A Conversation with James Casey: Schrems II and the Way Forward
by Sonia Intonti and James Casey
We said it to ourselves, and we heard it repeated many times, that this year 2020 will certainly have no place in the annals as a lucky year. The beginning of this new decade has seen the life or at best the activity of many of us bending due to the pandemic crisis caused by the Coronavirus, which, among others, has also led to the closure of every border between countries. But while none of us could physically move, thanks to the current state of technology we had the chance to experience the “power of ubiquity” that allowed us to sit in our European living room and be virtually to the other side of the ocean through our personal data.
But 2020 didn’t wait before it surprised us again, and so just when our physical borders were beginning to slowly reopen, on 16 July the Court of Justice of the European Union (“CJEU”) effectively declared invalid one of the main transatlantic data transfer corridors, by invalidating Decision 2016/1250 on the adequacy of protection provided by the “EU-US Privacy Shield.” Consequently, international data transfers, that are so vital for the global economy, suddenly became open to question: the CJEU has confirmed that EU standards of data protection must travel with the data when it goes overseas, which means that Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”), has wider implications than just the invalidation of the EU-US Privacy Shield (see UK Information’s Commissioner Office, Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case, 27th July 2020 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/). Besides invalidating Privacy Shield, the Court examined the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it to be valid. Schrems II is a judgment that confirms the importance of safeguards for personal data transferred out of the EU.
This article is designed to dig into the interplay between the decision on the validity of one route (SCCs) and the invalidity of the other (Privacy Shield) from both the European and American points of view.
Question 1: What do you think is the most interesting aspect of Schrems II with respect to the Privacy Shield discussion?
European Perspective: As I will further explain in my answer to question 4, the aspect which in my opinion equals in interest the one identified by my colleague Jim, is the position of the Court with regard to the two decisions which are concerned here: the ‘Privacy Shield’ adequacy decision and the European Commission decision on standard contractual clauses. On the one hand, the Court found that the requirements of US domestic law entail restrictions on the protection of personal data which are not designed to meet requirements substantially equivalent to those of EU law and that such legislation doesn’t grant data subjects enforceable rights vis-à-vis the US authorities, thus invalidating the adequacy decision “Privacy Shield.” On the other hand, however, the court confirmed the validity of the so-called standard contractual clauses which, de facto, recognize the burden and the honour of the parties to establish the adequacy of the transfer but in the light of the arguments that led to the invalidation of the decision on Privacy Shield.
American Perspective: The most intriguing aspect of the case from my perspective was the Court’s factual findings of U.S. law. Several of the broad themes I see impacting on that discussion are the increase in the U.S. surveillance state since the 9/11 attack and the fact that the U.S. political system is a representative democracy coupled with concepts of federalism (where the federal and state governments have fairly delineated rights and responsibilities). The current president, unlike most recent ones, has a broad conception of the scope of executive power. That is not an item that is endearing to most Europeans.
It is imperative that a balance be found between the European conception of privacy as a fundamental human right, and the need for some measure of a surveillance state (in the U.S. and Europe). There is a fundamental tension between a privacy right and the proper need for some surveillance. Given the large volume of data flows between Europe and the United States and given the large amount of transatlantic trade between the two partners, it is imperative that an accommodation be found between both “partners.” That last word needs to be remembered and acted upon by leaders of the U.S. and EU.
And one final note. In this time of the pandemic, it is even more important to maintain transatlantic data flows in the areas of individual health information and public health information.
Question 2: Given the basic governmental structures between the EU and the U.S., do you think that enough changes can be made to the U.S. intelligence and law enforcement functions to allow for the necessary protection of EU personal data?
European Perspective: As I’ve already said to my colleague Jim, I’m not in the position to discuss American Law, but what I could say it’s that dialogues like this one, but at higher levels, are needed to ensure efficient interaction between countries with different backgrounds but which have similar perspectives. In times like this one where the economy is global and is based on Big Data, I believe these two important partners have, or should have, similar perspectives.
American Perspective: It will take some time for U.S. changes to be made. I say that primarily because the U.S. is in the election season. With the pandemic and social issues taking precedence, I find it hard to see any legislative changes happening this Fall. On top of that, President Trump has now positioned himself as the “law and order” president. While he strongly compliments the military and local law enforcement, he has shown a tendency to undercut the U.S. intelligence agencies. But I do not think the latter is enough for him to take executive action on data protection in the context of the activities of the intelligence agencies and federal law enforcement. But he could surprise us. He always does.
Question 3: It is clear from the court opinion that SCCs are valid, but they are on “thin ice.” What are your thoughts on improving the SCCs so that they exist on stronger legal ground?
European Perspective: The core of this question recalls my answer to the first one too. In fact, I believe this is one of the most interesting, as well as confusing, points which the Court touched on within its judgement. “SCCs confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities.”, and this constitutes the perimeter of that “thin ice” where the SCCs laid down, at the moment not supported by the suggestion of any additional measure able to guarantee an effective protection by the American data importer of Europeans’ data and/or any perspective of legislative changes in US law. In particular, the Court notes that the SCCs impose an obligation on the data exporter and the recipient of the data (“the data importer”) to verify, prior to any transfer, in the light of the circumstances of that transfer, whether that level of protection is respected in the third country concerned. Given that, we can only wait for the EDPB to give guidance on how these guarantees can be provided by the importer which falls within the definition of “electronic communication service provider” which outlines the scope of Section 702 FISA, in order for it to receive data from EU partners without contravening the local law.
American Perspective: I look forward to the European Commission releasing upgraded SCCs. As someone who has negotiated several thousand contracts in my career – many global – I have always had a dim view of “standard contracts,” because many need to be negotiated to fit the particular circumstances of the parties and subject matter. The current SCCs are critical to the European privacy regime and they are necessary (along with other tools) to protect European data protection rights. These are exciting times to be a contract professional.
Question 4: The U.S. Ombudsman, established to help EU citizens, was faulted by the CJEU for having insufficient authority over U.S. intelligence and law enforcement agencies. What are your thoughts about that component of the decision?
European Perspective: I like to believe that in this judgment European citizens were regarded as individuals rather than as citizens of a certain country. It is therefore the underlying concern about human rights and cultural protection that in my opinion has stimulated this very CJEU’s reaction to American government interference on European citizens’ data. For this reason, issues relating to national security and access to personal data by public authorities must be provided for by law and this law must lay down precise limitations to access to data by authorities, as well as clear and precise rules governing the measures able to ensure ‘effective and enforceable rights of data subjects.’
American Perspective: The Ombudsman role is a useful and necessary one. I would love to see that role exist in the next U.S. – EU agreement. Maybe the U.S. needs a specialized Privacy Court at the federal level. For instance, there is a U.S. Tax Court – so there is precedent. But that possibility needs an overarching U.S. Privacy Law, clearer articulation of a U.S. privacy right, and the money and political will to make a specialized court a reality.
Question 5: This decision illustrates the tension between the right to privacy and the role of intelligence and law enforcement agencies in a global economy. Considering the opinion, how is that balance best met?
European Perspective: Whenever I’m faced with a balance between different rights or interests, I feel grateful for the great Charter that the constituent fathers of my country (Italy) gave birth to in 1947, thus giving us the most important lesson on balancing fundamental principles: these principles, depending on the context, do not eclipse one another, but they always coexist in different declensions. And this is how I believe it must be between the right to privacy and the public security, as a prerogative of intelligence and law enforcement agencies, within an economic system that is now global. The only duty to guarantee public security and public order, at any level, cannot allow any kind of intrusion by government authorities, thus contradicting the principle of proportion, which is at the basis of the rationality that informs the principle of equality.
American Perspective: The tri – sector tension as articulated (right to privacy, role of intelligence and law enforcement agencies, and a global economy with massive data flows) is the most fascinating aspect of privacy (well, next to the clear articulation of “rights” in both the U.S. and EU). I believe that all three tensions can be managed (though probably not always eliminated) within the context of global economic growth. Post – pandemic, both the U.S. and EU – not to mention the rest of the planet – needs a long period of economic growth to get out of this hole we find ourselves in. The “pie” needs to grow. If it does not, there will continue to be economic and social unrest. But yes, I believe that privacy, security, and economic growth can exist concurrently. How that comes about is not that clear now, though.
Our conversation regarding the Schrems II decision and the way forward illustrates, in a small way, the similarities and differences between the partners to this transatlantic partnership. Or, perhaps, these differences and similarities are more borne out of different recent experiences on the global stage. As privacy is now a central component of global living, it will be interesting to see how events on the global stage have an impact on privacy, and vice versa.