The United States and the National Security Exception to GDPR

U.S. Secretary of State Blinken participates in a U.S.-E.U. Trade and Technology Council Ministerial Strategic Session, in Luleå, Sweden, on May 31, 2023

By: Ben Boston; Staff Editor

 

[The United States is trying, for a third time, to achieve synchronicity.]




Accustomed to world primacy, American policymakers have, in the past decade, found themselves on shaky ground when it comes to European digital policy.  Restrictions stemming from the E.U.’s General Data Protection Regulation (GDPR) have impacted the enforcement of sanctions, the ability of financial institutions to comply with U.S. anti-money laundering regulations, and even the reach of American tax collection.

 

American commentary on U.S.-E.U. tension regarding data privacy often emphasizes European hypocrisy, pointing to the broad national security exceptions permitting E.U. member state intelligence services and law enforcement to collect information in ways that (these American critics allege) extend far beyond their American counterparts, with fewer procedural safeguards.  This argument serves as a partial rejoinder to the rhetoric of European elites around data privacy, which emphasizes European historical memory and the legacy of World War II and Cold War surveillance. In the eyes of those in Washington, European moralism belies a combination of anti-Americanism, anger over the Snowden leaks of 2013, and a protectionist desire to hinder American tech firms’ operations in Europe.  These American critiques demonstrate a real tension in the European data privacy regime.  However, they risk obscuring competition—between data protection authorities and intelligence and law enforcement agencies at the country level, and between national security authorities and the Court of Justice of the European Union (CJEU)—which could prove beneficial for American interests.

Data privacy legislation was passed in Germany in the 1970s, at the state and then eventually federal level, rooting data privacy protections in a human right to privacy protected by Article 8 of the European Convention on Human Rights.  Almost immediately, German data privacy governance created friction for interstate commerce, cutting against regulatory convergence within the European Community’s single market and prompting efforts to synchronize data privacy law across the Union that resulted in the Data Protection Directive in 1995 and then the General Data Protection Regulation (GDPR) in 2016.

The GDPR binds European member states and creates a supervisory European Data Protection Board, but Data Protection Authorities (DPAs) conduct enforcement at the national level.  These authorities can be roughly understood by reference to the law of the hammer: for a data protection agency, everything can be a matter of data privacy.  The determinations of DPAs are appealable within the judicial system of the member state, but the final appeal goes to the Court of Justice of the European Union (CJEU).

The CJEU is, in the best of times, an institution of extraordinary opacity and great power. Dutch scholar Luuk van Middelaar has described it as capable of delivering “coups,” or subtle actions with decisively binding consequences for European integration.  Regardless of its interest in data privacy itself, the Court is undeniably committed to upholding the binding nature of the E.U. Charter of Fundamental Rights, which expands upon the European Convention on Human Rights’ provision of a right to privacy to expressly incorporate a “right to the protection of personal data concerning him or her” in Article 8.  The Charter, in turn, is made binding on E.U. member states by the Treaty of Lisbon.

So if and when privacy activist Max Schrems brings an action against the newest iteration of U.S.-E.U. data governance synchronization, the Data Privacy Framework, he will have structural support from both regulators deeply invested in protecting and furthering the European data privacy regime and courts deeply invested in protecting and furthering the binding nature of European Union law.  American assertions of European hypocrisy might be met by agreement, from privacy regulators and courts who, for distinct reasons, might want to bind member states’ intelligence services and law enforcement.

As Christakis and Propp note, European intelligence services, led by France, have sought to counter the expansive approach of the DPAs and the courts via a national security exception.  As in other bodies of European law, the carveouts initially granted for national security have come under pressure, with the 2020 Privacy International and LQDN decisions applying CJEU review to the collection and retention of intelligence by member states.  The response of member states, led by France, has been to explicitly exempt intelligence collection from the jurisdiction of the CJEU altogether.  This leaves oversight in the hands of the European Court of Human Rights, where data privacy jurisprudence is less developed and slower, and the principle of margin of appreciation grants more space for surveillance and national security exceptionalism.

Perhaps this time will be different, and the U.S.-E.U. Privacy Shield will stand up to the scrutiny of European courts.  But if European judges are not convinced by the adequacy of the Data Protection Review Court created within the Department of Justice to hear appeals from E.U. data subjects, then the U.S. government will need to think more creatively about pathways to maintaining critical national security data sharing.  A starting point is working more closely with the European intelligence agencies that are able to avail themselves of the national security carveouts American policymakers currently decry for their hypocrisy.







Ben Boston is a second-year student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law.  He graduated from Stanford University in 2020.

 
Camilo Derya Rivera Vacirca