Exchanges of Personal Data After the Schrems II Judgment

STUDY

Requested by the LIBE committee

Policy Department for Citizens' Rights and Constitutional Affairs

Directorate-General for Internal Policies

PE 694.678 - July 2021

Abstract

This study, commissioned by the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs at the request of the LIBE Committee, examines reforms to the legal framework for the exchange of personal and other data between the EU and the USA that would be necessary to ascertain that the requirements of EU law are satisfied and that the rights of EU citizens are respected, following the Schrems II judgment of the EU Court of Justice.

This document was requested by the European Parliament's Committee on Civil Liberties (LIBE).

AUTHORS
Ian BROWN, Visiting CyberBRICS professor at Fundação Getulio Vargas (FGV) Law School in Rio de Janeiro, Brazil
Douwe KORFF, Emeritus Professor of International Law, London Metropolitan University, UK

ADMINISTRATOR RESPONSIBLE
Mariusz MACIEJEWSKI

EDITORIAL ASSISTANT
Monika LAZARUK
Christina KATSARA

LINGUISTIC VERSIONS
Original: EN

ABOUT THE EDITOR
Policy departments provide in-house and external expertise to support EP committees and other parliamentary bodies in shaping legislation and exercising democratic scrutiny over EU internal policies.

To contact the Policy Department or to subscribe for updates, please write to:
Policy Department for Citizens' Rights and Constitutional Affairs
European Parliament
B-1047 Brussels
Email: poldep-citizens@europarl.europa.eu

Manuscript completed in July 2021
© European Union, 2021

This document is available on the internet at: (2021)694678_EN.pdf

DISCLAIMER AND COPYRIGHT
The opinions expressed in this document are the sole responsibility of the authors and do not necessarily represent the official position of the European Parliament. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy.
© Cover image used under licence from Adobe

CONTENTS

LIST OF ABBREVIATIONS
LIST OF TABLES
ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY
1 INTRODUCTION
  1.1 Background
  1.2 Scope and objectives of the research and structure of the study
2 EUROPEAN DATA PROTECTION STANDARDS
  2.1 Introduction
  2.2 Fundamental matters
    2.2.1 In Europe, data protection is a fundamental right
    2.2.2 The national security exemption in the EU Treaties
      2.2.2.1 The "hole" in the EU Treaties
      2.2.2.2 Limiting the size of the "hole" and "patching" the remainder
      2.2.2.3 Making the patch stick through EU law
      2.2.2.4 The national security exemption does not apply to third countries
  2.3 Implications for data transfers
    2.3.1 Transfers to "adequate" third countries
      2.3.1.1 General substantive requirements for adequacy
      2.3.1.2 General procedural/enforcement requirements for adequacy
      2.3.1.3 Requirement relating to access to personal data by state authorities
    2.3.2 Transfers to "non-adequate" third countries
      2.3.2.1 Regular transfers to "non-adequate" third countries on the basis of "appropriate safeguards"
      2.3.2.2 Derogations for occasional and ad hoc transfers
    2.3.3 Stopping transfers
3 US PRIVACY AND SURVEILLANCE LAWS
  3.1 US privacy laws
    3.1.1 Introduction
    3.1.2 US common law and constitutional law
    3.1.3 US federal privacy laws
    3.1.4 US state privacy laws
  3.2 US surveillance laws
    3.2.1 Overview of FISA s.702, E.O. 12333 and PPD-28
    3.2.2 "Secret law"
    3.2.3 Assessment by EU standards
    3.2.4 Proposals for reform
4 ANALYSIS AND RECOMMENDATIONS
  4.1 Introduction
  4.2 Analysis of US privacy laws
    4.2.1 Substantive issues to address
    4.2.2 Procedural and remedial issues to address
    4.2.3 Proposed institutional, substantive and procedural reforms in relation to general adequacy
  4.3 Analysis of US surveillance laws
    4.3.1 Substantive issues to address
    4.3.2 Proposed institutional, substantive and procedural reforms in relation to surveillance
    4.3.3 Long-term intelligence reform by international agreement
  4.4 Overall conclusions & recommendations
    4.4.1 Overall conclusions
    4.4.2 Recommendations
REFERENCES

LIST OF ABBREVIATIONS

ACLU: American Civil Liberties Union
BCRs: Binding Corporate Rules for data transfers
CDT: Center for Democracy and Technology
CFR: (EU) Charter of Fundamental Rights
CJEU: Court of Justice of the European Union
CCPA: California Consumer Privacy Act
CPRA: California Privacy Rights Act
CRS: (US) Congressional Research Service
DMA: Digital Markets Act
DSA: Digital Services Act
ECHR: European Convention on Human Rights and Fundamental Freedoms
ECtHR: European Court of Human Rights
EDPB: European Data Protection Board
EEGs: European Essential Guarantees for surveillance
E.O. 12333: (US) Executive Order 12333
FISA: (US) Foreign Intelligence Surveillance Act
FISC: (US) Foreign Intelligence Surveillance Court
FTC: (US) Federal Trade Commission
GDPR: (EU) General Data Protection Regulation
ICCPR: (UN) International Covenant on Civil and Political Rights
LIBE: European Parliament Committee on Civil Liberties, Justice and Home Affairs
OLC: (US Department of Justice) Office of Legal Counsel
OTI: (US) Open Technology Institute
PCLO: (US) Privacy and Civil Liberties Officer
PCLOB: (US) Privacy and Civil Liberties Oversight Board
PPD-28: (US) Presidential Policy Directive 28
SCCs: Standard Contractual Clauses for Data Transfers
TEU: Treaty on European Union
UDAP: Unfair and Deceptive Acts and Practices
