Cross-Border Data Flows: A Case Study of U.S./EU Relations And Potential Impacts for Other Countries

The concept of privacy can mean different ideas to different people in different places around the world. The right to be left alone is one from the US perspective that means a lot to me, but also there is an idea of control: who can collect, who can use, who can disseminate. From a US perspective, there are two ideas of privacy that are very important. One is protection against companies, regarding consumer rights and commercial practices. We have talked about the fact that in the US this approach is sector-based on the federal level, and that each of the 50 states has its own law. The second idea is protection against government, and there has been some talk about that at the conference as well. Since the 1700s in our Constitution we have spoken about this protection against government. This protection against law enforcement in a criminal case has also been interpreted to apply in the foreign intelligence or national security area against the NSA (National Security Agency).

One aspect of privacy is informational privacy. Data protection is the term used in other places in the world. At this point, I will start the case study which shows the relations between the EU and the US. Prior to GDPR going into place, there was already the 1995 Directive. It said that for data to leave the EU, there needed to be a lawful basis for that transfer and that could be at the country level if your law was similar enough and you could get an adequacy decision from the EU.

The US does not have a comprehensive federal approach to privacy that regulates the use of personal information by businesses. We did not get an adequacy or full adequacy decision; instead, the US had an agreement with EU that was originally Safe Harbor.

There is another way to have a lawful basis and that’s at the company level. With Standard Contractual Clauses and Binding Corporate Rules, companies make promises about how they will handle data. It is my understanding that some Chinese companies are using this approach as their basis of transfer.

In 2015, the current problems between the US and the EU came to light. There is a case that is referred to as the Schrems 1 case. That case was filed by an individual by the name of Max Schrems, who was concerned about his data being held by Facebook. As a result of the case, the European Court of Justice invalidated the Safe Harbor agreement. The real concern from the US perspective is that Safe Harbor was invalidated not because of the practices of the company, not because of Facebook’s practices, but instead because the European Court of Justice looked at the practices of the US government and its access to European data as it enters the US going to Facebook.

And the court said that those practices that came to light in 2013 (after the Snowden disclosures) were the reason to stop the transfers based on the Safe Harbor agreement.

Shortly thereafter, Max Schrems filed a second case, which is referred to as the Schrems 2 case. In that case, which is currently pending before the European Court of Justice, Max Schrems argues: if there was a problem with US practices that led to the invalidation of Safe Harbor in the Schrems 1 case, then why wouldn’t that also be a problem for the Standard Contractual Clauses of the company-level approach? There have been reforms to US surveillance practices since the Schrems 1 case, but there are still national security practices going on and the US still collects data.

From a technical legal perspective, I will step back and explain that in the Schrems 1 case there was not a developed record about the practices and protections that take place under US law. For the Schrems 2 case, there has been a developed record, with expert testimony related to US practices and protections in law enforcement and national security. The Georgia Tech team was actually involved in that testimony. I am going to go through some of the highlights of that testimony, which is available online. It’s a 350-page document.

As to protection generally in the United States against government access, you have both law enforcement and national security safeguards. These come most basically from the United States Constitution. The Fourth Amendment is often what you would hear referred to inside the United States. The language of the Fourth Amendment to the United States Constitution is “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

I have written an article with a colleague that says that this protection in the United States is probably the strongest in the world. If it is not the strongest, this protection is one of the strongest in the world. That Fourth Amendment right in the United States is further protected in a criminal case. If a law enforcement officer violates the search warrant requirement, that evidence cannot come into the criminal case (under the exclusionary rule) and any evidence that is linked to that is also excluded (under a doctrine called the Fruit of the Poisonous Tree).

There is also specific federal legislation that has been put in place and has been in effect for many years called the Electronic Communications Privacy Act. ECPA has been interpreted to say that for law enforcement to access the content of stored electronic communications, they have to have a search warrant based on probable cause.

There has been a very brief talk on Watergate here at this conference. Watergate happened in the early 1970s. President Richard Nixon used the power of the presidency for political advantage. His political party was the Republicans. He used that power to surveil the other party, which was the Democrats. After it came to light that this had occurred, there was a great deal of concern in the United States that you should not use the power of the presidency to surveil another party for political gain to try and win another election. And there was a reform that took place. The legislation passed in 1978 was the Foreign Intelligence Surveillance Act (FISA). Most basically, what that put in place was that for the executive branch to be able to use the power to surveil, they had to get a judge to approve that surveillance prior to it being done on US soil.

Now most communication goes across the internet. There has been an update to FISA which is called Section 702, which basically addresses how you are going to use that power to gather information from the internet. How do you do surveillance in this modern age and still restrict the executive branch of government? How do you make sure that if government surveillance is happening on US soil, it is not being targeted at a “US person” – who is a US citizen as well as someone who is physically in the United States?

The protections that Section 702 provides include a requirement that a judge annually review selectors to ensure the information that the NSA is targeting has to do with foreign actors, and that a judge annually review minimization procedures to make sure they are adequate to ensure that information which should not be looked at by a human being at the NSA is not reviewed by humans. The judge that does the review of those procedures is part of the Foreign Intelligence Surveillance Court, called FISC in the United States. This court came into existence in 1978, so it’s been in place for some time, and again it’s there to make sure that there is a check and balance -- a check on the executive power in the United States by the judicial branch of government.

The Fourth Amendment comes into play even in this context because the individuals at the NSA have to show a probable cause finding that their request is related to foreign intelligence gathering. The judges at the FISC are real judges, that is, federal judges in the US system. They have lifetime tenure. They are asked by the Chief Justice of the United States Supreme Court to serve a term of seven years, and after that term is over, they go back to being a judge in the federal system.

And the judges of this court have real power. There is the example of Judge Bates’ 2011 order, just prior to the Eric Snowden disclosures in 2013. Judge Bates received information about one of the practices that was going on at the NSA and did not think that practice was compliant with FISA or the United States Constitution. Judge Bates shut down the program. It was only after the government substantially revised its procedures for handling emails that Judge Bates approved future acquisition of those emails, subject to the new minimization procedures.

There is also additional oversight provided by Congress in the United States: both the US Senate and the US House have committees that are dedicated to oversight of intelligence-gathering agencies. There is also an inspector general, outside the normal chain of command, whom someone can go to if there is a concern.

Then there is independent review of foreign intelligence by an entity in the US government called the Privacy and Civil Liberties Oversight Board or PCLOB. So, in the United States we have quite a few national security safeguards. After the Schrems 1 case, a research team at Oxford University in the UK looked at the protections not only in the United States but also in numerous countries throughout Europe. The conclusion of that look was that the US was the benchmark and provided the strongest protections for national security safeguards.

After the Safe Harbor agreement was invalidated in Schrems 1, the EU and US were able to negotiate the Privacy Shield which came into force in July of 2016. It requires not only commitment from US companies but also from the US government and particularly those guarantees by the US government that relate to law enforcement and national security safeguards.

Earlier this year, the second EU review of Privacy Shield occurred, and again the EU was concerned about Section 702 of FISA and also executive orders related to national security. So, the Schrems 2 case is still pending. The question right now in the United States is what will happen if Schrems 2 is decided against Facebook and ultimately against the US based on the practices of our law enforcement and the practices for national security purposes. There is a belief by several US experts that if Standard Contractual Clauses are struck down as a basis for transfer, it would be difficult for Binding Corporate Rules to survive.

My understanding is that there is at least one current lawsuit against Privacy Shield arguing that Privacy Shield should fall. So that could leave the US without a legal basis for the transfer of data from the EU.

Obviously for the US that could be a major impact, and it’s talked about in the trade context. But the reason I bring this to you is that it has potential impacts for other countries. As I have described to you, the protections that are provided by the United States for law enforcement are the strongest or one of the strongest in the world. For national security, our safeguards are either the strongest or one of the strongest in the world. If the EU is reviewing those, not just for the US but begins to look at other countries that don’t have an adequacy decision, it’s hard to understand how another country would be able to meet the requirements of the EU if the United States does not meet those requirements.

One example: if Brexit does occur, what could happen in the UK? The UK may be able to get an adequacy decision after it exits. It may not be able to, because it has agencies that are involved in national security, and those practices would have to be looked at. I will end with an article that appeared in the news last month with the title “Europe Eyes Privacy Clampdown on China Surveillance.” According to this article, which appeared in Politico, there is a European watchdog that is considering looking at China’s government access to commercial data. And it is considering whether it should be looking at the practices of the Chinese government in its access for law enforcement and for national security.

(DeBrae Kennedy-Mayo is a Faculty Member at Georgia Tech and an Attorney-at-Law. She spoke at the Conference on Privacy and Data Governance organized by Luohan Academy on March 19-20, 2019, Hangzhou.)