This post examines a report issued in March 2022 by the Atlantic Council entitled, “Trading in U.S.-India Data Flows: Prospects for Cooperation in U.S.-India Data Policy.” Noting the opportunity created by the reconvening of the U.S.-India Trade Policy Forum (TPF), this report urges the Biden administration and the Modi government to pursue cooperation on cross-border data flows.
In the paper entitled The Effects of Data Localization on Cybersecurity, CBDF Research Director Peter Swire and CBDF Senior Fellow DeBrae Kennedy-Mayo provide the first systematic examination of the effects of data localization laws on cybersecurity. The authors focus on the effects of “hard” data localization, where transfer of data is prohibited to other countries. The discussion includes both de jure and de facto effects, including China’s explicit laws, recent enforcement actions in the European Union, and proposed privacy legislation in India.
For the full article posted today on the European Law Blog, click here. Can the U.S. Government create, by non-statutory means, an independent redress authority capable of providing an effective remedy for a European person who believes that her or his rights have been infringed by an intelligence service? In this article we put forward a novel non-statutory solution that could resolve the “redress” problem in the EU/US adequacy negotiations. This solution is based on three “building blocks” inspired by methods utilized in U.S. administrative law. First, the U.S. Department of Justice should issue a binding regulation creating within that executive agency an independent “Foreign Intelligence Redress Authority” (FIRA). Second, the President should issue a separate Executive Order providing the necessary investigative powers and giving FIRA’s decisions binding effect across the intelligence agencies and other components of the U.S. government. Finally, European individuals could obtain judicial review of an independent redress decision by using the existing Administrative Procedure Act.
In the Schrems II case, a central concern of the Court of Justice of the European Union (CJEU) was the lack of redress – the ability of an individual to invoke an effective remedy concerning foreign intelligence surveillance. The CJEU specifically stated that Article 47 of the EU Charter of Fundamental Rights, which requires an “effective remedy,” operates on “the premis[e] that data subjects must have the possibility of bringing legal action before an independent and impartial court.” In the negotiations between the EU and the U.S. for a new Privacy Shield, a key issue has been to determine what sort of legal action must be available in the U.S. to provide an effective remedy.
Must the U.S. Congress change statutory law to solve the major issue of “redress” in the EU-US adequacy negotiations? This is a crucial question, especially since a series of political, pragmatic and even legal/constitutional difficulties mean that the U.S. might not be able to come up with a short-term statutory solution for redress. In this article we analyse this question for the first time in detail, and argue that, provided the U.S. is able to address the deficiencies highlighted by the Court of Justice of the European Union (CJEU) in its Schrems II judgment (independence of the redress body; ability to substantively review the requests; and authority to issue decisions that are binding on the intelligence agencies), then relying on a non-statutory solution could be compatible with the “essential equivalence” requirements of Article 45 of the EU’s General Data Protection Regulation (GDPR). In a second, forthcoming article, we set forth specific elements of a novel non-statutory solution and assess whether it would meet the substantive European legal requirements for redress.
This post provides a link to a chapter of the book “Surveillance and Privacy in the Digital Age: European, Transatlantic, and Global Perspectives” (Bloomsbury Publishing, 2021), edited by Valsamis Mitsilegas and Niovi Vavoula, and is provided here with the permission of the publisher. Cloud computing has revolutionized the ways in which individuals, companies and governments operate in the twenty-first century. Such progress, however, can also beget more sophisticated mechanisms for coordinating and executing criminal acts. When evidence sought by one government is stored on a server in another country with a different data privacy regime, how can these conflicting interests be reconciled? What are the responsibilities of service providers when such transfers are concerned?