Abstract

Privacy advocates rightly view the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximilian Schrems (Schrems II) as a landmark. But one stakeholder's landmark is another's headache. The CJEU's decision invalidated the EU-U.S. Privacy Shield agreement governing transatlantic transfers of personal data. Citing U.S. surveillance law and practices, the CJEU found that data transfers lacked adequate privacy protections under the EU's General Data Protection Regulation (GDPR). The Schrems II decision thus clouded the future of data transfers that help drive the global economy. This Article offers a hybrid approach to safeguard privacy rights and ensure the viability of transatlantic data flows. The Article's hybrid approach is an alternative to two less promising ways of reading the CJEU's groundbreaking decision. The European Data Protection Board (EDPB) issued recommendations that took an absolutist view of Schrems II. For example, the EDPB rejects reliance on risk assessments that gauge the probability of U.S. surveillance of particular data. The EDPB insists on technical measures such as steep EU-centered encryption that thwart U.S. surveillance but also bar access for U.S. firms. This absolutist approach undermines the whole point of transatlantic data transfers. Another response to Schrems II takes a "don't worry, be happy" tack. Heralds of optimism assure audiences on both sides of the Atlantic that most transatlantic data transfers are immune as a matter of law from U.S. surveillance, including collection under § 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333 (EO 12333). Unfortunately for this optimistic turn, U.S. surveillance authorities are sufficiently broad to reach many communications by EU individuals. In particular, § 702's provision for collecting communications related to U.S. foreign affairs lacks any intelligible limiting principle or specific review of targeting decisions. The U.S. Foreign Intelligence Surveillance Court (FISC) does not approve every target under § 702, although it has the power to scrutinize targeting procedures. Collection under EO 12333 is even broader and not subject to FISC review. In sum, surveillance optimism is a rhetorical trope, not a legal strategy. Navigating between the EDPB's absolutist approach and the heralds' unfounded optimism, this Article proposes a hybrid model. The hybrid outlines a risk-assessment method based on U.S. export controls, which have successfully managed exports of sensitive technology for decades. This model can also be a template for managing transfers of sensitive personal data. In addition, the hybrid model proposes bolstering substantive and institutional safeguards in U.S. law. For example, the Article proposes an Algorithmic Rights Court (ARC) that would probe targeting decisions under both § 702 and EO 12333. Through more precise risk assessment and reinforced institutional and substantive protections, the hybrid model preserves privacy and supports a sustainable transatlantic data transfer regime.
