Privacy Shield 2.0—Third Time’s the Charm?
What commitments has the United States made in the recent Trans-Atlantic Data Privacy Framework? And will those reforms be enough to pass muster when this next agreement goes before the Court of Justice for the European Union?
Published by The Lawfare Institute
In March, European Union President Ursula von der Leyen and U.S. President Joe Biden announced that they had agreed to a Trans-Atlantic Data Privacy Framework. This follows nearly two years of negotiations, across two U.S. administrations, because the 2015 agreement struck by the U.S. and EU—Privacy Shield—was found to be deficient by the Court of Justice for the European Union (CJEU) in 2020. The CJEU’s findings centered on U.S. surveillance laws and their inadequacy to meet standards in the EU Charter of Fundamental Rights, specifically the Foreign Intelligence Surveillance Act (FISA) Amendments Act Section 702 (FAA 702) and Executive Order 12333.
So, for almost two years, companies that rely on trans-Atlantic data flow for business purposes have been operating under a regime in which they must conduct case-by-case analyses of individual agreements for data transfers to comply with EU standards. For these companies, the announcement was viewed positively, even if all that has been agreed to so far is a plan to draft an agreement and the subjects covered in the agreement.
While it certainly acknowledged the need to address the challenges the private sector faces in the absence of a U.S.-EU agreement on trans-Atlantic data transfer, the announcement focused on the issue at the heart of the CJEU’s decision: the reach of U.S. surveillance law against non-U.S. persons (and particularly for the EU, Europeans) located outside the United States, and the steps the U.S. would be taking to address the CJEU’s concerns. Particularly since the 2013 unauthorized disclosures of classified information by a government contractor, the U.S. intelligence community’s surveillance authorities, capabilities and global reach have been the target of the privacy community, which is particularly opposed to programmatic surveillance authorized by FAA 702. The commitments to reform intelligence community surveillance practices and create new oversight mechanisms are unsurprising. After all, there is a strongly held belief that U.S. surveillance law is far too sweeping in its reach and the compliance regime too lax. But it is also true that reform has come in many forms over the past decade, and from many corners, so what new compliance and oversight mechanisms will come to be as a result of this agreement? And will those reforms be enough to pass muster when this next agreement goes before the CJEU? What follows below the fold is a brief refresher on this nearly decade-long saga, followed by analysis of the framework. (American University’s Privacy Across Borders initiative is a great resource for those looking to dive deeper into this subject.)
How We Got Here
In 2020, the European Court of Justice struck down the European Commission’s adequacy decision on the 2015 U.S.-EU Privacy Shield agreement. The court reasoned that U.S. surveillance programs, in particular Executive Order 12333 and FAA 702, do not meet the necessity and proportionality standards in Article 52 of the EU Charter on Human Rights, or the charter’s requirement for actionable judicial redress for EU citizens. This decision invalidated the 2015 compromise struck by the EU and U.S. in the wake of a previous CJEU decision invalidating Privacy Shield’s predecessor agreement, Safe Harbor, which was agreed upon in 2000. Both CJEU cases were brought by the same complainant, Max Schrems, which is why the cases are known in shorthand as Schrems I and Schrems II.
FAA 702 permits the government to issue orders requiring companies in the U.S. to disclose the communications data of particular non-U.S. persons located outside the United States to obtain specific foreign intelligence. European officials had additional concerns about the authorities found in Executive Order 12333, a 1980s-era presidential order that governs the intelligence community’s conduct of intelligence activities outside the United States, including signals intelligence collection against non-U.S. persons (but in no way creating any authority for the intelligence community to compel companies to provide data like FISA does).
In its engagements with the EU since 2013, the intelligence community has striven to prove the stringency of its compliance regime. The white paper released in the wake of the 2020 decision contains perhaps the most comprehensive collection of the intelligence community’s advocacy. The white paper exhaustively explained the legal and policy framework governing the U.S. government’s intelligence operations and pointed out that the security of its European partners and allies is an integral element of the intelligence community’s mission. The paper even publicly described intelligence about threats to European partners—intelligence that one can only assume likely involves the use of the authorities at the heart of the CJEU’s findings. It also reminded the EU that European security services have authorities to conduct surveillance activities as well, and at times without the privacy protections inherent in the U.S. system—including independent federal judges, prompt destruction of data that is not relevant, and tight controls over how that data is handled and reported to intelligence customers. But those arguments haven’t won the day with the CJEU in the past.
Of course, the Europeans were far from alone in their concern over the 2013 unauthorized disclosures. Broadly, the U.S. government has since taken significant steps to increase transparency regarding its mission—particularly regarding surveillance and signals intelligence activities—and to undertake meaningful reform. Public ire over the unauthorized disclosures has been directed primarily at the National Security Agency, responsible for the intelligence community’s foreign signals intelligence mission, which encompasses surveillance authorized by FAA 702. Much of this initial transparency was forced, but one can argue that the intelligence community has embraced this transparency in many ways after the initial shock subsided. Of course, most intelligence operations are, and must remain, secret. But over time, the U.S. government has released redacted and declassified materials and issued new directives and policy documents restricting and clarifying surveillance authorities. Take, for example, Presidential Policy Directive 28 (PPD-28), issued by President Obama in January 2014: It affirmed, among other things, that signals intelligence activities must include safeguards for the protection of personal information for all individuals, not merely U.S. persons.
Transparency has taken other forms, too. A few examples include the public testimony of intelligence community leaders before Congress each year at the Worldwide Threats hearing, the now-frequent release of cyber threat indicators and attribution of malicious cyber actors targeting both government and private-sector networks, and the steady flow of declassified court opinions and other documents regarding FISA activities coming from both the Foreign Intelligence Surveillance Court (FISC) and the intelligence community itself. Intelligence community leaders and lawyers write, speak and participate in public events frequently and make themselves available for media interviews with far greater frequency than in the past. (And more reforms and changes should be anticipated, including when Congress considers whether to reauthorize FAA 702 and a few other important FISA authorities before a scheduled sunset at the end of 2023.)
The intelligence community has also engaged productively with Congress and the privacy community, and has not opposed—some might even argue it has embraced—legislative reforms to its surveillance practices, in the course of reauthorizing those same programs. In 2015, Congress enacted sweeping changes to a surveillance authority exposed in the unauthorized disclosures, the telephony records program, which imposed additional judicial oversight over the collection of telephony records under the business records provision of FISA and also established new declassification and disclosure obligations for significant FISC opinions on the intelligence community. In 2017, while reauthorizing FAA 702, Congress imposed restrictions on how the FBI conducts queries of FAA 702 data to enhance oversight (queries in 702 data are a particularly controversial aspect of the FAA 702 program). And more recently, the intelligence community embraced and still supports legislation that would reform its process for developing FISA applications to address significant concerns over accuracy and candor with the FISC (though it remains to be seen whether that legislation will become law).
What We Know About the Framework From the Fact Sheet
This brings us back to the framework, or more specifically, the fact sheet about the framework, which outlines the commitments the United States has made. It states that the United States will:
- Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
- Establish a new redress mechanism with independent and binding authority; and
- Enhance its existing rigorous and layered oversight of signals intelligence activities.
The fact sheet also states that the framework will ensure that:
- Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
- EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
- U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
The fact sheet also confirms that the United States will implement its obligations and commitments pursuant to an executive order. Before diving into the substance of the U.S. commitments, first, some observations about the text itself.
Language: In its past attempts to explain U.S. legal and policy governing surveillance authorities, the United States has referred to EU legal principles such as proportionality and necessity. But as it has sought to implement reforms to address EU concerns, the U.S. has chosen not to invoke such language in its governing documents. In the statement and the fact sheet, however, these European terms are used. Could that mean that a more explicit crosswalk between U.S. and EU legal frameworks may be a component of the executive order? Another interesting language choice: The fact sheet also calls the new redress mechanism a “court” but describes it as an independent, nongovernment body, with functions that don’t align with those commonly associated with courts.
Mechanism: The fact sheet makes it clear that an executive order to implement these commitments is forthcoming. This makes sense as a practical matter, since the alternative, legislation, is far less likely to come to pass. But given the type of commitments the U.S. is signing up for, and the CJEU’s past findings, is that enough? As Alex Joel has explained in detail, executive orders are subject to judicial review and have the same force of law as statutes. It is true that the United States’ implementation of its obligations in Privacy Shield 1.0 did not rise to the level of an executive order, and that could have contributed to its not passing muster with the CJEU. But if the European Court’s primary concern—FAA 702—is statutory in nature, will an executive order that concerns the implementation of a statute passed by Congress be enough? Further, what sort of “court” can be established via an executive order?
Timing: It appears there is an intent to finalize the U.S.-EU agreement in the coming months. This timing is interesting, because the debate over reauthorizing FAA 702 will commence around that same time. Since the private sector has been in limbo for nearly two years, it is natural that the negotiators are seeking to address the issue with all due speed (signaling their preference for an executive order). But as the government, privacy community and private sector gear up for yet another debate over surveillance law, and indeed the very surveillance law that is the subject of these negotiations, might the subject of these negotiations become part of the congressional debate, or, conversely, might someone insert this issue into the congressional debate over FAA 702? Or might the mere fact that the authority is up for reauthorization at the same time the executive order is finalized influence how it is received in the EU?
Policies and Procedures (Read: More Oversight)
Lawfare readers will be familiar with the complex, multilayered, acronym-filled world of intelligence oversight—CLPOs, PCLOB, PIAB, AG procedures, the FISC, Congress, compliance professionals and lawyers. When government officials talk about intelligence oversight, and particularly FISA oversight, they speak of individual analysts reviewing targeting justifications, compliance officers vetting those justifications and ensuring they remain valid throughout the period of surveillance, lawyers reviewing and verifying the facts around an intelligence operation, and the incident response process that takes place the moment someone in the intelligence community identifies a problem. These individual components can feel like abstractions or theories to anyone who has not been a part of the intelligence community, but for those who have lived through it, they are very real and demanding standards to meet. And they absolutely should be demanding. After all, FISA surveillance is among the most intrusive intelligence tools the United States has. So when the fact sheet refers to creating new civil liberties and privacy safeguards and the adoption of new procedures, what do they have in mind?
The executive order may contain a new and overt articulation of the United States’ translation of the U.S. legal and policy framework into EU terminology and principles, such as explaining how U.S. surveillance law and policy will meet EU principles of necessity and proportionality. Perhaps the executive order will also elevate and affirm those foundational policies and procedures that are already on the books—AG procedures, PPD-28, consequential FISC opinions—at the highest level of the executive branch. It might even impose restrictions on the manner in which the intelligence community uses FAA 702, or create a new regime through which the intelligence community must obtain approval in order to surveil certain types of non-U.S. persons, or govern particular categories of foreign intelligence that are sought.
Will the executive order stand on its own or revise an existing one, such as Executive Order 12333, which was last amended in 2008? If it stands on its own, will it focus specifically on signals intelligence activities, or might it encompass activities that may not be defined as signals intelligence activities but that also involve the collection of data through means other than FISA or the procedures governing signals intelligence? For example, might the executive order govern the intelligence community’s collection of commercial data through means other than compulsory legal process, a practice that has come under scrutiny as a result of recent reviews by the Privacy and Civil Liberties Oversight Board?
A “Court”
Establishing a mechanism through which EU citizens may submit complaints against the intelligence community for surveillance activities and receive redress for improper surveillance is the other key element of the CJEU’s previous rulings on the inadequacy of U.S.-EU agreements. In Privacy Shield 1.0, the redress required under Article 47 was accomplished through a State Department ombudsperson, who delivered claims submitted by EU citizens to the intelligence community, which reviewed and adjudicated them and returned responses to the State Department to be returned to the EU. That arrangement having been found insufficient, the new arrangement will involve creating an independent “Data Protection Review Court” that would take on this responsibility. At least two questions arise: Is this a “court”? And, given the entity’s functions, how exactly will an executive order establish it?
On the first question: The use of the word “court” naturally evokes images of judges convening over judicial proceedings. But in the case of this “court,” the functions as described by the fact sheet do not seem to fit that description. They also leave one wondering how a president can establish a court through an executive order.
So, how could an executive order create an entity that accomplishes the functions the United States is committing to in the fact sheet? The most obvious approach is to create an advisory committee. Advisory committees exist across the federal government. They comprise nongovernment experts in a particular field who make recommendations to the particular agency or office they advise to aid in its decision-making. Of course, unlike an advisory committee, this entity would need to adhere to the fact sheet’s commitment that its decisions have some sort of binding authority on the government rather than serving in a purely advisory capacity. Practically speaking, if the entity’s activities involve reviewing the details of intelligence activities to determine whether a particular EU complaint warrants redress (it would be hard to imagine the entity wouldn’t), the entity members will likely need to maintain security clearances in order to access the classified information that will require their review.
Third Time’s the Charm?
Ultimately, this new agreement will almost certainly find its way back to the CJEU for review. And while that process will take some time, this new agreement could very well be struck down, too, and along similar lines. Some tech companies aren’t relying on the U.S. to solve this problem for them—there is evidence some companies are actively taking steps to shield themselves from having to deal with trans-Atlantic data transfers moving forward, such as by migrating EU citizen data to data centers located in the EU. This may solve the issue for individual companies with the resources and international presence to do so, and may satisfy the EU. But it may not wholly resolve the matter from the CJEU’s perspective, leaving the U.S. and EU heading back to the negotiation table for another go.