By now, most members of privacy circles have become well versed in the details of the Court of the Justice of the European Union's recent ruling in Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems. As has been explained thoroughly elsewhere, the major outcome of the CJEU’s decision in the case was to invalidate the EU-U.S. Privacy Shield, a framework for transferring personal data from the EU to the U.S., for failing to provide essentially equivalent protection as EU data protection law. The court did so because it reasoned that U.S. bulk surveillance lacked what it deemed to be necessary safeguards or limitations, based on the EU’s legal standard of “proportionality.” It also took issue with the fact that EU data subjects lack access to redress or legal remedy if their data were unjustly intercepted in U.S. intelligence efforts. Regarding the validity of standard contractual clauses, the court upheld them in principle with the understanding that the EU General Data Protection Regulation anticipates “other clauses or additional safeguards” could be used to transfer data to countries in cases where SCCs cannot offer adequate protection.

Given the intense discussions that have occurred around the outcome of the case over the past several weeks, we are afforded the chance to step back and consider the insights from these deeper analyses of the case. Although there are too many to list exhaustively, a few excellent ones can be found here, here and here. For example, George Washington University Law School Leroy Sorenson Merrifield Research Professor of Law Francesca Bignami has analyzed the case within the context of key political developments that have occurred over the past several years. She argues cogently that the CJEU’s judgment in this case — and its privacy jurisprudence more broadly — can be read as a critique of recent developments such as the Facebook-Cambridge Analytica scandal, Russia’s interference in U.S. elections, the way in which the Trump administration has “undermined fundamental principles of US liberal democracy,” Brexit and the EU’s expansion of its own surveillance laws.

This piece turns the focus to one of the central consequences of the ruling, which is the rise in uncertainty around trans-Atlantic data transfers, in particular, and international data transfers, in general. To overcome this uncertainty, numerous privacy scholars and researchers have sought to map out the space of possibility with regard to U.S. surveillance reform, for which simple policy solutions are all but absent.

SCCs did not really survive 'Schrems II'

While the interpretation of the status of SCCs as a data transfer mechanism has varied widely, even among European data protection authorities, an increasing number of voices have raised serious concerns about their continued use. As Georgetown University Law Center's Kenneth Propp and Alston & Bird Senior Counsel Peter Swire, CIPP/US, have explained, the CJEU’s ruling “cast substantial doubt on the validity” of SCCs to transfer data from the EU to the U.S. In this vein, the Brookings Institution's Joshua Meltzer has argued that the CJEU’s decision in "Schrems II" makes clear that “all the key GDPR mechanisms for transferring personal data from the EU to third countries are unstable,” including not only SCCs and BCRs, but adequacy decisions, as well.

In more emphatic language, SCCs are “in a coma on life support,” according to George Washington University Law School Professor Dan Solove. In his detailed analysis of the implications of the decision, Solove explains that “A close look at the decision reveals that the SCC [and BCRs] don’t really survive, at least not for the U.S.” Perhaps in reference to the 101 complaints filed by NOYB Aug. 17, the organization for which Max Schrems serves as the honorary chairman, for continued use of Google Analytics or Facebook Connect by European companies, Propp and Swire have also suggested that SCCs “appear[] unlikely to survive ensuing European litigation.” Similarly, Steptoe & Johnson Partner Stewart Baker has stated that “very few lawyers think those clauses will provide any protection when challenged.”

Wilson Sonsini Goodrich & Rosati Senior Privacy Counsel Christopher Kuner has remarked that the court’s reasoning regarding the use of SCCs “seems weak and betrays a lack of familiarity with the practical implications of using them.” He also points out that, although the court suggested that “supplemental measures” can be used to protect data transferred with SCCs, it did not say what such measures could be. Similarly, Indiana University Vice President for Research, Distinguished Professor, and C. Ben Dutton Professor of Law Fred Cate (whom I have the privilege of referring to as my doctoral dissertation advisor, as well as my favorite privacy scholar) notes the inconsistency in the judgment to strike down Privacy Shield but leave intact other mechanisms for EU-U.S. data transfers. As he astutely puts it, “if U.S. surveillance poses a threat to European data, it poses it no matter what method is used to transfer the data into the U.S.”

Given that the CJEU seems to now expect companies to conduct the type of assessments of third country’s laws that the European Commission would undertake under Article 45 of the GDPR, SCCs have in effect become “mini adequacy decisions.” As Kuner has also explained, the CJEU’s decision in "Schrems II" “will require data controllers to become experts in third-country law in a way that is probably beyond the capabilities of many of them.”

The EU’s problem with US surveillance

Concern over abuses of surveillance powers has not only been at the heart of years-long negotiations around EU-U.S. data transfers but was central to the foundational discussions of the GDPR. As Bignami explains, “In the long fallout from the Snowden revelations, U.S. diplomacy has been geared at assuring the EU that the surveillance of non-U.S/ persons in the institutional practice of the executive branch is far less expansive and much more privacy protective than it might seem from the letter of the law.”

While this diplomatic outreach may have been responsible for bringing European regulators to the negotiating table for the Safe Harbor and Privacy Shield agreements, it has not convinced the EU’s judicial authorities. Indeed, one of the key reasons the CJEU decided to strike down the Privacy Shield agreement was the primacy of U.S. surveillance law over it.

Yet, numerous analyses of the "Schrems II" decision have pointed out the disconnect it evinces between the standards to which the CJEU holds surveillance systems in third countries and the standards to which it holds surveillance systems within the EU, with the former allegedly being higher. Expounding upon this point, Meltzer argues that, “GDPR uses the threat of withdrawing access to EU personal data as a tool to seek reform of other country’s security agencies to reflect the CJEU notion of proportionality, while exempting [EU] member state governments from similar expectations or threats.”

In this vein, another has referred to the CJEU’s ruling in "Schrems II" as a “confession of hypocrisy” in its treatment of third countries versus member states.

Apropos these claims, it should be acknowledged that the European Court of Human Rights can provide a mechanism for redress for individuals targeted by unlawful surveillance. No equivalent institution exists within the U.S. legal order, and the threshold for Americans and non-Americans alike to challenge the legitimacy of U.S. surveillance laws is virtually unreachable.

The inability to assert standing to challenge US surveillance laws

In the U.S. court system, the three elements needed to establish Article III standing are for a plaintiff to have suffered an “injury in fact,” for that injury to be fairly traceable to an action of the defendant and for the injury suffered to be redressable by a court of law. On the grounds of national security, however, intelligence agencies can exempt themselves from legal provisions that would require them to provide access and/or redress to surveilled individuals. From a national security perspective, having intelligence agencies exempt from strict transparency or disclosure requirements seems reasonable. As Brown University’s Watson Institute Senior Fellow Timothy Edgar has put it, “it makes no sense … [to] grant[] targets of legitimate surveillance activities access to their files.” But, this exemption itself holds back challenges from individuals that could prove that a particular surveillance activity was not legitimate.

The consequence of these dynamics is that only in only the rarest of circumstances would an individual have the evidence needed to demonstrate they were the target of surveillance, which makes it virtually impossible for an individual to have the standing to challenge them in court. As TeachPrivacy Founder Dan Solove explains, “even people in the U.S. have difficulties challenging government surveillance because the government can maintain the secrecy of the surveillance and then get people’s constitutional or legal challenges to the surveillance thrown out of court because people can’t prove that they are under surveillance.”

In perhaps the highest-profile case of this nature, Clapper v. Amnesty International, 568 U.S. 398 (2013), the U.S. Supreme Court agreed with a lower court’s finding that the plaintiff did not have the standing to challenge Section 702 of the Foreign Intelligence Surveillance Act because they could not demonstrate that they had been subject to surveillance and, therefore, could not demonstrate that an injury had occurred.

Thus, the secrecy of surveillance activities in the U.S. often functions as an insurmountable hurdle for plaintiffs who wish to challenge specific surveillance programs or the laws upon which they are based in court.

The EU’s solution: Maintaining secrecy while allowing legal challenges

Reconciling oversight of surveillance harms with the desire to maintain the secrecy of surveillance activities has not eluded EU legal authorities. Indeed, the case law of the European Court of Human Rights provides a way out of this deadlock. The ECHR has accepted that “an individual could, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures had been in fact applied to him or her.”

Thus, individuals can claim that one of their rights protected by the European Convention on Human Rights has been violated without having to demonstrate that any specific surveillance of them occurred. The court has thereby reviewed numerous complaints over the years about surveillance brought about by individuals, considering the validity of their claims by “determining whether the contested legislation was in itself compatible with the Convention’s provisions” and has done so “irrespective of any [surveillance] measures actually taken” against the complainants.

Is there a way forward?

Whether the lack of individual redress in U.S. surveillance law can be overcome will depend upon the threshold that would satisfy the CJEU. Legal reforms meeting the CJEU’s standards would likely need to be significant. Indeed, the consensus among observers seems to be that “it is impossible to solve the judicial redress issue without U.S. structural reform.”

A recent set of proposals from Propp and Swire suggests that the deficiency in judicial redress for U.S. bulk surveillance pointed out by the CJEU might be remedied by a process composed of at least two dimensions: one being “ a credible fact-finding inquiry into classified surveillance activities,” and the other being “the possibility of appeal to an independent judicial body.” Although such reforms would likely suffice in theory, the likelihood of their enactment is a separate and important question. Indeed, it is also worth mentioning that many have advocated for the U.S. government to take a much less conciliatory approach to the ruling.

Regardless of which direction, if any, the U.S. moves from here, only action by Congress seems likely to resolve the issues regarding U.S. surveillance raised by the CJEU in "Schrems II" and clarify the issues of legal uncertainty that have clouded the transatlantic waters.

Conclusion

The issues raised by the CJEU regarding the absence of a mechanism for individual redress for unlawful surveillance defy easy fixes. Untangling the implications of the court’s findings has proved significantly challenging for privacy observers, regulators and professionals alike. While the judgment has been clarifying in some respects, it has been mystifying in others. Indeed, no one should deceive themselves about the difficulty of the problems now facing regulators, companies, privacy professionals and advocates around the world. One of the few traces of certainty to cling to is that the "Schrems II" ruling has made a global impact — in a year marked by a once-in-a-century pandemic, nonetheless — and will continue to impact data protection and privacy in practice for many years to come.

Photo from Unsplash