In the aftermath of the July 16 Schrems II judgment by the Court of Justice of the European Union (CJEU) invalidating a principal legal method for transferring personal data from EU territory to the United States, the future of data flows for transatlantic commerce is dangerously uncertain. The more than 5,300 companies that relied on the U.S.-EU Privacy Shield are scrambling to find another basis under EU law for transferring personal data to the United States, and their principal alternative—standard privacy protection clauses in international data transfer contracts—also appears unlikely to survive ensuing European litigation. In these circumstances, the United States government should look closely at whether the perceived defects in U.S. surveillance law identified by the EU’s judicial branch can be fixed.
Establishing a lasting foundation for data transfers in transatlantic commerce means addressing the core fundamental rights concerns expressed by the CJEU. In particular, this would require making some provision for meaningful individual redress when the government obtains personal data by means of surveillance. Redress entails, at a minimum, constructing a system of administrative fact-finding and judicial review to respond to individual complaints. Fortunately, there’s no need to start from scratch. As we propose here, existing institutional mechanisms within U.S. surveillance law can be adapted to this task, albeit with certain modest statutory adjustments.
The Legal Importance of Individual Redress
The Schrems II case already has elicited multiple responses on Lawfare alone, including our own, Stewart Baker’s stern criticism of the judgment and Henry Farrell’s and Abraham Newman’s more hopeful view that the case creates an opportunity for positive reform of U.S. intelligence law. From Europe, among other commentaries, Théodore Christakis has offered detailed analysis of the issues the judgment raises under European Union law.
In essence, the Luxembourg-based Court of Justice of the European Union (CJEU) repeated the legal standard developed in its 2015 Schrems I judgment: that the privacy protections in nations receiving data from the EU must be “essentially equivalent” to those afforded within the EU. Companies may satisfy this standard if they apply the same safeguards both within the EU and in a third country such as the U.S. that receives personal data from the EU. The challenge is that essential equivalence is also required with respect “to any access by the public authorities to the personal data transferred [and] the relevant aspects of the legal system of that third country.” In other words, when the personal data arrives in the U.S., China or any other third country, there must be “essential equivalence” to EU safeguards with respect to how the government might access the data.
Specifically, the CJEU observed that the U.S. surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) or EO 12333 do not grant surveilled persons “actionable” rights of redress before “an independent and impartial court.” The Court emphasized that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.” It added that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her” fails to “respect the essence of the fundamental right to effective judicial protection,” as set forth in Article 47 of the EU Charter of Fundamental Rights.
The CJEU identified two ways in which U.S. surveillance law lacks essential equivalence to EU safeguards. The first, and the focus of this article, is that the U.S. lacks an “effective and enforceable” right of individual redress. The second, which is beyond the scope of the proposal we offer here, is the finding that there is a lack of “proportionality” in the scale of U.S. intelligence activities. The Court did not dwell much on the issue of proportionality, other than expressing its disapproval of the scope of bulk personal data collection programs conducted under the authority of FISA Section 702 and EO 12333.
The CJEU thus insisted on measuring U.S. surveillance law protections against an idealized, formal standard set forth primarily in EU constitutional law. In the real world, as Professor Kristina Irion recently explained, an EU member state’s own national security agency need not meet this standard, because the Union’s governing treaties state that “national security remains the sole responsibility of each member state.” (A set of challenges to member state bulk personal data collection programs, expected to be decided by the CJEU this fall, will determine whether this exclusion is as absolute as it appears on its face to be.) Thus, the standards for each member state’s surveillance depend on that country’s legal order, as well as the standards developed by the European Court of Human Rights in a series of surveillance cases. But the CJEU relied on neither source of law for its analysis of U.S. surveillance law protections. The court’s legal analysis similarly did not cite the EU Fundamental Right Agency’s survey of member state surveillance laws, many of which lack safeguards the CJEU appears to require of the United States. Nor did it cite an assessment by Oxford scholars that reviewed U.S. surveillance reforms after Snowden and found “much clearer rules on the authorization and limits on the collection, use, sharing, and oversight of data relating to foreign nationals than the equivalent laws of almost all EU Member States.”
The CJEU’s finding of a fundamental right for a citizen of one nation to receive redress concerning surveillance by another nation is similar to a major ruling in May by the German Federal Constitutional Court. The Constitutional Court there held that the German federal intelligence service (BND) must take foreign persons’ interests into account in devising a proportionate surveillance regime. However, even the German court did not go so far as to accord foreigners an individual constitutional right of judicial redress. On the contrary, it expressly acknowledged the attendant difficulties, since German intelligence law very narrowly circumscribes the circumstances in which the BND must notify an individual of the fact of surveillance. Germany has not to date enacted surveillance legislation to implement the constitutional court’s holding.
Getting Privacy Right in Transatlantic Data Negotiations Takes Time
Understandably, some in the U.S. national security community have reacted to Schrems II with anger and disbelief. Stewart Baker, a regular Lawfare contributor, termed it a “mix of judicial imperialism and Eurocentric hypocrisy.” He went on to propose an aggressive U.S. government response aimed at compelling the EU to overturn the effects of the judgment. By contrast, a coalition of major industry groups took a more conciliatory approach, calling for “immediate negotiations on a successor agreement” for U.S.-EU data transfers, and saying “disruption must be avoided” to cross-border data flows between the U.S. and Europe, which it claimed are valued at approximately 1.3 trillion U.S. dollars annually.
Both sides have strong motivation to pursue a further agreement—and past agreements show that negotiations can lead to meaningful results. In recent decades, it has often taken multiple attempts to fashion U.S. privacy protections into a form satisfactory to persuade the EU to authorize data transfers to the United States for security purposes. In one instance, the Court rejected an agreement negotiated between the U.S. Department of Homeland Security and the European Commission on the transfer of airline passenger name records for flight security purposes; however, a revised version has proven durable for the past eight years. Similarly, the U.S. Treasury Department required two tries before concluding a 2010 agreement on the Terrorist Finance Tracking Program that provides U.S. authorities with a steady flow of international bank transfer data from EU territory.
More broadly, in 2016, the U.S. and EU reached an “umbrella” agreement providing baseline privacy protections for criminal law enforcement transfers generally. That agreement could only be reached after the United States agreed to change the Privacy Act to grant foreign persons a right to sue equivalent to that enjoyed by U.S. persons. There is no evidence that this has resulted in burdensome litigation by Europeans in U.S. courts.
For the United States, negotiating lasting data privacy protections with the EU, whether in the commercial or security context, has often been a lengthy and sometimes maddening process. It has required repeated adjustment—including to U.S. law—to accommodate evolving CJEU jurisprudence and complicated dynamics between Brussels and EU member states. After Schrems II, the endgame inevitably will include some modification to U.S. surveillance law and practice, specifically to address the clear concerns expressed by the CJEU about lack of individual redress. Despite the demise of Privacy Shield, history shows that a further agreement may yet be possible.
Lessons from Schrems II About Redress
The Privacy Shield was itself an iterative response to the criticisms of U.S. surveillance law voiced by the CJEU in striking down its predecessor, the Safe Harbor Framework, in 2015. In that prior ruling, the Court emphasized the importance of effective redress to protect surveilled persons, with an independent decision-maker providing protection for the individual’s rights.
In response, the United States agreed in the Privacy Shield to designate an Ombudsperson, an Under Secretary of State, to receive requests from Europeans regarding possible U.S. national security access to their personal data, and to facilitate action by the U.S. intelligence community to remedy any violation of U.S. law. This role was built on top of the Under Secretary’s previously assigned responsibilities under Presidential Policy Directive 28 as a point of contact for foreign governments concerned about U.S. intelligence activities. No change in U.S. surveillance law was needed to establish the Ombudsperson—only the conclusion of an interagency memorandum of understanding between the Department of State and components of the U.S. intelligence community.
In Schrems II, the CJEU made short work of the Privacy Shield’s Ombudsperson innovation. The Court observed that the Under Secretary of State was part of the executive branch, not independent from it, and in any case lacked the power to take corrective decisions that would bind the intelligence community. An inquiry conducted by an administrative official, with no possibility of appealing the result to a court, did not meet the EU constitutional standard for independence and impartiality, the CJEU held. The U.S. bid to finesse the judicial redress requirement in the Schrems I judgment by creatively repurposing the role of the Under Secretary of State had fallen well short of the mark.
Any future attempt by the United States to successfully address this perceived deficiency in judicial redress thus must have two dimensions: a credible fact-finding inquiry into classified surveillance activities in order to ensure protection of the individual’s rights, and the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur.
In devising a system of individual redress for potential surveillance abuses, the first question is how best to create an effective factual inquiry. Our tentative recommendation is that this review be conducted by existing privacy and civil liberties officers (PCLOs) within the intelligence community, as established by Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007. Another possibility is to enlist the Privacy and Civil Liberties Oversight Board, whose statutory authorities were most recently updated in 2018.
One important advantage of the PCLOs is that they already have statutory responsibility for investigating and addressing complaints about violations of privacy and civil liberties. For instance, there are existing forms for making complaints on the PCLO sites for the Department of Justice, National Security Agency and Office of Director of National Intelligence. These officials also have other relevant virtues for investigating allegations of wrongdoing by U.S. intelligence agencies:
- Access to relevant databases, including Top Secret and other classified ones.
- Responsibility for performing Privacy Impact Assessments of new surveillance systems, demonstrating their familiarity with agency data handling.
- Direct reporting channels to senior officials, useful in case of difficulties while conducting an investigation.
- Responsibility for annual or more regular reports, ensuring familiarity with the full range of the agency’s relevant activities.
- Existing staff, to accommodate any new responsibilities to investigate complaints, such as from the EU.
Overall, it is instructive to compare the role of PCLOs, pursuant to Section 803, with the responsibilities of corporate data protection officers under Articles 37 to 39 of the General Data Protection Regulation (GDPR).
Alternatively, one could look to the Privacy and Civil Liberties Oversight Board (PCLOB), a small federal agency currently charged with protecting those interests in relation to U.S. counterterrorism programs. Over the past six years, the PCLOB has studied both FISA Section 702 and EO 12333. Its independent voice on these subjects is recognized and well-respected in Europe. Like the PCLOs, the PCLOB has access to Top Secret and other classified databases.
Current law, however, limits the suitability of the PCLOB for this task. First, its statutory purposes relate only to oversight and policy at the programmatic level, not to the investigation of individual complaints already conducted by the PCLOs. Second, its mandate extends only to anti-terrorism, rather than also including counterintelligence, other types of nation-state threats and other aspects of national security. Congress may question extending the PCLOB’s scope beyond anti-terrorism. Third, there have been periods since its establishment in 2007 when the PCLOB lacked a quorum to operate, due to an insufficient number of Senate-confirmed board members.
From a European law perspective, neither the PCLOs nor the PCLOB is a perfect fit for undertaking independent fact-finding. The PCLOB is often referred to as an independent agency, but its statute defines it as “an independent agency within the executive branch.” The PCLOs also fall within the executive branch, embedded in each agency and reporting to its head. The possibility of any federal agency acting entirely independently of the executive branch has become more doubtful constitutionally as a result of the June 2020 Supreme Court decision in Seila Law limiting the independence of the Director of the Consumer Financial Protection Bureau. However, our proposal as discussed below would also subject agency decisionmaking to review by an independent Article III federal judge, who would have the power to redress any flaws in the investigation.
Reliance on the PCLOB as a fact-finder, going beyond its current anti-terrorism mandate, would require statutory change by Congress; PCLOs, by contrast, potentially could be empowered to conduct factual investigations, including of non-U.S. persons, simply by administrative direction.
Beyond the question of who in the U.S. government is best placed to act as a fact-finder, a new statute would need to define the standard for that investigation, which we believe should apply both to U.S. persons and those in the EU. Precise definition will require the involvement of experts within the U.S. intelligence community as well as those knowledgeable about surveillance-related redress procedures in European countries. We suggest that the legal standard for all complaints should be to test compliance with U.S. legal requirements, such as whether collection under FISA Section 702 was done consistent with the statute and judges’ orders governing topics such as targeting and minimization. In addition, a future agreement between the U.S. and the EU or other third countries could add provisions forming part of the investigative standard, perhaps including reciprocal rights for U.S. persons with respect to the other country’s surveillance programs. Similarly, the new statute could address other issues, including whether individuals would ever receive actual notice that they have been surveilled—a rarity in actual practice.
Enter the FISC
The fact-finding stage would presumably conclude with the PCLO (or PCLOB) making a finding similar to the one assigned to the Ombudsperson under the Privacy Shield: advising the complainant either that there has been no violation of U.S. surveillance law or that any violation has been corrected. This sort of limited reporting about classified investigations exists as well for the U.K. Investigatory Powers Tribunal, which is prohibited from disclosing to the complainant “anything which might compromise national security or the prevention and detection of serious crime.” Broader disclosure about classified investigations risks benefiting hostile states, terrorist groups or others.
We suggest that the obvious and appropriate path for an appeal from the fact-finding stage would be to the Foreign Intelligence Surveillance Court (FISC). FISC judges, along with other federal judges, meet the gold standard for independence, since Article III of the U.S. Constitution ensures that they have lifetime tenure and are located outside of the executive branch. Making the FISC responsible for the adjudication of individual complaints would be a novel departure from its current institutional responsibilities, but consistent with the work of reviewing agency decisions that federal judges do in their non-FISC capacities. Still, this court is better suited than an ordinary Article III court would be, because of its specialized expertise in U.S. surveillance law and well-established procedures for dealing with classified matters. The FISC already provides judicial oversight for the FISA Section 702 program—and has a proven track record of effective oversight. In the wake of the Snowden revelations, numerous FISC decisions were declassified and made public. A detailed review of these decisions concluded: “The FISC monitors compliance with its orders, and has enforced with significant sanctions in cases of noncompliance.”
A key legal issue in crafting such a system is ensuring that a plaintiff has “standing” to sue, as required by Article III of the U.S. Constitution. In the Irish High Court decision in Schrems II, Judge Costello wrote that “All of the evidence show that [standing] is an extraordinarily difficult hurdle for a plaintiff to overcome” in government surveillance cases. In summary, the plaintiff must show: (1) he or she has suffered injury in fact, (2) that is causally connected to the conduct complained of, and (3) is likely to be redressed by a favorable judicial opinion. Under EU law, an individual such as Max Schrems can bring a successful case without proving that he was ever under surveillance by the U.S. government. By contrast, as explained by Tim Edgar in Lawfare, plaintiffs in the U.S. have had to clear a high hurdle to establish standing and gain a legal ruling about the lawfulness of surveillance.
To assure standing for these appeals to the FISC, a mechanism similar to the one utilized under the U.S. Freedom of Information Act (FOIA) appears feasible. Under FOIA, any individual can request that an agency produce documents, without the need to first demonstrate particular “injury.” The agency is then under a statutory requirement to conduct an effective investigation, and to explain any decision not to supply the documents. After the agency completes its investigation, the individual can appeal to federal court to ensure independent judicial review. The judge then examines the quality of the agency’s investigation to ensure compliance with law, and he or she can order changes in the event of any mistakes by the agency.
Analogously, when seeking individual redress on a matter relating to national security, the FISC could independently assess whether the administrative investigation met statutory requirements, and the judge could issue an order to correct any mistakes by the agency—including by correcting or deleting data or requiring additional fact-finding. This sort of judicial review of agency action is extremely common under the Administrative Procedure Act that applies broadly across federal agencies. Typically, the judge must ensure that the agency action is not “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” There is standing on the part of the individual—a “case or controversy”—to assess whether the agency has properly discharged its statutory duties. As with FOIA, there is no need to determine whether the complaining individual has suffered injury in fact, since the statute creates a duty on the agency to act in a defined way.
We identify three features worth considering with this approach. First, due to the classified nature of the PCLO finding, there may not be any workable way for the complainant to decide whether to bring an appeal. Therefore, it may make sense to have an automatic appeal to the FISC. Second, the 2015 USA FREEDOM Act established a role for appointed amici curiae who have full access to classified information and can brief the FISC on “legal arguments that advance the protection of individual privacy and civil liberties.” These amici could play a role in advocating for the rights of the complainant, so that the FISC judge can receive briefing from both the agency and an amicus assigned to scrutinize the agency investigation. Third, we recommend that, for reasons of equity, the right to file a complaint be extended to U.S. persons in addition to those making complaints from the EU concerning surveillance under FISA Section 702 and EO 12333. Congress should consider how to structure a meaningful right to redress while avoiding a flood of complaints. The experience from Europe, and from prior agreements such as Privacy Shield and the Terrorist Finance Tracking Program, suggests that the actual number of complaints would likely be manageable.
Until now, U.S.-EU discussions about individual redress have proven futile. EU law, as reiterated in Schrems II, requires independent and effective redress for the individual subject to third-country surveillance activities. U.S. law, meanwhile, has seemed to prohibit federal judges from acting on such individual claims about surveillance, due to difficulties in establishing the standing required by Article III of the Constitution.
The proposal here draws on a different strand of U.S. law—the opportunity for an individual to test compliance with acts that an agency is required to perform. We propose that agencies that conduct or assess surveillance be required to carry out fact-finding investigations, as authorized by a new statute. Then, an independent federal judge would evaluate the fact-finding investigation, and order changes in its result if needed. As with other decisions by the FISC, there can be appeal to the Foreign Intelligence Surveillance Court of Review and ultimately to the U.S. Supreme Court.
We offer this proposal to stimulate thinking about adapting existing U.S. federal privacy and surveillance oversight structures to create a genuine right of individual redress for surveillance complaints, as EU law requires. Whatever future negotiations for the U.S. and EU on transatlantic data flows may yield, the result this time must be one that complies with the requirements of both legal systems.