Playing Legal Ping-Pong: Schrems I, II, and Perhaps III

In both the United States and the European Union, the protection of personal data is treated as a fundamental right. [1] Transatlantic data exchanges are estimated to underpin over $1 trillion in yearly trade and investment for multinational companies. [2] Despite that economic weight, and despite the United States' reliance on transatlantic transfers of personal data for national security, the legality of such transfers has yet to be settled. Since the Court of Justice of the European Union's ruling in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (colloquially known as Schrems II), the EU-U.S. Privacy Shield has been invalid, and companies with both U.S. and EU operations have been left without a stable legal basis on which to transfer personal data across the Atlantic. [3] When the Court invalidated the Privacy Shield, it did not replace it with a clear alternative. This has created challenges for international businesses and governments, as none of the parties knows to whom to defer on compliance questions. Although, on July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework negotiated with the Biden Administration, it is far from certain that this framework will survive review by the Court of Justice of the European Union (CJEU). Should the Court strike it down, the policy process must start over. The debacle highlights not only the differences in data protection standards and surveillance practices between the two jurisdictions, but also the fragility of executive bodies agreeing on 'legal' frameworks whose validity is decided only afterwards by a court. The Court's ruling in Schrems II has not only left lingering questions for companies and consumers; it has also resulted in an overreach of judicial power, grounded in a misreading of the legal scope of section 702 of the Foreign Intelligence Surveillance Act (FISA). [4]

Maximilian Schrems's challenge to the privacy of international data transfers first reached the CJEU in 2015, on a reference from the Irish High Court, in Maximillian Schrems v Data Protection Commissioner (C-362/14). [5] In the wake of Edward Snowden's disclosures about U.S. intelligence collection and the ensuing questions over the ethics and legality of U.S. data harvesting, Schrems contended that U.S. law did not adequately protect the personal data of Europeans from access by U.S. authorities. In October 2015, the CJEU declared the European Commission's adequacy decision for the U.S.-EU Safe Harbor Framework invalid; companies could no longer rely on Safe Harbor as a legal basis for sending EU personal data to the United States. This decision prompted the negotiation of the EU-U.S. Privacy Shield, a successor arrangement that was itself overturned in 2020 in Schrems II. The Privacy Shield, which governed transfers for roughly four years between Schrems I and Schrems II, gave consumers rights over their data. [6] EU consumers had the right to know about and access the data that certified companies held about them, and even the right to have that data deleted. The Privacy Shield was struck down because the Court found that U.S. law did not ensure a level of protection essentially equivalent to that guaranteed by the EU General Data Protection Regulation (GDPR) read in light of the EU Charter of Fundamental Rights, the adequacy standard set out in Article 45 GDPR. Widely described as the strictest data privacy law in the world, the GDPR applies to any organization that processes the personal data of individuals in the EU, whether or not it is established there, and rests on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. [7] Among the hardest obligations to meet is the right to erasure (the "right to be forgotten"), which forces companies to invest significantly in software and infrastructure that can actually locate and delete an individual's data across their systems. [8] The Privacy Shield's own principles (notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability) governed how certified companies handled data, but they could not constrain access to that data by U.S. public authorities. It was that gap, together with the absence of effective judicial redress for EU individuals, that the Court found decisive. [9] Thus, the CJEU struck down the Privacy Shield, leaving consumers wondering whether any arrangement will ever protect their personal information and companies wondering how and when they may lawfully handle the information their systems gather. [10]

The CJEU's decision to strike down the EU-U.S. Privacy Shield rested primarily on its finding that the United States does not offer sufficient protection for personal data transferred from the European Union. The Court's analysis was incomplete, and it leaves inadequate guidance on the validity of both present and future adequacy decisions, as detailed below. According to the Court, U.S. legislation fails to "indicate any limitations on the power it confers to implement surveillance programs for the purposes of foreign intelligence." [11] However, the Court's examination of U.S. surveillance law, particularly FISA section 702, was insufficient. Section 702, a central component of the FISA Amendments Act of 2008, authorizes targeted surveillance of non-U.S. persons reasonably believed to be located outside the United States, with the compelled assistance of electronic communication service providers, in order to acquire foreign intelligence information. [12] While the CJEU held that section 702 does not meet EU requirements, the judgment does not identify which elements of the statute permit the U.S. government to obtain more than is strictly necessary, nor which elements lack the safeguards essential to protect data subjects' rights. In its ruling, the CJEU also held that companies relying on standard contractual clauses (SCCs) must themselves assess whether the law of the recipient country ensures protection essentially equivalent to that required by EU law, and adopt supplementary measures where it does not. [13] It is unrealistic, however, to expect every company's legal team to reach the same conclusion about the same destination country, let alone one that a supervisory authority or the CJEU would accept. Nonetheless, the consequences of the Court's ruling are not what make it questionable; rather, it is that the Court understated the protections built into FISA section 702, leading it to conclude that section 702 is incompatible with the GDPR.

First, the Court asserted that U.S. surveillance programs are "not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed by the second sentence of Article 52(1) of the Charter." [14] This effectively implies that there are no limits on the data U.S. intelligence officials can access. Yet U.S. surveillance under section 702 is limited by statute and by court-approved targeting procedures: the intelligence methodology for data harvesting "consists entirely of targeting specific persons about whom an individualized determination has been made." [15] Thus, by law, U.S. intelligence officials must make and document an individualized determination that a target is a non-U.S. person located outside the United States and is expected to yield foreign intelligence information. A European individual's data that is of no foreign-intelligence interest is, at least as a matter of policy, still protected. Admittedly, the Court, Max Schrems, and individuals have valid concerns about whether these rules are enforced in practice and about what counts as an adequate individualized determination; however, policing the enforcement of existing legal conditions is not the Court's job, and a lack of enforcement does not mean that the Privacy Shield itself should have been invalidated. [16] Under section 702, the U.S. identifies targets via "selectors" (email addresses or phone numbers, for instance) believed to carry information relevant to U.S. national security. Collection is limited to communications to or from a tasked selector, not communications that merely mention it (the NSA ended so-called "about" collection in 2017). Additionally, according to the National Security Agency (NSA), analysts tasking a selector must record in writing the purpose of the collection and the basis for believing the target will communicate foreign intelligence information. [17] Because the Foreign Intelligence Surveillance Court approves only the government's annual certifications and its targeting and minimization procedures, and not individual tasking decisions, the CJEU took issue with the adequacy of that oversight. [18] Had the CJEU looked more closely at the existing legal restrictions on U.S. intelligence rather than at what might occur in practice, it might have reached a different conclusion than striking down the EU-U.S. Privacy Shield.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF), a successor arrangement intended to address the defects the Court identified in Schrems II. [19] Yet, despite its stricter wording, the DPF is not, in principle, much different from the Privacy Shield that Schrems II invalidated. It rests on a 2022 executive order (Executive Order 14086) and the redress mechanism that order created, not on any amendment of FISA section 702 by Congress; the statute itself is unchanged. Thus, again, international data transfer law is left in a state of serious ambiguity, and the same problems that afflicted the Privacy Shield persist under the new framework. The DPF is administered by the Department of Commerce and enforced by the Federal Trade Commission, and it requires U.S. companies that wish to receive EU personal data under it to self-certify their adherence to the DPF Principles before relying on the framework, a concession to the stricter EU regime, since U.S. companies must be more deliberate about what they collect and why. [20] However, with FISA section 702 unchanged, non-U.S. persons are still left without what the EU legally regards as adequate privacy protection. As noyb frames the dispute, the surveillance practices that the CJEU found incompatible with Articles 7, 8, and 47 of the EU Charter of Fundamental Rights remain in place, and the U.S. position is that the Fourth Amendment does not protect non-U.S. persons abroad, so their privacy is not secured by it. [21] Max Schrems, who set this transatlantic conflict in motion in Schrems I, calls the DPF just another round of "legal ping-pong" and has already announced plans to challenge it before the CJEU. [22] The DPF thus appears to be an agreement that improves the optics of the data transfer situation rather than one that delivers meaningful, durable reform. Consequently, the puzzle of international data transfer arguably remains unsolved.

In Schrems I, Schrems II, and now the EU-U.S. Data Privacy Framework, the CJEU and the European Commission have repeatedly swung and missed. Each decision has failed to reconcile the many moving parts involved in transferring data across continents: the GDPR and the EU Charter, U.S. national security needs, and FISA. The issue cannot be solved while each arrangement seems to satisfy only one side's legal framework at a time. It is equally unrealistic to expect every international company to research the legality of its data processing in every jurisdiction that may be affected; that is no recipe for consistency or for equitable legal interpretation. In a world where, technologically speaking, "physical borders do not matter much anymore," the law is still very much bordered. [23] It remains perpetually difficult for non-judicial bodies to craft arrangements that may or may not survive judicial review, as the EU-U.S. Data Privacy Framework agreed between the Biden Administration and the European Commission illustrates. While only time will tell whether the DPF will stand, one thing is clear: U.S. and EU data protection laws are simply not compatible, and any agreement between the two, absent tangible change to one side's laws, will continue to be overturned by the CJEU.

Edited by Christina Park

[1] Maximillian Schrems v Data Protection Commissioner, Case C-362/14, CJEU, 2015.

[2] "Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers." U.S. Department of Commerce, July 31, 2023, https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.

[3] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[4] "Data Protection Commissioner v. Facebook Ireland Ltd." Harvard Law Review, March 24, 2023, https://harvardlawreview.org/print/vol-134/data-protection-commissioner-v-facebook-ireland-ltd/#footnote-9.

[5] Maximillian Schrems v Data Protection Commissioner, Case C-362/14, CJEU, 2015.

[6] "EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield." Congressional Research Service, March 17, 2021, https://crsreports.congress.gov/product/pdf/r/r46724.

[7] Ben Wolford, "What Is GDPR, the EU's New Data Protection Law?" GDPR.eu, May 26, 2022, https://gdpr.eu/what-is-gdpr/.

[8] Sam Mignano, “GDPR Compliance: How to Overcome 4 of the Toughest Challenges,” Doherty Associates, November 9, 2022, https://www.doherty.co.uk/blog/gdpr-compliance-overcoming-challenges/.

[9] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[10] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[11] "Data Protection Commissioner v. Facebook Ireland Ltd." Harvard Law Review.

[12] "Foreign Intelligence Surveillance Act (FISA) and Section 702," FBI, May 16, 2023, https://www.fbi.gov/investigate/how-we-investigate/intelligence/foreign-intelligence-surveillance-act-fisa-and-section-702.

[13] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[14] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[15] "Joint Unclassified Statement of Robert S. Litt General Counsel Office ..." U.S. Department of Justice, July 31, 2023, https://www.justice.gov/sites/default/files/testimonies/witnesses/attachments/2016/02/17/508_compliant_02-02-16_fbi_litt_evans_steinbach_darby_joint_testimony_from_february_2_2016_hearing_re_fisa_amendments_act.pdf.

[16] "European Commission Gives EU-US Data Transfers Third Round at CJEU." noyb, July 10, 2023, https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

[17] "Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU ..." U.S. Department of Commerce, September 2020, https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.

[18] Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, CJEU, 2020.

[19] “Data Protection: European Commission Adopts New Adequacy Decision for Safe and Trusted EU-US Data Flows,” European Commission - European Commission, July 10, 2023, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

[20] "Data Privacy Framework." Data Privacy Framework Program, July 2023, https://www.dataprivacyframework.gov/s/.

[21] "European Commission Gives EU-US Data Transfers Third Round at CJEU." noyb.

[22] "European Commission Gives EU-US Data Transfers Third Round at CJEU." noyb.

[23] “Data Protection: European Commission Adopts New Adequacy Decision for Safe and Trusted EU-US Data Flows.”

Arielle Hillock