SEEKING A SAFE HARBOR IN A WIDENING SEA: UNPACKING THE SCHREMS SAGA AND WHAT IT MEANS FOR TRANSATLANTIC RELATIONS AND GLOBAL CYBERSECURITY

Bibliographic Details
Published in: The William and Mary Bill of Rights Journal, Vol. 30, No. 2, pp. 319-336
Main Author: Shackelford, Scott J
Format: Journal Article
Language: English
Published: Williamsburg: Bill of Rights Journal, 01.12.2021

Summary: INTRODUCTION. In June 2020, India banned TikTok along with fifty-nine other apps developed by Chinese firms.1 The move, although not unexpected, was part of a drive by the Indian government to challenge China's growing clout in the digital ecosystem, and a response to border clashes that left twenty Indian soldiers dead.2 The rise of so-called "techno nationalism" is one component of a larger move toward greater data localization3 and even cyber sovereignty.4 This conceptualization of Internet governance represents a significant shift away from the long-held belief of many Western nations in building a cyberspace that is "free, open, interoperable, secure, and resilient" and toward one that is more closed, highly regulated, and de-anonymized.5 The debate over the future of Internet governance between those preferring a more multilateral model and those preferring a multi-stakeholder one is an oversimplification, but it does highlight the competing visions for cyberspace, including the extent to which information sharing will be possible between digital walled gardens.6 Such sharing is vital, if challenging, to permitting like-minded nations and other stakeholders to work together to defend against common threats and build a global culture of cybersecurity.7 Yet even among historic allies, such as the transatlantic alliance between the United States and Europe, walls are going up that make it more challenging for the public and private sectors alike to pool their resources and expertise to confront common challenges.

[...] Looking back six years later, while the feared economic harms were largely avoided, the successor agreement to Safe Harbor, called "Privacy Shield," faced another round of scrutiny before the CJEU that tested many of the same legal issues raised in the Safe Harbor dispute, with the addition of Standard Contractual Clauses (SCCs), which have been used for decades to help firms transfer data between EU and non-EU nations.11 This Article reviews this history as a case study for larger issues surrounding information sharing and assesses the Schrems saga, including what options exist for resolving this transatlantic impasse given the CJEU's July 2020 decision invalidating Privacy Shield.12 At stake are larger questions about the ability of like-minded nations, and indeed the international community, to come together to meaningfully address common cyber-enabled threats.

SCHREMS V. DATA PROTECTION COMMISSIONER (FALL OF SAFE HARBOR). The case colloquially known as Schrems I was brought by an Austrian law student and civil rights advocate, Maximilian Schrems, who challenged Facebook's international data transfers from Ireland (where Facebook's European subsidiary is headquartered) to the United States, arguing that the practice infringed his privacy rights because of the potential for U.S. government surveillance.13 The Irish Data Protection Commissioner rejected Schrems' complaint on the grounds that the European Commission had already decided that the United States ensured an adequate level of privacy protection.14 Schrems appealed that decision to the Irish High Court, which referred the dispute to the CJEU.15 At the heart of the case was the Safe Harbor Agreement negotiated between the EU and the United States in response to the 1998 EU Data Protection Directive (DPD), which directed EU Member States to enact legislation containing certain privacy safeguards and prohibited the transfer of data on EU persons to non-EU nations that do not maintain adequate privacy safeguards.16 The architects of this provision had the best intentions, namely to ratchet up privacy protections in EU partners, but the Directive left U.S. firms (many of which then, as now, were global tech leaders) in a difficult position, given that, until the Safe Harbor Agreement was finalized, U.S. privacy law was found to be inadequate.17 Under Safe Harbor, U.S. companies transferring data on EU persons self-certified that safeguards were in place going beyond those required by the more sector-specific U.S. privacy law.18 The arrangement was largely successful at easing transatlantic data flows, at least until the 2013 revelations by former NSA contractor Edward Snowden, who brought to light a number of U.S. surveillance programs.19 These resulted in thirteen recommendations by the European Commission for revising Safe Harbor and set the stage for Schrems I.20 Among other concerns, in its Schrems I decision the CJEU noted that carve-outs in the Safe Harbor Agreement, such as for U.S. national security, public interest, and law enforcement, opened the door to bulk data collection, including the NSA program code-named PRISM.21 This reasoning led the CJEU to hold (1) that U.S. bulk collection of personal data violated the privacy rights of EU citizens, stating that "generali[z]ed" data storage by a foreign government, lacking any objective criteria as to the extent of the data's use, is inconsistent with the DPD;22 and (2) that EU citizens were not afforded the opportunity to challenge these U.S. practices, compromising their right to judicial review.23 Ultimately the CJEU decided that no amount of self-certification could get around U.S. surveillance practices, which were found to be irreconcilable with EU privacy law (even though the USA Freedom Act, passed prior to the Schrems I ruling, outlaws the kind of bulk data collection that the CJEU decision says violates the DPD).24 It also found that the CJEU alone has the power to decide whether European Commission decisions on the privacy practices of other nations are valid.25 This outcome resulted in the fall of the Safe Harbor regime, calling into question whether U.S. firms could continue transferring data collected on EU citizens back to U.S.-based data centers. [...]27 This prompted the EU and the United States to come together and create a replacement regime for Safe Harbor called Privacy Shield.28 The new agreement differed in several ways from its predecessor in response to the CJEU's Schrems I ruling, including new requirements for privacy policies to be posted to the U.S. Department of Commerce Program List.29 It also grants "[t]he right of data subjects to access [their] data," "[a]cknowledge[s] liability in relation to onward data transfers," accepts binding arbitration to resolve disputes, and requires covered entities to "[t]ake steps to stop unauthorized processing" and to minimize the time for which data is retained.30 Within three years of Privacy Shield's creation in 2016, some 5,000 companies participated in it, with the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, calling it a "success story."
ISSN: 1065-8254, 1943-135X