Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground

Artificial Intelligence and Privacy and Security

Article Snapshot

Author(s)

Peter Margulies and Ira Rubinstein

Source

Connecticut Law Review (forthcoming)

Summary

Transatlantic data transfers are limited by decisions of European Union (EU) authorities ruling that surveillance conducted by the United States threatens privacy. Export control law provides a model to resolve the conflict.

Policy Relevance

Congress should create an independent court to review surveillance decisions affecting EU subjects. Congress should reduce the scope of foreign surveillance.

Main Points

  • In 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement between the United States and the European Commission, which allowed transatlantic data transfers necessary for commerce.

  • Influenced by Edward Snowden's revelations about surveillance in the United States, the CJEU ruled that U.S. privacy guarantees are inadequate.

    • Surveillance programs permitted by the U.S. Foreign Intelligence Surveillance Act (FISA) are inconsistent with EU law requiring that surveillance be necessary and proportionate.

    • Some critics argue that the CJEU ignored effective U.S. safeguards.

    • U.S. surveillance officials probably use flawed machine learning systems to process surveilled messages, and may review many messages unrelated to real threats.

  • Article 49 of Europe's General Data Protection Regulation (GDPR) exempts some data transfers from strict data protection rules, and might help U.S. firms comply with EU rules so long as the firm seeks only to transfer data within the firm; Article 49 would not fit social media companies such as Facebook.

  • The European Data Protection Board has ruled that encryption must be used to preclude access to transferred data by U.S. or other non-EU country cloud service providers; this ruling prevents cloud services from checking for malware or other security threats, and effectively bans data transfers.

  • To resolve the transatlantic data transfer issue, the U.S. should take an approach modeled on export control law.

    • Export control law creates different licensing regimes for different groups of countries, depending on risk.

    • Firms self-classify to determine which license to apply for.

    • Key policy decisions about risk are made by government, not delegated to private firms.

  • EU policymakers should categorize countries depending on the level of risk to data protection; the U.S. should be recognized as a country with divergent privacy laws but a strong commitment to human rights and freedoms.

  • The U.S. should create an Algorithmic Rights Court to field the privacy complaints of EU-based computer users and conduct independent review of surveillance programs.

  • Congress should enact a law restricting intelligence agencies' collection of the communications of foreign employees of U.S.-based firms abroad.

  • Congress should amend laws giving U.S. surveillance officials broad discretion in their choice of targets, instead requiring surveillance to focus on intelligence regarding foreign nationals' evasion of U.S. sanctions, or engagement in corrupt practices such as taking bribes.
