Curing the Symptom While Ignoring the Cause – Will the Trans-Atlantic Data Privacy Framework Work the Third Time?
Vol. 44 Associate Editor
Despite two years of transatlantic data privacy vacuums, a new hope seems to have materialized after the White House announced its latest collaboration with the European Commission. However, after both previous attempts at building a transatlantic privacy framework–the Privacy Shield and the International Safe Harbor Privacy Principles—were struck down consecutively by the Court of Justice of the European Union (CJEU), whether the United States can assemble a new and lasting transatlantic data privacy framework has come into serious question. The Safe Harbor, the Privacy Shield, and the impending new framework are all alternate paths specifically designed for the United States to substitute the rigorous “adequacy decision” hurdle as required by GDPR Article Forty-Five. Instead of changing the existing sectorial privacy regulations to prove the privacy protection provided by the United States is “essentially equivalent” to the EU system, under these US-EU frameworks, businesses can transfer data so long as they voluntarily join and self-certify to comply with the Safe Harbor or Privacy Shield principles. In practice, aside from the United States, countries that achieve free personal data transfer must all go through a rigorous adequacy examination by the EU. The previous failure of the frameworks has been framed as a surveillance overreach. In Schrems I, the CJEU stated that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising … the fundamental right … as guaranteed by Article 7 of the Charter.”  Schrems II further critiqued surveillance overreach and pointed to U.S. Foreign Intelligence Surveillance Act (FISA) section 702, Executive Order 12333, and the insufficiency of Presidential Policy Directive 28 (PPD-28) in striking down the privacy shield. The United States is targeting these issues with hopes to resolve them by proposing a new framework with additional focus on intelligence activities. The White House emphasized the United States’ commitment to “[s]trengthen[ing] the privacy … safeguards governing U.S. signals intelligence activities…and [e]nhanc[ing] its existing rigorous and layered oversight of signals intelligence activities.” However, in essence, the conflict here is not only one of privacy or surveillance, but also an issue of human rights and constitutional grounds. The consistent failures are largely due to divergent views between the United States and EU on the question of whether privacy is protected as a fundamental right. The 1950 European Convention on Human Rights, to which all EU members are parties, specifically lists the “[r]ight to respect for private and family life” as a fundamental human right in Article Eight. In 2009, the EU reaffirmed and updated their human rights position to further include “[p]rotection of personal data” in Article Eight of the Charter of Fundamental Rights of the European Union. In contrast, the United States Constitution does not specify privacy as a right, and courts have consequently adopted fluid interpretations of the Fourth Amendment to only protect privacy when it is reasonably expected.  The difference between privacy as a human right and privacy as a reasonable expectation is a subtle yet essential one; a fundamental right is indivisible, but an expectation of privacy can lose protection if it is unreasonable. Americans can lose their right to privacy easily and unexpectedly. For instance, under the Fourth Amendment’s third-party doctrine, which supports and shares similar logic with FISA 702, individuals are deemed to have relinquished their expectation of privacy for information they voluntarily conveyed—secretly or not—to a third party. Interestingly, despite the different viewpoints on privacy, at least two crucial international documents between the US and EU have acknowledged privacy as a human right. Article Twelve of the Universal Declaration of Human Rights (“UDHR”) declares that “[n]o one shall be subjected to arbitrary interference with his privacy…” and an individual “has the right to the protection of the law against such interference or attacks.” In spite of having no binding power, the UDHR, serving as one of the earliest human right documents, continues to have a significant normative impact in the human rights sphere today. In addition, Article Seventeen of the International Covenant on Civil and Political Rights grants individuals the right not to be subject to “arbitrary or unlawful interference with his privacy … [, and] unlawful attacks on his honour and reputation;” and a right to fight against any such interference or attacks. Has the United States, in refusing to acknowledge privacy as a constitutional right, fulfilled its human rights treaty obligations? The wording and framing of privacy in the treaties do not directly guarantee a privacy right—instead, they establish a right to fight against the infringements on privacy. The flexibility of these words provides a vague continuum for the protection of privacy, with the United States and EU standing on opposite ends of the range. It is also questionable whether people can fight to protect something if they were not given it in the first place. Should the EU demand the United States to provide this fundamental right, a problem will then arise as to whether the United States can create a fundamental right of privacy specifically to be enjoyed by EU individuals, thus providing them what the United States has not provided to the American general public. Schrems III will come. The impending framework’s attempt to bypass differences in privacy law is likely to fail – with courts striking down political agreements made by the Executive Branch for failing to comply with the Bill of Rights – due to different understandings of human rights and constitutional incompatibilities. Despite the gloomy outlook, there are some practical, though not optimal, avenues to achieve reconciliation that do not require fundamental or constitutional changes. For instance, the United States could grant preferential treatment to EU individuals. However, any preferential treatment will most likely be unpopular among American citizens and could spark political and public backlash. Additionally, some state-specific, piecemeal frameworks might survive the future scrutiny of Schrems III. For instance, California, where the constitution has specifically protected the right to privacy, might have a better chance of acquiring adequacy status. The borderless nature of data and the piecemeal solution combined could aggravate existing gaps and conflicts between the different state legislatures and lead to chaotic enforcement. However, whether these piecemeal or preferential solutions present acceptable or practicable ways forward remains an open question.
 FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework White House (Mar. 25, 2022) https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/ [hereinafter Fact Sheet].  How to Join Privacy Shield (part 1), Privacy Shield Framework, https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1; Adequacy decisions: How the EU determines if a non-EU country has an adequate level of data protection, Eur. Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en; Commission Regulation 2016/679, 2016 O.J. (L119) Recital 104.  Case C-362/14, Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650 (Oct. 6, 2015).  Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd., ECLI:EU:C:2020:559, (July 16, 2020); Cong. Rsch. Serv., EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and its Impact on the Eu-U.S. Privacy Shield (2021) (For instance, following article fifty-two of the Charter of Fundamental Rights of the EU, limitation to privacy must be proportionate, necessary and “genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.” However, subjecting to several procedural requirements, the FISA 702 gives the government right to require “all information, facilities, or assistance”).  Fact Sheet, supra note 1.  Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, Nov. 4, 1950, 213 U.N.T.S. 230.  Charter of Fundamental Rights of the European Union, Mar. 3, 2010, 2010 O.J. (C 83) 389.  See Katz v. United States, 389 U.S. 347 (1967); California v. Ciraolo, 476 U.S. 207 (1986); (For instance, individuals have expectation of privacy at home but could lose that expectation if he is standing at his fence-in backyard. The naked-eye aerial observation of a fenced-in backyard from an altitude of 1000 feet is not an illegal search).  See Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (“[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”).  G.A. Res. 217 (III) A, Universal Declaration of Human Rights art. 12 (Dec. 10, 1948)  International Covenant on Civil and Political Rights art. 17, Dec. 16, 1966, 999 U.N.T.S. 171, 177.  6 Months of “agreement in principle”, EU-US agreement in fact still missing, noyb (Sep 25, 2022), https://noyb.eu/en/6-months-agreement-principle-eu-us-agreement-fact-still-missing, (in which the plaintiff of the two previous Schrems cases showed that he is dissatisfied with the current approach and indicated his determination to bring up a third suit to CJEU).  Elaine Fahey & Fabien Terpan, Torn Between Institutionalisation & Judicialisation: The Demise of the EU-US Privacy Shield, 28 Ind. J. Glob. Legal Studies 205, 208 (2021).  Emily A. Ivers, Using State-Based Adequacy Now, National Adequacy over Time to Anticipate and Defeat Schrems III, 62 B.C. L. Rev. 2573 (2021). The views expressed in this post represent the views of the post’s author only.