U.S. government surveillance remains in the spotlight one year after the European Union’s top court struck down a main mechanism that Facebook Inc. and about 4,000 other companies used to transfer data across the Atlantic.
Surveillance is expected to be the focus of proposals for revamping the so-called EU-U.S. Privacy Shield, which was invalidated in a July 16, 2020, ruling from the Court of Justice of the European Union.
Assessing the likelihood of government access to data is also a key part of advice from European privacy regulators on how companies can protect transatlantic data flows in countries like the U.S. that are deemed to have inadequate privacy protections. The U.S. lacks a national privacy law akin to Europe’s General Data Protection Regulation, which threatens hefty fines against companies that violate provisions meant to give consumers more control over their personal data.
Companies facing policy uncertainty are likely eager for U.S. and EU negotiators to reach a new agreement, since data flows pose challenges that can’t be solved with private sector measures alone, according to Caitlin Fennessy, former U.S. director for the Privacy Shield.
“What is at stake here is national security and surveillance issues,” Fennessy, now research director at the International Association of Privacy Professionals, said. “Protections in that realm underpin all commercial data transfers.”
Christopher Hoff, the official charged with carrying out the Biden administration’s policy work on EU-U.S. data flows, didn’t immediately respond to a request for comment.
In the wake of the EU Court of Justice ruling on the Privacy Shield, many companies anticipated switching to another transfer mechanism known as standard contractual clauses, according to an IAPP survey. Facebook is among the many companies that use these contracts, which remain a valid option for data transfers to the U.S.
Companies have been “beefing up” privacy commitments in their data transfer contracts, according to Aaron Cooper, vice president of global policy for the software industry association BSA|The Software Alliance.
Cooper said more companies are also adopting added safeguards such as encryption, so that data transferred would be unreadable. Microsoft Corp. went a step further and pledged to challenge government requests to access its customers’ information.
Still, such measures aren’t considered enough to quell European officials’ surveillance concerns, which stemmed from former contractor Edward Snowden’s revelations on spying by the U.S. National Security Agency.
“You can’t use a contract to avoid government surveillance,” said Neil Richards, a law professor at Washington University in St. Louis. Ireland’s Data Protection Commissioner enlisted Richards to provide expert testimony on U.S. law during the EU court case over the Privacy Shield.
“Because of the surveillance piece, this becomes a really complicated question,” he added.
The U.S. government will need to address issues raised over what sort of redress is provided to individuals from the EU who are impacted by government surveillance. A State Department official is tasked with fielding complaints about European privacy rights violations that are passed on from EU data protection authorities.
Some followers of EU-U.S. data policy, including the Georgia Institute of Technology’s Peter Swire, have suggested shifting such work to another agency.
One option is the Privacy and Civil Liberties Oversight Board, an independent agency tasked with balancing counterterrorism efforts and protecting people’s rights. Officials in the intelligence community could also be tasked with investigating European privacy complaints.
Cases in need of judicial review could be sent to the Foreign Intelligence Surveillance Court, which oversees requests for surveillance and searches for foreign intelligence purposes.
U.S. President Joe Biden could take steps on legal redress for Europeans through executive action, rather than relying on lawmakers in Congress to pass a new surveillance law, according to Swire. Moving without Congress “will take some creativity,” he said Wednesday in an online event hosted by the Information Technology Industry Council, a global tech trade association.
But transatlantic data flows are about more than just privacy compliance, he said. It’s an economic and political issue that could have ramifications for the relationship between the U.S. and EU, said Swire, who’s also senior counsel with Alston & Bird LLP.
“It comes to having an alliance with Europe,” he said.
A split over privacy protections could force companies to use data centers local to Europe, in what’s known as data localization. Microsoft, for example, is letting cloud customers in Europe store their data locally amid ongoing policy negotiations.
Data localization would be an expensive route, even for larger companies, and would effectively freeze out small and medium-sized businesses, a former U.S. Commerce Department official warned at a congressional hearing in December.
“The longer this uncertainty persists, the less outrageous it’s going to seem for transnational companies to build data centers in Europe just to avoid this whole issue,” Richards said.