Worldwide: U.S. Senators Responding To CJEU Schrems II – Revisiting The Need For Privacy Reform
Author: Sharon Schmidt
On 09.12.2020,1 the Senate Committee on Commerce, Science and Transportation conducted a hearing, discussing the need for a comprehensive federal U.S. privacy legislation as well as the future of trans-Atlantic data flows in light of the EU/US Privacy Shield invalidation by the Court of Justice of the European Union (CJEU) on 16.07.2020 (case C-311/18, Schrems II).2 Discussions centred on policy considerations that led the CJEU to conclude that the then existing framework had failed to provide equivalent protection standards as required under EU law. In addition, the hearing featured expert submissions on the practical steps to pursue for purposes of establishing a successor data transfer framework.
The meeting reinforced the urgency of a rapid legislative replacement that would allow transatlantic operations to be continued. It was commonly agreed that such a development would be particularly crucial for small businesses, which made up over 70% of Privacy Shield certified companies.3 Although acknowledging the need for international consensus, the hearing did not include European experts nor representatives of civil society. Speakers, however, included representatives of the U.S. Federal Trade Commission (FTC), the U.S. Department of Commerce (DoC), the Software Industry (Victoria Espinel) as well as Koch Distinguished Professor in Law, Mr. Neil Richards and Mr. Peter Swire, Professor of Law and Ethics at the Georgia Tech Scheller College of Business, and Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy.
During his opening statement Committee Chairman, Mr. Roger Wicker, expressed his support for a ‘durable and lasting’ transatlantic data-transfer framework, deeming it a ‘tall but essential order’. Drawing on one estimate according to which ‘digitally enabled trade amounted to between $800 and $1,500 billion globally in 2019 [while being] projected to raise global GDP by over $3 trillion’ in 2020, he alluded to the significant economic benefit international trade provides for domestic and international businesses alike. During his remarks, Mr. Wicker argued that the former Privacy Shield established a legal mechanism that was ‘intended to ensure that over 5,000 small-/medium-sized businesses, spanning several economic sectors in both the U.S. and EU could continue engaging in transatlantic digital commerce without disruption’. By highlighting some of the key requirements stipulated under the Privacy Shield (e.g. notification obligations placed on participating organizations, appointment of Ombudsmen to allow for proper investigation of complaints etc.), he deemed the U.S.’s existing redress rights as adequate and its surveillance regime as comparable to that of other EU member states. Nevertheless, by recognizing the commonality of shared democratic values between the continents, Mr. Wicker reinforced his commitment to the development of meaningful consumer data protection standards that would ‘sustai[n] the free flow of information across the Atlantic, and encourag[e] continued economic and strategic partnership’ with Europe.
Ranking Member, Ms. Maria Cantwell, stressed the significance of greater transparency on decisions rendered by the Foreign Intelligence Surveillance Court (FISC). With digital trade between the U.S. and Europe being valued at more than USD 300 billion annually, she advocated for a resolution that would not only foster trust and reinstate greater surveillance cooperation between the entities, but that would also refrain from more diversion ‘towards national protectionism’.
In her remarks, Ms. Victoria Espinel,4 President and Chief Executive Officer of the software industry trade group BSA, underscored the importance of maintaining a both safe and reliable data transfer structure to sustain and ensure the continued growth of both economies. Notwithstanding the urgency of affording effective privacy protections to consumers, she also encouraged ‘all like-minded democratic societies interested in both security and civil liberties to think boldly about longer-term approaches to security safeguards’ (p3), positing that ‘some amount of signals intelligence is necessary in a democratic society to ensure safety and security’ (p10).
Department of Commerce Deputy Assistant Secretary for Services of International Trade Administration, Mr. James Sullivan,5 explained that he had participated in a number of multilateral discussions with EU officials, focusing on a Privacy Shield replacement. He considered the CJEU decision to have created ‘enormous uncertainties for U.S. companies and the transatlantic economy’ (p2) that had forced companies to face three distinct choices, namely: ‘(1) risk facing potentially huge fines (of up to 4 percent of total global turnover in the preceding year) for violating GDPR, (2) withdraw from the European market, or (3) switch right away to another more expensive data transfer mechanism’ (p6). He also singled out the issue of government access to data, arguing in favour of ‘broader discussions among likeminded democracies’ to ‘develop principles based on common practices for addressing how best to reconcile law enforcement and national security needs for data with protection of individual rights’ (p8). He opined that such a demand for access is, however, distinguishable from that called for by non-democratic societies, whose engagement in personal data collection is intended ‘to surveil, manipulate, and control [citizens] without regard to personal privacy and human rights’ (p8). In closing, he emphasised the importance of shared principles as an essential foundation for ‘preserving and promoting a free and open Internet enabled by the seamless flow of data’ (p8).
Considering interoperability a priority for the incoming administration, Federal Trade Commission (FTC) Commissioner, Mr. Noah Joshua Phillips,6 similarly called upon liberal democracies to unite, not splinter in seeking a path forward following the Schrems II ruling. He asserted that it is detrimental for countries to ‘evaluat[e] their approach to digital governance [,] to share and promote the benefits of a free and open Internet’ and to strengthen ties with compatible data governance regimes by drawing lines ‘between allies with shared values [and] those that offer a starkly different vision’ (p9).
The final two contributions by Mr. Swire7 and Mr. Richards,8 offered an academic account on the evidence submitted during the Schrems II proceedings. While considering the protection level offered by the Privacy Shield as essentially equivalent to that guaranteed within the EU, Mr. Swire deemed a revision of current U.S. surveillance practices as necessary. He proposed a one-year agreement that would allow the ‘new administration to engage systematically [in the creation of] durable approaches for agreements with the EU on data’ while providing a ‘useful incentive for all concerned to continue to work intensively toward a longer-term solution’ (p10).
Mr. Richards, by contrast, expressed a sense of urgency regarding a U.S. commitment to privacy and surveillance law reform, which according to him had become a ‘creature of distrust,’ (p18) rooted in the lack of a comprehensive federal privacy legislation and the Snowden revelations that had disclosed NSA surveillance activities in June 2013. Through meaningful judicial redress and addressing the shortcomings of the country’s vast signals-intelligence collection systems, he argued that the U.S. could achieve privacy and data protection adequacy. In this regard, he suggested that the Schrems II decision demonstrates a meaningful opportunity to regain leadership in consumer protection, but also to advance towards greater international cooperation and economic prosperity: ‘there is a way forward, but it requires us to recognize that strong, clear, trust-building rules are not hostile to business interest, that we need to push past the failed system of “notice and choice,” that we need to preserve effective consumer remedies and state-level regulatory innovation, and seriously consider a duty of loyalty’ (p19).
The central views conveyed by the witnesses during the Senate Committee hearing are reflective of the meeting’s overarching support for a comprehensive consumer privacy legislation that would place a duty of loyalty on companies in their treatment of personal data and endow individuals with a private right of action. Despite the considerable number of varying suggestions introduced that day, all speakers commonly acknowledged the grave impact that the Privacy Shield invalidation had brought with it and the necessity to rectify its effect. An adequacy decision could, however, only be successfully pursued if intelligence gathering approaches were revised and surveillance reform truly committed to. These endeavours, it was argued, may require broad consensus building with other democratic allies with strong privacy regimes.
Confronting these issues globally, is a critical starting point to overcome the uncertainty threatening to disrupt trans-Atlantic data flows that are essential to the operations of many U.S.-based tech companies. However, it also promises to be particularly crucial for deriving at meaningful surveillance reform options that would promote compliance with the Schrems II decision and inadvertently offer to protect the rights of consumers beyond country borders.
Footnotes
1 Webcast and written transcripts available via: https://www.commerce.senate.gov/2020/12/the-invalidation-of-the-eu-us-privacy-shield-and-the-future-of-transatlantic-data-flows.
2 Available via: http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first∂=1&cid=5219638.
3 US Department of Commerce Department, Commerce Secretary Wilbur Ross Welcomes Privacy Shield Milestone-Privacy Shield Has Reached 5,000 Active Company Participants (Sept. 11, 2019), https://www.trade.gov/press-release/commerce-secretary-wilbur-ross-welcomes-privacyshield-milestone-privacy-shield-has ; Congressional Research Service, U.S.-EU Privacy Shield (Aug. 6, 2020), https://fas.org/sgp/crs/row/IF11613.pdf
4 Transcript available via: https://www.commerce.senate.gov/services/files/3B067E7A-26FA-497A-9AC3-4DB37F140C8F.
5 Transcript available via: https://www.commerce.senate.gov/services/files/8F72849E-3625-4687-B8F5-71AFF4640D1F.
6 Transcript available via: https://www.commerce.senate.gov/services/files/34555EB9-4074-4A11-A4E9-A85EA3CAED56.
7 Transcript available via: https://www.commerce.senate.gov/services/files/6E06A2A6-A9D9-4EFA-8390-0A288B7C1DCA.
8 Transcript available via: https://www.commerce.senate.gov/services/files/021C9A15-B562-4818-9BDE-F103512D6ED3.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.