How a Few Thoughtless Words about Privacy Led to Huge Political and Economic Headaches for the US and EU

One of the most surprising developments in recent years is how privacy – something that by definition is about small, intimate things – has become a major global force in the spheres of economics and politics. Perhaps the clearest demonstration of that transformation involves data flows across the Atlantic, and the Austrian lawyer and activist Max Schrems.

As the New York Times reported in 2015, Schrems was a 24-year-old student studying at the Santa Clara School of Law in California, when lawyers from Silicon Valley came to talk to students about their companies’ approach to privacy. Schrems was “taken aback” when he heard them say that they didn’t take Europe’s privacy laws very seriously, since companies rarely faced any significant penalties for breaking them.

What was probably just an off-the-cuff remark by a lawyer touched Schrems, an Austrian national, personally. It spurred him to investigate how Facebook dealt with EU data protection laws. In particular, Schrems asked to see all the data the company had collected from him, as he was entitled to do under EU privacy laws. He was surprised to see that Facebook had retained information that he had deleted, including highly personal matters. Schrems filed various complaints with the Irish Data Protection Commission, which regulates Facebook in the EU because Facebook’s European headquarters are located in Ireland.

The revelation by Edward Snowden in 2013 that the US National Security Agency could access the personal data of EU citizens, thanks to the Prism program, led to another privacy complaint by Schrems, which concerned the transfer of his personal data from the EU to the US. Under the 1995 EU Data Protection Directive, which preceded today’s better-known General Data Protection Regulation (GDPR), that was only permitted if the receiving country offered “an adequate level of protection of the data”. Schrems claimed that Snowden’s leaks revealed that the US did not offer the necessary level of protection.

The Court of Justice of the European Union (CJEU), the EU’s highest court, agreed with him, and ruled that the Safe Harbor framework agreed between the US and the EU to legalise the transfer of personal data was invalid. That ruling made the transfers to the US of personal data concerning EU citizens much harder, since companies could not depend on the Safe Harbor framework. To remedy the situation, a replacement for the Safe Harbor scheme was agreed between the US and the EU. However, as PIA blog reported in 2020 the Privacy Shield was also sunk by the CJEU, largely on the same grounds as before.

Since then, the US and EU have been working hard to come up with a third framework to allow the smooth transfer of EU personal data in a way that is legal under the GDPR. Businesses on both sides of the Atlantic were becoming seriously concerned about the delay. The US Chamber of Commerce of Commerce and BusinessEurope issued a joint statement on the topic, which includes the following:

We call on the European Commission and on the U.S. Administration to swiftly conclude a robust new framework for data transfers, addressing the problems which led to the invalidation of the Privacy Shield, and upholding our shared transatlantic values of privacy and security.

Finalizing a new agreement will not only provide a legal mechanism that is accessible to small and medium-sized businesses but also will remove growing uncertainty around the role of standard contractual clauses, which are relied upon for the bulk of cross-border data flows. We are confident that a new agreement is within reach that can provide long-term legal certainty and will in turn yield increased innovation, cooperation, and growth across the transatlantic economy.

Indeed, the President of the EU Commission, Ursula von der Leyen, has just announced that the EU and US have “found an agreement in principle on a new framework for transatlantic data flows.” However, there are few details yet. In particular, it is not clear whether it can deal with the fallout of an important recent judgment handed down by the US Supreme Court. An opinion piece in The Hill explains:

The U.S. Supreme Court’s decision this month in FBI v. Fazaga, a case challenging FBI surveillance, will make it significantly harder for people to pursue surveillance cases, and for U.S. and European Union (EU) negotiators to secure a lasting agreement for transatlantic transfers of private data.

The justices gave the U.S. government more latitude to invoke “state secrets” in spying cases. But ironically, that victory undercuts the Biden administration’s efforts to show that the United States has sufficiently strong privacy protections to sustain a new Privacy Shield agreement — unless Congress steps in now.

The future “Trans-Atlantic Data Privacy Framework” has “a new multi-layer redress mechanism”, and specifies that “intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties”. However, without full details of how those will work in practice, it’s impossible to say whether it is likely that the CJEU would rule that the new framework is invalid, as it did for the other two. Max Schrems has already indicated that he or others will bring a legal challenge if the new framework seems to offer insufficient safeguards.

Without a valid framework, companies will be forced to come up with expensive and messy ad hoc solutions that will act as a significant obstacle to the frictionless flow of personal data across the Atlantic. And all because of a few words said by a lawyer in front of one particular student.

Featured image by Georg Molterer.