Privacy Shield 2.0: More Than “Lipstick on a Pig”

April 28, 2022

The US and EU have announced a new privacy accord to guarantee transatlantic data flows. With political will and judicial common sense, it can succeed.

Photo: Privacy activist Max Schrems. Credit: Ars Electronica/Creative Commons.

A new Data Privacy Review Court should provide sufficient “democratic controls” over US government access to Europeans’ data.

Privacy activist Max Schrems successfully convinced the European Court of Justice that the 2016 US-EU “Privacy Shield” agreement was, as he had claimed, “an attempt to put a lot of lipstick on the same old data-sucking pig.” He seems to think the same of the new Transatlantic Data Privacy Framework that US President Biden and European Commission President von der Leyen announced in March, and will surely challenge it.

In this case, however, the proposed make-over should work. Faced with Russia’s horrific invasion of Ukraine, the two sides summoned the political will to resolve a seemingly impossible conundrum with a new “Data Privacy Review Court.” Details are still being worked out, but, as noted below, creative approaches exist that should satisfy the European Court.

In its judgements against previous transatlantic privacy accords, the European Court of Justice ruled that Edward Snowden’s 2013 revelations showed the United States lacked effective “democratic controls” over law enforcement and intelligence agency access to personal information,. It pointed specifically to the Foreign Intelligence Surveillance Act (FISA) Section 702 (which governs the National Security Agency’s use of signals intelligence) and the Executive Order 12333 (which provides guidelines for U.S. intelligence operations). The Court was also concerned that Europeans did not have an adequate redress mechanism to correct inaccurate information or appeal decisions based on it. EU policymakers argued that anything less than a change in US law would fall short of the Court’s judgement; Congress, however, will not change US law to satisfy a foreign court.

Even so, there is a way forward. President Biden for years served on (and chaired) the US Senate’s Judiciary and Foreign Relations committees. His Ambassador to the European Union, Mark Gitenstein, was one of his closest Judiciary Committee advisors as well as counsel to the Senate Select Committee on Intelligence when FISA was adopted. The two are thus uniquely well-placed to know how the US government protects against unwarranted intrusion, and to explain how these protections could be further strengthened with additional non-legislative measures.

Indeed, the White House announced “unprecedented” steps to meet the concerns expressed in the ECJ ruling:

Strengthening privacy and civil liberties safeguards over US intelligence activities (going beyond the Presidential Policy Directive 28 measures President Obama promulgated after the 2013 Snowden revelations) to ensure information is collected only where necessary for “legitimate” national security objectives and in a way that does not “disproportionately” affect individual privacy and liberties.
Establishing a “multi-layered” redress system, including a new independent Data Protection Review Court that would have “full authority to adjudicate claims and direct remedial measures (by intelligence and law enforcement agencies) as needed.”
Reinforcing oversight of new privacy and civil liberties standards in the law enforcement and intelligence agencies.

The Data Protection Review Court is, in particular, a novel idea that could help address the European Court’s redress complaint. It could address the Court’s broader concern about the “lack” of “democratic controls” over US intelligence agency activity. We do not have the details, but one excellent analysis argues that the President can establish a fully-independent “Redress Authority” within the Department of Justice, as is done when naming a Special Prosecutor. This could be established by a legally binding administrative act, making it fully independent, and enjoying investigatory and remedial powers. Such an approach enjoys strong credibility based on previous Supreme Court decisions, including those related to the infamous Watergate scandal. Importantly, a new president could not immediately unwind this, as doing so would require a lengthy “notice and comment” process, itself subject to judicial review.

A “multi-layered” approach could also call on the US Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency created in 2007 to ensure efforts to fight terrorism do not trammel on civil liberties. PCLOB members are independent and highly respected, confirmed by the Senate and have full authority to review and make recommendations on intelligence agency activity (including in recent reports on EO 12333 and Section 702), and as such are an integral part of the “democratic controls” the United States has over those agencies.

Indeed, the PCLOB (working with agency privacy and civil liberties offices) would be a better place to provide the “Ombudsman” function that Privacy Shield previously vested in an Under Secretary in the State Department, although this may require minor legislative amendments to broaden PCLOB’s scope beyond terrorism-related issues. More imaginatively, PCLOB members could also function as a tribunal under the Transatlantic Data Privacy Framework, as PCLOB staff would receive complaints through the ombudsman function, could research them (including through access to classified information), and could then bring them to a panel of PCLOB members to review and, if need be, recommend remedial action.

If necessary, additional judicial review could be provided by the FISA Court. In its rulings, Europe’s top court complained about the difficulty of Europeans getting “standing” under US law. This could be avoided by appealing decisions under the Administrative Procedures Act requirement that agency action not be “arbitrary, capricious, an abuse of discretion or otherwise not in accordance with the law.” The amici curiae who under the 2015 Freedom Act advise the FISC Court on “legal arguments that advance the protection of privacy and civil liberties” could represent the individual complainants, in the few cases that would require it.

Of course, Europe’s judges could reject such a solution. They may be troubled by a recent March 2022 Supreme Court ruling that seems to strengthen the “state secrets privilege” that can make it difficult to complain against intelligence agency activities.

In the end, though, the European Court must be reasonable. The US exerts more robust controls over its intelligence and law enforcement activities than most other countries in Europe, never mind China, India, and Russia. Europe does not prohibit transfers of personal information to these countries, and many more. When it faces Mr. Schrems’ complaints for the third time, the Court should recognize the many useful changes the United States has made in response to its concerns, and bring some badly-needed judicial restraint to its sometimes overly fundamentalist findings.

Peter Chase is a Resident Senior Fellow at the German Marshall Fund of the United States.