The United States and the European Union are the world’s “largest net exporters of digitally-enabled services.”[1] Transatlantic data flows between the two account for approximately half of the United States’ data transfers and more than half of the European Union’s.[2] Since 2016, the EU-U.S. Privacy Shield has facilitated these transfers by establishing data privacy safeguards and protections for EU data subjects.[3] Recently, in Data Protection Commissioner v. Facebook Ireland Ltd.[4] (Schrems II), the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, finding that U.S. surveillance laws do not afford EU data subjects adequate levels of protection under the European Union’s Charter of Fundamental Rights (the “Charter”) and General Data Protection Regulation (GDPR).[5] Specifically, the court found that section 702 of the Foreign Intelligence Surveillance Act[6] (FISA) and Executive Order 12,333[7] are overly broad and lack sufficient redress for EU data subjects.[8] However, in reaching its decision, the court did not fully examine section 702 parameters and processes.[9] The court’s incomplete analysis creates substantial uncertainty regarding the legal framework under which it will analyze data-sharing mechanisms in the future and the data privacy standards to which third countries will be held.
The CJEU invalidated a previous EU-U.S. data-sharing provision — the “Safe Harbor Framework” — on October 6, 2015.[10] The decision arose from a 2013 complaint filed by Maximilian Schrems against Facebook Ireland Ltd. and submitted to the Irish Data Protection Commissioner.[11] Schrems sought to prohibit Facebook Ireland from transferring his personal data to the United States under the Safe Harbor Framework, arguing that U.S. laws did not ensure sufficient protection of data against U.S. government surveillance activities.[12] The court ultimately invalidated the Safe Harbor Framework in Schrems v. Data Protection Commissioner[13] (Schrems I), finding that it did not ensure privacy protections for EU data subjects “essentially equivalent” to those guaranteed under EU law.[14]
In the wake of the Schrems I decision, Facebook Ireland transferred data to U.S.-based Facebook, Inc. using standard contractual clauses (SCCs).[15] On December 1, 2015, Schrems filed an updated complaint against Facebook Ireland with the Irish Data Protection Commission, challenging the adequacy of SCCs.[16] The Commissioner published a draft decision, provisionally finding that data transferred to the United States might be accessed by the U.S. government in a manner that was not compatible with EU law and that did not provide effective legal remedies for EU data subjects.[17] The Commissioner further found that SCCs could not remedy this defect, as they were not binding on U.S. authorities.[18]
Following the invalidation of the Safe Harbor Framework and Schrems’s revised complaint, the European Commission adopted the “Privacy Shield.”[19] Under this new data-sharing framework, the United States created an independent Privacy Shield Ombudsperson, charged with oversight responsibilities regarding national security interference.[20] The United States also provided the European Union with detailed commitments regarding limitations and safeguards pertaining to data access for national security purposes.[21] The European Commission formally adopted the Privacy Shield via Commission Decision 2016/1250 (the “Privacy Shield Decision”), an “adequacy decision” that determined that the United States “ensure[d] an adequate level of [data privacy] protection” to EU data subjects.[22]
Meanwhile, the Data Protection Commissioner had brought the Schrems II proceedings before the High Court of Ireland,[23] which, in turn, referred eleven questions to the CJEU.[24] The High Court asked that the CJEU determine, inter alia, whether data transfers under SCCs violated privacy and data protection rights guaranteed under the Charter.[25] The High Court also asked the CJEU to determine whether the European Commission’s Privacy Shield Decision was binding upon national data protection authorities and the courts of EU member states.[26]
The CJEU upheld SCCs as valid data transfer mechanisms, but placed monitoring responsibilities on supervising authorities to ensure the enforcement of the GDPR within the context of SCCs.[27] The court found that articles 46(1) and 46(2)(c) of the GDPR require that EU subjects whose data is transferred to a third country be “afforded a level of protection essentially equivalent to that guaranteed within the European Union,” including “appropriate safeguards, enforceable rights and effective legal remedies.”[28] According to the court, such protection may take the form of a valid European Commission adequacy decision or be ensured through SCCs.[29] If data is transferred through SCCs, however, the relevant supervisory authority must ensure that the SCCs can be complied with in the third country or that EU standards for data protection can otherwise be maintained.[30]
Turning to the validity of the European Commission’s Privacy Shield Decision, the CJEU found that U.S. limitations on data protection violate the principle of proportionality.[31] In order to satisfy the requirement of proportionality, legislation must incorporate “clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.”[32] Moreover, any legislation infringing upon an EU data subject’s data privacy rights must be “limited to what is strictly necessary.”[33] The court first acknowledged that U.S. national security, public interest, and law enforcement interests have primacy over and may interfere with the fundamental rights of EU data subjects.[34] However, the court then held that U.S. surveillance laws are not sufficiently circumscribed to ensure EU data subjects privacy protections essentially equivalent to those ensured under the Charter.[35] In particular, the court concluded that U.S. limitations on data protection violate the principle of proportionality, as it found that U.S. surveillance programs — specifically section 702 of FISA and Executive Order 12,333 — do not impose “minimum safeguards” and are not “limited to what is strictly necessary.”[36]
The CJEU further found that U.S. law does not provide effective remedies to EU subjects whose data privacy has been compromised, cementing the invalidity of the Privacy Shield.[37] The court determined that Presidential Policy Directive 28, which sets forth legal requirements for U.S. “signals intelligence” activities,[38] “does not grant data subjects actionable rights before the courts against the US authorities.”[39] The court then determined that the Privacy Shield Ombudsperson mechanism is not sufficiently independent from the Executive and does not provide for a cause of action before a body that has the power to adopt binding decisions.[40] In light of these findings, the court held that EU subjects are without effective remedy to address U.S. data transfer deficiencies.[41] The court therefore declared the Privacy Shield Decision invalid.[42]
In invalidating the Privacy Shield, the CJEU failed to set forth a legal framework through which the European Commission may make and assess adequacy decisions. The court’s invalidation of the Privacy Shield rested, in large part, on the court’s determination that the United States does not provide an “adequate level of protection” for personal data transferred from the European Union.[43] Yet the court’s proportionality assessment of U.S. surveillance laws — particularly section 702 — was at times cursory, and frequently unclear. As a result, it is not apparent what aspects of section 702 expand collection beyond what is strictly necessary or lack minimum safeguards. The court’s incomplete analysis therefore provides little guidance regarding the validity of current and future adequacy decisions.
First, the court failed to engage fully with the limitations that section 702 incorporates. Instead, it summarily determined that the legislation “does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence.”[44] While the court’s language seemingly construes section 702 as an indiscriminate surveillance authority, section 702 collection “consists entirely of targeting specific persons about whom an individualized determination has been made.”[45] Under section 702, communications are targeted through the use of identifiers called “selectors,” such as email addresses and phone numbers, that are “used by a non–U.S. person who is reasonably believed to be located outside the United States and who is expected to possess, receive, and/or is likely to communicate foreign intelligence information.”[46] Selectors are “never key words or names of persons,”[47] and the U.S. government may not intentionally collect communications referencing, but not to or from, an individual.[48] An analyst who requests selector tasking must provide a targeting rationale,[49] including a written explanation detailing the analyst’s determination that the target will produce foreign intelligence information.[50] While the court took issue with the fact that the Foreign Intelligence Surveillance Court (FISC) does not approve individual section 702 targeting requests,[51] it did not consider any of these procedural requirements, all of which operate apart from FISC review. As such, the court failed to engage in a nuanced assessment of whether section 702 targeting requirements and procedures achieve functionally similar protections to the individual approval measures the court desired.
Second, the court determined that section 702 does not impose minimum safeguards to protect against abuse, but failed to evaluate the safeguards section 702 does incorporate, including FISC oversight, administrative reviews, and democratic reassessment. The FISC is not a mere “rubber stamp” on section 702 certifications.[52] The FISC reviews annual certifications submitted by the Attorney General and the Director of National Intelligence detailing targeting procedures to ensure they are consistent with statutory requirements,[53] and must issue a written opinion explaining its approval or nonapproval of the certifications.[54] The court has denied annual certifications due to deficiencies in agency querying and minimization procedures, requiring revised procedures prior to approval.[55] Moreover, the NSA is required to report all instances of targeting procedure noncompliance to the Office of the Director of National Intelligence and the Department of Justice,[56] and the FISC Rules of Procedure require that the government immediately notify the FISC of all incidents of noncompliance with FISC authorization or applicable law.[57] Thus, the FISC’s review of certification procedures “is not limited to the procedures as written, but also includes an examination of how the procedures have been and will be implemented.”[58] Apart from noting that the FISC does not approve individual targeting procedures, the CJEU did not evaluate the FISC’s “[i]ndependent and [e]ffective [o]versight” role with regard to section 702 surveillance.[59]
Furthermore, the CJEU did not consider the oversight mechanisms that operate separately from and in addition to the FISC. The Attorney General and the Director of National Intelligence are statutorily required to conduct periodic compliance reviews and to provide such reviews to elements within the judicial and legislative branches.[60] Moreover, section 702 is subject to periodic democratic debate and reauthorization. Section 702, in its current form, is authorized through December 31, 2023.[61] The “robust democratic deliberation” surrounding reauthorization has “produced important alterations to the program and a contemporary democratic reaffirmation of the program’s value and legitimacy.”[62] The sunset clause contained within section 702 ensures that the authority does not merely rely on prior authorizations and evaluations; it must continually prove that its national security aims are subject to sufficient safeguards regarding individual privacy and civil liberties.
The indeterminacy of the CJEU’s invalidation of the Privacy Shield extends beyond section 702. Post–Schrems II, all existing adequacy decisions appear vulnerable to judicial invalidation,[63] and the path to future adequacy decisions is unclear.[64] The court’s ruling leaves non–EU states without clear guidelines by which to assess compatibility with the European Charter and GDPR — legal standards to which EU member states’ national security apparatuses are not themselves required to conform.[65] The GDPR provides little additional guidance, requiring that adequacy assessments take account of indeterminate elements such as a third country’s “rule of law” and “respect for human rights.”[66] Taken together, neither the GDPR nor the EU Charter define “adequate” or set forth clear metrics by which adequacy decisions can be appropriately made. And, as the CJEU has now invalidated two European Commission adequacy decisions, the viability of using existing adequacy decisions as a benchmark for future agreements is unsettled. Finally, because entities that rely on SCCs to transfer data to a third country bear the responsibility for assessing whether that country’s surveillance laws and privacy protections meet EU standards, the court’s unclear adequacy analysis extends to SCCs.[67]
The CJEU’s invalidation of the Privacy Shield is less of a roadmap for adequacy and more of a warning. Rather than engage fully with U.S. surveillance law, the court contravened existing European Commission adequacy assessments, misconstrued the legal scope of section 702, and performed an incomplete assessment of the oversight mechanisms that prevent section 702’s abuse. The CJEU’s act of “solipsistic Europocrisy meets judicial imperialism”[68] invalidated the data transfer framework upon which over 5,000 U.S. and EU companies currently rely, leaving no discernible alternative — and substantial uncertainty — in its place.[69]