In July 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield invalid in the Schrems II judgment. The EU-US Privacy Shield was the legal framework for transatlantic data transfers.
In particular, the ECJ found that far-reaching, legitimised intrusions into the privacy of Europeans by US intelligence agencies would be possible and that Privacy Shield did not provide adequate redress mechanisms.
In rejecting Privacy Shield, the ECJ made it clear that a data transfer agreement between the EU and the US is unlikely to withstand judicial review unless the US restricts and/or transforms the scope of its surveillance.
Since then, the question as to how to do transatlantic data transfers has arisen, especially in connection with tracking tools such as Google Analytics, but also with other services such as cloud providers, mailing services, etc. and with social media platforms. For a long time, it was assumed that anonymising the most frequently used analysis tool Google Analytics via the IP address would be a safe way “not to be included” in the scope of the GDPR. However, the Austrian data protection authority is of the opinion that the tool transfers such a large amount of data that the GDPR is applicable and legally compliant data transfer is not possible.
Last week, the European Union and the US announced that they had basically agreed on a new framework for EU-US data transfers. A new agreement based on this framework should allow for predictable and trustworthy data transfers between the EU and the US while ensuring the protection of privacy and civil liberties. However, no explanation was given as to how this would be designed in specific detail, especially in view of the strict surveillance laws of the USA.
In this context, it is particularly ironic that the powers of intelligence agencies have been further strengthened by the US Supreme Court's recent ruling in FBI v. Fazaga. The FBI v. Fazaga case stems from an FBI operation in 2006 and 2007 in which agents sent a paid informant to some of the largest mosques in Orange County, California, instructing him to pose as a convert to Islam. The FBI informant collected names, phone numbers and e-mail addresses, as well as information about the religious and political beliefs of numerous Muslim Americans who were exercising their constitutional right to religious freedom.
It remains to be seen which legal framework will govern data transfers between the EU and the USA, when it will be in place and whether such a legal regime for data transfer between the EU and the USA will - again - be "overturned" by the ECJ. For the time being, practitioners as faced with considerable legal uncertainty as legally compliant data transfer between the EU and the USA is hardly possible at this point.
[Link to Schrems II: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:62018CJ0311&from=DE]
[Link to Austrian DSB decision: Standarderledigung Bescheid (noyb.eu)]
[Link to Fazaga vs. FBI: Fazaga v. FBI, No. 12-56867 (9th Cir. 2020) :: Justia]