How should the U.S. respond to the Schrems II decision?
A five-point plan
The decision of the European Court of Justice (CJEU) in Schrems II is gobsmacking in its mix of judicial imperialism and Eurocentric hypocrisy. The decision invalidates the Privacy Shield agreement between the U.S. and the EU on the ground that U.S. protections for individual rights are not "adequate," by which the court means not "essentially equivalent" to the rights provided to individuals under European law. It manages to do this while acknowledging that the court and the EU have no authority to elaborate or enforce these rights against any of the EU's member states. That, the court says, is "irrelevant." It is making the rules for benighted foreign lands like Canada and the United States, not for Europeans. Freed from the prospect that any of the governments that appoint them will have to live with these rules, the judges of the CJEU declare that large chunks of U.S. intelligence law—including some of America's most productive and essential authorities, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA)—are beyond the pale.
In theory, this means that the United States is a privacy-inadequate nation, and any company sending personal data here may be fined under the General Data Protection Regulation (GDPR) up to four percent of gross global income. (Yes, the court left open the question whether a special set of corporate contract clauses remained a legal basis for transferring data to the U.S., but very few lawyers think those clauses will actually provide any protection when challenged, since no private contract can undo the obligations of Section 702.)
It is astonishing that a European court would assume it has authority to kill or cripple critical American intelligence programs by raising the threat of massive sanctions on American companies. In so doing, the court overrode a formal executive agreement reached by the EU with the U.S.; it also rejected the view of the European Commission that U.S. law was adequate to protect individual rights.
Still, the court clearly does think it can force its views on not just the United States but the rest of the world as well. It has already told the Canadians that they don't measure up. Australia and India have been kept in limbo for a decade due to doubts about whether their democracies dance sufficiently to the justices' tune.
Perhaps, had the court been less stiff-necked, it might have forced a change in the laws of these countries. But now the entire project is bound for disaster. China, which is already a great power when it comes to personal data, has signaled to Europe that it will not tolerate interference with its internal affairs. Yet rather than confront a country that clearly lacks protections for individual rights, European bureaucrats have spent 20 years chivvying the United States over data transfers, signing and breaking half a dozen agreements, always asking for more and usually getting additional concessions—including appointment of a special U.S. "ombudsperson" to hear European complaints; enforcement of European law by U.S. agencies like the Federal Trade Commission and Commerce Department; and a special Judicial Redress Act, passed for Europe in 2015, that grants Europeans the right to file FOIA petitions. None of that was good enough for the CJEU. This history shows that, even if the U.S. again tried to modify its law to meet the court's rigid demands in Schrems II, more litigation and more demands—not peace—would be the result.
The time for American concessions is over. Throughout the emergence of this issue, the U.S. has insisted—and the EU has agreed—that data flows across the Atlantic should not be interrupted. Indeed, the World Trade Organization (WTO) agreement signed by Europe makes clear that data flows may not be regulated in the name of privacy if the regulation is a means of "arbitrary or unjustifiable discrimination between countries where like conditions prevail." Nothing could be more discriminatory or arbitrary than 20 years of pursuing the United States for the privacy equivalent of parking tickets while ignoring similar infractions by the member states and an endless series of privacy felonies by the People's Republic of China. It's time for the U.S. to get serious about ending this campaign of harassment.
What can the United States do? Plenty. Here are a few options that belong on the table in the interagency process.
1. Rescind the concessions the U.S. made to get the now-broken deal. This is a no-brainer. Europe has broken the deal it made, and it cannot keep the parts of the deal it likes. The U.S. attorney general should withdraw the special status of European nationals under the Freedom of Information Act and the Judicial Redress Act. The Office of the Director of National Intelligence should abolish the office of the ombudsperson created to give Europeans comfort that their complaints about intelligence collection would be heard. President Trump should rescind PPD-28, the Obama-era set of politically correct limitations on intelligence community activities, which has been kept alive as part of the Privacy Shield negotiations.
2. Prepare to retaliate in a way that shows the U.S. is serious. Americans have never paid much attention to periodic eruptions of the data transfer issue. We are always a little inclined to think that maybe Europeans have something to teach us about privacy and human rights, so righteous American anger about intrusion on our sovereignty has been slow to ignite. But now is the time to show Europe that the U.S. is serious about keeping in place effective counterterrorism measures—and keeping the right to write U.S. laws without getting permission from European governments.
Because this decision violates U.S. rights under the WTO, the executive branch has authority under Section 301 of the Trade Act of 1974 to impose tariffs and other import restrictions on the countries of the European Union. And it should. If the U.S. wants to get Europe's attention, it needs to get Germany's attention, which probably means heavy tariffs on German cars and perhaps car parts. Airplanes and airplane parts are also a touchpoint. As usual, the list of retaliation candidates will need to include something of great value to each member state—Irish whiskey, say, or French wines.
The retaliation process will take a few months. The goal is not to impose the tariffs but to put an end to the crisis—and to Europe's peculiar arrogance about imposing its personal data law on the rest of the world.
3. Make common cause with the U.K., Canada, Australia and perhaps India. The U.S. doesn't have to stand alone. The EU has been threatening the U.K. with an "inadequacy" determination as punishment for Brexit. Its court has already struck at Canadian law. And Australia and India surely know they are next. The U.S. should include these nations in any negotiation, but only if they join America in preparing sanctions against Europe.
4. Find a stopgap solution in one of the member states. The CJEU's admission that it doesn't have anything to say about how member states protect personal data isn't just a confession of hypocrisy. It could be an opportunity to do an end run on the whole mess created by the court. If any one of the member states—Poland, say, or Ireland or Hungary—were willing to sign a national security agreement with the United States, it would be acting within the national security authority conferred on it by Article 4(2) of the Treaty of the European Union.
Suppose, in the pursuit of its national security interests, Poland agreed to allow personal data to flow to the United States without restriction, in exchange for which the United States agreed to share with Poland any counterterrorism data it was able to obtain by virtue of its worldwide intelligence collection. That would only apply to data transferred from Poland, of course, but companies could set up subsidiaries in Warsaw, transfer their data holdings there from elsewhere in Europe—after all, the EU is a single market—and then let them move to the United States.
Or suppose that Poland's government and data protection authority agreed that data exports to the United States could be challenged on the ground that protections for Europeans from U.S. intelligence were inadequate—but only by a plaintiff who could demonstrate concrete economic injury. Since the European objection to U.S. law has been almost entirely theoretical, this has the double advantage of providing redress for actual human rights violations while exposing the fact that, by and large, no one in Europe can point to any.
Whether these one-country solutions would withstand the inevitable legal wrangling, I don't know, but the court left no time for companies to adjust. Getting a Polish exit visa for data from that country would give them breathing room even if the shelter doesn't ultimately survive its journey through the courts.
5. Negotiate an agreement that ends the threat to American companies. If the U.S. can get European governments to take seriously American objections to the notion that Europe can write U.S. law, there is a simple solution to this problem. The CJEU's opinion, though written as though grounded in the rights of man, is in fact based on a European regulation and a European treaty. As a matter of international law, both of those can be overridden by a newer treaty. Indeed, the U.S. entered into a binding executive agreement—the international equivalent of a treaty—when it bargained for the adequacy determination that the court overturned.
How could the court overturn a binding agreement, then? The Americans who negotiated the deal under the Obama administration gave a lot of binding promises about how they would handle European data, but they didn't get a binding promise in return that U.S. law would be deemed adequate and that data flows of compliant companies would not be restricted. Maybe they got snookered. Maybe they couldn't muster the will to draw a line in the sand. Whatever the reason, the agreement is utterly one-sided—all American concessions, plus a little European mood music.
So the U.S. should ask for the concessions it should have gotten last time: a binding assurance that U.S. protections for individual rights are not in need of European editing and that data flows will never be threatened again over this issue.
As democracies with long histories of protecting civil liberties—histories that stand up well next to those of most EU members—the United Kingdom, Australia and Canada should get the same assurances. The CJEU's only source of power to undo the deal is the GDPR and the Treaty of the European Union (which is also the source of the Charter of Fundamental Rights of the European Union). All of those instruments must yield to a binding international agreement with the United States and other democratic nations.
A version of this post also appears on Lawfare.