Earlier this month, the Court of Justice of the European Union heard argument in Schrems II, a case that could limit companies’ ability to transfer data into the United States from the European Union—and, as a result, could dramatically increase pressure for U.S. surveillance reform. One of the central questions in the lawsuit is whether U.S. government surveillance violates the rights of Europeans whose data is sent to the United States. If the court concludes that it does, the decision will have significant implications for Silicon Valley’s bottom line, and we should expect business interests to push quickly and aggressively for reform of U.S. surveillance laws.
I attended the hearing alongside Max Schrems, an Austrian lawyer and privacy advocate. Six years ago, Schrems filed a complaint against Facebook Ireland for transferring his data to the United States, given the scope of U.S. government surveillance. While Schrems’ suit involves an array of issues under E.U. law, here, my aim is to provide context for the case and to survey several of the questions of U.S. law and practice before the Court of Justice. (Full disclosure: I submitted a report on U.S. surveillance law and remedies to the Court of Justice on Schrems’ behalf, and, at an earlier stage in the litigation, I provided expert testimony on U.S. law in the Irish High Court.)
I. History of the Case
Schrems I: The demise of “Safe Harbor”
Under E.U. law, companies have long faced a variety of restrictions on transferring data outside of the Union. In the 1990s, the European Union and the United States negotiated an agreement known as “Safe Harbor,” which allowed companies doing business in Europe to more easily transfer data to the United States. The agreement was based on the theory that U.S. businesses could, by subscribing to certain privacy principles, ensure an “adequate” level of protection for Europeans’ data and comply with E.U. law.
In 2013, Edward Snowden’s revelations about the scope of NSA surveillance radically undermined that theory. After learning about the PRISM program and other forms of U.S. government spying, Schrems, a privacy-rights advocate, filed a complaint against Facebook Ireland with the Irish Data Protection Commissioner. He argued that, given the breadth of U.S. surveillance, his data was not adequately protected in the United States—and, accordingly, Facebook should not be permitted to rely on Safe Harbor to transfer his data there.
The case made its way to the Court of Justice, and in 2015, the court invalidated the Safe Harbor agreement. Although the court’s decision technically rested on the fact that the European Commission failed to make sufficient findings about U.S. law, the court indicated serious concerns about the nature of U.S. surveillance and the lack of meaningful remedies. After describing the record on NSA surveillance, the court explained that, given E.U. privacy protections, governments may interfere with personal data “only in so far as is strictly necessary.” It further observed that
“legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
Finally, the court emphasized that E.U. law requires “effective judicial protection” and access to legal remedies for privacy violations.
After the court’s ruling, the United States and the European Union rushed to negotiate a new data-transfer agreement called “Privacy Shield.” At the same time, companies in the European Union relied on alternate protocols to send data to the United States, such as “Standard Contractual Clauses”—contract templates that are pre-approved by the European Commission for data transfers. But neither Privacy Shield nor Standard Contractual Clauses fix the fundamental problem: the scope of U.S. government surveillance and the obstacles to judicial redress.
Schrems II: The Irish High Court Proceedings
In 2015, Schrems renewed his complaint, challenging Facebook’s reliance on Standard Contractual Clauses to transfer data, and again arguing that the scope of U.S. government surveillance renders Facebook’s data transfers unlawful. For procedural reasons, the Irish Data Protection Commissioner brought the case to court in Ireland, with Schrems and Facebook as defendants. Unsurprisingly, Facebook argued that its users’ data is adequately protected, and that if Europeans are illegally surveilled, sufficient remedies are available.
My testimony explained why that’s not the case. Europeans’ data is vulnerable to mass surveillance by the NSA and other U.S. agencies under two broad surveillance authorities: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order (EO) 12,333.
Section 702 allows the U.S. government to target any non-U.S. person abroad to collect “foreign intelligence information,” defined broadly to encompass information related to the “foreign affairs” of the United States. The government’s targets need not have any connection to terrorism investigations or criminal activity, and can include academics, journalists and human rights workers. Last year, the United States targeted more than 164,000 individuals and groups under the law, resulting in the mass collection of hundreds of millions of communications. Relying on Section 702, the United States asserts it can surveil law-abiding Europeans under programs such as PRISM, which pulls information from American tech firms, and Upstream, which involves copying and searching through vast quantities of Internet communications in transit, to locate the communications of the government’s targets.
Under EO 12,333, the United States contends that it can search through and collect Europeans’ communications in bulk—without any target whatsoever—to obtain “foreign intelligence” information. The order defines “foreign intelligence” as including “information relating to the capabilities, intentions, or activities of . . . foreign organizations [and] foreign persons”—sweeping even more broadly than the definition under Section 702.
Redress is also a problem. Within the U.S. legal system, there are substantial obstacles to obtaining remedies for these privacy violations, because the United States almost never officially notifies the millions of people it subjects to this spying. Without notice, it is extraordinarily difficult to establish standing to sue—especially in light of the U.S. government’s aggressive invocation of the “state secrets” doctrine to withhold evidence and seek dismissal.
After hearing from several experts on U.S. law, the Irish High Court ruled that U.S. surveillance results in the “mass indiscriminate” processing of Europeans’ private data. It also found that Schrems’ and the Irish Data Protection Commissioner’s concerns about the lack of remedies for this surveillance are “well-founded.” In addition to these factual findings, the court referred several legal questions to the Court of Justice about Standard Contractual Clauses and the Privacy Shield agreement.
II. The Court of Justice Hears Schrems II
At the day-long hearing on July 9, the Court of Justice heard from the three parties, the European Commission, several E.U. member states, the U.S. government, and the Electronic Privacy Information Center, among others. The oral presentations and the court’s questions repeatedly returned to U.S. surveillance law and practice, and four issues seemed especially important to the court:
The Scope of Upstream Searches Under Section 702: The court asked the European Commission whether, at present, the U.S. government searches through the contents—as opposed to the metadata alone—of transiting Internet communications to locate those to and from its targets. This question bears on whether Upstream surveillance involves “generalised access” to the contents of communications, contrary to E.U. law.
For many years, it was obvious that the NSA (with the compelled assistance of telecommunications providers) searched through the contents of communications in transit, because the NSA was retaining communications that were merely “about” selectors associated with the government’s targets. In 2017, as a result of the agency’s systemic failure to comply with court-imposed restrictions on surveillance, the NSA ended the collection of communications merely “about” its targets. However, there’s no indication that the NSA has stopped searching the full contents of communications as they pass through its surveillance devices, prior to what the U.S. government calls “acquisition” or “collection”—i.e., prior to the NSA’s long-term retention of communications to or from its targets. Even Facebook’s expert agreed on this point in the proceedings in the Irish High Court.
After hesitating briefly, the barrister for the European Commission represented that the NSA is searching only metadata now, not the contents of transiting Internet communications. Yet the basis for this assertion was unclear. The U.S. government has never publicly made this claim itself. And, by all indications, it has been reluctant to share classified details about its surveillance with the European Commission.
Regardless, given the court’s concerns, what should be most relevant is that the U.S. government claims the legal authority to resume Section 702 “about” collection in the future, following Foreign Intelligence Surveillance Court (FISC) approval of revised targeting and minimization procedures. Congress’ 2018 modifications to Section 702 allow the NSA to restart the practice if it obtains FISC approval, and if, following notification to certain congressional committees, Congress fails to pass legislation preventing the practice within one month.
Alternatives to Section 702 Surveillance: Describing the U.S. government’s access to the world’s communications, the barrister for Schrems analogized the “targeted” surveillance of Europeans’ communications under Section 702 to a person with a library card: Even if she can check out only one book at a time, she has access to the entire library. In other words, Schrems argued that because Section 702’s targeting threshold is so low, the statute effectively grants the NSA the power to access the entire library of international communications. (Indeed, this analogy actually understates the nature of the NSA’s reading habits: The library patron here is checking out more than a billion books a year.)
In response, the barrister for the European Commission claimed that the U.S. government had “no alternatives” to the current library regime—but that’s not the case. For instance, under Section 702, Congress (or the executive branch) could raise the targeting threshold, so that the U.S. government is permitted to target only those individuals for whom there is probable cause to believe they are agents of a foreign power. And with respect to Upstream surveillance in particular, the United States could do far more to isolate the communications of its targets based on metadata, rather than searching the entire contents of international communications. Regardless of whether these alternatives would satisfy E.U. law—to say nothing of the Fourth Amendment to the U.S. Constitution—it’s plain that the U.S. government has ways of conducting surveillance that are more protective of privacy.
The Significance of EO 12,333 Surveillance: Schrems and the Irish Data Protection Commissioner argued that, in evaluating whether the United States ensures an adequate level of protection for Europeans’ data, the court must take into account U.S. surveillance of communications under EO 12,333. As noted above, EO 12,333 authorizes bulk, indiscriminate collection of Europeans’ electronic communications—unquestionably the kind of “generalised access” that, according to Schrems I, violates the essence of the right to privacy.
In response, Facebook and the U.S. government argued that EO 12,333 surveillance is irrelevant. That’s because this electronic surveillance is largely conducted outside the United States, and they contend that the Court of Justice should consider only surveillance that occurs on U.S. soil. However, as Schrems observed, it would be nonsensical for E.U. law to require stringent protections for data transferred to U.S. territory, while allowing the U.S. government to do whatever it likes with the data as it crosses the Atlantic Ocean.
Although the court didn’t indicate how it would rule on the relevance of offshore EO 12,333 surveillance, it did ask the U.S. government whether any forms of EO 12,333 electronic surveillance take place inside the United States.
Surprisingly, the barrister representing the U.S. government responded by stating that EO 12,333 surveillance doesn’t take place inside the United States. That’s flatly incorrect. For example, the U.S. government conducts a form of EO 12,333 surveillance, known as “Transit Authority,” inside the United States. Although relatively little is known about this surveillance, it is designed to acquire foreign-to-foreign communications transiting U.S. soil. In follow-up remarks, the U.S. government’s barrister emphasized that, “after” communications are transferred to the United States, the U.S. government can acquire them only pursuant to statutory authority, not the executive order. It is true that, once the communications arrive at a U.S. server and are at rest, statutory law governs. But that’s not the case for communications that are transiting U.S. soil. The U.S. government’s description of EO 12,333 raises questions about whether it has provided a complete picture of how it may access private data that is being transferred to or through the United States.
Obstacles to Redress: In their briefing and at argument, Schrems and the Irish Data Protection Commissioner explained that the standing and state secrets doctrines are substantial obstacles to redress in U.S. courts. In response, the U.S. government and the European Commission have been quick to point to ACLU v. Clapper, in which the ACLU established standing to challenge the U.S. government’s bulk collection of Americans’ call records under Section 215 of the USA Patriot Act.
But Clapper was a highly unusual case. In the immediate aftermath of the Snowden revelations, the Director of National Intelligence officially acknowledged the authenticity of a court order directing Verizon Business Network Services to produce to the NSA all call detail records of its customers’ calls. In light of this official acknowledgment, and the fact that the ACLU was a Verizon Business Network Services customer, it was indisputable that the ACLU’s call records were among those collected under the program.
With the exception of this unprecedented disclosure, parties who challenge U.S. government surveillance continue to encounter severe obstacles when seeking remedies in U.S. courts—discussed at length in the ACLU’s report to the Court of Justice.
The court’s Advocate General plans to issue his opinion on December 12, and the court’s ruling will likely follow a few months later. (While the Advocate General’s opinion carries significant weight, the court will not necessarily adopt its reasoning or conclusions.)
Although it’s not clear whether or how the court will ultimately rule on the adequacy of U.S. protection for Europeans’ data, its decision has the potential to make transatlantic data transfers much more difficult and costly. If the court concludes that U.S. surveillance is a problem, we can expect business interests to advocate forcefully for surveillance reform, so that future E.U.–U.S. data-transfer mechanisms will satisfy E.U. law.