Abstract
Despite efforts to mitigate European concerns over US governmental access to European data, the US regulatory framework is still problematic from a fundamental rights perspective, as elevated by the Schrems II ruling. The issues associated with transnational transfers of data have been further complicated by the European Data Protection Board's recommendations that state that EU personal data cannot be processed in the clear in third countries where public authorities demand access to data. Based on empirical case studies from the Netherlands and Sweden, the present contribution outlines possible remedies that mitigate this problem, but the fundamental issue appears unsolvable. While the US has taken steps to grant foreign nationals more rights, significant challenges remain with the US approach to mass surveillance and EU citizens' lack of judicial redress.
Highlights
Never has it been so easy to share data
The CLOUD Act differs from the surveillance capabilities regulated by EO 12,333 and Foreign Intelligence Surveillance Act (FISA) section 702 in two important ways—first, each request is subject to judicial review, and second, law enforcement will have to demonstrate probable cause to obtain a warrant
The US legal framework clearly enables governmental access to data held by US companies—to such a degree that the Court of Justice of the European Union (CJEU) has invalidated not one but two Commission (2000; 2016) adequacy decisions based on the Safe Harbor agreement (Schrems I) 8 and the Privacy Shield arrangement (Schrems II)
Summary
Never has it been so easy to share data. Decentralised operations can operate seamlessly thanks to cloud services, allowing for real-time updates of databases and other documentation. It shows how both administrative law and the EU fundamental rights framework together raise questions on the legality of using such services. Section three presents to what degree this legal framework is incompatible with European fundamental rights as argued by the Court of Justice of the European Union (CJEU) in Schrems II This ruling is further analysed in light of the European Data Protection Board’s (EDPB) (2020) recommendations on supplementary measures, the European Commission’s (2020) draft standard contractual clauses (SCCs) and the European Data Protection Supervisor’s (EDPS) and the EDPB’s (2020) joint opinions on said SCCs. Section four discusses how this presents a challenge for public services wishing to use the services of US cloud providers. Case C‐311/18, Data Protection Commissioner vs Facebook Ireland Ltd, Maximillian Schrems, (Schrems II) ECLI identifier: ECLI:EU:C:2020:559
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have