
Can EU-US Data Transfers be Restored? Research on Surveillance Reforms Offers a Potential Path Forward

The Schrems II ruling, followed by several decisions from European data protection authorities, has made it much more difficult and complex to send personal data west across the Atlantic. Restoration of simple EU-US data transfers hinges on assurances from the United States that these communications will not be subject to government surveillance, something that is politically difficult given the lack of a federal data privacy law that can equal the protections provided by the General Data Protection Regulation.

A new research paper from New America’s Open Technology Institute looks to untangle this problem and provide some sort of a path forward for EU-US data transfers. While the paper does advocate for continuing efforts to pass a federal-level data privacy law in the US, it sees the possibility of a more direct first step that would involve hammering out a legal agreement between the two powers backed up by new targeted laws limiting intelligence agency surveillance on the US side.

Can straightforward EU-US data transfers be restored in the near term?

At the moment, the US and the EU Commission remain in negotiation regarding a new legal framework for data transfers. The primary obstacle is that Schrems II has established that data partners must offer equivalent protections to those offered by the GDPR; the US presently has nothing at all of this nature at the federal level. The issue is also compounded by the Snowden revelations of routine international data interception and surveillance by American intelligence agencies, something that any agreement must provide legally binding assurances against.

The one grand move that could restore data transfers would be the passage of national data privacy legislation in the US, but this avenue of resolution appears to be a pipe dream. There have been several bills proposed in recent years, and some have gained bipartisan traction, but none would be a “magic bullet” that comprehensively addresses all the relevant surveillance issues. Even the more modest bills struggle to climb up the priority list as Congress grapples with a seemingly interminable chain of bigger issues: contentious election years, budget packages, Covid issues, and so on.

There are also complications at the EU end, the biggest being that any legal agreement for data transfers must be able to survive yet another GDPR-rooted court challenge that might invalidate it. European Commissioner Didier Reynders essentially surrendered on solving the issue in 2021 after the EU-U.S. Trade and Technology Council meeting in September, with policymakers instead proceeding slowly and with caution to hammer out something that is legally bulletproof.

The research report sees targeted new laws that limit surveillance as an achievable first step toward legally shoring up an agreement on data transfers. One recommendation is to create safeguards that address the sort of bulk international data collection that sweeps up many individuals who are not subjects of any kind of criminal investigation. The report points to recent developments in Germany, where a distinct and independent agency to appropriately handle the receiving and sorting of international personal data is in the process of being created.

The report also calls for stronger and more specific laws protecting communications of “personal character.” This means expressions of thoughts and feelings, or exchanges that address categories of already protected information such as sexuality and religion. Communications of this nature should be formally excluded from bulk collection and use by government agencies outside of formal criminal investigations.

Another idea is a legal volume limitation, something also recently passed in Germany. This would restrict bulk data collection to some percentage of all global telecommunications, 30% in the case of the new German law.

Non-nationals might also be formally extended the same rights that residents of the nation handling their data have. In the case of the US, this would mean that EU citizens would be furnished with 4th Amendment protections once their personal data passes into the country.

Addressing surveillance issues requires increased international cooperation

Another important point in the report is that data transfers are difficult to fully track because they pass through the hands of private entities; the companies that the Schrems II decision most directly impacts are social media companies and online retailers like Facebook, Amazon and Google.

The report notes varying levels of legal access to these private data stores and the records of interaction between government and these private businesses, even amongst the countries of Europe subject to the GDPR rules. This is an area where an international agreement on standards of government access to this data could be applied. European nations are already more equipped for this, but the report notes that comparable powers could be exercised by the independent Privacy and Civil Liberties Oversight Board in the US.

The idea of a multinational database that is jointly managed is also floated, something that the report finds precedent for in existing joint international counterterrorism surveillance operations.

The report addresses many other potential strategies, but one key issue that it suggests be addressed is the use of loopholes by government agencies to circumvent existing laws that could presently be used as legal foundation stones for data transfers.

According to Lauren Sarkesian, senior policy counsel at New America’s Open Technology Institute: “… The EU and U.S. governments also need to think beyond the near-term fixes that could satisfy the Court of Justice of the European Union, and make holistic reforms that could prevent future halts to transnational data flows. Most pressingly, this requires addressing legal loopholes such as government purchases of data from data brokers, an increasingly common method for U.S. government agencies to obtain personal data.”