Introduction

On July 16, 2020, the Court of Justice of the European Union (CJEU), in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (Schrems II), invalidated the Privacy Shield that had provided a mechanism for data transfers between the United States and Europe.¹ Over 5,300 companies relied on the Privacy Shield to facilitate transatlantic data transfers for services including social media, messaging, cloud services, and email.² The Privacy Shield enabled these companies to freely transfer data between markets, thereby permitting them to sell physical and digital goods and services to consumers in Europe. Recent figures indicate that these commercial activities made up a significant portion of the over $7 trillion in transatlantic trade that takes place every year.³

In the Schrems II case, the CJEU found that U.S. surveillance laws do not provide an adequate level of protection for the personal data of European Union (EU) citizens that is equivalent to the rights guaranteed in the EU by the General Data Protection Regulation (GDPR). The CJEU also found that the United States lacks any mechanism to provide effective and independent review and redress for EU citizens whose data is transferred to the United States. The decision has created ambiguity around the future of trade between businesses in the United States and the EU.

The United States and the EU are currently engaged in negotiations seeking to resolve the concerns presented by the CJEU. In order for the U.S. government to create an effective and sustainable solution, it must institute reforms to the U.S. surveillance ecosystem. This report puts forth recommendations for measures that the U.S. government can implement in the near term, without need for congressional action, with the aim of providing guidance for the negotiation process and meaningfully addressing the concerns set forth in Schrems II.

Since the CJEU’s decision in Schrems II addresses protections for the data—and the interests—of EU citizens, meeting the court’s concerns requires increasing protections for non-U.S. persons.⁴ It is worth noting, however, that most of the increased safeguards that we recommend for non-U.S. persons would also increase protections for the rights of Americans. For example, proposals to institute narrower standards for surveillance targeting would result in data collection that better focuses on appropriate targets and intrudes less on the privacy of U.S. persons and non-U.S. persons alike.

We do not suggest that every measure we recommend in this report is strictly required by the Schrems II decision, nor can we forecast that if all of the recommendations we set forth here are adopted, this would fully satisfy the CJEU. Rather, we seek to outline a package of reforms that address the Schrems II decision, that increase privacy safeguards for both U.S. persons and non-U.S. persons, and that should be achievable in the near term. Although we will continue to urge the U.S. government to adopt comprehensive surveillance reforms beyond those outlined in this report,⁵ we focus here on measures that should be feasible and actionable by the U.S. Intelligence Community without need for statutory changes. In some instances, we note that legislation would be necessary to fully resolve the CJEU’s concerns, and in most cases we urge that steps taken by the executive branch should subsequently be codified by Congress. We plan to elaborate on those items that require congressional action in a subsequent report.