On July 16, 2020, the European Court of Justice (the “ECJ”), in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (C-311/18) (“Schrems II”), invalidated the EU-US Privacy Shield framework commonly used for transatlantic information transfers. The ECJ held that Standard Contractual Clauses are valid but may not be adequate, and that businesses will be required to perform a case-by-case analysis to determine whether regulations of government access to information in non-EU countries meet rigorous EU standards.
If a foreign government needs to access information belonging to an EU citizen whose information was transferred to a foreign country for commercial purposes, the EU requires that the government’s need to access such information meet the standard of “strictly necessary”. The Schrems II ruling confirms that the EU deems current U.S. regulations inadequate to meet this standard. Specifically, to comply with the privacy rights guaranteed in the EU under the Charter of Fundamental Rights, the U.S. would have to implement additional safeguards to protect EU citizens’ personal information from government overreach and provide EU citizens legal recourse to defend their rights in the U.S. judicial system, if necessary.
Following Snowden’s 2013 PRISM-related bulk data collection revelations, the U.S. made efforts to assure the EU authorities that once EU citizens’ information is transferred to the U.S., it is safe from invasive U.S. government overreach. The USA Freedom Act of 2015 imposed new limits on the bulk collection of telecommunication metadata. The FISA Amendments Reauthorization Act of 2017 provided enhanced oversight over domestic and foreign U.S. surveillance practices. The Schrems II ruling calls for more action from the U.S.
The ECJ’s order also means that the EU considers that EU citizens are not provided with protections equivalent to those afforded to U.S. citizens when their information is processed in the EU. Earning back the EU’s trust will require the U.S. to review its current information privacy regulations, revise its practices related to government access to the information of non-U.S. citizens, and open up to yet more constructive transparency. We may see a period of impasse between the two sides for a while unless the U.S. provides EU citizens actionable rights in the U.S. judicial system when they allege U.S. government overreach, which the U.S. now opposes.