After Schrems II: A Proposal to Meet the Individual Redress Challenge

In the aftermath of the July 16 Schrems II judgment by the Court of Justice of the European Union (CJEU) invalidating a principal legal method for transferring personal data from EU territory to the United States, the future of data flows for transatlantic commerce is dangerously uncertain. The more than 5,300 companies that relied on the U.S.-EU Privacy Shield are scrambling to find another basis under EU law for transferring personal data to the United States, and their principal alternative—standard privacy protection clauses in international data transfer contracts—also appears unlikely to survive ensuing European litigation. In these circumstances, the United States government should look closely at whether the perceived defects in U.S. surveillance law identified by the EU’s judicial branch can be fixed.

Establishing a lasting foundation for data transfers in transatlantic commerce means addressing the core fundamental rights concerns expressed by the CJEU. In particular, this would require making some provision for meaningful individual redress when the government obtains personal data by means of surveillance. Redress entails, at a minimum, constructing a system of administrative fact-finding and judicial review to respond to individual complaints. Fortunately, there’s no need to start from scratch. As we propose here, existing institutional mechanisms within U.S. surveillance law can be adapted to this task, albeit with certain modest statutory adjustments.

The Legal Importance of Individual Redress

The Schrems II case already has elicited multiple responses on Lawfare alone, including our own, Stewart Baker’s stern criticism of the judgment and Henry Farrell’s and Abraham Newman’s more hopeful view that the case creates an opportunity for positive reform of U.S. intelligence law. From Europe, among other commentaries, Théodore Christakis has offered detailed analysis of the issues the judgment raises under European Union law.

In essence, the Luxembourg-based Court of Justice of the European Union (CJEU) repeated the legal standard developed in its 2015 Schrems I judgment: that the privacy protections in nations receiving data from the EU must be “essentially equivalent” to those afforded within the EU. Companies may satisfy this standard if they apply the same safeguards both within the EU and in a third country such as the U.S. that receives personal data from the EU. The challenge is that essential equivalence is also required with respect “to any access by the public authorities to the personal data transferred [and] the relevant aspects of the legal system of that third country.” In other words, when the personal data arrives in the U.S., China or any other third country, there must be “essential equivalence” to EU safeguards with respect to how the government might access the data.

Specifically, the CJEU observed that the U.S. surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) or EO 12333 do not grant surveilled persons “actionable” rights of redress before “an independent and impartial court.” The Court emphasized that “the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.” It added that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her” fails to “respect the essence of the fundamental right to effective judicial protection,” as set forth in Article 47 of the EU Charter of Fundamental Rights.

The CJEU identified two ways in which U.S. surveillance law lacks essential equivalence to EU safeguards. The first, and the focus of this article, is that the U.S. lacks an “effective and enforceable” right of individual redress. The second, which is beyond the scope of the proposal we offer here, is the finding that there is a lack of “proportionality” in the scale of U.S. intelligence activities. The Court did not dwell much on the issue of proportionality, other than expressing its disapproval of the scope of bulk personal data collection programs conducted under the authority of FISA Section 702 and EO 12333.

The CJEU thus insisted on measuring U.S. surveillance law protections against an idealized, formal standard set forth primarily in EU constitutional law. In the real world, as Professor Kristina Irion recently explained, an EU member state’s own national security agency need not meet this standard, because the Union’s governing treaties state that “national security remains the sole responsibility of each member state.” (A set of challenges to member state bulk personal data collection programs, expected to be decided by the CJEU this fall, will determine whether this exclusion is as absolute as it appears on its face to be.) Thus, the standards for each member state’s surveillance depend on that country’s legal order, as well as the standards developed by the European Court of Human Rights in a series of surveillance cases. But the CJEU relied on neither source of law for its analysis of U.S. surveillance law protections. The court’s legal analysis similarly did not cite the EU Fundamental Rights Agency’s survey of member state surveillance laws, many of which lack safeguards the CJEU appears to require of the United States. Nor did it cite an assessment by Oxford scholars that reviewed U.S. surveillance reforms after Snowden and found “much clearer rules on the authorization and limits on the collection, use, sharing, and oversight of data relating to foreign nationals than the equivalent laws of almost all EU Member States.”

The CJEU’s finding of a fundamental right for a citizen of one nation to receive redress concerning surveillance by another nation is similar to a major ruling in May by the German Federal Constitutional Court. The Constitutional Court there held that the German federal intelligence service (BND) must take foreign persons’ interests into account in devising a proportionate surveillance regime. However, even the German court did not go so far as to accord foreigners an individual constitutional right of judicial redress. On the contrary, it expressly acknowledged the attendant difficulties, since German intelligence law very narrowly circumscribes the circumstances in which the BND must notify an individual of the fact of surveillance. Germany has not to date enacted surveillance legislation to implement the constitutional court’s holding.

Getting Privacy Right in Transatlantic Data Negotiations Takes Time

Understandably, some in the U.S. national security community have reacted to Schrems II with anger and disbelief. Stewart Baker, a regular Lawfare contributor, termed it a “mix of judicial imperialism and Eurocentric hypocrisy.” He went on to propose an aggressive U.S. government response aimed at compelling the EU to overturn the effects of the judgment. By contrast, a coalition of major industry groups took a more conciliatory approach, calling for “immediate negotiations on a successor agreement” for U.S.-EU data transfers, and saying “disruption must be avoided” to cross-border data flows between the U.S. and Europe, which it claimed are valued at approximately 1.3 trillion U.S. dollars annually.

Both sides have strong motivation to pursue a further agreement—and past agreements show that negotiations can lead to meaningful results. In recent decades, it has often taken multiple attempts to fashion U.S. privacy protections into a form satisfactory to persuade the EU to authorize data transfers to the United States for security purposes. In one instance, the Court rejected an agreement negotiated between the U.S. Department of Homeland Security and the European Commission on the transfer of airline passenger name records for flight security purposes; however, a revised version has proven durable for the past eight years. Similarly, the U.S. Treasury Department required two tries before concluding a 2010 agreement on the Terrorist Finance Tracking Program that provides U.S. authorities with a steady flow of international bank transfer data from EU territory.

More broadly, in 2016, the U.S. and EU reached an “umbrella” agreement providing baseline privacy protections for criminal law enforcement transfers generally. That agreement could only be reached after the United States agreed to change the Privacy Act to grant foreign persons a right to sue equivalent to that enjoyed by U.S. persons. There is no evidence that this has resulted in burdensome litigation by Europeans in U.S. courts.

For the United States, negotiating lasting data privacy protections with the EU, whether in the commercial or security context, has often been a lengthy and sometimes maddening process. It has required repeated adjustment—including to U.S. law—to accommodate evolving CJEU jurisprudence and complicated dynamics between Brussels and EU member states. After Schrems II, the endgame inevitably will include some modification to U.S. surveillance law and practice, specifically to address the clear concerns expressed by the CJEU about lack of individual redress. Despite the demise of Privacy Shield, history shows that a further agreement may yet be possible.

Lessons from Schrems II About Redress

The Privacy Shield was itself an iterative response to the criticisms of U.S. surveillance law voiced by the CJEU in striking down its predecessor, the Safe Harbor Framework, in 2015. In that prior ruling, the Court emphasized the importance of effective redress to protect surveilled persons, with an independent decision-maker providing protection for the individual’s rights.

In response, the United States agreed in the Privacy Shield to designate an Ombudsperson, an Under Secretary of State, to receive requests from Europeans regarding possible U.S. national security access to their personal data, and to facilitate action by the U.S. intelligence community to remedy any violation of U.S. law. This role was built on top of the Under Secretary’s previously assigned responsibilities under Presidential Policy Directive 28 as a point of contact for foreign governments concerned about U.S. intelligence activities. No change in U.S. surveillance law was needed to establish the Ombudsperson—only the conclusion of an interagency memorandum of understanding between the Department of State and components of the U.S. intelligence community.

In Schrems II, the CJEU made short work of the Privacy Shield’s Ombudsperson innovation. The Court observed that the Under Secretary of State was part of the executive branch, not independent from it, and in any case lacked the power to take corrective decisions that would bind the intelligence community. An inquiry conducted by an administrative official, with no possibility of appealing the result to a court, did not meet the EU constitutional standard for independence and impartiality, the CJEU held. The U.S. bid to finesse the judicial redress requirement in the Schrems I judgment by creatively repurposing the role of the Under Secretary of State had fallen well short of the mark.

Any future attempt by the United States to successfully address this perceived deficiency in judicial redress thus must have two dimensions: a credible fact-finding inquiry into classified surveillance activities in order to ensure protection of the individual’s rights, and the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur.  

Possible Factfinders

In devising a system of individual redress for potential surveillance abuses, the first question is how best to create an effective factual inquiry. Our tentative recommendation is that this review be conducted by existing Privacy and Civil Liberties Officers (PCLOs) within the intelligence community, as established by

