Solving the Transatlantic Data Dilemma
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield framework, which, until then, regulated transatlantic exchanges of personal data for commercial purposes. In Data Protection Commission v. Facebook Ireland (Schrems II), the CJEU argued that U.S. surveillance law provides inadequate safeguards for EU citizens’ data. This was a transatlantic bombshell, as it left thousands of companies questioning the future of their transatlantic data flows. Since then, the United States and the EU Commission have been negotiating a successor agreement, but have not yet announced a path forward.
Establishing a new agreement for transatlantic data flows is incredibly complex. Legal frameworks for different modes of government access to personal data as well as obligations for data processing, transfers, retention, deletion, and redress mechanisms vary substantially—even within Europe. What common norms and standards should be written into a new agreement to assuage valid concerns on both sides about disproportionate government access to personal data?
This report points to the heart of the current transatlantic data transfer dilemma: the governance of foreign intelligence collection and the many unresolved questions regarding the protection of fundamental rights in cross-border contexts. Reviewing recent jurisprudence and surveillance reforms in several democracies, the report shows that much more needs to be done—both in the United States and across Europe—to better protect the rights of non-nationals from disproportionate government access. Our report focuses first on direct and compelled access through bulk collection by intelligence agencies before examining voluntary access to data held by the private sector. While intelligence legislation and practice are the main focus of this report, we also review law enforcement or military agencies’ access to data, albeit mostly in conjunction with governance and policy questions tied to inter-agency data transfers.
Each chapter of this report includes recommendations or steps that governments can take to better meet evolving international standards of necessity and proportionality. While it is neither possible nor desirable for democracies across the globe to adopt the same standards for proportionate government access to data irrespective of their different constitutional systems and heritage, more robust safeguards are necessary for the free flow of data with trust to resume. This will stimulate growth among our digital economies and strengthen our democracies. Some recommendations are long-term goals that require bold legislative action; others can be achieved in the medium term without substantial reform of legal frameworks. We do not argue that all the measures we recommend are strictly required by the Schrems II decision, or that any particular reforms would resolve the CJEU’s concerns. Rather, we identified a broad package of reforms that could help to prevent a future halt of transnational data flows.