Privacy Wars: Peril and Promise for Transatlantic Data Transfers

In May 2013, Edward Snowden publicly disclosed a trove of highly-classified information about US signals intelligence programs around the world, unleashing a torrent of outrage both in the United States and abroad.  Nowhere did his revelations have a bigger impact than in Europe, where the extent of activities conducted by the US National Security Agency, sometimes with the cooperation of foreign intelligence services, came as a huge shock.

European Union officials were chagrined — and a little flattered — to learn that internal conversations with their overseas delegations had been intercepted.  German headlines trumpeted the alleged tapping of Angela Merkel’s personal cellphone.  Snowden’s revelations sharply disrupted the generally cooperative character of US-EU relations. “It seemed that the entire well of US-EU relations had been poisoned by the fallout from the Snowden affair,” the US Ambassador to the European Union during the period has written, citing its political impact on negotiations over a potential transatlantic free trade agreement, among other effects.

In Brussels, the evident scale of NSA surveillance was perceived as a challenge to ‘data protection’, the extensive body of privacy law that is one of the EU’s signature regulatory initiatives.  Snowden’s disclosures provoked an almost existential crisis in Europe about whether privacy protection even mattered.  Not long after, European privacy activists went to court to challenge the legitimacy of data transfers to the United States, in a series of cases that rumble on to this day. Their efforts have upended one US-EU data transfer agreement, the Safe Harbor Framework, and now threaten to do the same for the successor Privacy Shield, as well as for contract-based privacy protections.

The political impact in Europe of the Snowden revelations inevitably has diminished over the past seven years.  Today Europeans worry as much about weak privacy standards in authoritarian countries as about US surveillance practices.  In addition, as governments around the world struggle to overcome COVID-19, they see data-tracking technologies as a key part of the solution – and worry less about the attendant privacy risks.  Indeed, European governments are embracing data-tracking to a far greater extent than is the United States.

The forthcoming ruling by the European Court of Justice (ECJ)in the Snowden-legacy cases – due to be handed down on July 16 — has the potential to do more than reopen old wounds. Even more ominously, it may cause disarray in transatlantic digital commerce – at a time when governments cannot afford further economic damage.

A new Democratic Administration would be forced to confront the unresolved challenges of keeping data flowing across the Atlantic. How should the US Government respond if the ECJ again finds US privacy protections against surveillance of Europeans’ personal information to be insufficient? Is it finally time for the United States to directly challenge Europe’s efforts to impose its privacy rules on US national security data collection? Is there still room for compromise? Could a comprehensive US privacy law be part of the solution?