The Asymmetry of Intelligence Collection after Schrems II


The EU-US Privacy Shield Framework was put into place to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US.  On July 12, 2016, the European Commission deemed the EU-US Privacy Shield Framework to be “adequate”, meaning that organizations could transfer personal data from the EU to the US without additional requirements.

On July 16, 2020, the Court of Justice of the European Union (CJEU) determined that the European Commission’s decision on the adequacy of the Privacy Shield Framework was “invalid”.  The court concluded that surveillance practices by U.S. national intelligence agencies fail to meet European privacy standards.  EU citizens do not have sufficient redress when they are targeted for surveillance, nor is there independent judicial review regarding their targeting for surveillance.

This determination of invalidity has enormous economic impact on both the EU and the US, potentially affecting trillions of dollars of commercial activity.  It should be in the best interests of both sides to resolve the problem to avoid massive economic costs.  However, the incentives are not exactly aligned for either party to take the steps needed to reestablish adequacy.  The main inhibiting factors are: European privacy concerns and American intelligence gathering objectives.

European Privacy

The European privacy concerns are straightforward.  The EU has been at the forefront of privacy regulation globally.  The General Data Protection Regulation (GDPR) is the preeminent privacy law; it has influenced the rest of the world while demonstrating the EU’s commitment to protecting the privacy rights of its citizens.

Now for an embarrassing twist.  The EU, the global privacy leader and beacon of individual data privacy rights, has been put in its place on privacy issues not once but twice by an EU citizen, Max Schrems.  In 2013, Schrems filed a complaint against Facebook Ireland for transferring data from the EU to the US contrary to existing EU data protection law.  This led to the CJEU determining in October 2015 that the Safe Harbor framework was invalid.  (Safe Harbor allowed US companies that complied with a set of data privacy principles to transfer data from the EU to the US.)  Left without a legal method by which companies could transfer data from the EU to the US, the two governments worked out the Privacy Shield agreement, which once again allowed data transfers from the EU to the US.  In 2017, however, the Irish High Court that had been addressing the issues in Schrems’ complaint against Facebook referred the matter to the CJEU.  In July 2020, the CJEU invalidated the Privacy Shield Framework as a means of transferring data from the EU to the US.

So, the EU has twice been demonstrably shown not to provide the data privacy protections that it purports to.  It would be viewed very cynically if the EU were then to bend over backwards to accommodate the US through some form of adequacy determination, when the US legitimately does not provide nearly the same level of privacy protection as the EU does.

That is the EU perspective, and it explains why, even with such drastic economic impacts on the line, their hands are tied: they can’t fudge the facts in order to enable transatlantic data flows.

American Intelligence

National governments all engage in some amount of espionage.  Bulk data gathering is often a big part of it.  The US government is notorious for its bulk data gathering as former NSA contractor Edward Snowden laid bare for the rest of the world to see in 2013.

This sort of snooping doesn’t line up very well with data privacy.  As a matter of fact, the reason that both the Safe Harbor Privacy Principles and the Privacy Shield Framework were invalidated is that they didn’t provide adequate protection against state actors accessing the transferred data.  The specific state activity contemplated was government espionage.

The relevant legal authorities that allow for US government snooping are Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333.  FISA 702 allows the US government to acquire the communications data of an individual upon a written certification from the US Attorney General and the Director of National Intelligence.  The written certification needs to include targeting procedures that narrow down whose communications may be acquired.  Next, the Foreign Intelligence Surveillance Court (FISC) has to approve the targeting procedures, and once approved they must be used by the government.

This process and level of oversight provides greater legal safeguards than are offered by most EU member states.

Executive Order 12333 is a directive that assigns intelligence collection to specific intelligence agencies and places restrictions on certain agency activities.  Importantly, it doesn’t require any business or person to disclose data to the US government.

FISA 702 and EO 12333 do not stand out as falling outside normal standards of national intelligence collection, even as compared to EU member states.  How then do the EU member states balance intelligence gathering against data privacy protection?  Simply put, they don’t.  The EU member states are held to a different standard than the US is.

Asymmetry

The Lisbon Treaty allows member state national security law to operate independently of EU law.  This generally means that whatever approach EU member states use in gathering intelligence related to national security, it will not be reviewed under EU law.  There is some nuance to the issue, and the CJEU has pushed back in instances where the data collection appears to have a greater impact on data privacy than its prohibition would have on intelligence gathering efforts.  For instance, a member state requiring electronic communication providers to forward all data in bulk (rather than targeted data) falls within the scope of the e-Privacy Directive, so EU law will apply and will likely prohibit such generalized bulk data collection.

The US government doesn’t receive the same Lisbon Treaty carve-out for its national security and intelligence gathering objectives.  US intelligence gathering efforts have to comply with EU law, which as mentioned above is rather strict regarding data privacy.  A useful analogy is to think of a dome covering the EU.  Intelligence agencies within the dome have nearly unfettered access to all the information inside the dome.  Intelligence agencies outside the dome have to go to one of the entrances and request intelligence data from their domestic intelligence counterparts within the dome.

Not only do US intelligence agencies have to operate outside the dome, but even if the dome ever came down, they would still have a tougher time gaining access to intelligence data.  Recently, the European Court of Human Rights applied a principle of proportionality to member state observance of privacy rights.  In practice, that meant that an EU member state could infringe some EU privacy rights as long as the infringement was proportional to the security objective motivating it.  In Schrems II, a different principle was applied to the US.  The standard used to judge US security actions was whether or not they were strictly necessary.  This is of course a more difficult standard to meet and, in light of intelligence sharing agreements between EU member states and the US, likely impossible.  It can’t be strictly necessary for the CIA to collect the intelligence itself when German or French intelligence agencies will share the information with it anyway (filtered, of course).

The end result is that the US would have to make national security sacrifices to be deemed adequate and thereby allow data sharing with US businesses.  This is the case even though EU member states could undertake egregious intelligence gathering activities as long as they are deemed to be for national security.  Additionally, there is no reciprocal benefit to US citizens if the US government agrees not to gather intelligence on EU citizens.  US compliance with current EU laws wouldn’t guarantee EU compliance with future US laws.  GDPR provides data privacy protections for EU citizens and residents, not for others.

Conclusion

The EU has perhaps been overly conciliatory towards granting the US adequacy (or the equivalent) in the past.  It has done so in ways that were not logically or facially consistent with GDPR or previous data protection laws.  Given that history, and the fact that these errors were corrected by an EU citizen rather than by EU authorities, it would probably be a political misstep to try to accommodate the US government one more time (especially given the diminished popularity of the US in Europe these days).

On the other hand, the US government would have to significantly limit its intelligence gathering on EU citizens and residents.  This limitation wouldn’t provide any direct benefit to those same intelligence and defense agencies, nor would it provide any direct benefit to the privacy interests of US citizens.  It would benefit US businesses, which is generally good for the US, but on balance it is not something that would have good optics in the US (sacrificing national security for business interests).

Neither accommodation seems likely right now, but a US national data privacy law could alter the balance.  It could potentially result in an agreement that either permits intelligence gathering for both sides or honors data privacy for both sides.  For example, negotiators on both sides could be facing opposing pieces of legislation restricting foreign intelligence gathering.  The negotiators could decide to bilaterally relax the protections against foreign intelligence gathering with respect to each other.  Alternatively, both sides could decide to accept the laws as they are, in which case the domestic residents of each side gain the benefit of protection against foreign intelligence gathering.

Right now, neither side has great enough incentives to work toward a solution, but a US national data privacy bill could change that calculation.

Regardless of how the EU and US work things out, Clarip can help you with our Data Risk Intelligence Scan.  We can scan your public facing assets and help you determine where your data is flowing.  From the data mapping afforded by our Data Risk Intelligence Scan to fulfilling data subject requests with our automated compliance tools, Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.