It used to be the case that companies from the European Union could freely and legally transfer their consumer data to companies located in the United States without adhering to today’s strict requirements and safeguards. This smooth transfer process was a byproduct of the adequacy decision on the EU-US Privacy Shield, which was what initially enabled these types of data transfers. The Privacy Shield, adopted in July 2016, allowed for the free transfer of data to certified US-based companies that were listed on the Privacy Shield list. This list was governed by the US Department of Commerce and monitored by the US Federal Trade Commission. Companies could self-certify to the Privacy Shield by reviewing Privacy Shield Framework documents and principles to understand their obligations under the framework, thereby developing a Privacy Shield-compliant privacy policy that meets the requirements of the framework. Companies had to designate a Privacy Shield contact person who would be responsible for overseeing the company’s compliance with the framework: completing the online self-certification process, paying a fee, and making sure to maintain compliance with the Privacy Shield principles by allowing individuals the right to access, correct, or delete their personal data, and ensuring that personal data is protected against unauthorized access or disclosure.
As technology rapidly advanced and organizations made increasing use of personal data, the European Union adopted a new comprehensive law, the General Data Protection Regulation (GDPR), in 2016. The GDPR finally came into effect in 2018. The goal of the GDPR was to give individuals more control over and protection of their personal data than the Privacy Shield afforded, and to unify the European Union’s data protection laws. The GDPR created strict criteria that businesses must meet to transfer data cross-border lawfully. These requirements include obtaining clear and explicit consent from individuals before processing their personal data and giving individuals a range of new rights, including the right to access, correct, and delete their personal data. Additionally, the GDPR creates consequences for organizations that fail to comply with the law, including fines of up to 4% of their global annual revenue or €20 million (whichever is higher). The GDPR remains the most robust and far-reaching privacy and security law in the world.
In 2020, the Court of Justice of the European Union (CJEU) invalidated the adequacy of the Privacy Shield in the decision Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, also known as Schrems II. In this case, Facebook in Ireland transferred data to its parent company in the U.S. The Court held that the Privacy Shield was inadequate to protect E.U. citizens because the US did not have a level of protection equivalent to that guaranteed by European Union regulations, such as the GDPR and the CFR. This case was initially aimed at the United States but ended up applying to many other countries outside of the EU. Once the EU established that a country did not have adequate protections, all transfers between companies in the EU and companies in that country would be halted.
This is now the law: there is no longer a Privacy Shield between the European Union and the United States. As a result, a different legal basis must be established for the lawful transfer of consumer data between the EU and the US. Importantly, the European Union Court of Justice upheld European Commission Decision 2010/87 on Standard Contractual Clauses (SCCs), explicitly recognizing them as a legal basis for transferring personal data to countries outside of the EU under EU law. The European Commission also published an announcement shortly after the Schrems II case, explicitly stating that the new EU-US Data Privacy Framework (DPF), which includes SCCs, adequately addresses the concerns raised by the ECJ in the Schrems II decision and will provide for a “durable and reliable legal basis” for data transfers to the US.
The Schrems II decision stemmed from the EU’s lack of trust in US laws and policies. EU authorities believed that US companies and laws provided insufficient and inadequate protection of EU citizens’ consumer data. This skepticism arose from the EU’s views of the various US government surveillance programs, which give the US government the ability to access US citizens’ data. The EU considers these programs a violation of privacy rights and has expressed concern that US companies that obtain data from EU companies may be required to provide that data to US authorities without proper safeguards for EU citizens and their data. Specifically, two laws in place led to EU skepticism of US privacy laws: the Foreign Intelligence Surveillance Act (FISA) of 1978 and Executive Order 12333 on enhancing safeguards for United States signals intelligence activities.
The first surveillance program that caused EU skepticism, FISA, allows the US government to spy on foreign nationals and governments in order to collect information on foreign powers and their agents suspected of espionage and terrorism. Section 702 of FISA allows the NSA to collect data on non-US citizens located outside the US. The EU and other countries have repeatedly criticized this program because it enables US government officials to collect data from innocent individuals and repeatedly violates their privacy rights.
Additionally, Executive Order 12333 led to EU skepticism about the adequacy of US protection of US citizens’ private data. The Order authorizes the US government to collect foreign intelligence information. However, unlike FISA, Executive Order 12333 does not require companies or persons to disclose data to the US government. Any requirement that a company in the United States disclose data to the government for intelligence purposes must be authorized by statute and must be targeted at specific persons or identifiers, such as through FISA’s section 702. The program has been widely criticized by many officials and by other countries, including the EU, for being overly broad and lacking transparency and oversight.
These surveillance programs are only a few of the ones available to the US government for collecting personal information in the name of government interests. They make EU authorities worried about the boundaries and protections of consumer data in the United States, and therefore hesitant to sign agreements with the United States concerning data transfers. In response to wide criticism of these surveillance programs, the US has argued that for many companies, the national security data access issues that concerned the ECJ in Schrems II are unlikely to arise because the data they handle is of no interest to the US intelligence community. EU authorities and companies are nonetheless public about their reservations when it comes to collaborating with the United States on these matters, and are hence cautious before they agree to transfer data to any and all US entities.
In December of 2020, the European Commission initiated the process to readopt an adequacy decision for the EU-U.S. Data Privacy Framework, which would advance data transfers across the Atlantic and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision. These attempts officially failed, leaving the GDPR as the most important and influential privacy law both in the European Union and in the world as a whole. This means that currently, for an organization to lawfully transfer data from the European Union to an organization outside the EU that does not benefit from an adequacy decision as defined under the GDPR, the organization must find a supplemental legal basis that makes the data transfer lawful. Some of the common and stable options that often supplement adequacy decisions include Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
The European Commission has adopted a set of pre-approved contractual clauses, known as standard contractual clauses (SCCs), that may be included in contracts between organizations in the EU and the US to ensure that personal data is transferred in compliance with EU data protection laws. SCCs provide a lawful mechanism for the transfer of personal data from the European Union (EU) to third countries where there is no adequate level of data protection, such as the US. These pre-approved clauses are currently one of the most popular ways that organizations transfer data from the EU to the US absent an adequacy decision.
Another tool that is often used for cross-border data transfers is referred to as Binding Corporate Rules (BCRs). BCRs are internal rules that are usually set out in a document or policy separate from the original contract between the parties to the transfer. Once BCRs are introduced in an agreement between parties, they indicate that the organizations’ rules have been approved by the relevant data protection authorities in each party’s country. The European Union’s Data Protection Directive 95/46/EC approved BCRs as a lawful method for cross-border data transfer in 1998. This transfer method was introduced as a way for multinational companies to ensure that the transfer of personal data from the EU to countries outside the EU complied with the EU’s data protection requirements. BCRs were a popular alternative to the Privacy Shield and SCCs, but were used less often because of their complex and resource-intensive nature.
Clearly, surveillance programs that serve government interests in the United States give rise to global skepticism about opportunities for collaboration and agreement with the U.S. It may be in the best interest of the U.S. to consider whether these programs and laws are worth the backlash the U.S. faces as a nation, and whether it may be worth reconsidering how highly data protection is prioritized among our national goals.