By Special To The Washington Post · Michael F. Harsch, Vlagyiszlav Makszimov, David B. Ramsey · OPINION, BUSINESS, TECHNOLOGY, OP-ED, US-GLOBAL-MARKETS
It also set clear limits on the other main tool that businesses use to transfer data: standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) found that the Privacy Shield did not protect European citizens against U.S. surveillance, and suggested that contractual clauses would only work for transfers of data to jurisdictions that had equivalent privacy protections to the European Union. This means trouble for Facebook and other similar companies that rely on these data flows as part of their business model, as well as other big companies.
Here are three key takeaways from the ruling.
- Businesses can expect a turbulent time
The CJEU was deciding on a case that most people are calling Schrems II - after the Austrian privacy activist Max Schrems. The court ruled on the validity of the Privacy Shield, the U.S.-E.U. agreement which over 5,300 companies use to send sensitive data across the Atlantic, including tech giants such as Facebook, Twitter, Google and Amazon; and SCCs, which contractually oblige companies to follow E.U.-level privacy standards once they transfer personal data outside Europe.
The court annulled Privacy Shield, arguing that U.S. law does not limit surveillance programs to what is strictly necessary and that exposing the data of Europeans to U.S. intelligence agencies violates their privacy rights. In addition, the court found that the system offers insufficient legal recourse for Europeans to challenge U.S. practices. With transatlantic relations severely strained, the European Union and the United States face the daunting task of finding a new arrangement that satisfies the court's concerns without disrupting the transatlantic economy. Recent history will loom large over these negotiations: when the CJEU quashed Privacy Shield's predecessor, Safe Harbor in its Schrems I decision of 2015, regulatory chaos ensued.
SCCs could help in the short term, but they have problems, too. The court found that SCCs are generally sufficient for transferring personal data. However, the court said that E.U. data protection authorities are obliged to stop SCC-based transfers if they have concerns about data protection in the receiving country. The ruling thus creates significant uncertainty for any firm based in Europe that operates in countries such as China or India where governments have broad surveillance powers. Max Schrems's nonprofit organization claims the court's decision means that SCCs cannot be used anymore for data transfers to the United States, and Hamburg's activist data protection authority seems to agree. Facebook says it will await guidance, putting pressure on the European Union and the United States to find a solution.
- The European Court is becoming more activist on fundamental rights
Schrems and other recent decisions suggest the European Court is becoming more sensitive to public opinion and hence emphasizing fundamental rights. In the wake of 9/11, Europeans broadly supported U.S. counterterrorism measures, but over the past decade, Europeans have begun to favor safeguarding fundamental rights over security concerns, and the courts have followed. For example, in the Kadi case, an E.U. court in 2005 first upheld the U.N. Security Council's ability to freeze assets of alleged terror suspects. Yet in 2008, the highest court reversed course, ruling that blacklisted suspects deserve full judicial review and that governments must explain their reasons for imposing sanctions. The court ultimately upheld this decision in 2013, when only 1 in 50 Europeans still considered terrorism an important issue. That same year, Edward Snowden revealed that Facebook was affected by the National Security Agency's mass surveillance programs, which led to the original Schrems case.
Public concerns in Europe about data protection remain high. In a 2019 E.U.-wide survey, over 80 percent of respondents said they had only "partial" or "no control at all" over the information they provide online - despite the introduction of the E.U.'s General Data Protection Regulation in 2018. The Kadi and Schrems cases both suggest that Europe's highest court has become more similar to the U.S. Supreme Court, whose responsiveness to public opinion is well documented. As long as the CJEU does not face a public backlash, expect more bold rulings from the court defending fundamental rights.
- Europe and California are replacing Washington as standard-setters
With Schrems II, the CJEU has asserted its role as international standard-setter in data protection and privacy law. While Congress remains divided over establishing national standards, California's Consumer Privacy Act came into effect in 2020. The regulations under that law are poised to lead to more stringent standards nationwide.
To advance privacy protection, both the European Union and California are using a powerful legal principle also used by the federal government, "extraterritoriality," or the application of one country's domestic laws in other countries. The United States has long sought to enforce certain domestic legal standards abroad. A key example is the Foreign Corrupt Practices Act of 1977, which resulted in U.S. sanctions against several European companies and led to the adoption of the 1997 OECD Anti-Bribery Convention. In the Schrems II case, the CJEU effectively asserts the extraterritoriality of E.U. data protection regulations. Some now raise concerns about a "balkanization of the internet." But when faced with the choice of either complying with E.U. law or separating their European operations, U.S. tech giants previously stated they will comply. If the field of anti-corruption is any guidance, extraterritorial application of E.U. privacy rules could lead to stronger international standards and support the push for privacy rights in the United States.