This post is the second installment on the Biden administration’s executive order on signals intelligence collection and use. Below, I address the administration’s new procedures for handling complaints of unlawful surveillance, my initial take on why these procedures are unlikely to satisfy the Court of Justice of the European Union (CJEU), and why Congress must step in to ensure individuals can fairly pursue redress in Article III courts. Read Part I of the series, by Liza Goitein, here.
Background: The Schrems II Decision and the End of Privacy Shield
The executive order and accompanying DOJ regulations are intended to facilitate a new EU–U.S. data-transfer agreement, following the July 2020 decision by the CJEU in Data Protection Commissioner v. Facebook Ireland & Maximillian Schrems. (In that litigation, I provided expert testimony on U.S. surveillance law and remedies in the Irish High Court, and I submitted a report on U.S. law to the CJEU on behalf of Max Schrems, an Austrian privacy advocate.) The CJEU’s decision resulted in the invalidation of a previous EU–U.S. agreement, known as “Privacy Shield.” The ruling also made it more challenging for companies to rely on alternative mechanisms for transferring data from the European Union to the United States, due to the scope of U.S. surveillance and lack of legal remedies for unlawful surveillance.
Why do we need these special data-transfer mechanisms at all? Under EU law, companies face a variety of restrictions on transferring personal data outside of the Union. The purpose of Privacy Shield was to allow EU companies to transfer data to the United States more easily, based on the theory that U.S. businesses could, by subscribing to certain principles, ensure an “adequate” level of protection for Europeans’ data and compliance with EU law.
That theory was belied by reality. Even if U.S. companies adopt privacy-protective principles, they cannot stop the U.S. intelligence community from conducting surveillance—and, as the CJEU held, the breadth of that surveillance is at odds with EU law. The court further held that U.S. redress mechanisms for unlawful surveillance are insufficient. (Notably, in 2015, the court made similar observations about U.S. law when invalidating the precursor agreement to Privacy Shield, known as “Safe Harbor.”)
More than 5,000 U.S. companies—including many small- and medium-sized businesses—relied on Privacy Shield for transatlantic data transfers. Since its demise, data transfers to the United States have become more complicated, costly, and shrouded in legal uncertainty. For example, over the summer, the Irish Data Protection Commission issued a draft decision that would prevent Meta, Facebook’s parent company, from sending large volumes of user data from Europe to the United States. In response, Meta warned that if the draft decision becomes final, the company would be forced to shut down Facebook and Instagram in Europe.
For a new transatlantic agreement to survive judicial scrutiny in the European Union, the CJEU must find that U.S. law provides a level of protection for Europeans’ rights that is “essentially equivalent” to EU law—both with respect to the scope of surveillance and the right to judicial redress. In my view, President Biden’s executive order and regulations fail to provide the necessary protections. As Liza explained in her post, the executive order expressly permits “bulk” collection of private information—a form of surveillance that the CJEU has condemned as violating the “essence” of the right to privacy. And although the new redress procedure is an improvement over the status quo, it is unlikely to meet EU law’s “independence” standard, which requires a judicial body to operate “wholly autonomously” and free from “any hierarchical constraint.”
Article 47 of the Charter of Fundamental Rights and the Redress Conundrum
Under Article 47 of the EU Charter of Fundamental Rights (CFR), individuals whose privacy rights are violated are entitled to an effective remedy, including a hearing by an “independent” and “impartial” tribunal. Other provisions of the CFR and the EU’s General Data Protection Regulation guarantee the right to obtain an end to unlawful surveillance and the right to erasure of unlawfully collected data.
In theory, an ordinary U.S. federal court under Article III of the U.S. Constitution would satisfy the standard of an “independent” and “impartial” tribunal to protect privacy rights. But once again, theory is belied by reality, because vanishingly few plaintiffs in U.S. surveillance cases ever have the merits of their claims heard by a judge or jury.
Indeed, the U.S. government relies on multiple layers of secrecy to thwart virtually all civil litigation challenging foreign intelligence surveillance in U.S. courts. As a matter of U.S. government policy, people generally do not receive notice of this surveillance, even after the surveillance has ended and even where notice would not jeopardize an active investigation. When people have reason to believe that they are subject to surveillance—for example, due to press accounts—the government’s assertions of secrecy make it exceedingly difficult to establish standing to challenge that surveillance. Although surveillance plaintiffs may meet the plausibility threshold at the outset of a case, plaintiffs are eventually required to prove their standing with admissible evidence. Yet the executive branch routinely invokes secrecy to block litigants from accessing the relevant evidence, even under a protective order or via security-cleared counsel.
The government also routinely argues that courts should not be permitted to review secret surveillance materials in civil cases, even ex parte and in camera. Moreover, in the few cases where plaintiffs manage to obtain public, admissible evidence establishing their standing, the executive branch often seeks (and courts often grant) wholesale dismissals of lawsuits based on the “state secrets” privilege. As the Wikimedia Foundation has argued in a recent cert petition in a challenge to Section 702 “Upstream” surveillance, these dismissals are improper where a plaintiff may be able to make its case based on public evidence. But unless and until the Supreme Court weighs in, lower courts will continue to dismiss meritorious suits on state secrets grounds.
Due to this combination of policy and doctrinal hurdles, no civil lawsuit challenging the lawfulness of surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 12333 has resulted in a U.S. court opinion addressing the legality of that surveillance. Nor has any litigant obtained a remedy of any kind for Section 702 or EO 12333 surveillance.
As discussed below, Congress must enact legislation to address these issues, so that Americans and Europeans alike can meaningfully pursue remedies for unlawful surveillance in Article III courts. But rather than bringing proposed legislative reforms to Congress, the Biden administration instead established a new administrative redress procedure—one designed to substitute for judicial review of surveillance complaints. The problem is that this administrative procedure likely fails to satisfy Article 47 of the CFR.
From “Privacy Shield Ombudsperson” to the New Administrative Redress Procedure
In Schrems II, the CJEU held that U.S. law failed to provide an avenue of redress “essentially equivalent” to that required by Article 47. The court observed that neither Executive Order 12333 nor Presidential Policy Directive-28 grants rights that are enforceable in U.S. courts, and it quoted the European Commission’s assessment of obstacles to U.S. judicial redress. The Court of Justice went on to consider whether a novel mechanism for alleging unlawful surveillance, the “Privacy Shield ombudsperson,” satisfied Article 47. In concluding that the ombudsperson was inadequate, the court emphasized several problems. The ombudsperson was housed within the State Department, reporting to the Secretary of State; the Secretary of State could dismiss the ombudsperson without consequence, underscoring the position’s lack of independence; and there was no indication that the ombudsperson had the power to adopt binding decisions, other than the U.S. government’s representation that the intelligence agencies would correct violations found by the Ombudsperson. For these reasons, the court concluded that U.S. legal remedies did not satisfy the standards of EU law.
The Biden administration’s new redress procedure is designed to address at least some of these shortcomings. It involves a two-layer review process.
First, an individual from a “qualifying state”—the list of which is to be determined by the Attorney General—may file a complaint with an appropriate public authority in that state, who will in turn submit the complaint to a Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence (ODNI). The CLPO will then determine whether there was a “covered violation”—i.e., a violation arising from signals intelligence activities regarding data transferred to the United States from a qualifying state—that contravenes one or more of the U.S. Constitution, FISA, EO 12333, the new EO, or applicable implementing procedures.
Notably, the CLPO must “giv[e] appropriate deference to any relevant determinations made by national security officials.” It is unclear exactly what level of deference the CLPO will apply. Nor is it clear whether individual CLPOs will be free to take legal positions that differ from other CLPOs, or whether they will conduct an independent analysis of a critical question: whether some foreign targets of U.S. surveillance may, by virtue of their substantial connections to the United States, have Fourth Amendment rights. (In U.S. litigation, the executive branch has taken the position that foreign targets of Section 702 collection categorically lack Fourth Amendment rights.)
If the CLPO concludes that there was a covered violation, he or she determines the appropriate remedy and informs the Assistant Attorney General for National Security. After the review, the CLPO provides the complainant with a scripted response: “the review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation.”
Second, the complainant or an element of the intelligence community may seek review of the CLPO’s determinations by a new administrative tribunal, the Data Protection Review Court. The judges on the court are appointed by the Attorney General and serve four-year terms. They may not be removed by the Attorney General except for malfeasance, incapacity, or similar misconduct, but notably, there is no limitation on the President’s removal power. Upon an application for review, DOJ convenes a three-judge panel, and then the panel selects a security-cleared “Special Advocate.” The Special Advocate is not an agent of or counsel for the complainant; its job is to assist the court’s work, “including by advocating regarding the complainant’s interest in the matter.” If the complainant filed the application for review, the Special Advocate may transmit written questions to the complainant, but only after DOJ review of these questions.
The court’s mandate is to review the determinations made by the CLPO with respect to whether a covered violation occurred and the appropriate remediation, based on the record created by the CLPO’s review and any information provided by the complainant, Special Advocate, or the intelligence community. The court may also ask the CLPO to supplement the record or make additional factual findings.
If the court finds a covered violation, the executive order provides that the intelligence community “shall comply” with the court-determined remediation. After a review in response to a complainant’s application (but not in response to a government application, because that could disclose that the complainant was in fact subject to surveillance), the court informs the complainant that “the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation.”
The New Redress Procedure Likely Fails to Satisfy Article 47
While the new procedure is an improvement over the Privacy Shield ombudsperson, there appear to be several significant problems under EU law.
The first problem is independence, which is an essential requirement for “effective judicial protection” under EU law. As the CJEU recently explained: “The concept of independence presupposes, in particular, that the body concerned exercises its judicial functions wholly autonomously, without being subject to any hierarchical constraint or subordinated to any other body and without taking orders or instructions from any source whatsoever.”
Although the Biden administration has taken several steps to try to ensure the independence of the second tier of the redress mechanism, both tiers are fundamentally administrative ones, housed within the executive branch. The fact-finding will be conducted by an ODNI office, not a court; the Data Protection Review Court judges will be selected by the Attorney General, not a third-party agency outside of the intelligence community; there’s no limitation on the President’s ability to remove the judges; and the court’s decisions can be overruled by the President. Indeed, the President could presumably overrule these decisions in secret, since the court’s opinions are not issued publicly. Thus, the Data Protection Review Court does not function “wholly autonomously,” nor is it free from “hierarchical constraint.”
Relatedly, the CJEU has emphasized the importance of “protect[ing] against external interventions or pressure liable to impair the independent judgment of [judges] and to influence their decisions.” Rules concerning length of service and dismissal of judges must “dispel any reasonable doubt in the minds of individuals as to the imperviousness of that body to external factors and its neutrality with respect to the interests before it.” The executive order and related regulations set forth several rules that restrict the removal of the Data Protection Review Court judges. However, the judges’ terms are renewable every four years, which may indirectly result in pressure to rule in the government’s favor to ensure renewal.
The second problem is that the one-sided nature of the proceedings violates Article 47’s “fair trial” principles, which require that litigants have the right to take cognizance of evidence submitted to the court; to exchange views on that evidence, so that they may seek to persuade the court; and to have procedural equality with other side. Under EU law, a government may limit these rights only insofar as is necessary and proportionate. Here, however, it is doubtful that the constraints, secrecy, and procedural unfairness of the redress process satisfy that standard—particularly because there is no case-by-case assessment of whether the limitations are necessary; the fact-finding will be conducted by an ODNI office; and vast majority of the fact-finding will take place at the first stage of the process, without even the opportunity for a Special Advocate’s input.
The third problem is the boilerplate nature of the ODNI and Data Protection Review Court’s responses to a complainant. In an analogous context, the CJEU has held that Article 47 requires that:
the person concerned must be able to ascertain the reasons upon which the [governmental] decision taken in relationship to him is based . . . so as to make it possible for him to defend his rights in the best possible conditions and to decide, with full knowledge of the relevant facts, whether there is any point in his applying to the court having jurisdiction.
Yet the response from the ODNI office fails to provide a complainant with any more information than the complainant had at the outset of the process, making it impossible for the complainant to bring a meaningfully informed appeal. And even if a complainant appeals, the Data Protection Review Court’s response has likewise been scripted by the executive branch, which raises questions about whether it qualifies as an independent “judgment” under EU law, and whether this categorical rule can satisfy the proportionality test under EU law. At a minimum, one would expect that where a surveillance violation has been found and redressed, that fact would be disclosed to the complainant. Similarly, where the challenged surveillance is no longer taking place, and where disclosure would not jeopardize an ongoing investigation, these scripted responses are at odds with the fact-specific proportionality analysis that EU law requires.
Fourth, U.S. government data purchases are excluded from the definition of “covered violation.” When a U.S. government agency collects Europeans’ private data in bulk, but does so by paying for it, rather than using electronic surveillance, that collection is simply beyond the scope of the new executive order. Given intelligence and defense agencies’ extensive practice of buying data in bulk, this is cause for concern.
Finally, the lack of notice to people subject to U.S. foreign intelligence surveillance remains an issue. In the Schrems II litigation, the Advocate General’s opinion critiqued the U.S.’s failure to provide notice to individuals even after the surveillance had concluded, and after the point at which notice would no longer jeopardize an investigation. He observed that notification concerning access to data is a “prerequisite to the exercise of the right to a remedy under Article 47 of the Charter.” As the CJEU had previously explained, “That notification is, indeed, necessary to enable the persons affected to exercise their rights under Articles 7 and 8 of the Charter to request access to their personal data that has been the subject of those measures and, where appropriate, to have the latter rectified or erased, as well as to avail themselves . . . of an effective remedy before a tribunal[.]” Without notice of U.S. government surveillance, Europeans would rarely have a reason to file a complaint or an appeal in pursuit of a remedy.
U.S. Legislative Reform Would Put Transatlantic Data Transfers on a Sound Legal Footing
Ultimately, the new redress procedure does not appear to meet basic legal requirements in the European Union, leaving EU–U.S. data transfers in jeopardy going forward. Congress, however, could solve this problem with three targeted reforms to improve access to U.S. courts. These reforms would benefit Americans as well as Europeans, both of whom face significant obstacles to redress when seeking to challenge unlawful foreign intelligence surveillance.
First, Congress should reform the state secrets privilege. It can begin by addressing the Supreme Court’s ruling in FBI v. Fazaga, which held that FISA’s ex parte, in camera review procedures did not preempt the state secrets privilege because Congress did not speak clearly enough to the issue. Through a simple fix, Congress could expressly state its intent to preempt the state secrets privilege where a complaint plausibly challenges FISA surveillance. In these cases, ordinary Article III courts would evaluate both the plaintiff’s standing and their entitlement to redress through ex parte, in camera review. Congress should also specify that FISA’s in camera, ex parte review procedures apply to claims involving EO 12333 surveillance. These reforms would ensure that legal challenges to surveillance are not prematurely dismissed on the basis of the privilege.
Second, Congress should require the executive branch to provide delayed notice of foreign intelligence surveillance to targets of that surveillance, where such notice would not result in an imminent threat to individual safety or jeopardize an active investigation.
Third, Congress should pass legislation to define what constitutes an “injury” in cases challenging government surveillance, as U.S. Sen. Ron Wyden and others proposed in a 2017 reform bill. The Supreme Court has been clear that Congress has a role to play in defining what qualifies as an “injury” for standing purposes, and Congress could expand the set of potentially relevant injuries in surveillance cases—to include, for example, the diversion of time or resources associated with using encrypted communications channels to avoid U.S. surveillance. The idea behind the reform is that it’s easier for a litigant to produce evidence of protective measures than evidence of secret surveillance itself.
Earlier this month, Théodore Christakis, Kenneth Propp, and Peter Swire criticized a version of this “standing fix” as underinclusive because it would not necessarily provide standing to every European. But what they miss is that this fix is not the sole proposed reform; it would work alongside state-secrets and notice reform to provide multiple avenues for affected individuals to establish standing, alleviating the existing obstacles to redress in Article III courts. Some plaintiffs could show a diversion of time or resources to protect against U.S. government surveillance, thus avoiding any need to rely on secret evidence to establish the “injury in fact” element of standing. Other plaintiffs would be able to trigger a court’s ex parte, in camera review at the pleading stage, and a court—applying special safeguards to protect secret evidence—could find that the plaintiff’s communications were interfered with directly. Together, the reforms would prevent the government from invoking secrecy to block lawsuits challenging illegal surveillance—and would instead channel cases into specialized in camera, ex parte review procedures where necessary, so that courts could fairly and independently assess both the plaintiff’s standing and their entitlement to redress.
Discussions of the new redress procedure take place in the shadow of a broader problem: the U.S. statutory and regulatory protections against surveillance are far too modest, and there are relatively few privacy rights for most Europeans to vindicate. But regardless of whether the redress procedure is seldom used, or whether complainants seldom prevail, the procedure must provide protections “essentially equivalent” to Article 47 to accomplish its intended purpose. In all likelihood, the CJEU will hold that the new executive order fails to do so. Nevertheless, there’s still hope for a solution. Congress will take up the question of Section 702 reauthorization in 2023, and it should use that opportunity to enact common-sense reforms that would improve access to justice for all.
(Editor’s Note: The author is one of the ACLU attorneys representing Wikimedia in this suit, alongside co-counsel at the Knight First Amendment Institute at Columbia University and Cooley LLP.)