Schrems II and individual redress-where there’s a will, there’s a way
The issue of individual redress has bedeviled negotiations between the European Union and the United States for more than two decades. Three adequacy deals - the Passenger Name Record (PNR) Agreement, Schrems I and Schrems II - have now unraveled because the European Court of Justice (CJEU) insists on an effective judicial remedy and the U.S. is unable to provide one.
The latest ruling in Schrems II, invalidating the Privacy Shield, emphasized that the requirements of adequacy or “essential equivalence” apply to all systemic transfer provisions under the General Data Protection Regulation (GDPR).
The EU and the U.S. must find a durable arrangement for data transfers. If they do not, then complaints and court rulings will perpetually impede international transfers. This requires, as a matter of substance, solving the problems of necessity and proportionality, and, as a matter of governance, solving the problem of individual redress.
The ruling in Schrems II that the Ombudsperson mechanism was inadequate did not come as a surprise. After all, one of the two central issues in Schrems I, an earlier cross-border data case brought by the same Austrian activist, was the right to an effective judicial remedy under Article 47 of the EU Charter of Fundamental Rights. In the aftermath of Schrems II, Theodore Christakis recommends against another quick fix like the Privacy Shield and pushes for a long-lasting EU-U.S. arrangement providing legal certainty for years to come, and Christopher Kuner hopes that the governance issues may be easier to deal with in a legal sense, “assuming the political will to do so in the US.”
One practical idea has come from Kenneth Propp and Peter Swire in the U.S., who have published their “Proposal to Meet the Individual Redress Challenge.” They offer a pragmatic analysis of the lack of individual redress and the tools available in the U.S. that could arguably be modified without great administrative or legislative overhaul to permit a third and more durable adequacy regime. Crucially, Propp and Swire assert that existing institutional mechanisms within U.S. surveillance law can be adapted to this task and there is no need to start from scratch.
The objective of this post is to respond to Propp and Swire from a European perspective, to underline the acceptable elements of their proposal and clarify which questions remain. While the discussion in this post is focused on the U.S. and the EU, it affects many other third countries confronted with similar issues.
The CJEU will Enforce EU Fundamental Rights
Before diving into the Propp and Swire proposal, it’s important to get a bit of background. While negotiating data privacy with the EU has seemed lengthy and sometimes maddening for the U.S, the EU is equally frustrated by its failure to convey its deep commitment to the rights and values at stake. These are embodied in the EU Charter of Fundamental Rights, which itself complements and modernizes the more venerable and pan-European Convention on Human Rights (ECHR). Since the Lisbon Treaty came into force, the charter has enjoyed constitutional status and has been applied consistently in the case law of the CJEU.
Some commentators in the U.S. assert that the information processed by intelligence agencies simply falls outside EU law, but this is a red herring. Yes, Article 4 of the EU Treaty, reflected in the exception to scope under Article 2(d) of the GDPR, does reserve national security to the EU Member States. However, Article 4 excludes from EU law only the activities that intelligence agencies carry out themselves, exercising sovereign authority. In contrast, information collected by private operators for commercial purposes is covered by EU law: when it is then accessed for intelligence purposes it is covered by the requirements laid down in Article 23(a)-(d) of the GDPR. The CJEU has reiterated this point in multiple rulings, and it was simply extended to international transfers in Schrems I. The same distinction exists in the ePrivacy Directive, and on Oct. 6, the CJEU confirmed the distinction definitively in rulings on bulk surveillance programs in Belgium and France and in the U.K.
In the data protection area, the CJEU has prioritized the rights to privacy, protection of personal data and access to an effective judicial remedy, enshrined in Articles 7, 8 and 47 of the EU Charter, over inconsistent EU and national law. Privacy Shield is not the only provision to be rejected by the court for these reasons. The CJEU has set aside EU statutes such as the Data Retention Directive, statutory instruments such as the Safe Harbor and Privacy Shield Decisions (Schrems I and II), and treaties such as the draft EU-Canada PNR Agreement, as well as national statutes and even national constitutional laws that failed to respect these rights. It should be noted how often these three rights were invoked in Schrems II.
Propp and Swire argue that individual redress entails, at a minimum, constructing a system of administrative fact-finding and judicial review to respond to individual complaints. But unsurprisingly, the situation is more complicated from an EU perspective.
The key to identifying potential points of future compromise by the EU is understanding the nature of three different types of institutions: data protection officers (DPOs), independent supervisory authorities (DPAs) and courts. It is essential to recognize the differences between a DPO and a DPA, with regard to independent oversight; between administrative oversight by a DPA and redress before a court, with regard to effective legal redress; and between a court under the charter and an authority under the ECHR, with regard to providing an effective remedy. These three differences are examined in detail below.
Independent Oversight and the Difference Between a DPO and DPA
The difference between a DPA and a DPO is crucial when establishing whether there is independent supervision. Under the GDPR, DPOs are part of the organization of the data controller but have the right and duty to act independently in carrying out their roles. A similar, though not legally identical, role of chief privacy officer is well established in the United States.
In contrast, the right to independent supervision by a DPA is enshrined as a specific element of the right to protection of personal data in Article 8(3) of the EU Charter and in Article 16(2) of the EU Treaty itself. In a series of cases interpreting and applying Article 8(3) of the charter, the CJEU has insisted on the “complete” independence of DPAs in setting aside state law, national law and national constitutional law. In July 2017, the CJEU applied this requirement to international transfers in EU-Canada PNR. Because this last ruling was handed down a year after the adoption of the Privacy Shield, it was not an issue for the negotiators of the Privacy Shield. However, in the interests of ensuring a durable solution, it would be prudent now to consider the need for an “essentially equivalent” form of independent supervision.
Kristina Irion and other commentators have pointed to possible problems for the U.K. in obtaining an adequacy decision due to its broad surveillance laws and, hence, the same problems of substance, necessity and proportionality raised in the two Schrems rulings. These fears have been given more weight in the rulings of Oct. 6 referenced above. However, the governance issues of independent supervision and individual redress should not be problematic for the U.K.: It has a specific supervisory authority for intelligence oversight, the investigatory powers commissioner (who must be a present or former judge), as well as a specific court, the Investigatory Powers Tribunal, to provide a legal remedy.
In the U.S., the Federal Trade Commission is unquestionably an independent data protection regulator. However, like many EU national DPAs, it has no jurisdiction over state surveillance. A report by the Fundamental Rights Agency, volumes I and II, shows that in many EU Member States such jurisdiction is exercised by expert bodies supervising the intelligence community. In this respect, there exist mechanisms in the U.S. system that could be adapted to meet this requirement.
Propp and Swire’s proposal references the privacy and civil liberties officers (PCLOs), senior officers established in a number of U.S. government departments and agencies with statutory responsibility for investigating and addressing complaints about violations of privacy and civil liberties. They suggest that PCLOs could be an acceptable “fact-finder” to the EU, given their statutory responsibility for investigating and addressing complaints about violations of privacy and civil liberties and other “relevant virtues.” They add that PCLOs could be empowered to conduct factual investigations, including of non-U.S. persons, simply by administrative direction, and thus be converted into a sort of oversight mechanism. However the PCLO, like the chief privacy officer, has a role comparable to a DPO, as the authors themselves recognize. The PCLO therefore cannot serve alone, from an EU perspective, either for independent oversight or for judicial redress. Recourse to a court does not cure either inadequacy. As Justice Caroline Costello noted in her 2017 High Court ruling, the judicial remedy is there for when the administrative oversight fails—it is not a replacement for adequate administrative oversight all together.
The U.S. mechanism best suited to cure the inadequacy of the PCLO may be the Office of Inspector General. According to the Irish High Court ruling, inspectors general are present in all the law enforcement and intelligence departments, hold the necessary security clearances and are empowered to issue nonbinding recommendations for corrective action. It could be useful to explore whether the powers of the inspectors general could be strengthened to hear complaints referred by PCLOs and adopt binding orders for corrective action. Inspectors general, in some cases, report directly to Congress and are typically regarded as independent. However, inspectors general are political appointees of the executive and can be easily removed, as recent experience shows. Any further measures would have to address how far it is legally possible to increase the security of such appointments.
In any event, the independence of the Office of Inspector General would always have its limits, as the office would remain situated within the executive branch. In the European context, the CJEU specifically criticized the presence of the Austrian DPA within the Austrian administration. However, the test for adequacy is not absolute equivalence (between the level of protection in the third country and that level present inside the EU) but, rather, essential equivalence, so the presence of the Office of Inspector General in the executive branch should be acceptable so long as its powers of oversight were extended to permit it to act as an independent supervisory authority with binding powers to deal with complaints.
The CJEU has a similar arrangement. The court has set up a supervisory authority within its own structure. The independence of this authority is based on the fact that its members are independent members of the judiciary. This exceptional example underlines that the presence of a supervisory authority within the structure of a public authority is not necessarily fatal to its independence, so long as that independence is real.
The combination of PCLOs and inspectors general would begin to meet the requirement of independent supervision. And it would not be challenging to add another layer of review to this model. Building on the Propp and Swire proposal, the results of this independent administrative oversight could then be challenged before the Foreign Intelligence Surveillance Court (FISC).
Finally, to ease legitimate concerns that details of specific intelligence activities might inadvertently be publicized by regulatory authorities, Propp and Swire suggest that the PCLO, or the inspector general, could make a finding similar to the one assigned to the ombudsperson under the Privacy Shield: advising the complainant either that there has been no violation of U.S. surveillance law or that any violation has been corrected. This would mean reporting the final decision, without divulging the specific details of any collection activity. Such limited reporting should be acceptable to the European side if it is entrusted to an independent supervisory authority, such as the combination of PCLOs and inspectors general discussed above. For example, this type of reporting can be found in Article 17 of the Law Enforcement Directive (EU) 2016/680.
The Difference Between Administrative Oversight by a DPA and Redress Before a Court
Article 47 of the EU Charter frames the right to an effective judicial remedy as an overarching fundamental right applying across the board to the fundamental rights in the charter. Judicial redress must be available separately from independent supervision—neither alone is sufficient to satisfy the standard set by the charter. The GDPR distinguishes between the right to complain to a DPA (Article 77), and the right to bring a legal action against a controller or processor (Article 79) and to claim compensation for damage suffered (Article 82).
In Schrems II, the CJEU criticized the fact that EU litigants who seek a remedy before the U.S. courts often lack standing to bring suit. To reconcile the requirements of Article 47 of the EU Charter with the U.S. restrictive approach to standing, Propp and Swire suggest that the finding of the PCLO (or the inspector general) could be appealed to the Foreign Intelligence Surveillance Court. They describe the FISC as having specialized expertise in U.S. surveillance law, well-established procedures for dealing with classified matters and a proven track record of effective judicial oversight. As with other decisions by the FISC, Propp and Swire point out that FISC decisions in this domain could be appealed to the Foreign Intelligence Surveillance Court of Review and ultimately to the U.S. Supreme Court.
This does not enable EU complainants to resort directly to the FISC. They would first have to complain to an administrative body, such as the inspector general or the PCLO. However, this arrangement could well be acceptable from an EU perspective. The CJEU has accepted that countries can require recourse to an independent administrative body so long as the administrative procedure does not cause a substantial delay to bringing legal proceedings before a court.
Remedies From a Court Under the Charter or an Authority Under the ECHR
Another alternative to the approach Propp and Swire suggest would be to change the jurisdiction, tasks and powers of the Privacy and Civil Liberties Oversight Board (PCLOB) so that it could provide individual redress as well as independent oversight. This change would not be unprecedented. For example, Congress has conferred an additional, internal adjudicative process on the Federal Trade Commission. Propp and Swire describe the PCLOB as a small federal agency currently charged with protecting privacy and civil liberties in relation to U.S. counterterrorism programs. The authors note the PCLOB’s reputation for independence, its powers of oversight and policy at the programmatic level, and its access to Top Secret and other classified databases. At the same time, they note the limitations of the agency’s role and its jurisdiction. In particular, the PCLOB receives reports from PCLOs on the number and nature of the complaints received by their agencies, and it may make recommendations to PCLOs—but it has no authority to hear complaints itself. The necessary changes would require a remedy from Congress, although Congress would not have to create a brand new structure.
How could the PCLOB be reconfigured to make it an effective remedy that satisfies the standard set in Schrems II? Article 47 of the EU Charter provides for the right to an “effective remedy before a tribunal.” In Schrems II, the advocate general enumerated the criteria laid down by the CJEU to assess whether a body is a tribunal. The decision hinges on “whether the body is established by law, whether it is permanent, whether its jurisdiction is compulsory, whether its procedure is inter partes, whether it applies rules of law and whether it is independent[.]” Probably the most important of these criteria is the requirement of independence. This means acting autonomously, without being subject to decisions or pressure by any other body that could impair the independent judgment of its members.
The ECHR has the same standard of independence, but its standard for review differs in one important respect. Article 13 of the ECHR enshrines the right to an “effective remedy before a national authority.” The case law of the ECHR confirms that an authority does not need to be a court or tribunal in the strict sense. It may be a quasi-judicial or administrative body so long as it satisfies the criteria to determine that the remedy is effective—namely that it is independent, that it affords the necessary procedural safeguards to the applicant and that it has the power to hand down a legally binding decision.
This difference between the EU Charter standard and the ECHR standard is crucial to understand. The effective remedy provided by an authority under Article 13 of the ECHR is distinct from the effective remedy by a tribunal under Article 47 of the EU Charter. And the EU Charter standard is more rigorous than the ECHR standard. According to the Explanations relating to the EU Charter, the protection under Article 47 is more extensive than under Article 13 of the ECHR because “it guarantees the right to an effective remedy before a court.”
But the CJEU itself in Schrems II may have offered a slightly different reading of Article 47 and articulated a slightly more flexible standard for assessing the adequacy of an extrajudicial remedy in a third country than would be available within the EU. It reiterated the need for “an independent and impartial court[,]” but it indicated two minimum elements required for an adequacy assessment of effective judicial review. Namely, it criticized the ombudsperson mechanism for lacking legal guarantees of independence from the executive and the power to adopt decisions binding the intelligence services. That is, it indicated that the minimum standard for review required is independence and the power to impose binding decisions.
Thus the question is whether the PCLOB meets the criterion of independence articulated in the case law of the CJEU and the ECHR, and whether Congress could enhance its powers and procedures to provide the PCLOB in particular for the necessary procedural safeguards and binding legal powers. If so, the PCLOB would satisfy the requirement of an effective remedy both under Article 13 of the ECHR and under Article 47 of the EU Charter laid down in Schrems II.
This could be an opportunity for the CJEU to give meaning to the difference between essential equivalence and absolute equivalence mentioned above when deciding on the standard of individual redress to be applied in the specific case of international transfers. If the content of the right under Article 47 is ensured, then the form should not be an obstacle.
Finally, it would be prudent to apply the granular approach that Propp and Swire spell out, providing for appeal from decisions by the PCLOB to the FISC.
Propp and Swire’s proposal provides a valuable framework for discussions by U.S. policymakers on a durable solution to individual redress in the United States.
The U.S. side has to consider some unavoidable facts. The EU Charter requires both an effective remedy and independent supervision. This post adds to the discussion possible roles for the inspector general and the PCLOB.
The EU side has to consider what “essentially equivalent” means, and whether an effective remedy ensured by a third country, whatever its form, would be sufficient in the case of international transfers to that country. This post argues that the ECHR standard is sufficient to satisfy the requirement of “essential equivalence,” particularly in view of the requirements of independence and binding legal powers.
It is time to grasp the nettle. A compromise is worth the effort. And if there is the will, there is a way.
Written by Christopher Docksey for Lawfare - More blogs on Law Blogs Maastricht