Information Insecurity

Because a European court doesn’t trust U.S. protections on personal data, transatlantic commerce and national security are at risk

The Court of Justice in session: its <em>Schrems</em> decisions restricting the flow of personal data have been accused of hypocrisy. (European Court of Justice)
The Court of Justice in session: its Schrems decisions restricting the flow of personal data have been accused of hypocrisy. (European Court of Justice)

Last July, the European Union’s Court of Justice struck down a 2016 agreement that made it possible to transfer personal data from Europe to the United States. The Court of Justice, unlike the more famous European Court of Human Rights, usually concerns itself with interpreting prosaic matters of European law. Perhaps because of this, the 2020 decision received little media attention, especially in the United States. Yet the ruling has potentially devastating effects on transatlantic trade, as well as serious national security and privacy implications.

EU law permits personal data to leave any of its 27 member states only under certain conditions, the most important being that the country receiving the data provides “adequate” protections for its privacy. Historically, the European Commission—the administrative arm of the EU—has been responsible for determining whether protection is adequate. But so few countries have been willing to submit their laws for review by the commission that other means of determining adequacy have assumed greater importance. One of these involves agreements between the EU and other nations; another employs “standard contractual clauses” that companies in other countries adopt. Both approaches are designed to protect the data of Europeans while in the hands of a company in a non-EU country.

In the July decision, the Court of Justice ruled that because U.S. national security laws allow broad government access to data held by private companies, the United States does not adequately protect the data of EU citizens. The order invalidated an agreement between the EU and the United States known as the Privacy Shield, under which more than 5,300 American companies transfer data every day. The court also instructed national data protection commissioners to determine whether contracts with individual U.S. companies should be invalidated for the same reason.

Login to view the full article

If you are a current digital subscriber, login here.

Need to register?

Already a subscriber through The American Scholar?

OR

Are you a Phi Beta Kappa sustaining member?

Want to subscribe?

Print subscribers get access to our entire website

You can also just subscribe to our website for $9.99.

true

Permission required for reprinting, reproducing, or other uses.

Fred H. Cate and Rachel D. Dockery co-wrote this article. Fred H. Cate is Vice President for Research, Distinguished Professor, and C. Ben Dutton Professor of Law at Indiana University, and a senior policy adviser in the Centre for Information Policy Leadership. He is a former president of Phi Beta Kappa. Rachel D. Dockery is a senior research fellow in cybersecurity and privacy law at the Indiana University Maurer School of Law and Executive Director of the Indiana University Cybersecurity Clinic.

● NEWSLETTER

Please enter a valid email address
That address is already in use
The security code entered was incorrect
Thanks for signing up