In his Atlantic Council issue brief US Surveillance on Trial in Europe: Will Transatlantic Digital Commerce Be Collateral Damage?, Propp summarizes the history, oral arguments, and possible outcomes of the European Court of Justice’s pending decisions on the validity of Standard Contractual Clauses and the EU-U.S. Privacy Shield.  Propp notes that if the Court finds U.S. surveillance law is inconsistent with EU privacy laws, “transatlantic data transfer mechanisms relied upon by [Facebook], and thousands of other companies, may be invalidated.”  The article examines the roots of this transatlantic privacy divide, traces the history of the Safe Harbor through the Schrems I case to the EU-U.S. Privacy Shield agreement, and analyzes the oral arguments made before the European Court of Justice in the Schrems II case.

Prof. Peter Swire, Research Director of the Cross-Border Data Forum, recently published an opinion piece, first in French in Le Monde, and then in English in the European Law Blog, with the title “the US, China, and Case 311/18 on Standard Contractual Clauses.” The piece argues that the Court of Justice of the European Union’s decision in the Schrems II case could create a privacy absurdity: Trans-Atlantic data flows to the U.S. would be halted for fear of intrusive surveillance, but European data would still flow freely to China, “a nation with surveillance practices ripped from the pages of a dystopian science fiction novel.” Swire has also published an annotated bibliography supporting the factual and legal points made in the article.

The Department of Justice recently published a white paper, mounting a defense of the CLOUD Act and proposing to answer frequently asked questions (FAQs). However, one point repeatedly made by the DOJ in this paper (and other DOJ statements) in support of the Act is a matter of significant international debate.  The DOJ contends that the Council of Europe Cybercrime Convention requires that parties to the Convention adopt legislation mirroring  Section 103 of the CLOUD Act. This section of the Act requires providers to produce stored data within their possession, custody. or control regardless of where in the world that information is stored.  This provision  is also generating the most controversy abroad, and contrary to the DOJ’s assertion, it is far from clear that international law requires the U.S. or any other state to adopt such measures.

In her Yale Law Journal Online article Privacy and Security Across Borders, Daskal analyzes the impetus and results of three recent initiatives for law enforcement access to data: the U.S. Cloud Act; the EU E-Evidence proposal; and recent Australian legislation. The article highlights these initiatives’ promise and limits, and offers a way forward. Daskal explains that there is, on the one hand, the risk of governments demanding access to all information anywhere and everywhere, in ways that will almost certainly result in reduced cybersecurity, privacy, and civil liberties for all. On the other hand, there is a unique opportunity to set baseline standards and clear jurisdictional rules—thereby facilitating law-enforcement access while also protecting, and ideally elevating, speech, privacy, and other rights protections in the process.

Andrew Burt and Dan Geer’s Lawfare article The Budapest Convention Offers an Opportunity for Modernizing Crimes in Cyberspace explores how the current negotiations of an additional protocol to the Budapest Convention on Cybercrime provide an opportunity for lawmakers to modernize how crimes are defined in cyberspace. Burt and Geer propose a new starting point for the definition of a cybercrime:

In his paper Transfer of Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?, Prof. Christakis looks at how Section 103 of the CLOUD Act may conflict with the GDPR’s restrictions on transfers of personal data to outside the European Union.