Schrems II invalidated Privacy Shield because the court found that it did not provide an “essentially equivalent” level of protection compared to the guarantees of the GDPR. The National Security Agency (NSA) operated surveillance programs that had the potential to infringe on the rights of EU subjects, and there was a lack of oversight and effective judicial remedies to protect the rights of EU data subjects, which undermined Privacy Shield as a mechanism for data transfers. This Note sets aside the surveillance and national security issue, which would require resolution through a shift in overall U.S. national security law, and instead focuses on the other problems raised by Schrems II: how can the United States be considered an adequate jurisdiction for GDPR purposes in order to facilitate cross-Atlantic data transfers?
The most complete solution for the United States is a federal data privacy law that will lead the United States to be deemed an adequate jurisdiction. Standard contractual clauses are insufficient as the sole basis of reliance for data transfers across the Atlantic for two reasons. First, Schrems II implicates the adequacy of data protection laws of jurisdictions even in the context of SCCs, placing the burden on individual companies to assess the relative adequacy of data privacy laws. Second, SCCs bind only the individual signatories such that they cannot create “adequacy” for the United States as a whole.
Part I provides context for the approach to data privacy in the United States compared to the system in the European Union. Part II analyzes why Schrems I invalidated Safe Harbor and how it created the standard that Schrems II later applied to also invalidate Privacy Shield. Part II also outlines the risks of future use of standard contractual clauses as a means to transfer data between the United States and the European Union without a U.S. federal privacy law. Part III takes a step back to address how the pace of technological development and nature of the internet require that data privacy be addressed at the federal level while also discussing easing the path toward adequacy. Lastly, Part IV presents possible solutions to the lack of harmony among data privacy laws in the U.S. and argues that a federal U.S. data privacy law is the best solution for businesses because it will provide a centralized standard on which to base their operations.
The Impact of Schrems II: Next Steps for U.S. Data Privacy Law, Notre Dame L. Rev. Available at: https://scholarship.law.nd.edu/ndlr/vol96/iss5/10