The issue of individual redress has bedeviled negotiations between the European Union and the United States for more than two decades. Three adequacy deals—the Passenger Name Record (PNR) Agreement, Schrems I and Schrems II—have now unraveled because the European Court of Justice (CJEU) insists on an effective judicial remedy and the U.S. is unable to to provide one. The latest ruling in Schrems II, invalidating the Privacy Shield, emphasized that the requirements of adequacy or “essential equivalence” apply to all systemic transfer provisions under the General Data Protection Regulation (GDPR).
The EU and the U.S. must find a durable arrangement for data transfers. If they do not, then complaints and court rulings will perpetually impede international transfers. This requires, as a matter of substance, solving the problems of necessity and proportionality, and, as a matter of governance, solving the problem of individual redress.
The ruling in Schrems II that the Ombudsperson mechanism was inadequate did not come as a surprise. After all, one of the two central issues in Schrems I, an earlier cross-border data case brought by the same Austrian activist, was the right to an effective judicial remedy under Article 47 of the EU Charter of Fundamental Rights. In the aftermath of Schrems II, Theodore Christakis recommends against another quick fix like the Privacy Shield and pushes for a long-lasting EU-U.S. arrangement providing legal certainty for years to come, and Christopher Kuner hopes that the governance issues may be easier to deal with in a legal sense, “assuming the political will to do so in the US.”
One practical idea has come from Kenneth Propp and Peter Swire in the U.S., who have published their “Proposal to Meet the Individual Redress Challenge.” They offer a pragmatic analysis of the lack of individual redress and the tools available in the U.S. that could arguably be modified without great administrative or legislative overhaul to permit a third and more durable adequacy regime. Crucially, Propp and Swire assert that existing institutional mechanisms within U.S. surveillance law can be adapted to this task and there is no need to start from scratch.
The objective of this post is to respond to Propp and Swire from a European perspective, to underline the acceptable elements of their proposal and clarify which questions remain. While the discussion in this post is focused on the U.S. and the EU, it affects many other third countries confronted with similar issues.
The CJEU will Enforce EU Fundamental Rights
Before diving into the Propp and Swire proposal, it’s important to get a bit of background. While negotiating data privacy with the EU has seemed lengthy and sometimes maddening for the U.S, the EU is equally frustrated by its failure to convey its deep commitment to the rights and values at stake. These are embodied in the EU Charter of Fundamental Rights, which itself complements and modernizes the more venerable and pan-European Convention on Human Rights (ECHR). Since the Lisbon Treaty came into force, the charter has enjoyed constitutional status and has been applied consistently in the case law of the CJEU.
Some commentators in the U.S. assert that the information processed by intelligence agencies simply falls outside EU law, but this is a red herring. Yes, Article 4 of the EU Treaty, reflected in the exception to scope under Article 2(d) of the GDPR, does reserve national security to the EU Member States. However, Article 4 excludes from EU law only the activities that intelligence agencies carry out themselves, exercising sovereign authority. In contrast, information collected by private operators for commercial purposes is covered by EU law: when it is then accessed for intelligence purposes it is covered by the requirements laid down in Article 23(a)-(d) of the GDPR. The CJEU has reiterated this point in multiple rulings, and it was simply extended to international transfers in Schrems I. The same distinction exists in the ePrivacy Directive, and on Oct. 6, the CJEU confirmed the distinction definitively in rulings on bulk surveillance programs in Belgium and France and in the U.K.
In the data protection area, the CJEU has prioritized the rights to privacy, protection of personal data and access to an effective judicial remedy, enshrined in Articles 7, 8 and 47 of the EU Charter, over inconsistent EU and national law. Privacy Shield is not the only provision to be rejected by the court for these reasons. The CJEU has set aside EU statutes such as the Data Retention Directive, statutory instruments such as the Safe Harbor and Privacy Shield Decisions (Schrems I and II), and treaties such as the draft EU-Canada PNR Agreement, as well as national statutes and even national constitutional laws that failed to respect these rights. It should be noted how often these three rights were invoked in Schrems II.
Possible Solutions
Propp and Swire argue that individual redress entails, at a minimum, constructing a system of administrative fact-finding and judicial review to respond to individual complaints. But unsurprisingly, the situation is more complicated from an EU perspective.
The key to identifying potential points of future compromise by the EU is understanding the nature of three different types of institutions: data protection officers (DPOs), independent supervisory authorities (DPAs) and courts. It is essential to recognize the differences between a DPO and a DPA, with regard to independent oversight; between administrative oversight by a DPA and redress before a court, with regard to effective legal redress; and between a court under the charter and an authority under the ECHR, with regard to providing an effective remedy. These three differences are examined in detail below.
Independent Oversight and the Difference Between a DPO and DPA
The difference between a DPA and a DPO is crucial when establishing whether there is independent supervision. Under the GDPR, DPOs are part of the organization of the data controller but have the right and duty to act independently in carrying out their roles. A similar, though not legally identical, role of chief privacy officer is well established in the United States.
In contrast, the right to independent supervision by a DPA is enshrined as a specific element of the right to protection of personal data in Article 8(3) of the EU Charter and in Article 16(2) of the EU Treaty itself. In a series of cases interpreting and applying Article 8(3) of the charter, the CJEU has insisted on the “complete” independence of DPAs in setting aside state law, national law and national constitutional law. In July 2017, the CJEU applied this requirement to international transfers in EU-Canada PNR. Because this last ruling was handed down a year after the adoption of the Privacy Shield, it was not an issue for the negotiators of the Privacy Shield. However, in the interests of ensuring a durable solution, it would be prudent now to consider the need for an “essentially equivalent” form of independent supervision.
Kristina Irion and other commentators have pointed to possible problems for the U.K. in obtaining an adequacy decision due to its broad surveillance laws and, hence, the same problems of substance, necessity and proportionality raised in the two Schrems rulings. These fears have been given more weight in the rulings of Oct. 6 referenced above. However, the governance issues of independent supervision and individual redress should not be problematic for the U.K.: It has a specific supervisory authority for intelligence oversight, the investigatory powers commissioner (who must be a present or former judge), as well as a specific court, the Investigatory Powers Tribunal, to provide a legal remedy.
In the U.S., the Federal Trade Commission is unquestionably an independent data protection regulator. However, like many EU national DPAs, it has no jurisdiction over state surveillance. A report by the Fundamental Rights Agency, volumes I and II, shows that in many EU Member States such jurisdiction is exercised by expert bodies supervising the intelligence community. In this respect, there exist mechanisms in the U.S. system that could be adapted to meet this requirement.
Propp and Swire’s proposal references the privacy and civil liberties officers (PCLOs), senior officers established in a number of U.S. government departments and agencies with statutory responsibility for investigating and addressing complaints about violations of privacy and civil liberties. They suggest that PCLOs could be an acceptable “fact-finder” to the EU, given their statutory responsibility for investigating and addressing complaints about violations of privacy and civil liberties and other “relevant virtues.” They add that PCLOs could be empowered to conduct factual investigations, including of non-U.S. persons, simply by administrative direction, and thus be converted into a sort of oversight mechanism. However the PCLO, like the chief privacy officer, has a role comparable to a DPO, as the authors themselves recognize. The PCLO therefore cannot serve alone, from an EU perspective, either for independent oversight or for judicial redress. Recourse to a court does not cure either inadequacy. As Justice Caroline Costello noted in her 2017 High Court ruling, the judicial remedy is there for when the administrative oversight fails—it is not a replacement for adequate administrative oversight all together.
The U.S. mechanism best suited to cure the inadequacy of the PCLO may be the Office of Inspector General. According to the Irish High Court ruling, inspectors general are present in all the law enforcement and intelligence departments, hold the necessary security clearances and are empowered to issue nonbinding recommendations for corrective action. It could be useful to explore whether the powers of the inspectors general could be strengthened to hear complaints referred by PCLOs and adopt binding orders for corrective action. Inspectors general, in some cases, report directly to Congress and are typically regarded as independent. However, inspectors general are political appointees of the executive and can be easily removed, as recent experience shows. Any further measures would have to address how far it is legally possible to increase the security of such appointments.
In any event, the independence of the Office of Inspector General would always have its limits, as the office would remain situated within the executive branch. In the European context, the CJEU specifically criticized the presence of the Austrian DPA within the Austrian administration. However, the test for adequacy is not absolute equivalence (between the level of protection in the third country and that level present inside the EU) but, rather, essential equivalence, so the presence of the Office of Inspector General in the executive branch should be acceptable so long as its powers of oversight were extended to permit it to act as an independent supervisory authority with binding powers to deal with complaints.
The CJEU has a similar arrangement. The court has set up a supervisory authority within its own structure. The independence of this authority is based on the fact that its members are independent members of the judiciary. This exceptional example underlines that the presence of a supervisory authority within the structure of a public authority is not necessarily fatal to its independence, so long as that independence is real.
The combination of PCLOs and inspectors general would begin to meet the requirement of independent supervision. And it would not be challenging to add another layer of review to this model. Building on the Propp and Swire proposal, the results of this independent administrative oversight could then be challenged before the Foreign Intelligence Surveillance Court (FISC).
Finally, to ease legitimate concerns that details of specific intelligence activities might inadvertently be publicized by regulatory authorities, Propp and Swire suggest that the PCLO, or the inspector general, could make a finding similar to the one assigned to the ombudsperson under the Privacy Shield: advising the complainant either that there has been no violation of U.S. surveillance law or that any violation has been corrected. This would mean reporting the final decision, without divulging the specific details of any collection activity. Such limited reporting should be acceptable to the European side if it is entrusted to an independent supervisory authority, such as the combination of PCLOs and inspectors general discussed above. For example, this type of reporting can be found in Article 17 of the Law Enforcement Directive (EU) 2016/680.
The Difference Between Administrative Oversight by a DPA and Redress Before a Court…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
