Introduction
On January 11, 2022, reports emerged that the European Union’s chief data protection supervisor had imposed sanctions on the European Parliament for breaching data protection rules. This intervention was a response to the COVID-19 test booking website launched by the European Parliament in September 2020. In early 2021, Noyb, along with six MEPs, filed a complaint against the European Parliament over the presence of third-party trackers and deceptive cookie consent banners, among other compliance-related issues, including transparency, data access problems, and ‘illegal data transfer to the United States’. Following an investigation, the European Data Protection Supervisory Authority (EDPS) imposed sanctions on the EU Parliament for violating the GDPR. It was found that the website in question had been dropping cookies associated with Google Analytics and Stripe. Moreover, the EU Parliament failed to demonstrate that it had taken any concrete measures to ensure that the personal data transfers to the U.S. were adequately protected. This is not the only instance of data security concerns emerging between the EU and the U.S. A similar case arose not long after, on January 13, 2022, when Austria’s Data Protection Authority upheld a complaint against a website that was exporting visitors’ data to the U.S. The website in question was held liable for violating Chapter V of the GDPR.
Background
For a long time, there has been friction in US–EU relations due to the differences in legal frameworks and policy approaches to data privacy and protection between the two regions. In response to the EU’s concerns regarding the US’s inadequate data protection policies, the US and the EU have signed multiple data transfer agreements to permit cross-border data flows. In 2013, there were widespread reports of unauthorized revelations about the U.S. National Security Agency’s surveillance programs. This, in turn, aggravated the EU’s concerns regarding the Washington government’s access to the personal data of EU citizens. Since then, the European Court of Justice has invalidated two commercial data transfer agreements between the United States and the European Union: the Safe Harbour agreement in 2015 and its successor, the Privacy Shield Framework, in 2020.
The invalidation of Privacy Shield has left U.S.-based entities with very few options for cross-border data flows with Europe; furthermore, it is also being seen as a threat to bilateral trade. The U.S. Congress has raised concerns about how the EU’s approach has created unfair trade barriers and hindered access to the European market. Officials from the European Union and the United States are “ramping up negotiations” on a new transatlantic data transfer treaty, attempting to resolve the thorny issue of personal data flows between the two regions.
The Conflict – Schrems I & Schrems II
The strife between the two regions came to a head in 2014 when Maximilian Schrems, an Austrian data privacy activist, filed a complaint with the Irish Data Protection Commissioner (DPC) questioning the legality of Facebook’s reliance on the Safe Harbour agreement. The case was eventually referred to the Court of Justice of the European Union (CJEU) for a preliminary ruling, which invalidated the agreement. The fundamental basis for this decision was the CJEU’s view that, for the U.S., national security considerations take precedence over the Principles of the Safe Harbour Accord, and that U.S. organizations are obligated to disregard, without limitation, the Safe Harbour protective standards whenever they conflict with requirements of national interest. As a consequence, the CJEU concluded that the Safe Harbour system “allows interference” by US authorities “with the basic rights of persons whose personal data is or may be transferred from the European Union to the United States.” Following this decision, work to enhance the Safe Harbour accord escalated, culminating in the signing of a new agreement on February 2, 2016. It was named the ‘Privacy Shield Framework’.
In 2020, Facebook Ireland announced the transfer of the majority of its data to its US servers using standard contractual clauses (SCCs), a recognised EU mechanism for transferring personal data between EU and non-EU countries. Mr. Schrems subsequently filed a fresh complaint with Ireland’s Data Protection Authority, challenging the capacity of SCCs to offer an adequate degree of data protection, given that US surveillance laws allow US officials access to personal data sent to Facebook’s servers in the United States.
In essence, the Court emphasized the wide-ranging surveillance powers granted by US national security legislation, noting that these regulations govern the access to and use of personal data imported from the EU by US authorities, yet lack the restrictions necessary to appropriately protect EU citizens who may become the subject of national security investigations. Consequently, the second agreement met the same fate as the first and was invalidated by the CJEU.
Personal Data Protection Policy: Two Diverging Approaches
Unlike the EU, the United States has no single federal law which controls the acquisition and use of consumers’ personal data. The federal government’s handling of personal information is governed by the Privacy Act of 1974 and the Electronic Communications Privacy Act of 1986. The US takes a sectoral approach, based on a mix of legislation, regulation, and self-regulatory mechanisms. The Federal Trade Commission (FTC), for example, has the authority to initiate enforcement proceedings against corporations that mislead customers about their privacy practices, but it lacks the authority to enforce comprehensive online privacy standards.
In rapidly evolving areas like artificial intelligence, some stakeholders see self-regulation as beneficial and preferable because it allows companies to respond efficiently to changes in innovation and technology while providing a much more market-oriented remedy. Companies may use these methods to improve their brand image and increase customer confidence; however, this approach relies on self-policing rather than government action. The US sectoral approach to data protection, according to its proponents, is more adaptable than the EU’s uniform legal approach. They further argue that the US strategy promotes and fosters technological innovation in the United States.
On the other hand, privacy advocates argue that the US approach has flaws, specifically in the context of online data collection, and that demands for better protection have grown in recent years as a result of data breaches and mishandling at companies such as Facebook, Apple, Amazon, and others.
There’s a good chance that any analysis conducted to demonstrate compliance with EU privacy principles in the United States will be a sandcastle. European privacy advocates feel that US surveillance laws, particularly FISA, are fundamentally incompatible with EU ideals and cannot be harmonized. They may also argue that a recent court judgment allowing the FBI to monitor an individual’s web browsing without a warrant is incongruous with EU values.
Emerging Implications in the GDPR Era
The invalidation of the Privacy Shield Framework and the enforcement of the GDPR have created various implications for U.S. firms and businesses. The GDPR makes it illegal to transmit Europeans’ personal data outside of the EU unless one of several requirements is met. With regard to the transfer of information to the U.S., the bases for such data transfers include the consent of the individual; the necessity of performing a contract; and Standard Contractual Clauses. U.S. companies usually provide back-end services to organizations that operate in the EU. These organizations generally ask the service companies to abide by the SCCs to ensure compliance with the GDPR.
A new set of SCCs came into force on September 27, 2021. Though the new SCCs are better suited to today’s complicated internet-driven data chains, they pose great difficulty in compliance. Annexes I and II require a detailed set of information, ranging from the categories of personal data transferred to a description of the technical measures being taken to ensure safety. Though reasonable, these requirements are indeed time-consuming. However, it is Clause 14 of the SCCs that poses a hassle for the U.S. It requires the parties to certify that US laws and practices regarding the disclosure of personal data to law enforcement, intelligence services, and other government agencies do not exceed the reasonable limits expected in a democratic society in order to protect national security, defence, and public safety. There are two major issues with this: the magnitude (and possible cost) of the undertaking, as well as its absurdity.
Way Forward
The consecutive rulings mentioned above are merely setbacks in the bigger discussion about the future of cross-border data sharing in the 21st century. Concerning the EU–U.S. dispute, a short-term solution based on a more sophisticated application of the SCC provisions would provide a temporary route ahead, but the legal and governance inconsistencies between the two jurisdictions would make this approach difficult to sustain over an extended period of time. Instead, it is advocated that the wider data transmission ecosystem be upgraded to accommodate not only current needs but also future realities that may pose new challenges to the transatlantic data-sharing partnership. The options range from creating Multilateral Data Trusts to revising the concept of Diplomatic Immunity to include data and information; incorporating data transfers as part of future trade agreements; creating International Frameworks on the Transfer of Data; and allowing the creation of National Privacy Frameworks in the US.
(This post is authored by Harshita Tyagi and Anupam Verma. The authors are 2nd year students of SVKM’s Pravin Gandhi College of Law, Mumbai.)
Cite As: Harshita Tyagi and Anupam Verma, ‘Analyzing the Evolution of the U.S. – EU Transatlantic Data Transfer Security Tensions’ (The Contemporary Law Forum, 14 May 2022) <https://tclf.in/2022/05/14/analyzing-the-evolution-of-the-u-s–eu-transatlantic-data-transfer-security-tensions/> date of access