The U.S. and the European Union are Further from a Privacy Shield Agreement than Before.
The Supreme Court’s decision in FBI v. Fazaga[1], a case challenging FBI surveillance, will make it significantly harder for people to pursue surveillance cases and for the U.S. and European Union (“E.U.”) negotiators to secure a lasting agreement for transatlantic transfers of private data.
Prior to the Fazaga decision, the European Union’s Court of Justice (“C.J.E.U.”) struck down the U.S.-E.U. Privacy Shield[2], legal guidelines used by thousands of U.S. companies to accomplish data transfers, because the U.S. failed to provide adequate protection for data belonging to people of the E.U. by permitting unjustifiably broad government surveillance and failing to provide proper redress for people of the E.U. whose data was transferred to the U.S. In the strike down of the U.S.-E.U. Privacy Shield, it was made incredibly clear that no data-transfer agreement will survive the C.J.E.U.’s scrutiny until two things take place:
1. The U.S. narrows the scope of its surveillance; and
2. The U.S. ensures that individuals subject to potentially illegal surveillance have a real, meaningful way to pursue accountability.
The Fazaga decision follows from a case wherein an FBI operation sent a paid informant into some of the largest mosques instructed to pose as a convert to Islam while he indiscriminately gathered names, phone numbers, email addresses, and information on each person’s religious and political beliefs of hundreds of Muslim Americans who were exercising their constitutional right to religious freedom. The Supreme Court ruled that the state secrets privilege continues to apply in spying cases, meaning that the government will now have an easier time shielding sensitive information from a court of law with the state secrets privilege, making it even more difficult for people challenging surveillance to prove their claims and obtain justice.
Essentially, the Fazaga decision persists the notion that safeguards for data transfers in the U.S. are inadequate and continuously fail to satisfy the E.U.’s privacy rules, which requires that (1) people must be able to seek redress before an independent decision-maker, (2) the remedies must be binding, and (3) people must be able to raise fundamental legal challenges to the surveillance. Should another proposed privacy agreement be struck down, small and medium-sized companies become at risk as they lack the capital necessary to cover the costs and legal risks associated with data transfers from Europe, yet Congress could prevent this. If Congress were able to establish clear procedures for a court to examine secret evidence in lawsuits challenging illegal spying, then Congress would prevent the government from using the state secrets privilege to frustrate court review in lawsuits going forward and allow citizens proper recourse for unlawful surveillance.[3]
[1] https://www.scotusblog.com/wp-content/uploads/2022/03/20-828.pdf
[2] https://curia.europa.eu/juris/fiche.jsf?id=C%3B311%3B18%3BRP%3B1%3BP%3B1%3BC2018%2F0311%2FJ
[3] https://thehill-com.cdn.ampproject.org/c/s/thehill.com/opinion/judiciary/598899-the-supreme-court-just-made-a-us-eu-privacy-shield-agreement-even-harder?amp