Deep Dive Episode 235 – A Discussion on the US-EU Trans-Atlantic Data Privacy Framework
The US-EU Trans-Atlantic Data Privacy Framework, announced in March of this year, is a new agreement governing trans-Atlantic data flows between the United States (US) and the European Union (EU) – specifically data flows from EU countries to the U.S. that contain personal information of EU residents. The new framework is intended to replace the previous Privacy Shield Framework, which the EU Court of Justice found did not provide adequate protection of privacy, as required by the General Data Protection Regulation and other law.
In this podcast, experts discuss whether the new Trans-Atlantic Data Privacy Framework effectively addresses the concerns of the EU Court of Justice, providing for a solid legal basis for future Trans-Atlantic data transfers.
Although this transcript is largely accurate, in some cases it could be incomplete or inaccurate due to inaudible passages or transcription errors.
[Music and Narration]
Introduction: Welcome to the Regulatory Transparency Project’s Fourth Branch podcast series. All expressions of opinion are those of the speaker.
On September 7, 2022, The Federalist Society’s Regulatory Transparency Project hosted a virtual event titled, “A Discussion on the US-EU Trans-Atlantic Data Privacy Framework.” The following is the audio from that event.
Chayila Kleist: Hello and welcome to this Regulatory Transparency Project webinar call. My name is Chayila Kleist, and I am the Assistant Director of the Regulatory Transparency Project here at The Federalist Society. Today, September 7, 2022, we are excited to host this event entitled, “A Discussion on the US-EU Trans-Atlantic Data Privacy Framework.”
Joining us today is a stellar panel of experts who bring a range of views to this discussion. As always, please note that all expressions of opinion are those of the experts on today’s call as The Federalist Society takes no position on particular legal or public policy issues. In the interest of time, I will keep the introduction of our panelists fairly brief, but you can find out more about them at RegProject.org.
Today, we’re pleased to have with us Stewart Baker, who is a Partner at the law firm of Steptoe & Johnson in Washington D.C. and a former first Assistant Secretary for Policy at the Department of Homeland Security. His law practice covers cybersecurity, data protection, homeland security, and travel and foreign investment regulation.
Theodore Christakis is the Professor of International and European Law at the University of Grenoble Alpes, a Director of Research for Europe with the Cross-Border Data Forum, Director for the Centre for International Security and European Studies, and Co-Director of the Grenoble Alpes Data Institute.
Next, Peter Swire is the Elizabeth and Tommy Holder Chair in the Scheller College of Business and a Professor in the School of Cybersecurity and Privacy. He is Senior Counsel at the Law Firm of Alston & Bird LLP. Swire served as one of five members in President Obama’s Review Group on Intelligence and Communications Technology.
Finally, our Moderator today is Paul Rosenzweig, an accomplished writer and speaker on cyber security and homeland security. He is the Founder of Red Branch Consulting and a Senior Advisor with The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He’s a Professorial Lecturer in Law at The George Washington University and a Senior Fellow at the Tech, Law & Security Program at the American University, Washington College of Law.
One last note. Throughout the panel, if you have any questions, please submit them through the question-and-answer feature so that our speakers will have access to them when they get to that portion of the webinar.
With that, thank you for being with us today. Mr. Rosenzweig, the floor is yours.
Paul Rosenzweig: Thank you very, very much for that introduction. And thank you to The Federalist Society for hosting this event. As always, it is a delight to participate in these events because they are forums for civil discussion of issues about which people often disagree. And certainly, one of the most highly contentious issues of the past 20 years has been the continuing conflict between the United States and the European Union over our differing conceptions of privacy.
I say that it’s contentious in the sense that it’s been the subject of multiple arguments, multiple agreements across the Atlantic, multiple court decisions in Europe, all without, as yet, reaching any definitive resolution. It really is a little bit like Jarndyce v. Jarndyce from Charles Dickens’ “Bleak House” in that it seems to be an unending legal contention. I should hesitate to add that it is contentious only in the legal sphere, which is to say that we have yet to go to war over privacy in the kinetic realm, for which we should all be thankful.
We are at a moment in time now where we are yet again on the precipice of changes in the US-EU privacy cross water data flows. Last year, the European Court struck down the, I think, third iteration of our agreements, and we’re now looking at the prospects of a fourth agreement.
Joining me are Stewart Baker, Theodore Christakis, and Peter Swire to discuss this. Let me start with you, Peter, lay the groundwork for us. Put what I’ve just described as Jarndyce v. Jarndyce into a bit of context and give us enough history so that the rest of the discussion about where we’re going forward will actually make sense to the listeners.
Peter Swire: Great. Thank you, Paul. It’s great to be here with Stewart and Theodore.
So I was thinking more Groundhog Day than a Dickens quote. We have been through this at various points, and there’s a reason for it in the following way. In 1998, the European Data Protection Directive went into effect. And the Directives had two points. One was it’s going to help to have the common market for data related industries within Europe, facilitate France and Germany and other member states in Europe doing their thing. But then, if you have a regime where there’s a strict level of protection of privacy inside Europe, the European Union, and then it can flow to other countries where people could do anything with the data including post it on the internet, that’s not going to be a very effective regime of data protection.
And so these regimes of data protection say okay, if we’re going to be strict within a certain zone, we can only send it to other places if they have adequate protection, if there’s good enough protection of data. And then the big fight has been what counts as adequate? What counts as good enough? So the directive went into effect in 1998. That’s the year that I published a book with Robert Litan called, “None of Your Business,” about EU-US data protection battles. And we can see these battles coming and so I’ve lived through this as Stewart and others have ever since.
So the 1998 directive led to a question of how the heck is data going to get transferred to the United States which doesn’t have a comprehensive privacy law. In 2000, when I was working at OMB, the US and EU negotiated the Safe Harbor Agreement, which basically said if companies send data to the United States, they promise to apply Europe style rules to that data when it comes to the US. So it’s protected this much in Europe, it’s going to be protected that much when it comes to the US under Safe Harbor. And that lasted pretty long as diplomatic things go. It lasted until 2015 when the Court of Justice of the European Union in the first Schrems case said that it’s not the problem with the commercial transfers of data but instead, writing two years after the Snowden revelation started, Europe said they’re worried about government access to data. The U.S. government’s doing too much surveillance. It’s not safe to send data to the United States when we don’t know what the NSA is doing. And so we had this Schrems I decision, and suddenly, there wasn’t an obvious legal way to do data transfers from Europe to the United States.
So what came out of that a few months later is the Privacy Shield Agreement. That was round two in terms of agreements. There’s been other agreements with Europe on other kinds of data. But 2016, the Privacy Shield, the United States government promised to do a bunch of things around government surveillance, including setting up an ombudsperson who would check on things if problems arose. And that was going along okay for about four years. In 2020, the Court of Justice did the Schrems II decision. Schrems II decision said, in their Supreme Court’s terms, that there’s two problems under the Charter of Fundamental Rights for Europe, not under statutory stuff but under their fundamental rights constitutional kind of law.
The first one they said is there has to be a better regime of redress, which means if a European person says that they’re worried that the NSA is doing too much surveillance, oddly enough, to American ears, the EU person gets to ask the NSA to make sure it’s doing things correctly. We don’t get to ask the KGB if they’re surveilling us too much, but Europeans need to be able to ask the NSA if the NSA is doing things correctly. And there has to be a redress procedure. How to do that is its own tricky thing and we’ll talk more about that this hour.
The second thing they said is they’re worried about too much government surveillance, that surveillance, says their Supreme Court, has to be necessary and proportionate. You have to have a good reason, like national security, to do the surveillance, and you can only be proportionate. You can’t go out of bounds. Now, that might seem like strange language. I’ll note that the Fourth Amendment to the US Constitution says you have to have reasonable government action before you can do seizures of data, before you can do searches and seizures of data. So very, very roughly speaking, the necessary and proportionate requirements are similar to the Fourth Amendment requirement on government surveillance for reasonableness that we have in the United States, even for FISA, even for national security.
Well, so, that sets the problem. We have an unconstitutional, in European views, amount of surveillance in the United States. We have to figure out what the new rules are going to be. In March this year, President Biden and the European Union announced an agreement in principle on a trans-Atlantic data privacy framework. And we’re going to see if we can get a final agreement announced. There’s reason to think maybe in the coming weeks, we will get that detailed final decision.
The point is that there’s a reason, if you’re going to have privacy protection, not to let it go to a data haven that’s going to publish everything. That’s logical. How to create that agreement across borders is not an easy thing, and we have this view that Europe’s going to judge the amount of government surveillance by the United States, which gets US hackles up raised on our neck. But if we want to continue to have a lawful basis for trade, the question is can we come up with a new agreement that will set up the rules for the road for that. So I’ll stop there and onto Paul and others.
Paul Rosenzweig: Well, that’s a great introduction, Peter. Thank you for that. Let me ask you one quick follow-up question though. You should probably tell everybody who’s listening who is Schrems.
Peter Swire: Oh. Max Schrems is from Austria. Think of him as a sort of ACLU kind of person who wants to make sure that the laws are being followed. There’s a famous story about Max Schrems when he was a law student, a grad student out at Santa Clara Law School, hearing a presentation by a Facebook lawyer where the Facebook lawyer basically joked, we don’t have to listen to these European laws. And Schrems then took off on Facebook for years and ended up challenging Facebook in Ireland saying that their transfers to the United States are illegal. Now, he has an organization called NOYB, which is None of Your Business, which I think’s a great title since it’s the title of my 1998 book, even though he doesn’t acknowledge it. And so he’s been making his living — he says he’s not making money off of — he’s been making his time challenging Facebook and by extension the United States transfer regime ever since.
Paul Rosenzweig: Great, thanks. Right. You should probably sue him for copyright violation or something.
So let me turn to you, Theodore. Thank you for joining us from Grindelwald, France. Since you’re obviously in Europe, you are by designation the European speaker on this group. But much of the proposed new trans-Atlantic framework stems from research that you and Peter have done, proposals you have made. So tell us a little bit more about A, what the problem is from a European perspective, and B, how you think going forward the new privacy framework is going to hopefully, successfully address the European courts and Max Schrems — I suspect nothing will satisfy Mr. Schrems, but if we could satisfy the courts, that would be enough. Talk to us about the European perspective and the way forward.
Theodore Christakis: Yes. Thanks a lot, and it’s great to be with you Paul and Stewart and Peter, with whom we’re working on these issues on the Cross-Border Data Forum. Before talking about B, the way forward, I would just like to talk a little bit, to go a little bit backwards to the present to show how important it is for this new trans-Atlantic data privacy framework to be successful.
Peter did a fantastic introduction going back to the 90’s. I will just focus here in the period since Schrems II because there have been some important, very important, developments which were far more important than after Schrems I. Very quickly, four things I would like to say about this period.
First of all, after Schrems II, which was already a big earthquake, there was another earthquake in November 2020 when the European Data Protection Board, which is a board which unites all the data protection authorities of the European Union, published a document called European Essential Guarantees for surveillance measures. And in this document, the European Data Protection Board tried to explain what are the requirements of European law in order for a country to be called as adequate, as offering a protection on surveillance, equivalent — equivalent not to what we find in EU member states but equivalent to the theoretical standards elaborated by the Court of Justice of the European Union and the European Court of Human Rights.
And what is very interesting is that if you read this document, which explains what Peter said earlier about who can be considered as adequate, you will see that they take all the case law existing and they read it in a very strict way, they forgot some things like, for instance, the national margin of appreciation of states that exist in the European convention of human rights and which gives them the discretion when it comes to national security issues to do some important things. And instead, we found a very strict approach. And what is interesting is that this strict approach, several if not all of the EU member states, some of the issues there that cannot meet them.
We see, for instance, that there are a lot of concerns concerning surveillance laws in Europe. But this doesn’t matter. We often hear this argument of comparison, for instance, between US surveillance law and France surveillance law and somebody will say oh, we ask from the US side to create redress for foreigners. While in France, for instance, there is no judicial redress in the surveillance laws for foreigners. But this doesn’t work because what you need to compare is US surveillance law in comparison with these European Essential Guarantees and these theoretical standards, not with a practice of so few member states which might themselves not meet the standards.
The second big development was that the European Data Protection Board also published another important document. You know that in Schrems II, the court said that countries, even if there’s no sense of equivalence and no adequacy decision, might be able to transfer data to a non-adequate country like the United States if they adopt supplementary measures. But in reality, this document also created panic in November 2020, the first version. The second final version, which was published several months later, was a little bit more flexible and opened the way for what we call a risk-based approach based on practice and precedence.
But in reality, and this is my third point, when you see all the decisions of the data protection authorities in Europe during this last month, you see that they entirely reject the risk-based approach which, nonetheless, appeared in both the European Data Protection Board guidance and in the new model standard contractual clauses guidance by the European Commission. So the DPAs entirely rejected this and they entered a logic of zero risk which means that even if there is a very slight one in a million theoretical possibility for the NSA, for instance, to request a specific type of data, then there should be no transfer.
For instance, we have several decisions that we could discuss. We have a lot of decisions of European DPA saying that websites in Europe should not use Google Analytics. This is very surprising because Google said that since Google Analytics exist, never in history, there is zero precedent of a US intelligence service requesting this kind of cookie data. Furthermore, you know, you can just press a button and do IP anonymization. But nothing is good enough for European DPAs which targeted Google Analytics, for instance, which it’s a little bit surprising because one could say that if we apply risk-based approach, this is the kind of things that could pass normally even if we have big protections in Europe. These are the kind of things that could be less concerning than others, but this reflects very well.
Another thing is that I’m very happy we are doing this now because you are using Zoom. Yesterday, there was a decision by, it seems a later, by the Berlin Data Protection Authority requesting the Freie University of Berlin, one of the biggest universities in Berlin, not to use WebEx anymore, to stop using WebEx until the 13th of September. So you can imagine, I mean, you know, my university in Grenoble, we are using Zoom. I wouldn’t be able to participate in this workshop if we start receiving from data protection authorities request not to use Zoom, Teams, or WebEx or all these collaborative tools that we’re using. And once again, we could ask what’s the risk. And anyway, it’s public. I mean, you know, everybody can come in here. So what is the risk of the NSA getting access to something which will be recorded and will be on your website probably?
But DPAs have an approach of zero risk. We could also talk later about the [sword of Damocles] which is hanging over Facebook right now because, as you know, there is this DPC draft decision. Facebook might need to stop service in Europe.
And the last point, Paul, is that what we see also is that not only all this which affects transfers to the United States, but we have also a new movement which is to say — you know, because a lot of US companies said no worries, we will localize the data in Europe. We will be big data center and all the European data band there by Microsoft and similar things by the other companies, but this is not enough because you see now that in the cyber security certifications. In France, this has been adopted and now there is a discussion in ENISA, in the European cyber security board, about cybersecurity certifications for cloud providers. And they want to introduce there not only localization requirement, keep your data in Europe, but also another requirement which is immunity from foreign laws which means that the cloud provider must not be subject to a non-EU law which means that the only solution would be then to a joint venture with European companies and to give the keys to have it trusted, European trusted.
So the conclusion of all this for this first round is that we desperately need this trans-Atlantic data framework. And eventually, during the discussion, we made a lot of work with Ken, Paul, and Peter Swire who is here present, we have been thinking for months and we made these proposals concerning redress which seem reasonable to us. But we see — we will be waiting to see, of course, what exactly will be announced, but we tried to think very carefully within these proposals, could meet the requirements of successful equivalence as fixed also by Schrems II. But there’s also another big question which is not only redress because we have done a lot of work on redress but there is also the issue of proportionality. And we have always said that you know the redress is the most difficult part but I think that the proportionality part will also be difficult. And we have already started seeing reactions, for instance, an open letter by Schrems concerning challenging and saying that they will challenge very quickly the new data framework. So probably during the discussion, I could offer more thoughts about this. Thanks.
Paul Rosenzweig: Thanks. That’s a good intro. So just to summarize some of this, what Theodore and Peter have proposed essentially is to allow the US government to set up some form of independent review here in the United States as a form of redress and maybe to make some promises about uses that would address the proportionality concerns.
So let me turn to you, Stewart. I’m going to guess you think that the most important thing that Theodore said in his discussion was nothing seems to satisfy the DPAs, not even a risk-based assessment. How should we view the prospects of a new privacy framework from the US perspective? Is it to be welcomed, I guess, by corporations? And is it to be welcomed from a national security perspective?
Stewart Baker: So that’s a great introduction. Yeah, I think the most important things that we heard from both Peter and Theodore was the long history and the dark prospects for any deal that could be done. Every one of those agreements that Peter cited, and there were others, every one of them was broken by the European Union. The European Union said oh yeah, we did that deal, but it’s not good anymore. You need to give us more. And the US response to every one of those, driven by very large Silicon Valley companies, is oh my God, what can we do to satisfy Europe now?
But I think Theodore made pretty clear, it’s hard to imagine that anything that comes out of this negotiation is going to satisfy the maximalists or the European Court or the data protection authorities, none of whom have responsibility for protecting their citizens from terrorist attacks. And that’s my second point here.
We haven’t talked about why this matters to the United States, but the US has programs that under law, look at communications that touch on the United States but which are principally targeting foreign persons. If ISIS or Al Qaeda sets up an email account on Gmail or Hotmail and they start sending messages to each other, those messages are going to go through the United States and the United States has a law that says with a certain amount of predication, you can say I want to collect those communications and you take it to Google or Microsoft and get access to that.
It has turned out that that program is probably the single most important intelligence program we’ve ever had for dealing with modern terrorism. And this attack on the part of the data protection authorities and the European Court is aimed squarely at making that program work less well and maybe at cutting off access to any communications because if the Al Qaeda member is in Europe, the position of most of the people we’ve just been talking about is well, that can never go to Silicon Valley to be processed because it might get processed in response with Section 702 order.
So there really are very large stakes, not just for American potential victims of terrorism but Europeans because, in fact, a lot of the counter-terrorism intelligence that the United States collects goes back to Europe to tell them about threats inside Europe. But none of the people who worry about that are represented in Brussels and therefore, their interests are sacrificed, sort of, because—this will be my third point—these rules don’t apply to European governments. They don’t apply to any European government. Theodore said yeah, that’s really important. I think it’s important because it’s so profoundly hypocritical.
The European Court did not have to arrive at that decision, but it did, and it wrote a rule that said basically this does not apply except to the United States and maybe a few other English-speaking countries that we’ll get to later. And it had a clever way of saying well, we don’t actually — we’re only applying the privacy rules and the charter, which you all characterized as a kind of constitutional, I think kind of is the operative language there. It’s just a treaty among the European countries that there are certain rules that are going to apply and certain rights that they’re going to acknowledge. It’s not a constitution. In fact, Europe had the opportunity to pass a constitution and turned it down because it didn’t want a constitution. And so we shouldn’t be glorifying this as equivalent to asking the United States to modify its Constitution.
So none of these rules will apply to those countries, and most of those countries in Europe couldn’t possibly live up to the requirements that the European Court of Justice set forth. So it’s easy to write rules for somebody else if you don’t have to worry about complying with them yourself, and that’s exactly what the Court did.
The other point is this doesn’t apply to China either. So, Theodore, you’re free to use Zoom, you just can’t use WebEx. If your data goes to China, nobody is going to say anything, partly because the Chinese said we’re not going to come negotiate whether our law is adequate with Europe. Our law is our law, it’s not negotiable. And if you decide you want to negotiate that, we’ve got a whole list of things that we’re going to negotiate with you including all the German sales of cars in China. And so Europe has blinked and refused or failed to bring the standards of the Court of Justice to bear on China even though China probably has the second largest data flow after the United States, certainly in these kinds of TikTok and Zoom and other large web application data.
And so I guess the last thing I would say about this is when Europe does this and says we’re going to have a rule that basically just applies to the United States, doesn’t apply to us, doesn’t apply to China, it is violating its obligations under an actual treaty that it adopted in agreement on data flows that is part of the WTO services agreement that says we can restrict data flows to protect privacy as long as it’s non-discriminatory and not arbitrary. But there is nothing more arbitrary and certainly nothing more discriminatory than saying oh, we got one rule for you, America, and another rule for everybody else.
And so to my mind, all of this suggests that yes, we should try to accommodate Europe one more time, but I predict that it won’t last four years. And we should be looking for a plan B which actually brings home to the Court of Justice, the data protection authorities, and all the people who are responsible for fighting terrorism in these countries that this is just not going to go on forever. We’re not just going to keep saying oh, I thought the football was going to be there this time. We should say from now on, if this is the position that Europe’s going to take, we’re going to have to find a stick instead of simply saying well, is there another serving of honey that we can offer you.
Paul Rosenzweig: So there’s huge amounts to unpack in all three of your responses. Let me ask just one quick clarifying question for myself, and I’m going to address it to either Peter or Theodore, not sure which of you knows the answer to this. So my understanding is that China has never received an adequacy determination from the GDPR and never actually asked for one, probably. So what actually happens to the flows of data from, let’s say, TikTok, right? I assume TikTok is available — I know TikTok is available in Europe, and I know of a certainty because TikTok has said so that TikTok data flows go back to China. They are going back to China, which clearly — well, it doesn’t have an adequacy determination. I assume it couldn’t actually get one if it sought one. So why are those — are those flows subject to limitation? And if so, what are they? And if not, why not and doesn’t that extend some — is it just that people are ignoring China’s inadequacy and that Schrems is suing about Facebook and not about TikTok? Well, Peter, you first and then Theodore.
Peter Swire: Well —
Paul Rosenzweig: Or Theodore, are you heading up second? Sorry, any of you can go first.
Peter Swire: Okay. In the oral argument on Schrems II, the case of China was raised multiple times. And the holding was not a holding that just the United States is the problem. The holding is that there’s a general standard that applies to all third countries including China. So at least at the Court of Justice level, China’s in play and China has a much, much, much harder time getting any kind of adequacy deal than the US given Chinese government surveillance.
Paul Rosenzweig: So why have data protection authorities not gone after TikTok?
Peter Swire: Well, the European Data Protection Supervisor has said that China clearly is covered and that it’s very problematic and more problematic than the United States. So this isn’t something that people have missed. And TikTok is subject to current enforcement actions in Europe.
Stewart Baker: Of what form?
Peter Swire: Do you know the details, Theodore, on the most recent TikTok things? I think was the Norwegian authority has brought in a case.
Theodore Christakis: Yes. There are inquiries I think I will have to go a little bit back because I don’t wish to give in any way the impression that there is a kind of discrimination against the United States. As a European, I don’t personally accept this argument. Let me — and I know what I said earlier, a concern how high you’re going to set the bar. But I don’t want to give the impression that EU member states, first of all, before talking about China, can do whatever they want. There is a tremendous progress in the protections concerning surveillance laws in Europe.
A lot of these countries have been condemned by the European Court of Human Rights and then it has to take, at least democratic countries, I’m not talking about Russia which was only condemned for its surveillance laws or Hungary where they didn’t take action, but if you see, for instance, what happened with the UK, which they’re still a member of the EU, what happened with France, what happened with several other countries, you will see that after these decisions against them by the European Court of Human Rights, there have been a lot of changes and a lot of progress.
And the European Court of Human Rights also highlights how scary surveillance tools become today. It’s a good thing that we have judges, either in Strasbourg or Luxembourg who take care about this and who try to adapt European human rights law to the new techniques that can be used. Of course, once again, Stewart said well, it only applies to the US. It’s not true. There is a huge issue, for instance, concerning all the data retention judgments of the Court of Justice of the European Union. I can tell you that countries like France or others are extremely upset with the very high standards that the Court of Justice of European Union has fixed concerning data retention, which is absolutely senseless according to them for law enforcement people.
And they can see there that the Court of Justice even goes beyond what is written in the treaties because there is a national security exception in the treaties and that the Court of Justice applies human rights law in a way that affects this exception. So just to say, of course, concerning China, there is huge concern. And there are inquiries, as Peter said, by several DPAs concerning TikTok, etc. which maintains, I think, that there are no data transfers to China by the way. But as a matter of fact, there is — China is a million years away from getting an adequacy decision. I think that this should be very clear.
So I think that this should be, of course, I show Peter when I said this at the beginning, there is some protection without any doubt because there is a dream to have, for instance, a European cloud industry. I wrote and tweet there what happens if they ask us, the university, not to use WebEx and Zoom and I had some responses. Just tweet the European sovereign decisions. And every time you see even the DPAs give at least, for instance, what you could use as a sovereign solution instead of Google Analytics or instead of WebEx and Zoom, etc. and there is probably —
So the big thing is where data protection stops and where data protection is, where protection begins, and this is why we need to have a balanced approach on these issues. We should not throw the baby with the water’s bath, but there is a real concern genuine about data protection surveillance. And it’s a good thing, but on the other hand, where exactly to fix the limit, this is the big question.
Paul Rosenzweig: So I’m going to circle back to you in a second, Stewart, for this, but I have one more set up question for Peter so that you have more meat to respond to, Stewart, if you will. So it’s really this because frankly, how we treat China is almost a sidelight. Peter, Stewart’s fundamental point, which I take it, is we’ve been trying for 20 ‘effin years — I can say ‘effin but not anything else, we’ve been trying for 20 ‘effin years. There’s no realistic prospect that your proposal will actually satisfy Max Schrems, and there’s very limited prospect that it will satisfy the European Court. Why should we keep going? Do you disagree with that as a prediction? Do you think —
Peter Swire: I disagree with that prediction.
Paul Rosenzweig: Do you think this time you got it?
Peter Swire: I disagree with the prediction which is that the redress proposal that Theodore and Ken Propp and I have worked on, we say it’s not a compromise. It’s like a Rubik’s Cube. There’s all these pieces to fit together. We could be wrong to think glorious about things we’ve worked on, but I think it does answer the redress problem.
And the Court — look, American lawyers are used to the fact that sometimes you’re stuck with a Supreme Court you don’t agree with. Everybody’s got different things they just — we’re dealing with the European Court of Justice. It’s their Supreme Court, and the legislature, the commission can’t change court rulings. They’re stuck with them to a certain extent when it comes to fundamental rights whether or not you consider it a full constitution.
So I think our efforts have been what would it take to meet the court’s standards. Another thing is real politics and realist jurisprudence, Ukraine has taught the Europeans, or at least eastern Europeans, a fair bit about the importance of US intelligence activities. And if you’re a judge from Poland or Lithuania right now, you might be pretty happy about US intelligence compared to the way you thought about it the day after Snowden happened.
And so there is some reason to think that a doctrinal match to what European court has asked for and a realpolitik about hey, the US in good faith has done it this time and you really want to have some intelligence activities here. So they won’t satisfy Max Schrems, but it may satisfy a court looking at Ukraine, Russia and looking at a good faith doctrinal answer to things that didn’t frankly exist in the Privacy Shield but would be a good faith doctrinal answer this time.
So I’m cautiously optimistic that an agreement that dots the i’s and crosses the t’s will satisfy the court. The ACLU always thinks the US government’s wrong. Max Schrems always thinks the US is wrong. That’s not going to be the test. The test is whether you have something that survives court scrutiny.
Paul Rosenzweig: So that’s interesting, Stewart. For those who listened, basically the redress provision that they’ve proposed is an independent executive board to review to provide a redress mechanism. We could discuss whether or not it really will satisfy. Stewart, let’s turn it over to you. Peter’s made the point. Okay, let’s take them seriously, take them at their word. If we can satisfy them this time and especially in light of external circumstances, there’s a political value here.
And in the court, in the US, we say the courts follow the elections. Maybe the European courts will follow the wars as well. Does that satisfy you? And if not, second part of the question, what would be your way forward? Because I think it’s fair to say that though I share much of your critique of Europe, it’s hard to see what the alternative to continued fruitless negotiations might be. So, over to you, Stewart.
Stewart Baker: So there’s not — look, kicking the can down the road has some value. I’m not going to say it doesn’t, but I think it’s — several of the points that I would’ve made have already been made by others. To say oh, it’s not discriminatory, we’re already talking about China, we’ve even criticized them, 25 years after Europe said we’re going to cut off trans-Atlantic data flows because the US is inadequate unless you give us a special agreement.
I think they’ve got 25 years of catching up to do to persuade me that this is not actually anti-American in effect. And you can say whatever you want about well, we’re coming to it late, but we’re going to get there eventually. I just don’t see that happening. I don’t believe that — I think you can judge people by their actions. We can judge Europe by its actions and by its inaction. And it has demonstrated a record of inaction against pretty much everybody but the United States. There’s a little bit of Canadian and Australian harassing, but it’s all aimed at the United States. And I think it’s fair to describe that as discriminatory until we see actual action that demonstrates that they care about Russia, they care about Belarus, they care about China, they care about India. And there is none of that yet.
Second, Theodore said well, European governments are already squealing about the things that they have to do from an intelligence point of view, so stop saying this is just bad for the United States. But all of the things that they have been asked to do are either not part of European law and they’ve been asked to do it under treaties that the United States is not part of or they are nowhere near what the European Court of Justice has set as the standard for the US. And it said quite explicitly, we are not going to impose these rules on the European government. So when you just look at what the state of the law is, it’s clearly discriminatory vis a vis European governments.
Is this going to satisfy the court? I think the court has the clearest possible way to say no. The discussion of redress talks about court redress over and over and over again, and nobody is talking about court redress in the United States. And consequently, this could easily be dismissed in the court with a three-sentence judgment. I understand that Peter and Theodore’s argument is in part well, look at all the European countries that don’t have judicial review of this kind of thing. And I think the short answer to that is we’re not making rules for Europe. We’re making rules for the Americans, and we can make any rules we want. And we told you judicial and so you need to.
So there are arguments on the other side, but the way is open and probably easy to say this is not good enough. So then the question is what can we do? I do agree that some of the countries, especially on the frontline, will say gee, we really do depend on this intelligence. That message does not get to Brussels because none of those people are in Brussels. So it’s very hard to count on that message. It’s very hard to count on the French, German condominium that really runs the European Union to change its basic approach, which is well, we can probably get an industry out of this if we just keep pushing them hard enough.
So I’m not convinced that there is going to be a change of heart in Brussels, certainly not unless the administration really fights much harder, demonstrates real determination not to — that this is the end. This is a take it or leave it offer, and if the Court of Justice says no, then we’re going to go in a completely different direction. And you might ask well, what direction could we possibly go in? This is a violation of the WTO. It is discriminatory and arbitrary. Sure, you can argue about it, and I’m sure you will. There will be plenty of arguments about that. But the WTO —
We have a prima facie case of a WTO violation. Europe has said, you know those electric vehicle subsidies that you’re providing that only go to made in America products, that’s a violation of the WTO. Well, so maybe we should say to Europe if we do this deal, we say this deal — let’s suppose we do a deal and we say okay, we’re going to provide subsidies for European electric vehicles when Americans buy them but only for so long as the trans-Atlantic data flows remain unimpeded. If Europe is going to violate the WTO with respect to our data, then we just might as well say it’s not a violation when we retaliate by imposing quotas on your electric vehicle exports to the United States.
Second thing that I would think about doing, one of the reasons that Europe has walked away from 25 years of agreements is we’ve never actually asked them to commit to anything. We have said okay, here are our new sets of commitments, would you like these? Like Groucho Marx said, I have principles and if you don’t like them, I have more. And so we have said okay, we’ll do all these things and the Europeans have stepped back and said well, if you do all those things, we’ll find you adequate. And maybe what we should instead say is if we do all those things, you agree, as a matter of treaty law, that we are adequate because what the Court did in this case was to basically say there’s a treaty between the European Union that sets up our framework, a set of fundamental rights, and there’s a regulation of the European Union that sets up some rules and as we apply those, we can say Europe is wrong, the Commission is wrong in saying that this is an adequate determination.
Well, if Europe as a matter of new and superseding treaty of law agrees that it’s going to call this adequate, you can’t pull that. You can’t say, oh, but the regulation overrides a later determination by the European Union as a matter of treaty law that this is adequate. And you can’t even really, although this will deeply discomfort and I will enjoy watching it, the European Court of Justice, you can’t even say that the Charter of Fundamental Rights overrides it because it’s just another treaty and it’s further back in time. So all we have to do is say fine, give us your agreement in a binding way that you’ll treat this as adequate, and then we have some recourse if the European Court of Justice says we’d like to tear this one up.
Peter Swire: As a great treaty lawyer, I’d love to hear what Theodore has to say on that.
Paul Rosenzweig: Okay. Go for it, Theodore.
Theodore Christakis: Yes, thanks. I will start by this but I would also like to make some other comments and to respond.
Paul Rosenzweig: Well, why don’t you do the treaty point and I’ve got some questions in the queue. That way — we’re not going to get to all of it, Theodore.
Theodore Christakis: Exactly, the World Trade Organization. I think that Stewart is right about — I’ve always been saying that probably we should — you know, I come from international background, and I was surprised that there are so many negotiations for years with the US, with the UK, etc. which lead to what? To internal EU decisions where there is no reciprocity and which can be validated anytime as it happened with Schrems II and Schrems I.
Probably I would — but this is something because I don’t suggest that this is a better way, but I think that Stewart is right about the fact that if a treaty succeeds in entering into force—but this could be tricky, I will explain immediately—then it could be much more solid and it could also be based on reciprocity.
We create redress for European cities, and you will create redress, for instance, for US citizens, for foreigners, etc. And as soon as it enters into full force, if it is a real treaty, then practice [insurvada 50:33]. The court cannot — it will be much harder — theoretically, this can happen. I will not enter here into the details, but it could be very, very tricky because if the court comes and validates a treaty in force, then you will violate international law because practice [insurvada 50:49].
So it will not invalidate, it will ask, instead, the EU to the denunciate withdrawal from the treaty. But this is a path to examine because it will be more solid, and also it could offer guarantees because in the process of creating treaties in the European union, what will happen is that we will ask immediately the Court of Justice and advise about whether this projected treaty with the United States is compatible with a charter.
So I disagree with what you said, Stewart, because if it is incompatible with the charter, then the Court will say you cannot conclude this treaty with the United States. But at least this will provide legal certainty because if it passes the test in the beginning, then it will pass the test for the rest of time, and you will have something very solid. But it could be pretty tricky at the beginning if there is a negative opinion by the court about the compatibility of censored treaty with European law.
May I answer the two questions now?
Paul Rosenzweig: Let me state them or let’s state one and we’ll get — because one of them, we may not get to but let’s at least state one because this is actually a good lawyers questions and since this is The Federalist Society, most of the people here are lawyers, which is where are we right now, right? Schrems II struck down the framework. We haven’t got an agreement at all. Yet presumably — not presumably, evidently, thousands of American companies ranging from big tech like Facebook to small businesses that sell their goods in Europe are processing data here in the United States without an agreed upon framework and without the new framework in force. Are they just playing without a net? Is there any guidance? If I’m a lawyer on this call and I’m listening, Theodore, and my client is an American company that is processing data, should I be worried?
Theodore Christakis: Well, as a matter of fact, you are talking about US companies, but you should also talk about European companies that —
Paul Rosenzweig: Okay, or Chinese companies, right?
Theodore Christakis: Okay. Okay. [crosstalk] transfer data to the United States so — and this is a huge concern. If you see all the documents sent by European business organization companies to the European Data Protection Board, you will see it’s total panic. The answer is very easy. What is happening is that they’re all acting in a grey zone. They did their transfer impact assessments sometimes. Very often, they did absolutely nothing, and they hope that no DPA will come after them.
And even when, for instance, you see these decisions concerning specific websites and saying you cannot use Google Analytics anymore. Well, the others will still use Google Analytics, for instance, and they will hope that nobody will come after them. But if it happens to you, like Facebook, to be targeted by None of Your Business or somebody else, then things could become much more difficult. So we are into the grey zone, and we are waiting for the trans-Atlantic agreement concerning this first question.
Paul Rosenzweig: So basically, your answer is suck it up buttercup. You’re going to have to live with uncertainty.
So there’s another — well, there’s several questions —
Peter Swire: Can I do one sentence on that, Paul?
Paul Rosenzweig: Sure. Please.
Peter Swire: The day the United States announces an executive order from President Biden and rules from the Department of Justice, the transfer impact assessments for all the European and US companies change because instead of working off of the old Schrems II it’s not legal world, the companies would say the US now has a legal structure in place, the regulation, the EO that provides a lawful basis for transfer. So day one when the announcement happens, the lawyers for the companies don’t have to take all of their upset stomach medicine the same way anymore. They have a plausible story about why they’re acting lawfully.
Paul Rosenzweig: So, actually, that raises an important, really, question. President Biden — so Schrems II is in 2020, just at the end of the Trump administration, obviously not enough time in the last few months of the Trump administration to do anything. Biden’s administration takes a year to get up to speed, sort of reasonably, actually, sort of unreasonably but sort of reasonably. They announce the agreement in principle in March, I would note, as part of a visit mostly to shore up European support of the Ukraine.
We’re now in August. When do you expect — prediction time. Peter, then Stewart, then Theodore, when do you expect to see rules from DOJ and the executive order?
Peter Swire: Maybe in September, likely no later than October.
Paul Rosenzweig: Stewart?
Stewart Baker: Yeah, that sounds reasonable. But I do think it’s important to note that you don’t get to kick this can down the road until you get a final Court of Justice decision which would be a three-year process because it’s quite possible people will be sued, despite their having said yeah, we’re fine now. They’ll be sued anyway by Schrems and others, and those cases will immediately begin working their way through the courts. And the European Data Protection authorities can, at any time, say yeah, we don’t think that was good enough. And at that point, it throws the entire deal into question and you’re back in a, not quite as grey, but a pretty grey zone.
Paul Rosenzweig: Okay. Theodore, how long will Schrems III take?
Theodore Christakis: Well, as a matter of fact, concerning what Stewart said, the EDPB, European Data Protection Board, which unites all the DPAs in Europe, will give an opinion. But even if it is negative, this does not mean it’s the Commission which will decide then, the member states, just to clarify this.
And I think that the other thing to say is that Schrems has already announced that he will challenge the new arrangement and that he will try to act very quickly this time. He’ll also ask for an interim order while waiting for the judgment on the merits. So I don’t know if this will be three years this time or if the tactics that Schrems wishes to use might be quicker.
Paul Rosenzweig: So we may actually face this of the confrontation about the framework and the resolution of Peter’s predictive judgement before President Biden’s first term in office ends? First or second, before President Biden’s 2025?
Theodore Christakis: I think that there could be different kind of litigations, probably will not have until then a Schrems III judgment by the Court of Justice of European Union. But one could think that there could be also challenges in national court or in DPAs. There could be some positions about it, but I don’t really know if also the litigation tactics that Schrems wants to put in place in order to achieve a quick judgment will be successful and how long it will take. So it’s a little bit difficult to predict.
Paul Rosenzweig: Okay. So I guess that leaves us with two minutes left. We will run just slightly over but these are pretty solidly on the hour. So I’m going to go once around the horn and just ask you to put on your Nostradamus hats. Where will we be with respect to the EU-US privacy data exchange framework problem in five years? It is September 7, 2027. What’s happening now? I’ll do Peter, then Theodore, and Stewart, I’ll let you have the last word because that’s always a fun way to end a discussion. Peter?
Peter Swire: Knowing that Stewart comes later, I’ll be the cock-eyed optimist, and I will say that we will have this new version upheld in the Court of Justice eventually. There will be new kinds of challenges and plenty of work for the lawyers to litigate those, but the basic of legal framework for transfers will be in place by then.
Paul Rosenzweig: That is optimistic. Theodore?
Theodore Christakis: Yeah. I see that you let Stewart for the end so I will only try to share Peter’s optimism. This is why we’re working so hard with Peter and Ken. I think that it is absolutely essential to have a very solid relations between the traditional allies, the European Union and United States. The war in Ukraine shows how important it is for democracies to show the way because otherwise, you have the guy deciding alone in a room. And it’s extremely important to have good relations with the United States. This requires some effort from both sides and as Chris Dakis(sp) said, when there is a will, there is a way. So I do hope the US is trying to make some important reforms. Let’s see what will be announced, but I do hope as Peter that things will go better.
Paul Rosenzweig: Stewart, are you going to defy expectations?
Stewart Baker: I am. I am kind of optimistic in this sense. I believe that we’ll continue to have an obdurate, obnoxious, anti-American, hypocritical behavior on the part of Europe. That will continue, and the European Court of Justice is going to be the poster child for that. But for 25 years, I think it’s been fair to say about the European Commission’s use of this issue, what people often say about the issues on Capitol Hill, oh, that party doesn’t want an outcome, they just want an issue.
And I think that the European Commission loved getting in our way and making itself important, enforcing all these trans-Atlantic meetings over crises. But they did not actually want to cut off data flows because nothing good happens in Europe when you do that, notwithstanding the hopes of certain industries. And so they’re going to blink, we just have to make them blink in a constructive way instead of saying well, hi, I’ve got another carrot to offer. Will you take that? It’s time to get a little tougher, and sooner or later, we’re going to run out of carrots. And at that point, I think the Commission at least is going to switch sides.
Paul Rosenzweig: So I’m going to end with my own prediction which is a variant on Stewart’s. I actually think that the fundamental reality here is that European privacy issues is just not that important to the United States. The Europeans care a lot, and we just don’t care. And so we’ve been complicit in the European Commission’s idea that they want an issue which is we’re happy to let them have the issue so long as they don’t actually do anything.
And so I will join Stewart in the optimistic prediction that data will continue to flow even in a grey zone, and nothing bad will ever happen. I hope Peter and Theodore are right that it is resolved in this grand bargain that puts it to bed for forever, but I’m going to share Stewart’s skepticism that it’s just going to be — let us plan, Chayila, let us plan this five years from now, another resumption of this panel.
Back to you with our thanks. Our thanks to the panelists and to The Federalist Society for hosting us.
Chayila Kleist: Absolutely. On behalf of both myself and the Regulatory Transparency Project, I want to thank our experts for sharing their time and expertise and I want to thank our audience for tuning in and participating. We welcome listener feedback at [email protected]. If you’re interested in more from us at RTP, you can continue to follow us at regproject.org. You can also find us on all major social media platforms. Again, thank you for joining us today, and until next time, we are adjourned.
Conclusion: On behalf of The Federalist Society’s Regulatory Transparency Project, thanks for tuning in to the Fourth Branch podcast. To catch every new episode when it’s released, you can subscribe on Apple Podcasts, Google Play, and Spreaker. For the latest from RTP, please visit our website at regproject.org. That’s regproject.org.
This has been a FedSoc audio production.
The Federalist Society and Regulatory Transparency Project take no position on particular legal or public policy matters. All expressions of opinion are those of the speaker(s). To join the debate, please email us at [email protected].