The Supreme Court Just Made a US-EU Privacy Shield Agreement Even Harder
The justices gave the U.S. government more latitude to invoke "state secrets" in spying cases. But ironically, that victory undercuts the Biden administration's efforts to show that the United States has sufficiently strong privacy protections to sustain a new Privacy Shield agreement -- unless Congress steps in now.

In July 2020, the EU Court of Justice (CJEU) struck down the EU-U.S. Privacy Shield, a legal framework used by thousands of U.S. companies to facilitate data transfers, because the U.S. failed to provide adequate protection for data belonging to people from the EU. Specifically, the court found that U.S. surveillance authorities, including Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, permit unjustifiably broad government surveillance. The court also found that the Privacy Shield failed to provide adequate redress mechanisms for Europeans whose data is transferred to the U.S. -- namely, the ability to be heard by an independent court that can order binding remedies. In striking down Privacy Shield, the CJEU was clear: no EU-U.S. data-transfer agreement will survive the court's scrutiny until the U.S. narrows the scope of its surveillance and ensures that individuals subject to potentially illegal surveillance have a real, meaningful way to pursue accountability.