Against All Odds: Why there is no International information regime

Vanderbilt Journal of Transnational Law, 2022

In the long-awaited Schrems II decision, the Court of Justice of the European Union (CJEU) took a radical, although not an unexpected, step in invalidating the Privacy Shield Agreement, which facilitated data transfers between the European Union and the United States. Schrems II illuminates long-lasting international disagreements between the EU and the United States over data protection, national security, and the fundamental differences between the public and private approaches to the protection of human rights in the data-driven economy and modern state. This Article approaches the decision via an interdisciplinary lens of international law and VANDERBILT JOURNAL OF TRANSNATIONAL LAW [VOL. 55:1041 international relations and situates it in a broader historical context. In particular, I rely on the historical institutionalist approach, which emphasizes the importance of time and timing (also called sequencing) as well as institutional preferences of different actors to demonstrate that the Schrems II decision further solidifies and cements CJEU’s principled approach to data protection, rejecting data securitization and surveillance in the post-Snowden era. Schrems II aims to rebalance the terms of international cooperation in data sharing across the Atlantic and beyond. It is the outcome that US tech companies and the government feared. Yet, they are not the only actors displeased with the decision. An institutionalist emphasis illuminates that the EU is not a monolithic block, and that the Schrems II outcome is also contrary to the strategy and preferences of the EU Commission. The invalidation of the Privacy Shield will now (again) require either a reorientation of EU policy and priorities or an accommodation of the institutional preferences of its powerful political ally––the United States. The CJEU decision runs counter to the European Data Strategy and places a $7.1 trillion transatlantic economic relationship at risk. Historical institutional analysis suggests that structural changes in the US legal system to address the inadequacies in the Schrems II judgment are unlikely. Therefore, the EU Commission will act quickly to create a solution––another quick, contractual “fix”––to accommodate US exceptionalism and gloss over the decades of disagreement between the EU and United States over data protection, national security, and privacy. When two powerful actors are unwilling to change their institutional preferences, “contracting out” the protection of human rights in international law is the most convenient option.

This essay provides an overview of landmark legislative and judicial action relating to data protection laws and privacy rights in Europe, with a focus on international agreements overriding fundamental privacy rights. The differences in approaches towards valuing personal information privacy are contrasted in the light of recent judicial review of international agreements for the sake of the globalized digital market economy. The discussion on the dignity versus market approach on information privacy in democratic society appears to lay the basis for legal conflict leading up to the Safe Harbour-judgement by the European Court of Justice.

World Trade Review, 2015

Policymakers are faced with similar tough choices about information (or data) flows. On the one hand, they want to encourage the flow of information across borders in the interest of commerce, education, technology, and scientific progress. On the other hand, at times government officials need to restrict the free flow of information in order to achieve important policy objectives such as preventing spam, piracy, and hacking as well as protecting national security, public morals, and privacy. In addition, policymakers must find ways to ensure that the rules governing cross-border information work effectively across nations and systems, reflecting the ideal of the global interoperable Internet) 2 . Policymakers can indirectly or directly restrict information flows either by changing national policies and laws or by regulating online service providers Birnhack and Elkin-Koren, 2003: 7, 24-26).

Herein, we examine how the United States and the European Union (the EU) use trade agreements to advance the free flow of information and to promote digital rights online. In the 1980s and 1990s, after US policymakers tried to include language governing the free flow of information in trade agreements, other nations feared a threat to their sovereignty and their ability to restrict cross-border data flows in the interest of privacy or national security. In the 21st century, again many states have not responded positively to US and EU efforts to facilitate the free flow of information. They worry that the US dominates both the Internet economy and Internet governance in ways that benefit its interests. After the Snowden allegations, many states adopted strategies that restricted rather than enhanced the free flow of information. Without deliberate intent, efforts to set information free through trade liberalization may be making the Internet less free. Finally, the two trade giants are not fully in agreement on Internet freedom, but neither has linked policies to promote the free flow of information with policies to advance digital rights. Moreover, they not agree as to when restrictions on information are necessary and when they are protectionist.

Fordham Law Review, 2003

company seeking to transfer data from its European subsidiary back to its headquarters in the United States faces considerably fewer obstacles than an Australian company engaging in the same type of information transfer from its European subsidiary back to its head office in Australia. Both companies are theoretically subject to Directive 95/46/EC of the European Parliament ("European Privacy Directive"), the terms of which provide for the interruption of data transmissions if the receiving country is found to provide protections for the data that are not "adequate." 2 In reality, however, because of the Safe Harbor Agreement between the European Union ("EU") and the U.S., 3 the American company faces far fewer obstacles to the transmission. This Note considers whether the EU has violated its commitments under the World Trade Organization ("WTO") by holding American companies to substantially different and lower standards when judging the "adequacy" of the American privacy regime than it does companies from Australia and elsewhere in the world. It concludes that the EU has unfairly favored the U.S. with this different treatment and thereby discriminated against other member states by holding * J.D. Candidate, 2004, Fordham University, School of Law. I would like to thank Professor Joel R. Reidenberg for his help in selecting the topic and for generously providing a wealth of advice and suggestions. I would also like to thank my family, and most especially my children, Michaela and Nicholas, for their encouragement, love, and patience. 1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of

West European Politics, 2018

This article develops an 'economy of secrecy' as a framework to understand how secrecy regulates interstate relations and to explicate why states react differently to breaches of secrecy. Drawing upon Simmel, the article argues that secrecy shapes interstate relations by tuning the ratio of 'knowledge' and 'ignorance'. Furthermore, while the economy of secrecy acknowledges the existence of many types of secret, it emphasises their common underlying mechanisms, namely: secrecy as a field of power, secrecy as a field of performance, and secrecy as a normative terrain. Finally, the economy of secrecy is agnostic with regard to the moral character of promoting secrecy. In order to substantiate the argument, the article examines three recent iterations of how secrecy has disrupted EU-US relations: extraordinary renditions, WikiLeaks, and Snowden's revelations. In addition to showcasing how the economy of secrecy operates, these examples contribute to our understanding of how secrecy affects information flow and dissemination in world politics.

4th International Multidisciplinary Scientific Conference on Social Sciences and Arts SGEM2017, MODERN SCIENCE, 2017

The European Union (EU) and the USA have two very different models of personal data protection (European terminology) or information privacy law (American terminology). EU law has a defined and clear concept of personal data and a general law to protect this fundamental right. Meanwhile, the USA does not have a uniform definition of information privacy or personally identifiable information (PII); and it has only some sectorial laws to protect privacy in some markets. Personally identifiable information is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. At the same time, there is not a unique concept in US law for information privacy. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can be re-indentified. In some way, then, we can say that the European law is applicable to almost all information on the Internet. And in some way, too, we can say that American technology uses data to establish its markets and services. These widely divergent positions present a difficult point from which to start looking for an agreement. In addition, some legal categories of the European Law-General Data Protection Regulation (GDPR)-are not negotiable under contracts. Because of their inalienability they cannot be traded away by the free will of individuals, which complicates the mutual relationships between the two continents. After breaking the SAFE HARBOR (after the SCHREMS EUROPEAN COURT DECISION Sept. 23, 2015, in CASE C-362/14) and under the New Agreement PRIVACY SHIELD FRAMEWORK 2016, new problems arose. Also, it cannot be forgotten that the prospects of the Internet of Things (IoT) and Artificial Intelligence (AI) are introducing new technologies that challenge the present laws and concepts. These problems are asking for harmonized solutions that reflect cooperation of laws and policies for both sides of the Atlantic. This is necessary in order to continue with the traditional commercial relationship between Europe and North America and to work together against the terrorism threat. This paper will examine possible departure points, criteria and perspectives to find an approach based on the European Law (GDPR) and the US regulations and policies.

In the late 1990s, the growing importance of electronic commerce forged a reconciliation of different stances towards the regulation of personal data between the United States and the European Union in the interest of trade. But the "Safe Harbor" agreement's compromise quickly came under pressure when in the wake of 9/11 the United States unilaterally tightened its position, forcing the EU to comply with US regulatory preferences. What looked like a transatlantic conflict over the value of privacy in the making also developed an intra-European dimension when the European Parliament took the Commission to court over alleged negligence of European data protection legislation. The paper analyses the two conflicts and argues that the Parliament's court action and success resulted in substantial unintended consequences when competence for the subject matter was switched to another Directorate General, with different policy frames and preferences taking over, resulting in a substantive policy U-turn.

European Law Journal, 2020

When the Court of Justice announced the judgment in Schrems I, commentators described the outcome as an "earthquake" that tossed aside the fragile legal framework for transatlantic data flows known as the "Safe Harbor". The judgment of the Court in Schrems II has now toppled the second framework, the "Privacy Shield". In this article, I restate recommendations to the US Congress following the first Schrems judgment: (1) enact a comprehensive privacy law, (2) establish an independent data protection agency, and (3) ratify Council of Europe Convention 108. But I also explain that the United States and Europe are more aligned today in the common enterprise of data protection than they were five years ago, as the backdrop has shifted from the disclosures of Edward Snowden to the surveillance ambitions of the Chinese government. A common approach is therefore in the interests of these two key trading partners. There is also today shared urgency in strengthening the foundations of democratic institutions. 1 | SCHREMS I I testified before the United States Congress in 2015 after the first Schrems judgment. 1 In my statement I explained that the judgment of the Court of Justice was not surprising. For many years, scholars, members of the European Parliament and consumer groups on both sides of the Atlantic had expressed concern about the Safe Harbor framework, the legal basis for the transfer of personal data of Europeans to the United States. From the perspective of Europeans, the data transfer agreement failed to provide the protections otherwise afforded by the EU Data Protection Directive (which would become the General Data Protection Regulation). 2 The shortcoming of Safe Harbor

2002