
Final Thoughts on Reforming Surveillance and European Privacy Rules

Timothy Edgar
Sunday, November 8, 2015, 2:19 PM

Published by The Lawfare Institute in Cooperation With Brookings

Although it is a close call, the decision of the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner may turn out to be the most important consequence of the Snowden revelations. The CJEU invoked fears of NSA surveillance to strike down the safe harbor agreement that makes it easy for American companies to transfer personal information of Europeans to the United States. How the US and the EU address the decision could shape the legal landscape of global surveillance for many years to come.

Even before Schrems, the United States took bigger steps in the direction of reforming surveillance than many appreciate. There has been increased transparency from the US intelligence community, and now the Office of the Director of National Intelligence has provided a mechanism for institutionalizing it. Presidential Policy Directive 28 (PPD-28) provides limited privacy protections for non-US citizens located abroad. The USA FREEDOM Act replaces bulk collection with a sensible alternative, and makes other reforms to the Foreign Intelligence Surveillance Act.

These reforms do not have the same global implications as Schrems. Increased transparency and privacy protections for foreigners set a good example, but at bottom these are still policy changes that other countries are free to ignore. FISA offers one model for judicial review of intelligence surveillance, but it remains a peculiarly American law. The CJEU’s decision in Schrems, by contrast, provides specific requirements for reforming government surveillance that apply to any nation that wishes to do business with the European Union.

European privacy law is based on fundamental human rights principles. The CJEU has thrown down the gauntlet, demanding that countries provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” ¶ 73. Countries that fall short will find their companies at a disadvantage. Doing business in the twenty-first century means being able to transfer personal data.

In previous posts, I have explored how the disconnect between the way Europeans and Americans view data privacy obscures some inconvenient truths about surveillance. First, the NSA has a much freer hand to collect data if it stays in Europe than if it is transferred to the US. Second, European standards for surveillance have long been even more permissive than those that apply to the NSA. Over the past year, they have been getting worse, not better. A possible exception is the UK’s proposed “snoopers' charter,” which offers significant surveillance reforms, including judicial review.

Despite Europe’s double standards, I still believe surveillance reform is the only hope for reviving safe harbor. Reform will require changes to American law in two areas – (1) limiting “generalised” surveillance, and (2) providing expanded redress for foreign citizens. Reform should start with narrowing the grounds under section 702 of FISA for obtaining data located inside the United States that belongs to foreign citizens. Reform will have a cost. As Peter Margulies observes, it will require sacrificing surveillance for broader “foreign affairs” purposes.

We should insist on reciprocity. Joel Brenner suggests a lawsuit by Americans demanding protection for their data in Europe. I’m happy to participate. Europe is indulging in rank hypocrisy when it faults the NSA for broad “foreign affairs” surveillance that its own intelligence services routinely conduct.

Responding to the CJEU’s demand for meaningful redress for intelligence surveillance is trickier. Extending the Privacy Act to foreign citizens does next to nothing. Cameron Kerry, former acting secretary of the Department of Commerce, and Alan Raul, former member of the Privacy and Civil Liberties Oversight Board, have pointed out that foreign citizens may already sue for civil damages if they can show they have been subject to unlawful surveillance under FISA. 50 U.S.C. § 1810.

True, but the problem is that the NSA’s targets are secret – and we would like to keep it that way.

Congress might provide a way for people with entirely reasonable fears of surveillance to bring challenges without the need to prove they are on the NSA’s list. Such a law would have to meet the constitutional requirement of standing – a rule that is in sharp tension with international human rights law. Increased transparency may make it easier to do so.

Realistic surveillance reforms will require adjustment to principles that most privacy lawyers in Europe – indeed, most people, everywhere – hold dear, but that simply cannot be applied inflexibly to intelligence surveillance. American privacy organizations could be helpful in bridging the gap. The Center for Democracy and Technology has provided useful suggestions for reform of section 702 of FISA. They are a good start.

There already appears to be a strong push to muddle through with temporary arrangements that will not require any changes in law on either side of the Atlantic. Even in the short run, this strategy is unlikely to succeed. Last month, European data protection commissioners issued a strong statement. It promises, “If by the end of January 2016, no appropriate solution is found with the US authorities,” the commissioners will take “all necessary and appropriate actions, which may include coordinated enforcement actions.”

Whatever reforms are needed will be required for other countries doing business with the EU – which is to say, most if not all of the world. EU member states won’t be able to avoid scrutiny either. The CJEU made clear “the European Union is a union based on the rule of law” and is bound by “general principles of law and fundamental rights.” The CJEU has explained those principles in terms that make abundantly clear that most EU member states do not meet them. There is no escaping the global logic of Schrems.


Timothy H. Edgar teaches cybersecurity and digital privacy at Brown University and Harvard Law School. He is the author of Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA. He served as a privacy official in the National Security Staff and in the Office of the Director of National Intelligence, and was a legislative counsel for the American Civil Liberties Union.
