Transatlantic Data Flows in the Wake of the Schrems II Ruling
In July 2020, in a case knowns as Schrems II, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield Framework, which had been the mechanism used by thousands of businesses to transfer personal data from the European Union (EU) to the U.S. The CJEU found that the U.S. national security legal framework did not meet EU privacy requirements. Based on that ruling, data protection authorities (DPA’s) across Europe have initiated investigations and enforcement actions against U.S. companies. Unless the U.S. makes changes to address the CJEU’s findings, those DPA’s may cut off flows of personal data to the U.S., with potentially massive consequences for transatlantic commerce.
This project seeks to identify the way forward for preserving transatlantic data flows in the wake of the Schrems II ruling. We are examining relevant aspects of the applicable legal frameworks in Europe and the U.S. to find commonalities and opportunities for convergence; engaging with experts and practitioners in the private sector, government, and civil society, on both sides of the Atlantic, to seek a broad spectrum of perspectives; and creatively designing solutions that take into account broader implications for the private sector, commerce, and national security for countries around the world. Our goal is to develop workable approaches that put digital data flows on a sustainable footing not only in response to the current crisis, but also over the long term, in a manner that balances the protection of both privacy and national security.
We are proceeding along three concurrent tracks: what is achievable by the Executive Branch within existing laws; whether and how might legislative change be helpful; and what general principles do like-minded democracies share when protecting privacy in the national security context. We are reaching out to key stakeholders to delineate the “art of the possible” in these areas, being mindful not to disrupt ongoing negotiations.
As outlined in our recent article in the European Law Blog, establishing an adequate redress mechanism that is equivalent to the EU’s standards has proven to be one of the biggest sticking points. To address this challenge, we are exploring avenues available under existing law, potential legislative changes, and how redress is provided by EU member states.
To inform our work, we are holding a series of not-for-attribution roundtables with thought leaders, experts, policy makers and practitioners across a range of sectors.