EU Privacy Law and U.S. Surveillance: Solving the Problem of Transatlantic Data Transfers

Read the original article: EU Privacy Law and U.S. Surveillance: Solving the Problem of Transatlantic Data Transfers


The July 2020 decision of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximilian Schrems (Schrems II) was both a landmark in privacy law and a major obstacle for international trade. The Schrems II court cited the breadth of U.S. surveillance in holding that the EU-U.S. Privacy Shield agreement on transatlantic data transfers failed to provide adequate safeguards for the privacy of EU persons’ data. This meant that Privacy Shield violated the EU’s robust privacy law, the General Data Protection Regulation (GDPR). Both the European Commission—the EU’s executive arm—and the United States are now seeking a resolution that will allow data transfers while protecting privacy.

The viability of transatlantic data transfers is a pressing and pervasive problem. Tens of thousands of companies depend on transatlantic data transfers. A halt to data flow would undermine the business models of countless firms. 

Unfortunately, most current approaches to resolving the EU-U.S. conflict fall short. The Trump administration sought to wish away the conflict, as in this white paper by the Department of Commerce. The approach of the European Data Protection Board (EDPB) insists on rigid technological fixes that will severely hinder most transatlantic transfers of personal data. In a new article, we offer a hybrid approach that incorporates both substantive and institutional safeguards and a pragmatic assessment of the real-world risk of U.S. surveillance for particular data. Here, we’ll describe some of the suggestions we make in the paper and the dynamics that underlie the problem. 

The CJEU’s concerns started with Edward Snowden’s 2013 revelations about U.S. surveillance. In the EU, worry about the scope of U.S. surveillance centered on two U.S. measures: § 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. U.S. surveillance officials may target the communications of persons or entities reasonably believed to be located abroad to obtain “foreign intelligence information.” Section 702’s definition of “foreign intelligence information” includes attacks on the United States, espionage, sabotage, international terrorism, proliferation of weapons of mass destruction, along with a more amorphous category: information “with respect to a foreign power or foreign territory that relates to … the conduct of the foreign affairs of the United States.” Review of this surveillance is limited. In 1978, as part of the original FISA, Congress established the Foreign Intelligence Surveillance Court (FISC), which issues court orders under FISA’s “traditional” framework, authorizing surveillance of agents of foreign powers in the United States. The FISC, which comprises life-tenured Article III federal judges, approves targeting procedures under § 702 but does not approve each individual target in advance. 

On its face, Executive Order 12333 requires even fewer institutional or substantive checks. The executive order itself, which dates back to the Reagan administration, does not expressly limit targets, except for the general requirement that these targets be located abroad. The FISC has no role in reviewing targeting protocols. 

After the Snowden revelations, President Obama issued Presidential Policy Directive-28 (PPD-28), which limited the purposes of surveillance. In a nod to the growing global focus on privacy, PPD-28 acknowledged that “[a]ll persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.” Accordingly, PPD-28 limited U.S. bulk collection under Executive Order 12333 to a defined set of goals. Under bulk collection, the U.S. can collect a wide range of communications from communications providers and internet hubs, some through algorithms. Software and intelligence officials sort through these communications for those that match certain categories, including countering espionage, sabotage, terrorism, cybersecurity threats, proliferation of weapons of mass destruction, and transnational criminal threats such as money laundering and evasion of U.S. sanctions. (The guidelines recently posted on the intelligence community’s blog, IC on the Record, track these limits in more detail.) 

But PPD-28’s institutional checks do not match these substantive limits. PPD-28 provided no role for the FISC, leaving Executive Order 12333 vulnerable to the same concerns that critics have levelled at § 702: The framework lacks an independent review mechanism that would ensure that the U.S. intelligence community stays within the constraints that PPD-28 imposes. 

As the name suggests, Schrems II is the CJEU’s second encounter with assessing whether U.S. law provides adequate safeguards for EU persons’ data. In Schrems I, the CJEU in 2015 held that the then-extant data transfer agreement, Safe Harbor, failed to hedge against the scope of U.S. surveillance. After the ruling, the European Commission and the United States negotiated a new agreement—Privacy Shield—which tasked an ombudsperson at the U.S. State Department with fielding EU persons’ privacy complaints. Schrems II found that the ombudsperson role failed to cure the problems with adequacy that the CJEU had discerned in Schrems I.

Schrems II cit

[…]