Chapter 1: Introduction

Much of modern life relies upon a wide range of digital services and platforms. From smartphone apps to email services and beyond—these tools and programs all collect our data, some of which is quite sensitive. In our interconnected world, that data may very likely also be transferred to other jurisdictions for further data processing or storage. While most of us may not even realize this transaction happens, it can interfere with our basic rights in several ways.

Domestically, national security agencies may access personal data as part of their mandate to protect national security. While this tends to be a densely regulated space in democratic states, lawmakers, national security professionals, courts, and civil society often find it challenging to ensure that legislation and practice provide both individual rights protection and national security. This is a matter of frequent policy debates, political battles, and reform.

Cross-border data transfers raise the same issues and can cause the same interferences with basic rights, albeit by the private and state authorities of another country. In theory, this necessitates a similarly appropriate balance of strong standards to protect personal data against unconstrained and disproportionate government access. Until recently, though, safeguarding rights in the context of cross-border data transfers was not satisfactorily addressed.

In July 2020, the European Court of Justice invalidated the European Commission’s decision regarding the EU-U.S. Privacy Shield, and thus brought new attention to this issue. In its landmark Schrems II judgment, the court assessed the adequacy of U.S. intelligence law and practices, questioning whether they provide an essentially equivalent standard to European data protection and privacy law. The court held that “neither Section 702 of the FISA, nor EO 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of Proportionality” and concluded that U.S. “surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”1

While this caused the European Commission and the U.S. government to privately address cross-border data flows, data protection, and government access to data with greater urgency again, there is a much greater need to publicly explore and debate a wide range of policy questions. For example, what type of data processing, by whom, may be allowed for what kind of non-national data? For which aims, and according to which safeguards? Who should set those standards, and who should oversee them? Can they be challenged, and if so, how?

Amid the current transatlantic data gridlock, enormous economic and political interests that are tied to the free flow of data hang in the balance. For example, the increased difficulty in transferring data could result in data localization. This practice, which has been on the rise in recent years, has detrimental economic and societal impacts across the globe, fragmenting the internet as we know it and interrupting global communications and a wide variety of other services.

The United States and the EU have the opportunity to set an example for how cross-border data transfers can exist without compromising human rights. It is important that they get this right, as they risk losing ground to authoritarian regimes that are far less concerned with high standards and safeguards for data processing.

Being leaders in cross-border data transfers will require a more sustainable effort to address and mitigate the wide range of concerns, risks, and dangers that are associated with insufficiently regulated and inadequately overseen cross-border data transfers and respective government access. A prior iteration of the EU-U.S. Privacy Shield also failed to meet sufficient standards and was invalidated by the European Court of Justice in 2016.2 A more durable agreement is needed to satisfy not just policymakers, but individuals and judiciaries for the long term. In this report, we will focus, in particular, on concrete risks to digital rights that transatlantic policymakers should address to resume the “free flow of data with trust.”3

Chapter Two of this report lays out that the law has a lot of catching up to do with the rapid evolution of digital surveillance. On both sides of the Atlantic, opaque legal frameworks for surveillance and intelligence make it difficult for individuals to understand and enforce their rights.

Chapter Three highlights how governments’ access to commercially available data remains a frontier of law and policy on both sides of the Atlantic.

Chapter Four discusses how additional risks to lawful and legitimate cross-border data transfers stem from the fact that much of the hardware and software used by the security sector converges around similar products and facilitates automated data sharing and cross-system information analysis.

The report’s main focus lies on intelligence agencies’ access to personal data.4 Each chapter raises serious accountability risks and critical policy questions about government responsibilities that ought to be addressed more rigorously by transatlantic policy circles.

The Current State of EU-U.S. Surveillance Negotiations

Policymakers on both sides of the Atlantic have been cooperating with renewed vigor as part of the EU-U.S. Trade and Technology Council (TTC) that met for the first time in Pittsburgh in September 2021. The council formed 10 working groups to “carry forward important work to strengthen our relationship and cooperation.” They focus, among other things, on topics like “data governance and technology platforms” and “misuse of technology threatening security and human rights” (e.g., “arbitrary and unlawful surveillance”).5

EU officials attending the inaugural TTC meeting in Pittsburgh confirmed that “data flows” were not on the official agenda.6 By early December 2021, after months of bilateral negotiations on a future EU-U.S. data agreement, no precise path forward, let alone a successor agreement, has been announced. However, the fact that European Commissioner Didier Reynders might not meet his objective “that a successor agreement to Privacy Shield could be reached by the end of 2021” may be good news because it will allow policymakers to engage in inclusive policy debates on the many complex and pressing questions regarding proportionate government access to personal data.

Safeguarding data amid transatlantic data transfers is incredibly complex and negotiators are right to aim for an agreement that is legally defensible.7 Additionally, U.S. and EU citizens need greater clarity into evolving surveillance practices, the laws that govern them, and the oversight bodies involved. We suspect that the many open policy questions and democratic deficits identified in the following three chapters are, at least in part, the result of a long-standing preference—both in the United States and across Europe—to shy away from addressing the complicated nuances and open questions of government surveillance. Unless these matters are addressed in more inclusive policy debates that result in more comprehensive legislative reforms, we are concerned that the United States and EU might not be able to resume the transatlantic free flow of data with trust.

Citations
  1. Court of Justice of the European Union. Schrems II Judgement. July 26, 2020, recital 184.
  2. Court of Justice of the European Union. Schrems I Judgement. October 6, 2015.
  3. OECD Committee on Digital Economy Policy. “Government access to personal data held by the private sector.” 2020.
  4. We are aware that law enforcement agencies’ access to personal data is an equally pressing theme in transatlantic policy circles, particularly with regard to trans-border access in the context of criminal investigations. Examining this further would have gone far beyond the scope of this report.
  5. EU-U.S. Trade and Technology Council. “Joint Statement.” September 29, 2021.
  6. Manancourt, Vincent and Mark Scott. “Washington says a transatlantic data deal is close, Brussels disagrees.” Politico. September 17, 2021.
  7. Palmer, Doug. “U.S. Wants ‘Legally Defensible’ Privacy Shield Pact, Commerce Negotiator Says.” Politico Pro. July 20, 2021.
