EU Judges US Surveillance Law

The Irish High Court is considering a potential landmark case on the legality of transferring personal data from the European Union to the United States. A large portion of E.U. data transfers operates under “Standard Contract Clauses” (SCCs), boilerplate language widely adopted in written agreements. A central issue in Schrems v. Facebook is whether U.S. surveillance, when conducted within the U.S., is so pervasive that data transferred to the U.S. via SCCs lack “adequate” protection of privacy.

In an earlier case brought by Max Schrems against Facebook, the Court of Justice for the European Union (CJEU) struck down the E.U./U.S. Safe Harbor Agreement as a legal basis for transferring data between the E.U. and the U.S. In the current case, Schrems once again filed a complaint to the Irish Data Protection Commissioner, asking whether there are adequate U.S. safeguards against surveillance under SCCs. The Irish Data Protection Commissioner referred the case to the High Court, determining Mr. Schrems’s allegation to be “well founded.” Once the High Court issues its ruling, the current case may proceed to the CJEU.

Along with the testimony of other experts, my expert report was made public this week by the International Association of Privacy Professionals. In more than 300 pages, my report explains U.S. surveillance law to a non-U.S. audience. The testimony draws on my longstanding work on U.S. surveillance law, including as one of five members of President Obama’s Review Group on Intelligence and Communications Technology. It also draws on many years of work on E.U. data protection law, including a 1998 book on the topic and participation in the negotiation of the 2000 Safe Harbor agreement. Under Irish court rules, Facebook selected me to testify in the SCC case, but I was required to provide my independent expert opinion on U.S. law to the court.

Below is an overall summary of my testimony. Additional essays on specific aspects of the testimony and a French translation of the summary chapter are available here.

My testimony highlights four findings:

1. U.S. systemic remedies: As found by a team of Oxford experts, “the US now serves as a baseline for foreign intelligence standards.” Chapter 3 of the testimony provides a detailed explanation documenting systemic protections under U.S. law for foreign intelligence surveillance. Chapter 4 describes strong safeguards for law enforcement surveillance. Based on the Oxford study, Chapter 6 shows how well the U.S. safeguards compare with EU safeguards.
2. U.S. individual remedies: Chapter 7 documents how the U.S. legal system provides numerous ways for an individual to remedy violations of privacy, including individual suits against service providers; Federal Trade Commission and other agency enforcement; state law protections; and class action litigation. Chapter 8 explains reasons for a national security exception to individual access to surveillance records, where such access would threaten national security by revealing sources and methods.
3. Foreign Intelligence Surveillance Court oversight: Chapter 5 presents original research: a review of all of the FISC opinions and related materials declassified between 2013 and the filing of my testimony in November 2016. The overall conclusion is that the FISC provides far stronger oversight than many critics have alleged. My opinion to the Irish court is that the FISC provides independent and effective oversight over US government surveillance.
4. Broader implications of the SCC case: Standard contract clauses are used pervasively for transfers of personal data out of the European Union. An inadequacy finding in the current case would have a great impact even if the finding applies only to a single country (transfers to the U.S.) under a single basis for cross-border data flows (SCCs). Chapter 1 of the testimony, however, explains why an inadequacy finding, particularly in this case, likely would have far greater implications. The implications appear to go beyond the EU and US, , as shown by analysis of surveillance rules in the BRIC countries – Brazil, Russia, India, and China. For those and other countries whose safeguards are weaker than in the U.S., a finding of inadequate protections in the U.S. would logically mean that transfers from the E.U. to these countries would similarly be prohibited. The testimony also explains why an inadequacy finding for SCCs may also apply to other legal bases for transfer of personal data, including Privacy Shield and Binding Corporate Rules. Taken together, a finding of inadequacy in the current case in Ireland could have far more sweeping ramifications than many observers have contemplated.

In conclusion, the European Commission has emphasized the economic importance of trans-border data flows between the E.U. and U.S. by stating the economic relationship – the world’s largest – accounts for “nearly one trillion dollars in goods and services trade . . . supporting millions of jobs on both sides of the Atlantic.” The Commission also said that data flows “are an important and necessary element” of the strategic alliance between the E.U. and the U.S. as “a crucial component of EU-US co-operation in the law enforcement field” and “in the field of national security.”

The testimony provides an independent, detailed, and comprehensively footnoted record for the Irish High Court's consideration. The testimony can inform broader policy debates about the nature of US surveillance and European data protection law. It can also be of service in other pending litigation, such as current challenges to the Privacy Shield. The U.S. has implemented many surveillance reforms since 2013, including the new protections in the USA-FREEDOM Act passed by Congress in 2015. I hope this testimony can inform the public debate on these vital issues.