot solve by themselves.
On the one hand, a relevant country to look into is the UK. From 2021
the UK will not belong to the EU. The ruling could complicate reaching an
agreement after Brexit, considering the mass surveillance taking place in that
country. This judgment is an indicator of what EU data processors could do
to transfer data to the UK. Some ideas already on the table could be to encrypt
all data and to develop codes of conduct or certification mechanisms to be
used as a legal basis for the data transfer together with binding and enforceable
commitments. 248 However, this is an optimistic viewpoint because if
circumvention of the GDPR is not permitted, an adequate level of protection
in the third country would be needed. At least, with respect to data transfers
to the U.S., irrespective of the mechanism used, the lack of surveillance
limitations seems to be solved by amending domestic legislation. It would be
expected that the analysis in any other country, including the UK, would need
to pass muster under the GDPR's interpretation in light of the EU Charter.
247 See Press Release, U.S. Dep't of Com., U.S. Secretary of Commerce Wilbur Ross
Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows (July 16,
2020), https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
248 See GDPR, art. 46(2)(e)-(f).
249 See Christopher Kuner, The Schrems II Judgment of the Court of Justice and the Future
of Data Transfer Regulation, EUR. L. BLOG (July 17, 2020),
https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation/.
IV. CONCLUSION
255 NECESSARY & PROPORTIONATE, INTERNATIONAL PRINCIPLES ON THE APPLICATION OF