The ‘Three Rs’ of President Biden’s Trans-Atlantic Privacy Outreach
Can President Biden finally resolve America’s privacy conflict with Europe? Only time will tell, but he’s made a good-faith offer that European leaders would be wise to accept.
Ever since the 9/11 attacks, the United States and its European Union allies have been engaged in a long-running, low-level diplomatic dispute over the contours of a right to privacy. The basic cause of this dispute has long been clear: For European Union members, privacy is considered a fundamental human right, enshrined in charter language; for Americans, it is typically characterized as a more limited statutory right (with the notable exception of certain privacy aspects found in the Fourth Amendment to the Constitution). And, for U.S. lawmakers, that conception of privacy has been central to exploitation of collected intelligence (as well as other data) and post-9/11 counterterrorism and national security efforts. Europeans tend to see that collection construct as intrusive and unnecessary.
The upshot of this disagreement has been a modest disruption of the U.S.-EU alliance. Because of shared interests in more pressing issues (such as dealing with China’s economic rise), neither side has made privacy issues the focus of a major diplomatic dispute. Instead, the difference of opinion has become a long-running irritant—a thorn, if you will, in the side of an otherwise positive relationship. Over the past 20 years, at least four or five (depending on how you count it) efforts to ease these differences (some of which I personally participated in) have, to date, failed to find a mutually agreeable solution.
The disagreement has largely played out in the commercial sphere. For the most part, European national security agencies have been active and effective participants in U.S. intelligence activities. However, because the EU, which administers the privacy regulations for the union, has competence only in commercial areas (leaving national security to the member states), the union has evinced little interest in how signals intelligence (SIGNIT) benefits Europe, and has allowed the commercial privacy disagreement to “spill over” into the national security space. The most recent iteration of these efforts, known as Privacy Shield, was rejected by the European Court of Justice in July 2020. Since that time, the U.S. and the EU have been searching for yet another possible resolution.
President Biden’s most recent effort may finally do the trick. In March of this year, while in Europe to bolster support for Ukraine’s defense against Russian aggression, Biden tried to calm the privacy waters by committing to a Trans-Atlantic Data Privacy Framework. Earlier this month, he issued an executive order (and the Justice Department issued accompanying regulations) intended to implement his commitment (and, along the way, appears to have renamed the agreement as the EU-U.S. Data Privacy Framework). Others on Lawfare have already provided an excellent summary of the provisions of the new executive order.
From a higher-level perspective, there are three unique aspects of the Biden administration’s work—what we might call the “Three Rs” of the executive order: restrictions, review, and reciprocity. Each is a relatively new aspect of how the U.S. government approaches signals intelligence and is responsive to the quagmire of issues stalling U.S.-EU agreement.
One of the major objections from the EU side has always been the perceived breadth and scope of the American SIGINT program, as well as the perceived lack of limits on how collected signals intelligence may otherwise be used by parts of the American government. EU leaders have also pushed back on other data collection activities, like the Passenger Name Record collection by U.S. Customs and Border Protection. European privacy advocates consider American data collection profligate and disproportionate to the need.
The first innovation of the executive order is an effort to address this concern (at least as to signals intelligence) by articulating legitimate and illegitimate grounds for SIGINT collection. To be sure, some of these restrictions have previously been incorporated in various orders and directives. Some are even contained within statutory provisions. But to my knowledge, this appears to be the first time that the U.S. government has attempted to make a binding, legal commitment to limit its SIGINT activities beyond that mandated by domestic law.
Indeed, quite the opposite has been the historical norm. Most of America’s public advocacy relating to intelligence collection has always been about the need to maintain its freedom of action. Our national security professionals have long contended that the intelligence community would need to “Play to the Edge” in its contest with adversaries. In the new executive order, though the president has wisely retained the discretion to modify the list of legitimate objectives for SIGINT collection, their articulation in a public document is a first-of-its-kind self-restriction by the United States. While some may think this unwise, none can doubt the novelty of the action.
Compounding this new step is the order’s adoption of even greater limitations on bulk collection activities, with even fewer permitted objectives for this sort of collection. These restrictions are similar to ones adopted earlier by President Obama in Presidential Policy Directive 28, though they are now restated and modified slightly. The collection of bulk data has been a particular point of contention from the European Union, which contends that the practice lacks proportionality and particularity. Though European advocates would likely have preferred that the practice be completely prohibited, it is significant that bulk collection activities are even more closely circumscribed than targeted signals intelligence activities.
Another change is the inclusion of a list of prohibited objectives for signals intelligence, which had been articulated earlier in a 2014 presidential policy directive from the Obama administration. The list will be familiar to some; it says SIGINT may not be collected to suppress criticism, disadvantage privacy, invade the province of legal counsel, discriminate on a prohibited basis, or advantage American economic interests. One hopes that such activities were effectively nonexistent even before the executive order was issued, but, again, their articulation in a binding order is novel.
More to the point, and even more powerfully, the executive order innovates when it says that prohibited types of collection may not even be an incidental result of otherwise legitimate signals collection. As the order puts it, the director of national intelligence, in creating intelligence priorities, must consult with the civil liberties protection officer (CLPO) of the Office of the Director of National Intelligence and get a sign-off that the proposal both advances one or more of the legitimate objectives identified—and, far more importantly, that the program “neither was designed nor is anticipated to result in signals intelligence collection in contravention of the prohibited objectives[.]” In other words, if a signals intelligence collection program might be anticipated to have some prohibited impact, it is suspect.
This new language has echoes of other privacy versus security debates and resolves the balance in a manner that is intended to be quite broadly protective of privacy—a new limitation that is both significant and substantive.
In short, one aspect of the new executive order is an effort to put additional practical and legal constraints on when and how the intelligence community collects certain types of SIGINT—a step intended to answer the E.U.’s long-standing objections as to the overbroad scope of American intelligence collection.
A second major concern from European counterparts has always been the lack of what is, in their view, an adequate review and redress process. That objection has always lacked real persuasive force from U.S. policymakers (including myself). Though our review processes were different from those in Europe, they were effectively equivalent. Of equal note, to a very real degree, Europeans complaining of privacy violations were in no worse a place than Americans who had privacy complaints about American activities—both had more limited rights in America than either would have had in Europe.
President Biden’s second innovation responds to this concern. Absent a change in the statutes governing access to U.S. courts (a change that is, quite frankly, as likely to happen as the sun rising in the West), the administration has leaned forward as far as it might in providing new independent review and redress mechanisms.
To begin with, the order establishes internal review procedures within all of the intelligence community components. The newly articulated restrictions on SIGINT collection will, as with all such limitations in the intelligence community, be subject to internal audits, reviews by inspectors general, and the like.
Beyond that, the order also creates a new two-layer review process for individual cases and a third layer of systematic review. For individual complaints (only from qualifying countries—more about this below), the CLPO will initially conduct a review. The CLPO’s conclusions will then be subject to further review by a newly created Data Privacy Review Court (DPRC) to be housed in the Department of Justice. The DPRC’s review is intended to be both plenary and binding on the intelligence community. And, finally, the operation of the CLPO and the DPRC will itself be subject to review for, essentially, procedural adequacy, by the Privacy and Civil Liberties Oversight Board.
This may not satisfy those who think only truly independent judicial review is adequate. Long-time critic of American privacy, Max Schrems, has already indicated that he thinks the order will not satisfy European requirements for true independence. Others, however, have taken a more generous approach and argued that executive-created independence is essentially equivalent and, thus, will satisfy the European need for effective redress.
It seems to me, however, that the Biden administration has gone as far as it can go within the constraints of American law. There is virtually no chance that an American Congress will afford access to American courts for EU citizens who feel aggrieved by U.S. intelligence activity. And there may well be standing limits on Congress’s ability to do so based on Article III concerns in the absence of a requirement that the government disclose the fact of surveillance to interested persons—a highly unlikely scenario. Nobody would colorably be able to allege and prove injury in fact sufficient to satisfy constitutional requirements. The proposed DPRC is intended to have significant, wide-ranging impact and, properly implemented, may well transform how privacy complaints are resolved within the context of American intelligence activities.
The final innovation is a bit of a sting in the scorpion’s tail—one that probably brings a smile to the faces of many who have toiled in the diplomatic mines of the U.S.-EU privacy dispute. For many years, American leadership has suggested there was a faint whiff of hypocrisy in the European argument. What was sauce for the European goose was not, it was observed, sauce for the American gander—in that American data was seemingly unprotected from use by European intelligence agencies.
No longer. Access to the newly created redress process will be available only to complainants who come from “qualifying states” designated by the U.S. attorney general. And to become a qualifying state, a nation (or a supranational organization like the European Union) will be obliged to provide assurance as to the safeguards with which it treats American data it receives. More importantly, it must permit the transfer of data to the United States for commercial purposes. In other words, the redress process is contingent on agreement to the continued ability of American companies to freely transfer commercial data across the Atlantic and also on at least some assurances that the processing of U.S.-originating data for signals intelligence purposes in Europe is subject to legal safeguards.
To be sure, the order does not specify what those safeguards might look like. And one suspects that the attorney general will be rather lenient in their characterization. But for the first time (at least in my memory), there is the beginning of a suggestion that Europe will have to, as it is demanding of the United States, begin putting in place processes to which aggrieved Americans might have access. That, too, would be a sea change.
Is all this going to be enough for the EU? For some, the answer is already clear. Some Europeans are privacy imperialists—and nothing short of full equivalence to European data privacy conceptions of a fundamental right will suffice. This, of course, is almost tautologically impossible because the European Union does not purport to regulate European signals intelligence activity, which is a matter of member state competence, while it does purport to have a say in U.S. signals intelligence activity through its regulation of data transfers outside of the EU.
But for others, including the European Commission, it seems as though President Biden has offered a practical, realistic, and ultimately rather generous set of concessions. In the end, the European Court of Justice will, once again, have to weigh the matter. The judges would be wise to see this offer for what I suspect it really is—the very best that is feasible within the construct of American statutory and constitutional law. If that is insufficient, then, candidly, nothing is likely to satisfy the EU’s legal demands. Then, it will be time for a wholesale reconsideration of the contours of the privacy dispute—a result that would be deeply problematic on many levels. This new order is a good off-ramp for all parties to ride on—and the European Commission, at least, seems to recognize that fact. It would be wise for other institutions to do likewise.