The Schrems II judgment by the Court of Justice of the European Union (CJEU) will reshape the relationship between national security and global data flows. By invalidating the EU-U.S. Privacy Shield agreement, the decision ends a two-decade transatlantic compromise on data exchange. The court found that U.S. surveillance practices were disproportionate and violated the fundamental rights of European Union citizens, who had no effective legal recourse to challenge potential U.S. abuses. The decision also threatens “standard contractual clauses”—alternative firm-based workarounds to allow data transfers—by effectively empowering national (or, in Germany’s case, regional) data protection authorities to block data exports to countries where there is a high risk that national security authorities may demand access to it. European data protection authorities are already suggesting that data localization in Europe is the only legally sound path forward.
The judgment has provoked a hostile reaction from U.S. national security and privacy experts, who describe the judgment as European overreach. Peter Swire comments that “[f]or national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries.” Writing in Lawfare, Stewart Baker describes the judgment as a “gobsmacking … mix of judicial imperialism and Eurocentric hypocrisy” and proposes that the U.S. use trade penalties to force the European Union to back down and make Europeans realize that the U.S. is serious about keeping “the right to write U.S. laws without getting permission from European governments.”
The two of us have spent more than two decades studying and writing about EU-U.S. fights over privacy and security (we discussed our book on the topic, “Of Privacy and Power: The Transatlantic Struggle Over Freedom and Security,” on the Lawfare Podcast). Our work leads us to a very different conclusion.
Read the full post at Lawfare Blog.