Privacy advocates rightly view the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems (Schrems II) as a landmark. But one stakeholder’s landmark is another’s headache. The CJEU’s decision invalidated the EU-U.S. Privacy Shield agreement governing transatlantic transfers of personal data. Citing U.S. surveillance, the CJEU found that data transfers lacked adequate privacy protections under the EU’s General Data Protection Regulation (GDPR). The Schrems II decision thus clouded the future of data transfers that help drive the global economy. This Article offers a hybrid approach to safeguard privacy rights and ensure the viability of transatlantic data flows.
The Article’s hybrid approach is an alternative to two less promising ways of reading the CJEU’s groundbreaking decision. The European Data Protection Board (EDPB) issued recommendations adopting a de facto absolutist view of the duties imposed by Schrems II. The EDPB guidance narrows the role of risk assessments that gauge the probability of U.S. surveillance of particular data. The EDPB places greater stock in technical measures, such as steep EU-centered encryption, that thwart U.S. surveillance and impede access for U.S. firms. This unduly strict approach undermines the whole point of transatlantic data transfers.
Another response to Schrems II takes a “don’t worry, be happy” tack. Heralds of optimism assure audiences on both sides of the Atlantic that most transatlantic data transfers are immune as a matter of law from U.S. surveillance, including collection under section 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333 (EO 12333). Unfortunately for this optimistic turn, U.S. surveillance authorities are sufficiently broad to reach many communications by EU individuals. In particular, section 702’s provision for collecting communications related to U.S. “foreign affairs” lacks any intelligible limiting principle or specific review of targeting decisions. The U.S. Foreign Intelligence Surveillance Court (FISC) does not approve every target under section 702, although it has the power to scrutinize targeting procedures. Collection under EO 12333 is even broader and not subject to FISC review. In sum, surveillance optimism is a rhetorical trope, not a legal strategy.
Navigating between the EDPB’s strict approach and the heralds’ unfounded optimism, this Article proposes a hybrid model. The hybrid outlines a risk-assessment method based on U.S. export controls, which have successfully managed exports of sensitive technology for decades. This model can also be a template for managing transfers of sensitive personal data. In addition, the hybrid model proposes bolstering substantive and institutional safeguards in U.S. law. For example, the Article proposes an Algorithmic Rights Court (ARC) that would probe targeting decisions under both section 702 and EO 12333. Through more precise risk assessment and reinforced institutional and substantive protections, the hybrid model preserves privacy and supports a sustainable transatlantic data transfer regime.
Rubinstein, Ira and Margulies, Peter, "Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground" (2022). Connecticut Law Review. 518.