Replacing the Safe Harbor – Robust privacy protections in a new EU-US data transfer agreement

Much has been written and said about the Decision by the Court of Justice of the EU (CJEU) in the Schrems case, invalidating the European Commission’s Safe Harbor Decision, and its implications. Recently, EU and US negotiators have briefed the press and stakeholders about the progress towards a new data transfer agreement to replace the defunct Safe Harbor decision.

A new agreement is critically important to companies, both US and European, that conduct business, serve customers and employ people on both sides of the Atlantic. Companies that self-certified under the Safe Harbor scheme are, following the Court’s decision, moving to the other available legal data transfer mechanisms: Binding Corporate Rules and Standard Contractual Clauses.

However, the fundamental paradox of the Schrems case remains: these transfer mechanisms do not and cannot (without violating US law) include protections that limit companies’ obligations to comply with data requests from US law enforcement and national security agencies. The logic used by the CJEU in the Schrems case could well be applied to these other schemes, and Data Protection Authorities (DPAs) and courts might well decide to refuse to authorize data transfers.

It would be extremely disruptive to transatlantic economic cooperation and business if this were to happen. Some companies might have to undertake significant and costly operational restructuring to provide services in Europe, and others might have to suspend their operations. This would be damaging both to businesses and to consumers. At least one major tech company, Facebook, has already been threatened with a lawsuit if it does not stop data transfers.

A comprehensive solution to the concerns raised by the CJEU requires reform of surveillance laws in the US, which could trigger needed reform of surveillance laws in European Member States. However, for the reasons noted above, CDT recognizes the need for a new data transfer agreement, and we would want that agreement to create meaningful and substantive protections for European citizens.

Some protections can be put in place administratively, without changing US law. These protections include allowing companies to disclose more detailed statistics about US Government intelligence surveillance demands, and making US Government disclosure of more statistics about its surveillance demands part of the Safe Harbor reporting requirements. Further, the US Government could commit to disclosing the subject matter of all certifications filed with the FISA Court under Section 702 of FISA. These certifications identify the intelligence requirements to be met through this intrusive surveillance. Such disclosure would shed at least some light on the extent to which surveillance under this statute is conducted for a legitimate aim. In addition, the US Government could commit to formally declassifying the targeting procedures used to subject non-US persons to surveillance. The Intelligence Community has already agreed to revise NSA targeting procedures to require additional documentation of the reasons why a person was targeted for surveillance. Disclosure of the targeting procedures would go some way toward showing that Section 702 surveillance is necessary and sufficiently tailored.

The agreement could require a commitment to promptly release declassified FISA Court decisions. The USA Freedom Act requires declassification review of each FISA Court decision that involves novel legal, technical or compliance issues. Such decisions may shed light on the breadth of NSA surveillance, and on the justifications for it. Finally, the agreement could require that Section 702 surveillance – to the extent it requires disclosure of data that may flow between Europe and the US – be devoted exclusively to the national security of the United States or its allies. This is consistent with a recommendation put forward in December 2013 by the President’s Review Group.

As mentioned, these elements would enhance the protection of European citizens’ privacy and can be put in place without legislative reform, and we encourage the negotiators to consider them. An agreement that includes these elements would not fully address our concerns about intrusive and overbroad government access to data under Section 702, but it would be a tangible improvement in the protection of European citizens’ data, and it should be a step towards a more comprehensive transatlantic consensus about the conduct of data collection for national security. We and others have called for this for some time.