Each time a person goes online they leave a digital footprint, but that does not mean they are aware of what that footprint contains. For example, some smartphone applications have location tracking set as a default, which requires the user to have knowledge of this default setting in order to turn it off. (1) In the case of Strava, a popular fitness application that allows members to share running routes with each other and compare fitness goals, the location-sharing feature also publicized heat maps of runners' routes that showed the positions of military service members on U.S. bases abroad. (2) Even where location sharing does not implicate national security by showing exact stations of servicemembers, it raises serious privacy concerns when it reveals information that the user did not know was accessible to others. (3) Design choices make it more difficult for users to become aware of what is happening with their personal information, and subsequently limit their ability to exercise meaningful control over data collection even where applications purport to give it to them. The European Union's comprehensive data privacy regulation, the General Data Protection Regulation (GDPR), acknowledges this defect in Article 25, titled "Data protection by design and by default," which requires companies to implement upfront data protection principles prior to processing personal data. (4)
Many in the United States also see comprehensive federal privacy legislation as necessary, including members of Congress who have introduced more than thirty total bills regarding federal data privacy since 2018. (5) The United States has yet to act on the issue on a federal level, (6) instead generally leaving it to individual companies and states to determine their own privacy policies. Generally, the U.S. approach to data collection is permissive with certain exceptions and prohibitions. (7) The EU took a different approach beginning with the Data Privacy Directive in 1995, which is now in force as the General Data Protection Regulation of 2018. (8) In the EU, data processing is unlawful unless the processor can first show one of the bases outlined in the GDPR as a reason for collecting it. (9)
Although starting from different viewpoints, both systems recognize that the companies who want to do business across their borders have to be permitted to engage in cross-border data transfers in order to operate. Under the GDPR, a country must be deemed to have adequate data protection laws before being allowed to receive data transfers from subjects located in the European Union. (10) The United States is not currently an adequate jurisdiction, resulting in the need for other agreements to facilitate business between these markets. (11) The first agreement, the Safe Harbor Agreement, (12) and then its replacement, Privacy Shield, (13) both operated as voluntary self-certification programs for individual companies. (14) Due to Austrian data privacy activist Max Schrems, both agreements have been held invalid. (15) First, the 2015 case of Maximillian Schrems v. Data Protection Commissioner (Schrems I) invalidated the Safe Harbor Agreement, (16) and later the 2020 case...