Cybersecurity & Tech

Will the New EU-U.S. Data Privacy Framework Pass CJEU Scrutiny?

Cameron Kerry
Thursday, August 10, 2023, 10:00 AM
Changes to U.S. surveillance safeguards will test the practical limits of the EU court’s abstract principles.
The CJEU's Palais de la Cour de Justice in Kirchberg, March 25, 2023. (Luxofluxo, bit.ly/45pzIfx; CC BY-SA 4.0, https://creativecommons.org/licenses/by-sa/4.0/legalcode)

Published by The Lawfare Institute
in Cooperation With
Brookings

For the third time, the European Commission has issued a decision on the “adequacy” of U.S. privacy protections, enabling continued flows of personal data between the United States and the European Union after three years of uncertainty. Like its two predecessors in EU-U.S. data transfers, the Safe Harbor framework from 2000 and the 2016 Privacy Shield, this new EU-U.S. Data Privacy Framework will face legal challenges that will ultimately be resolved by the Court of Justice of the European Union (CJEU). The next case is likely to test the boundaries of the court’s interpretation of the EU Charter of Fundamental Rights in the context of government surveillance.  

The CJEU has authority to review the commission’s adequacy decisions involving the U.S as well as EU and member-state legislation for compliance with EU law. It leveraged this authority in the U.S. adequacy cases and in some cases where EU or member-state legislation allowed government access via commercial actors to apply the charter to limit government surveillance and access to information. The U.S. cases reflect the continuing fallout from Edward Snowden’s leaks about National Security Agency surveillance in 2013 and the perception the leaks engendered that U.S. intelligence agencies have broad access to personal data about Europeans. The previous cases compared the U.S. limits on access to information outside of U.S. borders against those under the EU Charter as applied by the CJEU. In both cases, the CJEU faulted a commission adequacy decision for failing on its face to ensure safeguards against surveillance that exceeds “what is necessary in a democratic society.”

Max Schrems, the Austrian privacy activist who instigated the two earlier challenges, immediately announced plans to initiate another. He called the new framework “a copy” of the Privacy Shield and said that “[w]e would need changes in U.S. surveillance law to make this work—and we simply don’t have it.” 

Despite Schrems’s assertions, the Data Privacy Framework makes significant changes to both the procedures that govern U.S. foreign intelligence surveillance and the oversight of their implementation, going well beyond those in the Privacy Shield. The commission’s June 10 adequacy decision will present the CJEU with a very different case. The commission and its U.S. counterparts have taken pains to ensure that, this time, the framework stands up, developing a sophisticated understanding of the comparisons between each other’s laws and evolving norms among democratic states about safeguards for government access to information. In the decision, the European Commission has appreciated these differences in systems and understood the operation of U.S. surveillance within the context of its particular structure of democratic governance. Now, the CJEU will have to be persuaded to do the same.

The Data Privacy Framework Decision

The Edward Snowden leaks in 2013 and subsequent CJEU cases produced a long-running transatlantic public debate and a give-and-take between EU institutions and the U.S. government about legal boundaries on government surveillance and the systems of law and government in which they operate. The U.S. made a number of changes to intelligence law and procedure in response, including a radical change in transparency about intelligence-gathering starting in 2013, followed by additional safeguards that were extended to people outside of the U.S. by former President Barack Obama’s January 2014 Presidential Policy Directive; and, after the CJEU invalidated the Safe Harbor framework in Schrems I, a mechanism for EU residents to complain to the State Department as part of the Privacy Shield.  

In the process, the European Commission, the European Data Protection Board, the U.S. Department of Justice, the U.S. Commerce Department, and U.S. intelligence agencies have deepened their understanding of each other’s respective laws and systems. The U.S. and European negotiators each have parsed the CJEU’s 2020 judgment in Schrems II to address its requirements within the context of their laws and systems of government. Both also were actively involved in developing the December 2022 Declaration on Government Access to Personal Data Held by Private Sector Entities, endorsed by the 38 members of the Organization for Economic Cooperation and Development (OECD) with input from an expert group, and involving major EU member states with the EU participating as an active observer.  

The commission decision focuses on safeguards added to U.S. intelligence law to address specific concerns raised in Schrems II: (a) insufficiently specific grounds for surveillance and bounds on the scope of surveillance to meet the EU requirement of “necessity and proportionality” and (b) insufficiently independent mechanisms for individual Europeans to seek “redress’’ relating to surveillance that affects them. Executive Order 14086 issued in October 2022 specifically addressed the first point by placing further specifications around the grounds for collection enumerated in the Foreign Intelligence Surveillance Act (FISA) and additional specifications for “bulk surveillance.” The executive order also established a new redress mechanism, a special Data Protection Review Court to be established in the Justice Department, pursuant to regulations for the appointment of special counsel, to exercise independent authority, with that authority reinforced by obligations imposed on the intelligence community under the executive order as well as regulations issued by the attorney general. The commission’s decision was helped by the fact that, by the time it came out, the U.S. Office of the Director of National Intelligence (ODNI) was able to report that intelligence agencies had implemented changes to their practices to comply with the executive order.

The limits on collection established in Executive Order 14086 are more concrete and detailed than both those listed in the text of the FISA and the additional bounds instituted by the 2014 Presidential Policy Directive 28. And those on bulk collection are narrower still, with a higher predicate to justify collection. In addition, the order applies to signals intelligence conducted under presidential powers over national security and foreign relations pursuant to Executive Order 12333, which is not subject to the FISA. This is, perhaps, the most significant revision to scope of that executive order since it was issued in 1981. The redress mechanism pieces together extraordinary oversight powers and independent authority for the ODNI privacy and civil liberties officer and the review court with, as surveillance law expert Peter Swire points out, the president and attorney general legally limiting their own powers to bound collection and processing and afford redress.  

Through this intricate but elegant structure, the Data Privacy Framework manages what otherwise could not be achieved without enacting legislation to revise surveillance laws as well as amending the Constitution to extend Bill of Rights protection to people outside U.S. borders, enlarge standing to sue in federal courts, and reduce presidential powers over national security and foreign relations.  

Judging EU adequacy

The Data Privacy Framework includes a reciprocal element—in effect, a form of U.S. adequacy decision about the safeguards in countries other than the U.S.—that highlights similarities and differences in laws and systems. Reciprocity was an aspect of the Judicial Redress Act in 2015, which helped pave the way for a U.S.-EU law enforcement information-sharing agreement by enabling EU residents to pursue remedies under federal privacy acts. Reciprocity was also a feature in enabling transnational access to electronic evidence in judicial proceedings governed by the Clarifying Lawful Overseas Use of Data Act, also known as the CLOUD Act.  

In the Data Privacy Framework, reciprocity comes into play in the redress mechanisms for non-U.S. nationals established under Executive Order 14086 and the order’s implementing regulations. Redress is available only to residents of “qualifying states”—countries or regional bodies like the EU. Redress is available only where the laws “require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information,” where the country permits “the transfer of personal information for commercial purposes” to the U.S., and where the decision would advance U.S. “national interests.” For EU redress rights to kick in, therefore, the attorney general had to find that countries covered by the framework qualify under these tests. Days before the EU adequacy decision, Attorney General Merrick Garland issued findings that the rule of law and safeguards for government access in EU member states and the European Economic Area (EEA) make them qualifying states. One effect of this reciprocity is that the qualifying states have to permit data flows with the U.S. or these privacy protections will be withdrawn.

The Justice Department later released a memorandum by its National Security Division explaining the rationale for this decision. The memorandum frames its approach to the meaning of “appropriate safeguards” as considered “holistically” and not with a “rigid ‘one-size-fits-all’ model.” This approach takes into account that:

Different countries, even those sharing democratic values and a commitment to the rule of law, will have legal and national security systems with differing histories and institutions, such that they may legitimately take differing approaches towards enacting privacy safeguards for signals intelligence activities.

The Justice Department considered European law, for the purpose of the designation decision, as presented in a letter from the EU’s justice commissioner describing all 30 countries at issue as contracting to the European Convention on Human Rights, which is applied by the European Court of Human Rights (ECtHR). In addition, 27 of these countries are EU members subject to the EU’s treaty and Charter of Fundamental Rights, and 22 are signatories to the December 2022 OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. The Justice Department fleshed out this information with its own examination of the safeguards called for in the law of the ECtHR and CJEU, as well as a “limited analysis” of publicly available information on the domestic laws of “representative EU/EEA countries.”  

In 2016, following the Schrems I case, I led an effort at Sidley Austin similar to the Justice Department’s, preparing a lengthy report that compared the EU and U.S. legal regimes for privacy protection in light of the legal standard enunciated in the CJEU judgment: that protections for data transferred outside the EU must be “essentially equivalent” to those under EU legal regime. The target audience for that report was primarily EU institutions—and, above all, the CJEU. Like the Justice Department, we relied significantly on the jurisprudence of the Court of Human Rights, which has long experience with government surveillance cases, and distilling from CJEU and ECtHR jurisprudence an “EU benchmark” that closely resembled what the body of EU data protection authorities subsequently termed the “essential guarantees” and the Justice Department describes as a “baseline.” We also emphasized what both the ECtHR and the CJEU have termed a “margin of appreciation” as to how states choose to protect public safety and security. And we selected “representative member states” to evaluate how the “EU benchmark” was applied in practice and benefited from studies of member intelligence laws and practices by the EU’s Fundamental Rights Agency.

The Justice Department’s memorandum provides an even more detailed analysis, covering more countries, with the benefit of more specific guidance from the Schrems II judgment and subsequent CJEU cases involving member-state laws. It takes a granular look at various ways that these countries implement safeguards on the necessity and proportionality of signals intelligence collection (including bulk collection) and processing, oversight of intelligence agencies, and forms of individual redress. It cites examples where member-state laws provide less extensive individual protection than the October 2022 executive order, including (a) for the collection of international communications (communications from outside the country, which are the equivalent of the communications covered by FISA Section 702, a key focus of EU concerns about the U.S.), where a number of member states allow collection without requiring selectors for targeting; (b) while the U.S. has banned domestic bulk surveillance, a number of member states allow such collection subject to safeguards; and (c) nonjudicial redress mechanisms are frequently nonbinding and less independent than what is enabled by Executive Order 14086, and redress is widely unavailable to people outside national borders in almost all member states. 

The Justice Department memo concludes that such “divergence” in safeguards can be “reasonably accommodated” because the countries’ “commitment to privacy in this area when considered as a whole is clear.” Accordingly, the U.S. “does not require that the foreign country match the same privacy safeguards and standards set out in U.S. law, but rather that the foreign country’s laws, viewed holistically, provide safeguards that are appropriate for a rights-respecting democratic society that follows the rule of law.”

The ECtHR jurisprudence and the “margin of appreciation” figured in the arguments before the CJEU in Schrems II but gained little traction with the court. The EU Charter incorporates rights under the Convention of Human Rights, and the CJEU often refers to ECtHR jurisprudence (as it did in other 2020 cases involving member states), but the Schrems II judgment sidestepped the bearing of ECtHR jurisprudence. It reasoned that, because the EU itself is not a party to the convention, it would look exclusively to the charter, treaty, and legislation in reviewing a decision of the commission as an EU body. 

What is “Necessary in a Democratic Society”?

In the aftermath of Schrems II, I wrote that “it is tempting—but futile—to say the CJEU got it wrong.” That case could not be reargued. But a new case can present some of the same issues with new facts and a different context. As described above, the Data Privacy Framework and the record the European Commission and the U.S. government have assembled to support this latest adequacy decision will present the CJEU with a different and more difficult case.

In turn, this stronger posture also brings to the fore an issue that flows from the CJEU’s test for the necessity and proportionality of government surveillance. In Schrems II, the court concluded that the FISA as presented in the Privacy Shield case goes beyond “what is necessary in a democratic society” (emphasis added). The EU benchmark, baseline, or essential guarantees frame some general principles as to what this broad standard means, especially applied to necessity and proportionality, but they do little to calibrate the meaning of “in a democratic society.”

Schrems I presented an easy case in this regard because the 2000 adequacy decision simply did not address government access at all. Perhaps the safeguards for government access considered in Schrems II fell far enough short in implementing the EU principles that it was an easy decision too. The more difficult case presented by the 2023 adequacy decision will call for much more nuanced judgments.  

The ECtHR has dealt with judging what is “necessary … in a democratic society” through the “margin of discretion” for democratic states to decide how and to what extent to protect the security and safety of their people. This margin may be wider where “there is no consensus ... as to the relative importance of the interest at stake or how best to protect it.” The CJEU has allowed similar latitude where member states are involved but chose not to read this case law into EU law as applied in Schrems II. Understanding of what is necessary in a democratic society should be based not on some Platonic ideal, but with respect for real-world judgments reached through the democratic processes in democratic states. In their well-calibrated analysis of the issues presented by Schrems II, Thorsten Wetzling, Lauren Sarkesian, and Charlotte Dietrich observe that “[p]olicymakers need to flesh out the how the abstract data protection standards in the CJEU’s Schrems II ruling can be applied in concrete situations of intelligence collection and data processing as well as how they should be written into national intelligence legislation.” 

This latitude must also respect differences in systems of government and laws. In Schrems I, the CJEU said that “essentially equivalent” does not require “a level of protection identical to that guaranteed in the EU legal order,” and the means by which that protection is implemented “may differ from those employed within the European Union” under its charter. Will the CJEU stand by this declaration?  

If the court were to apply the charter to say that the U.S. regime for foreign intelligence goes beyond what is necessary in a democratic society despite the safeguards underlying the Data Privacy Framework, that not only would jeopardize the transatlantic digital economy but also could significantly affect the interests of EU member states. The Lisbon Treaty reordering the EU requires the union to “respect their essential State functions” and provides that “national security remains the sole responsibility of each Member State.” With the Rome Declaration in 2017, the EU is taking a larger role in collective security augmented by the war in Ukraine, but that does not modify the Lisbon Treaty. 

The U.S. has implemented the EU principles within the context of its system of government and laws, and the Data Privacy Framework is a product of these distinct systems. Like the EU, the U.S. has an executive, a legislature, and a judiciary, but it structures these branches and allocates powers among them differently (as EU member states do too). Like the EU, it does so within the ambit of democratic governance and rule of law. And, also like the EU, it faces challenges to democracy. No country or government has an exclusive understanding of what it means to be a democracy or what is necessary in democratic society, and, with Russia’s invasion of Ukraine and China’s heightened authoritarianism and fractiousness, the U.S., EU, and other allies have a renewed appreciation of their shared democratic foundations and interests. (Indeed, it was in the context of a summit on Ukraine that U.S. President Joe Biden and European Commission President Ursula von der Leyen announced the initial agreement on the U.S. and EU Data Privacy Framework.)

Additionally, the comity of nations calls for some degree of respect for sovereignty, and EU treaties (the Treaty on Functioning of the European Union, Treaty on the European Union (TEU) and Lisbon Treaty), which establish the powers of European institutions, provide for EU law to be interpreted in accordance with international law and agreements. As an EU institution, the CJEU is subject to the principle of proportionality in Article 5(4) of the TEU that measures cannot exceed what is “necessary to achieve the objectives of the Treaties.” International allies and trading partners should also be treated with a sense of proportion.

The holistic and flexible approach of the Justice Department memorandum offers an instructive example in allowing some range of variation for “a rights-respecting democratic society that follows the rule of law.” Its catalog of how EU member states address the safeguards required under EU law provides a concrete illustration of this range of variation. This is not a matter of “everybody does it,” finger pointing, or a lowest common denominator, as I sometimes heard in response to that 2016 report I worked on. Rather, the Justice Department’s analysis, the EU Fundamental Rights Agency studies, and other information on actual practices of democratic governments provide some understanding of what is necessary in a democratic society. As the Justice Department memo discusses, the OECD recommendations for regulating government access to information and the exchanges on laws and practices that went into them have deepened this understanding. As EU law expert Kenneth Propp put it, these recommendations are “a promising beginning” that “demonstrate the surprising degree of commonality in data access safeguards applied by developed democracies’ national security and law enforcement agencies.” 

International norms for foreign intelligence surveillance are evolving. Wetzling, Sarkesian, and Deitrich see existing privacy protection as “too dependent on either nationality or residency even though personal data is de facto rarely confined by national borders.” As reflected in the Justice Department memo, the U.S. is an outlier in this regard, as it extends privacy safeguards to foreign nationals. Since the Snowden affair, the U.S. has become a leader in transparency about procedures and programs that in other countries still remain largely secret. In that time, other democratic countries—France, Germany, and the U.K., among others—have revised surveillance laws and oversight to respond to the times and to the ECtHR, CJEU, and national courts.

Max Schrems is wrong that only changes in legislation can save the Data Privacy Framework from the same fate as its predecessors. That’s not to say such changes wouldn’t help. Language in reauthorization of the FISA codifying the protection of foreign nationals and other safeguards in Executive Order 14086 would stabilize these against changes in the executive branch and help to overcome the cognitive dissonance that judges and others in Europe have with U.S. law that is not systematically codified like their own laws. And passage of comprehensive commercial privacy legislation would help allay perceptions that the U.S. is the Wild West when it comes to data collection, even though that has not been at issue in the previous cases. Such changes would not alter the substance of the Data Privacy Framework, but they would reinforce it against the inevitable challenge before the CJEU. 


Cameron F. Kerry is the Ann R. and Andrew H. Tisch Distinguished Visiting Fellow in Governance Studies at the Brookings Institution, and is Senior Counsel at Sidley Austin. He previously served as general counsel and acting secretary of the Department of Commerce.

Subscribe to Lawfare