Schrems II and Individual Redress—Where There’s a Will, There’s a Way

The issue of individual redress has bedeviled negotiations between the European Union and the United States for more than two decades. Three adequacy deals—the Passenger Name Record (PNR) Agreement, Schrems I and Schrems II—have now unraveled because the European Court of Justice (CJEU) insists on an effective judicial remedy and the U.S. is unable to to provide one. The latest ruling in Schrems II, invalidating the Privacy Shield, emphasized that the requirements of adequacy or “essential equivalence” apply to all systemic transfer provisions under the General Data Protection Regulation (GDPR). 

The EU and the U.S. must find a durable arrangement for data transfers. If they do not, then complaints and court rulings will perpetually impede international transfers. This requires, as a matter of substance, solving the problems of necessity and proportionality, and, as a matter of governance, solving the problem of individual redress.

The ruling in Schrems II that the Ombudsperson mechanism was inadequate did not come as a surprise. After all, one of the two central issues in Schrems I, an earlier cross-border data case brought by the same Austrian activist, was the right to an effective judicial remedy under Article 47 of the EU Charter of Fundamental Rights. In the aftermath of Schrems II, Theodore Christakis recommends against another quick fix like the Privacy Shield and pushes for a long-lasting EU-U.S. arrangement providing legal certainty for years to come, and Christopher Kuner hopes that the governance issues may be easier to deal with in a legal sense, “assuming the political will to do so in the US.” 

One practical idea has come from Kenneth Propp and Peter Swire in the U.S., who have published their “Proposal to Meet the Individual Redress Challenge.” They offer a pragmatic analysis of the lack of individual redress and the tools available in the U.S. that could arguably be modified without great administrative or legislative overhaul to permit a third and more durable adequacy regime. Crucially, Propp and Swire assert that existing institutional mechanisms within U.S. surveillance law can be adapted to this task and there is no need to start from scratch. 

The objective of this post is to respond to Propp and Swire from a European perspective, to underline the acceptable elements of their proposal and clarify which questions remain. While the discussion in this post is focused on the U.S. and the EU, it affects many other third countries confronted with similar issues.

The CJEU will Enforce EU Fundamental Rights

Before diving into the Propp and Swire proposal, it’s important to get a bit of background. While negotiating data privacy with the EU has seemed lengthy and sometimes maddening for the U.S, the EU is equally frustrated by its failure to convey its deep commitment to the rights and values at stake. These are embodied in the EU Charter of Fundamental Rights, which itself complements and modernizes the more venerable and pan-European Convention on Human Rights (ECHR). Since the Lisbon Treaty came into force, the charter has enjoyed constitutional status and has been applied consistently in the case law of the CJEU. 

Some commentators in the U.S. assert that the information processed by intelligence agencies simply falls outside EU law, but this is a red herring. Yes, Article 4 of the EU Treaty, reflected in the exception to scope under Article 2(d) of the GDPR, does reserve national security to the EU Member States. However, Article 4 excludes from EU law only the activities that intelligence agencies carry out themselves, exercising sovereign authority. In contrast, information collected by private operators for commercial purposes is covered by EU law:  when it is then accessed for intelligence purposes it is covered by the requirements laid down in Article 23(a)-(d) of the GDPR. The CJEU has reiterated this point in multiple rulings, and it was simply extended to international transfers in Schrems I. The same distinction exists in the ePrivacy Directive, and on Oct. 6, the CJEU confirmed the distinction definitively in rulings on bulk surveillance programs in Belgium and France  and in the U.K. 

In the data protection area, the CJEU has prioritized the rights to privacy, protection of personal data and access to an effective judicial remedy, enshrined in Articles 7, 8 and 47 of the EU Charter, over inconsistent EU and national law. Privacy Shield is not the only provision to be rejected by the court for these reasons. The CJEU has set aside EU statutes such as the Data Retention Directive, statutory instruments such as the Safe Harbor and Privacy Shield Decisions (Schrems I and IIAdvertise on IT Security News.