US Supreme Court just blew up EU-US Data Transfers


On Monday, the US Supreme Court decided in Trump v. Slaughter that the US Federal Trade Commission (“FTC”) may not be independent anymore. Since 2000, the EU has relied on the “independent” FTC as the enforcer of EU-US deals on personal data. According to EU treaty law, such oversight must be independent. In the current EU-US deal, the European Commission relies on the independent FTC 259 (!) times. Max Schrems: “Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.”


Since 1995, the EU generally prohibits the export of personal data to third countries in order to prevent EU privacy rules from being circumvented by simply sending data abroad. While there are exceptions for necessary transfers, ranging from anything like booking a hotel to complex transactions, many EU companies simply outsourced the processing of personal data to US cloud providers. Since 2000, the European Commission has repeatedly accepted that the US is an “adequate” country when it comes to the protection of personal data – allowing free data flows between the EU and the US. The European Court of Justice (CJEU) annulled the Commission’s two previous decisions in the so-called “Schrems I” decision (killing “Safe Harbour”) and “Schrems II” decision (killing the “Privacy Shield”) because of US Surveillance Laws and the lack of judicial remedies in the US. Nevertheless, in 2023 the European Commission issued a third EU-US deal, called the “EU-US Data Privacy Framework”, which was largely a copy of the previously annulled deals.


EU requirement for an independent DPA. EU treaty law (so the EU’s “constitutional” framework), namely Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights, requires that the oversight over data protection matters must be done by an “independent” authority. Because third countries must have “essentially equivalent” protections, any third country that wants to enjoy the free flow of personal data from the EU must also afford such protections. So far, the US has appointed the “independent” FTC to be the US privacy regulator to meet the EU’s requirement for independent oversight. The EU, in turn, has relied on the FTC a whopping 259 (!) times in its EU-US data flow decision. Max Schrems: “Crucially, the EU constitutional framework requires independent oversight. The only way to change this would be a unanimous vote by all EU Member States to change the EU treaties.”


The requirement for an independent Court. Furthermore, the CJEU also highlighted that the US would need to provide an independent legal redress mechanism in matters of government surveillance. Because the US was unable to pass relevant legislation, the Biden Administration created a “Data Protection Review Court”. Despite being called a “Court”, it is in fact an executive body within the US Justice Ministry. It is only “independent” via an Executive Order (EO) by former President Biden, which can be changed by Trump at any moment and is not binding on the President.


The “Slaughter” decision: unitary (Trump) executive. In a 180° turn on previous case law, the conservative majority in the US Supreme Court has now decided that the independence of the FTC is unconstitutional. This follows the “unitary executive theory” that the US President must have power over all US executive bodies, declaring all US laws that make various agencies independent to be unconstitutional. Given that the EU relied on the “independence” of the FTC as a privacy watchdog in almost all cases, the entire structure of the EU-US Data Privacy Framework has just collapsed. Max Schrems: “Even in the European Commission’s logic, the basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud – which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility.”


Impact not unlimited. Even if all the underpinning of the EU decision is gone, the European Commission’s decision is formally in force until either the European Commission repeals it or the Court of Justice annuls it. Hence, there is no imminent effect. The GDPR also only regulates the transfer of personal data; non-personal data can flow freely. Furthermore, Article 49 GDPR allows necessary data transfers to any third country. It does not, however, allow structurally offshoring data from the EU if that is not strictly necessary.


SCCs and BCRs also affected. While some companies may not directly rely on the EU-US Framework and instead formally use SCCs and BCRs, they usually also rely on an “impact assessment”, which in turn relies on formerly independent US executive bodies such as the PCLOB or the Data Protection Review Court. The Supreme Court decision therefore usually affects them too, even if they do not rely on the FTC. Unlike controllers relying on a formal Commission Decision, they must immediately update their assessment – and logically come to the conclusion that data transfers are not legal anymore.


Next Steps: Commission must repeal EU-US deal. noyb has sent a formal letter to the European Commission today, asking it to take the appropriate steps to repeal the EU-US data deal in an orderly way. Politically, many EU Member States have already moved towards a “digital sovereignty” approach and announced plans to decouple from US service providers. Some US service providers are also moving towards separate EU data processing. However, given that the US still exercises massive pressure on the EU to keep personal data flowing, noyb will also file a lawsuit in the coming weeks, aiming to allow…
