Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground

Article Source: Connecticut Law Review (forthcoming)
Written By: Peter Margulies

Transatlantic data transfers are limited by decisions of European Union (EU) authorities ruling that surveillance conducted by the United States threatens privacy. Export control law provides a model to resolve the conflict.


Policy Relevance:

Congress should create an independent court to review surveillance decisions affecting EU subjects. Congress should reduce the scope of foreign surveillance.


Key Takeaways:
  • In 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield agreement between the United States and the European Commission, which allowed transatlantic data transfers necessary for commerce.
  • Influenced by Edward Snowden's revelations about surveillance in the United States, the CJEU ruled that U.S. privacy guarantees are inadequate.
    • Surveillance programs permitted by the U.S. Foreign Intelligence Surveillance Act (FISA) are inconsistent with EU law requiring that surveillance be necessary and proportionate.
    • Some critics argue that the CJEU ignored effective U.S. safeguards.
    • U.S. surveillance officials probably use flawed machine learning systems to process surveilled messages, and may review many messages unrelated to real threats.
  • Article 49 of Europe's General Data Protection Regulation (GDPR) exempts some data transfers from strict data protection rules, and might help U.S. firms comply with EU rules so long as the firm seeks only to transfer data within the firm; Article 49 would not fit social media companies such as Facebook.
  • The European Data Protection Board has ruled that encryption must be used to preclude access to transferred data by U.S. or other non-EU country cloud service providers; this ruling prevents cloud services from checking for malware or other security threats, and effectively bans data transfers.
  • To resolve the transatlantic data transfer issue, the U.S. should take an approach modeled on export control law.
    • Export control law creates different licensing regimes for different groups of countries, depending on risk.
    • Firms self-classify to determine which license to apply for.
    • Key policy decisions about risk are made by government, not delegated to private firms.
  • EU policymakers should categorize countries depending on the level of risk to data protection; the U.S. should be recognized as a country with divergent privacy laws but a strong commitment to human rights and freedoms.
  • The U.S. should create an Algorithmic Rights Court to field the privacy complaints of EU-based computer users and conduct independent review of surveillance programs.
  • Congress should enact a law restricting intelligence agencies’ collection of the communications of foreign employees of U.S.-based firms abroad.
  • Congress should amend laws giving U.S. surveillance officials broad discretion in their choice of targets, instead requiring surveillance to focus on intelligence regarding foreign nationals' evasion of U.S. sanctions, or engagement in corrupt practices such as taking bribes.
