Published by The Lawfare Institute
in Cooperation With
The Schrems II judgment by the Court of Justice of the European Union (CJEU) will reshape the relationship between national security and global data flows. By invalidating the EU-U.S. Privacy Shield agreement, the decision ends a two-decade transatlantic compromise on data exchange. The court found that U.S. surveillance practices were disproportionate and violated the fundamental rights of European Union citizens, who had no effective legal recourse to challenge potential U.S. abuses. The decision also threatens “standard contractual clauses”—alternative firm-based workarounds to allow data transfers—by effectively empowering national (or, in Germany’s case, regional) data protection authorities to block data exports to countries where there is a high risk that national security authorities may demand access to it. European data protection authorities are already suggesting that data localization in Europe is the only legally sound path forward.
The judgment has provoked a hostile reaction from U.S. national security and privacy experts, who describe the judgment as European overreach. Peter Swire comments that “[f]or national security experts, it is puzzling in the extreme to think that citizens of one country have a right to review their intelligence files from other countries.” Writing in Lawfare, Stewart Baker describes the judgment as a “gobsmacking … mix of judicial imperialism and Eurocentric hypocrisy” and proposes that the U.S. use trade penalties to force the European Union to back down and make Europeans realize that the U.S. is serious about keeping “the right to write U.S. laws without getting permission from European governments.”
The two of us have spent more than two decades studying and writing about EU-U.S. fights over privacy and security (we discussed our book on the topic, “Of Privacy and Power: The Transatlantic Struggle Over Freedom and Security,” on the Lawfare Podcast). Our work leads us to a very different conclusion.
It isn’t the CJEU’s judgment or European privacy policies that need to be revised. What needs to change is how U.S. policymakers think about national security and surveillance in a world of global information networks. For two decades, the U.S. has been able to have its cake and eat it too—behaving like a unilateral, imperialist power in an interdependent world. Schrems II shows how that strategy is reaching its limits. The U.S. is discovering that interdependence means that it too is vulnerable. Fixing these vulnerabilities is going to require much deeper international cooperation with like-minded democracies. And that in turn entails a very different relationship between national courts and international surveillance. America’s security isn’t being undermined by Europe’s privacy demands. Instead, engaging these demands could provide politically robust foundations for the security architecture that both America and its allies need to confront the new threats associated with a changing world.
Over the past three decades, the world has become far more globalized and interdependent. Global networks of money, trade and transport ensured that what happened in one country was far more likely to matter for other countries than in the past. It took some time for policymakers around the world to realize that this had profound consequences for national security: Agile actors could now work across countries and exploit weaknesses in global networks, leading to worries that, for example, drug smugglers could exploit weak controls in the global financial system to easily get paid. After Sept. 11, 2001, the U.S. and its allies realized that terrorists too could use global communications systems and financial networks to organize plots across continents. The response transformed the transatlantic relationship as the U.S. put intense pressure on the European Union to subordinate its privacy regime to national security.
As our book explains in detail, European authorities and courts were typically willing to listen. European officials such as France’s interior minister and then-president, Nicolas Sarkozy, and Germany’s interior minister at the time, Wolfgang Schäuble, welcomed U.S. pressure, which made it easier for them to sideline domestic opponents and pursue their own national security objectives. Courts, including the CJEU, were reluctant to interfere. The result was that the transatlantic relationship became dominated by a cooperative network of national security officials, who had different approaches but agreed more than they disagreed. This network was deliberately designed to exclude and marginalize privacy-oriented officials in Europe.
This security-dominated transatlantic relationship might have lasted for a long time. The problem was that U.S. surveillance agencies, too, had discovered that an interdependent world presented them with many opportunities and few controls. After Sept. 11, 2001, they had new resources, a new mission, and new abilities to gather information globally and to analyze it. The internet and other global telecommunications networks made it easy to gather information in bulk, while new data techniques allowed analysts to sift through the huge amounts of data collected in search of valuable intelligence. Intelligence officials now worried less about how to get data, and more about avoiding paralysis in the face of the enormous piles of material that accumulated every day on their servers.
Meanwhile, during the 1990s and 2000s, global information and financial networks expanded to include ever more information about people’s lives. In many areas, private-sector information networks centralized around a few key nodes. Nearly all global financial transactions are recorded by the SWIFT system. The internet relies on a relatively tiny number of fiber optic cables that transmit the majority of international traffic. Six or seven platform companies dominate information markets for social media, search and e-commerce.
In other work, we describe how these chokepoints in global economic networks allowed intelligence agencies to weaponize interdependence, turning the internet into a kind of global panopticon. It also meant that the activities of intelligence agencies became more and more embroiled with the ordinary lives of unsuspecting citizens, as data on click-streams, flight patterns and credit card purchases was scooped up. Furthermore, these networks functioned in ways that made it hard for these agencies to separate out information on foreigners from information on their own citizens. Agencies also shared information with peers in other countries through arrangements that were outside of the public eye and public control. This raised a new civil liberties dilemma: Citizens’ rights were compromised as global economic networks exposed them to the surveillance practices of foreign intelligence agencies.
By turning economic networks into a global surveillance apparatus, the U.S. doomed the transatlantic compromise over commercial transfer of personal data. The predecessor to the 2016 Privacy Shield, the Safe Harbor arrangement, which was adopted in 2000, had finessed differences in domestic privacy rules between the U.S. and Europe by shifting the focus of jurisdiction to the level of the firm. U.S. companies certified that they were complying with EU-equivalent rules even if the U.S. did not. This deal lost its legitimacy when it became impossible for Europe to ignore that U.S. firms were vulnerable to the U.S. national security state.
This reckoning was shaped by two political outsiders, Edward Snowden and Austrian privacy activist Max Schrems. The Snowden leaks exposed the dramatic expansion of surveillance over global networks. Schrems, for his part, viewed the leaks as an opportunity to make some aspects of international surveillance justiciable in the European Union. Starting in 2013, he challenged the Safe Harbor arrangement in Irish courts and the CJEU, arguing that the U.S. surveillance practices revealed by the Snowden documents demonstrated that U.S. companies could not comply with Safe Harbor’s requirements.
The events that have unfolded since then have had their own logic of inevitability. Once the Snowden revelations were made public and the scope of the global surveillance apparatus became clear, it was hard for Europe and the United States to craft an agreement that would last. The Safe Harbor had been possible only because negotiators treated commercial data exchange as being separated from national security issues. The Snowden leaks allowed Schrems to persuade European judges that one couldn’t regulate the first without addressing the second, closing off the space for possible compromise.
This is why no one—including the European Union officials who negotiated it—ever thought that the Privacy Shield agreement that succeeded Safe Harbor had much chance of surviving CJEU scrutiny. It offered weak administrative procedures and descriptions of intelligence agency practices in lieu of the real redress that the CJEU wanted. Last week’s judgment has been long expected.
Snowden and Schrems set off an institutional dynamic that will be hard to reverse. American proposals to respond to Schrems II by punishing the European Union through trade sanctions or the like will fail, because they don’t affect the relevant decision makers. Like the U.S. Supreme Court, the CJEU has its own politics but it does not negotiate. Instead, it lays down authoritative interpretations of the law. National data protection officials have their own understanding of their responsibilities. While they are usually more pragmatic than some U.S. commentators suggest, they see their fundamental responsibility as protecting the rights of EU citizens, rather than facilitating international trade.
Furthermore, these judges and officials are responding to a fundamental problem that the U.S. has declined to confront—because it hasn’t been in America’s interest, as a dominant surveillance power, to confront it. International surveillance means one thing in a world of distinct nation-states, which have relatively little to do with each other. It means something quite different in an interdependent world where the communications and financial flows of different countries are mixed together, and where these communications and financial flows touch on every aspect of citizens’ ordinary lives. And as ever more devices go online, international surveillance will be increasingly intrusive and increasingly hard to separate from domestic politics.
The result is increasing resistance—including from core U.S. allies—to the U.S. assumption that America can engage in surveillance without any repercussions. The national security-dominated transatlantic relationship of the 2000s has now been pushed aside by EU judges and national officials, who are far more difficult to bully than the European negotiators who often tacitly welcomed U.S. pressure from the beginning.
America’s fundamental problem, in other words, isn’t European imperialism. As in other policy areas, it’s America’s own imperialism—the assumption that it can unilaterally impose its security requirements on allies without making significant concessions in turn or suffering any costs. This unilateralism is limiting American understanding of how the actual security needs of the U.S. are changing, and how Europe’s demands create opportunities as well as difficulties. Once, U.S. policymakers did not pay enough attention to the consequences of global interdependence for national security. Then they began to take systematic advantage of the opportunities that global interdependence offered for international surveillance, in ways that generated international opposition and undermined support for U.S. policies. Now, they face a new challenge—working together with other like-minded states to remake interdependence in ways that shore up U.S. security vulnerabilities.
For a long time, the U.S. believed that it could weaponize interdependence against other states without serious blowback, imposing global surveillance and using chokepoints in the international financial system to strangle enemies and put pressure on friends. Now, it’s discovering that other states can weaponize interdependence against the U.S. in turn. For example, American policymakers worry that if Huawei builds the global infrastructure for 5G, China will be able to conduct global surveillance and perhaps even cut states out of global communications networks to punish them. This sounds like a disaster to the U.S. but is wearisomely familiar to Europeans: As a cynical European official put it to the Economist on July 16, “America wants to prevent China being able to do what America currently does to the rest of the world by controlling the financial system.”
The strategic problem that the U.S. now faces is different from the immediate post-9/11 world. It needs to get its allies to cooperate actively in building a shared sphere of interdependence that is more robust against authoritarian countries such as Russia and China, particularly as China pushes into the core technologies that support global economic networks. Building this will require a different approach than the standard U.S. toolkit of external pressure and secondary sanctions. (U.S. complaints about European arrogance on privacy ring hollow to Europeans who have already seen their banks pay many billions in penalties under the U.S. sanctions regime.) Other democratic states would need to agree to act in a much deeper concert, to build more robust shared information systems and secure common supply chains. This would also require deeper intelligence collaboration across a broader group of partners than the existing Five Eyes alliance.
However, conversations about a new “alliance of democracies,” common development of information technology, and new and deeper Five Eyes-type arrangements will go nowhere without a changed American understanding of the relationship between national security and international civil rights. Shared arrangements for more secure technology will have to get buy-in from technology firms, national legislators and citizens. Deeper intelligence cooperation will encounter vigorous opposition from privacy officials, from civil liberties activists and, most importantly, from the courts. It will be impossible to overcome these challenges in Europe unless the U.S. radically changes its understanding of national security to incorporate rights for the citizens of allied countries. It may even be difficult to overcome such challenges in the U.S. Increasingly, not only liberals and the left but also the U.S. right are fearful of how international surveillance arrangements and intelligence cooperation can be used for domestic political purposes.
Many U.S. national security experts have been puzzled by the CJEU’s demands that greater cross-national surveillance go together with substantial cross-national legal rights. They dismiss the CJEU’s analysis as abstract and practically implausible. Yet the CJEU, and European privacy activists and officials, are not only responding to U.S. unilateralism. They also have a better pragmatic understanding of how global interdependence has changed the relationship between national security and civil liberties. For the first time in world history, it is possible for the state of one democratic country to engage in large-scale intimate surveillance of the everyday lives of citizens in another, without formal protections or redress. This opens up obvious opportunities for abuse, especially as democratic states share more information with each other, making accountability harder or sometimes even effectively impossible.
If the U.S. wants to reshape interdependence to better protect democratic economies and communications systems against authoritarian countries, it is going to have to confront the fact that there is no way to address the security challenges of interdependence among democracies without making some rights interdependent too. This might be the beginning of a new, more sustainable kind of transatlantic cooperation on security and civil liberties, in which technology and intelligence sharing goes together with real cross-national protections for civil liberties. Many European judges and officials would be willing to work with this approach. Kenneth Propp and Peter Swire quote a key EU privacy official as saying that the U.S. is much closer to European values than Chinese, and elaborating that “I have never hidden that we have a preference for data being processed by entities sharing European values.”
In other words, the U.S. is likely to find new allies in its efforts to secure itself against authoritarian countries if it is willing to revisit its understanding of national security and provide reciprocal privacy rights to the citizens of other democracies. Such a rights-based approach is almost certainly a necessary precondition for the deeper kinds of cooperation with allies that are likely essential to U.S. national security in a world where technologies and supply chains have become new threat vectors. While this may be a painful mental adjustment for U.S. policymakers, the CJEU’s judgment—properly understood—provides a valuable opportunity to start to elaborate the principles and practices that could make this approach work.