Kenneth Propp
Ever since Edward Snowden revealed a decade ago that U.S. government signals intelligence was collecting information on Europeans transmitted via U.S. electronic communications providers, transatlantic transfers of data from the continent have been on insecure footing. In the space of five years, the Court of Justice of the European Union (CJEU) twice invalidated European Commission decisions finding U.S. surveillance law protections to be “adequate” to the requirements of European Union fundamental rights law. Each negative court judgment has demonstrated painfully that economically vital data flows to the United States depend on unilateral EU determinations.
On July 10, the European Commission, the EU’s executive arm, issued a third adequacy decision for the United States, this one taking account of changes in U.S. surveillance law made by Executive Order 14086, a key component of the newly christened EU-U.S. Data Privacy Framework. The commission action temporarily returns stability to transatlantic data transfers, until the CJEU rules on the sufficiency of the latest set of U.S. safeguards.
The executive order took the novel step of creating a Data Protection Review Court within the U.S. Department of Justice, charged with adjudicating complaints about U.S. signals intelligence collection emanating from foreign “qualifying states.” A foreign jurisdiction is eligible for recourse to the new court if (a) it provides safeguards for U.S. persons’ data collected by its own signals intelligence services; (b) it permits the transfer of personal information for commercial purposes from its territory to the United States; and (c) U.S. national interests support the designation.
On July 13, the attorney general formally designated the European Union and Iceland, Liechtenstein, and Norway—the three other countries that make up the European Economic Area (EEA)—as qualifying jurisdictions. In so doing, the United States joined the EU in the business of adjudging foreign surveillance law regimes, at least for purposes of affording access to an important new U.S. tribunal. The new U.S. process has “a reciprocal element—in effect, a form of U.S. adequacy decision about the safeguards in countries other than the U.S.,” as Cameron Kerry noted recently in Lawfare.
Here, I explore the nature and implications of this U.S. turn to reciprocity. Is it more than a political tit-for-tat? Might the U.S. finding have an impact on the next round at the CJEU? Could it encourage greater multilateral coherence on what rule-of-law safeguards are appropriate for foreign surveillance activities? I suggest that the U.S. reciprocity analysis, by holding up a mirror to Europe’s foreign surveillance regimes, could have positive effects.
The Worldwide Spread of Reciprocity
According to research by the International Association of Privacy Professionals, 73 countries condition international transfers on a threshold finding that the recipient country’s data protection regime is “adequate.”
The European Commission views the globalization of adequacy as leading to greater convergence around EU criteria. In a recent interview, a senior commission data protection official cited the 2019 mutual adequacy findings between Japan and the EU, and forthcoming mutual ones between the EU and Brazil, as evidence for increasing acceptance of the EU adequacy model. He added that some countries simply apply extant EU adequacy findings in lieu of making their own independent determinations for third countries. In addition, the official noted that the commission informally “compares notes” with other jurisdictions on their respective adequacy analyses.
However, some countries’ data protection laws contain criteria for adequacy that vary from Europe’s. Their laws may even lack clear decisional criteria, impeding transparency into their decisions. According to the Information Technology and Innovation Foundation, some countries appear paralyzed in making adequacy decisions, for fear of “angering” large regional powers such as China, and so fail to exercise their decisional power at all. The global reality is an increasingly varying and sometimes inconsistent web of national adequacy determinations—what two leading privacy scholars have termed a “spaghetti tangle.”
U.S. Reciprocity Requirements for Law Enforcement Data Access
The United States has previously passed unilateral judgment on foreign data transfer regimes but only in the law enforcement context. In 2015, Congress adopted the Judicial Redress Act to grant persons from “covered countries” the same access to judicial remedies that the Privacy Act of 1974 provides to U.S. persons. The attorney general may designate countries for this benefit if they have an agreement with the United States for protecting personal privacy in the law enforcement setting, effectively share law enforcement information with the United States, and allow commercial data transfers to the United States. In return for a 2017 U.S. designation of the countries of the European Union, the two parties finally were able to conclude a long-lasting negotiation on a law enforcement data protection agreement.
A similar reciprocal approach was taken in the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which authorizes the U.S. executive branch to conclude agreements with foreign countries on access to electronic evidence. Before doing so, the attorney general must determine that the foreign country affords robust privacy and civil liberties protections for e-evidence and that providers in its territory legally can supply such data in response to a U.S. law enforcement request. The Justice Department has made these findings in connection with CLOUD Act agreements with the United Kingdom and Australia. If successful, ongoing negotiations on a CLOUD/e-evidence agreement with the European Union would require a similar examination of EU member states’ laws.
U.S. Reciprocity Requirements for Signals Intelligence Data Access
The reciprocity finding under Executive Order 14086 differs by scrutinizing foreign national security surveillance. As Peter Swire observed in an early analysis, there are two clear motivations for injecting reciprocity into this context. A “privacy-based explanation,” he noted, is that just as foreign governments seek to protect their own citizens who may be subject to foreign signals intelligence, “so the privacy of Americans should be similarly protected by those other countries.” Swire also points to the “practical politics” dimension, noting that a reciprocity requirement helps ensure that once data flows begin, they will continue unimpeded. A third—though unarticulated—rationale for the reciprocity provision undoubtedly was Washington’s long-standing frustration with EU data transfer negotiations and subsequent judicial interrogations before the CJEU.
But the United States appears to harbor even greater unspoken ambitions for playing the reciprocity card in the signals intelligence setting. One is indirectly to influence the CJEU’s thinking when the judicial challenge to the Data Privacy Framework arrives. A second is to steer ongoing multilateral work on signals intelligence safeguards. Both goals can be detected in the meticulously detailed 34-page Justice Department memorandum that accompanied the attorney general’s designation of the EU/EEA.
Comparing EU and U.S. Surveillance Safeguards
The Justice Department had assistance from the European Commission in determining the state of European surveillance safeguards for U.S. persons’ data. The commission’s legal service prepared an eight-page letter, appended to the Justice Department memo, describing protections resulting from the European Convention on Human Rights (ECHR), the EU Charter of Fundamental Rights, and the jurisprudence interpreting both instruments. The commission letter is conspicuously silent, however, on how these protections are reflected in the surveillance laws of individual EU member states. The U.S. government reportedly had pressed the EU for this additional information.
As a result, the Justice Department had to rely entirely on publicly available information to assess the state of surveillance law protections in EU member states. One valuable resource was a series of reports prepared by the EU Fundamental Rights Agency. The reports are based on member state voluntary responses to questionnaires, inevitably leaving gaps in coverage. The Justice Department memo acknowledges that its inability to canvass member state laws comprehensively resulted in a “limited analysis,” and it rather plaintively encourages the European Commission and its member states to be more forthcoming in the future.
The Justice Department memo marshals the available evidence to identify a series of weaknesses in EU member states’ surveillance laws, compared to those of the United States. For example, not all member state intelligence oversight bodies have binding authority to order remedial action by intelligence agencies; some have administrative redress mechanisms that are not available to U.S. persons; and a number provide more limited avenues for complainant representation than is the case in the United States. Several member states allow broad collection of communications originating outside their territories, and some also permit bulk surveillance of domestic communications. Finally, the Justice Department points out that only a small number of EU member states have even enacted detailed legislation on general communication surveillance.
Nonetheless, the Justice Department concludes that these weaknesses do not render the EU/EEA ineligible for access to the Data Protection Review Court. That is because the Justice Department chose to assess European law “holistically,” rather than requiring protections directly comparable to U.S. law. It defends taking this “deferential approach” because the EU/EEA is, like the United States, a “rights-respecting democratic society that follows the rule of law.”
The Utility of Judging Foreign Surveillance Law Protections
The contrast between this relatively relaxed U.S. standard of review for the EU and the strict standard that the CJEU applies to the United States could not be more obvious. In the Schrems II litigation testing the prior Privacy Shield framework, the U.S. government had urged the CJEU to grant a “margin of discretion” to a foreign sovereign in respect of its surveillance law protections, pointing to the use of this more generous standard in ECHR jurisprudence. The EU Charter of Fundamental Rights does recognize ECHR jurisprudence as a relevant source of law for the CJEU to draw upon, and on occasion the CJEU does so. However, in Schrems II, these U.S. arguments “gained little traction with the court,” as Cameron Kerry has drily observed. Instead, the CJEU applied a strict standard of review and did not take the jurisprudence of the Strasbourg-based European Court of Human Rights into account.
The Justice Department reciprocity finding, and its analysis of EU member-state surveillance laws, is unlikely to figure overtly in the next CJEU ruling. That is because the Luxembourg court is competent only to interpret EU law—a task that, in this case, consists solely of measuring the European Commission’s adequacy decision for the United States against a standard derived from EU fundamental rights law. (Indirectly, of course, the CJEU will review the changes in U.S. surveillance law made by the U.S. executive order, since they are the substantive core of the new adequacy decision.) Additionally, the court likely would steer clear of examining member-state surveillance law protections, because safeguarding national security is their “sole responsibility,” according to Article 4 of the Treaty on European Union.
Nonetheless, the U.S. government can be expected to renew its comparative arguments before the CJEU about the relevance of ECHR cases and of EU member-state surveillance laws when the expected challenge to the Data Privacy Framework materializes—and doing so could yield indirect benefits. A vocal minority of EU member states with active foreign surveillance programs are known to be sympathetic to the U.S. position; some of them even intervened in Schrems II to point out that their national laws and practices resembled those of the United States. The Justice Department’s detailed and carefully documented comparative memo could well encourage more member states to weigh in with the CJEU in the forthcoming challenge to the Data Privacy Framework. In recent years, there have been instances in which the CJEU adjusted its data protection jurisprudence in response to strong member-state national security concerns, as it did in a 2020 case involving data retention (La Quadrature du Net).
The Justice Department memo relies heavily on common principles on surveillance law safeguards articulated in the 2022 Organization for Economic Cooperation and Development Declaration on Government Access to Personal Data Held by Private Sector Entities (OECD Declaration). The memo breaks new ground in not merely invoking the OECD Declaration, but in explicitly relating its safeguards to publicly available EU member-state law.
U.S. invocation of the OECD Declaration could yield benefits at the CJEU. Although the declaration is nonbinding as a matter of international law, it represents a notable degree of multilateral consensus on government surveillance safeguards that the CJEU could choose to acknowledge. The OECD Declaration is a “demonstration that U.S. privacy and due process safeguards in the national security and law enforcement context are in fact in the international mainstream,” as I have written previously in these pages.
The Justice Department’s analysis also could inspire the OECD itself. The OECD has not yet officially documented how its member governments embody the declaration principles in their national laws and procedures. Creating a multilateral record that OECD governments in fact are living up to the commitments they made in the declaration would bolster the instrument’s international credibility, deepen trust among OECD members, and further differentiate their practices from those of authoritarian governments.
Conclusion
Mutual adequacy findings have limitations. They can become almost foregone conclusions once governments have made the initial decision to liberalize data transfers between themselves. They have strong political and economic dimensions: Major trading partners tend to be the beneficiaries, and broader “national interest” considerations are relevant, as the U.S. executive order makes explicit.
The EU occasionally has used its adequacy process as leverage to elicit privacy law reforms in countries including Japan, but—the U.S. example aside—such changes rarely venture onto sensitive national security law territory. Later this year, the European Commission is expected to announce the results of its review of its long-standing adequacy finding for Israel, another country with an extensive national security surveillance apparatus. Its Israel decision, following on the heels of the U.S. one, could offer additional insight into how closely the EU is prepared to examine the surveillance law protections of an important political ally.
In the end, it is difficult to untangle the political, economic, and legal strands of adequacy findings. But they nonetheless can be useful. The U.S. “qualifying state” determination for the EU/EEA offers a welcome degree of transparency into Europe’s own signals intelligence protections and a bulwark against future backsliding on the continent. In addition, it shows growing convergence in transatlantic thinking and the promise of further multilateral dialogue in this area. Born in part out of a desire for revenge, reciprocal adequacy findings could end up contributing to a more coherent articulation of the relationship between international data flows and foreign surveillance laws.
No comments:
Post a Comment