Transatlantic Data Sovereignty: How to Achieve Privacy-proof Data Flows between the EU and the US

→ The state of the problem. The European Court of Justice (CJEU) ruled in July 2020 that in the US there is no sufficient level of protection for personal data of EU citizens, thus invalidating the 2016 US-EU Privacy  Shield agreement that served as a basis for transatlantic data transfers. Recently, theEuropean Commission and the US government jointly announced an “agreement in principle” to produce a new framework for data flows. However, its content, its specifics and especially its translation into enhanced changes will be key to ensure it is more sustainable than its predecessor.

→ What’s at a stake. The ruling, along with vague and uncertain guidance given by European Data Protection Authorities and its erratic enforcement by national entities, generated considerable uncertainty for businesses  (small and large), organizations and private citizens around a central aspect of global economic governance: over the past 15 years data has enabled trade in digital services between the US and Europe to double; and digital as  well as less digital industries, e.g., traditional manufacturing, critically depend on data that flows between the EU and the US.

→ Key roadblock. The CJEU considers that US data collection powers under current surveillance laws lack effective redress options for EU citizens, allowing government agencies to collect information from foreign users outside their national territory, but without them having the same means that US citizens do have to defend their privacy through the judicial process. This prioritization of national security over (foreign citizens’) privacy spurs from distinct approaches to privacy in both legal systems: In the EU, the protection of personal data is considered a fundamental right; in consequence, the European General Data Protection Regulation (GDPR) imposes  mandatory rules for how organisations and companies must use personal data and gives authorities capacity to act ex officio on breaches from this basic privacy protection. In contrast, the US has no GDPR federal equivalent (nor immediate plans or credible attempts to produce one), relies on state-level regulation of different scope, substance, and procedural issues, usually placing the responsibility to correct negative externalities on private actors and their specific actions.

→ A potential way forward. The end goal EU & US should set themselves is “transatlantic data sovereignty”, i.e. privacy-proof transfers of individuals’ personal data based on the shared common goals and principles of valuebased standards for international trade and technology among rights-oriented and rule of law-based market democracies. Despite these commonalities, it might be best to take a pragmatic approach acknowledging the
limited scope for agreement, thus focused on adequacy, equivalence, or mutual recognition. The departing minimum for it should be mirrored EU-US conditions recognizing redress options and reining in surveillance capacities. The US government has recently signaled its willingness to implement a new framework that features both novelties.

→ Within the US, the main issue would be the articulation of the political process. We suggest three distinct paths:

1. The most expeditive and efficient would be an Executive Order that limits bulk collections of data by US surveillance agencies and that provides additional redress mechanisms for European citizens, such as an executive  office or tribunal with the power to adjudicate complaints and issue binding decisions on US intelligence services. This seems to be the preferred approach by the current US government, which has committed to include  its upcoming commitments in a new EO. The central problem of this alternative would be its long-term sustainability after the end of the current Administration.
2. The most sustainable in the long term would follow a conventional legislative path: US Congress could amend FISA to prohibit bulk intelligence collections and require court approval with respect to each target of  surveillance. However, this route might prove too slow for the urgency of the matter, as well as subject to political uncertainty: the political situation in the US is challenging, characterised by a divided Senate, distinct  partisanship, and upcoming midterm elections.
3. A non-statutory solution is also on the table, for instance by amending the role of the Ombudsperson to empower it to act ex officio on behalf of privacy protection. This alternative, fast and perhaps more politically  feasible, bears the problem of difficult to assess whether a non-statutory option would meet substantive European requirements on redress, and whether it would lead to stable and reliable rules.

→ Within the EU, Member States are not subject to the same standards as foreign entities are. In fact, certain Member States (e.g. France) expressed in the past their willingness to entirely exclude their intelligence agencies  from the scope of EU law. But, to make it sustainable, any US concession on the possibility of redress should be effectively mirrored by EU Member States’ treatment of personal data of US citizens. This opens up a possibility  for other EU Member States to advocate a mirrored EU approach to US concessions on fundamental redress rights in the context of government surveillance activities, underlining their commitment to EU fundamental rights,  economic openness and meaningful Transatlantic cooperation to resolve the privacy-security dilemma.