The much-anticipated Data Protection Commissioner v. Facebook Ireland, Maximilian Schrems decision has been characterized as an “opportunity” to reshape the relationship between global data flows and national security. The petitioner, Maximilian Schrems, began pursuing this case before the enactment of the U.S. Clarifying Lawful Overseas Use of Data Act in 2018. Consequently, the Court of Justice of the European Union may have missed an opportunity to examine the impact of the CLOUD Act in its adequacy determination. The CLOUD Act is indeed a step toward obtaining consensus between the U.S. and foreign countries to increase efficiency in data sharing for the purposes of law enforcement. Reportedly, “Schrems II” has led the U.S. Department of Commerce and the European Commission to initiate discussions to further enhance the EU-U.S. Privacy Shield framework. This willingness may indicate potential reform in existing surveillance practices.
In a post-“Schrems II” world, as a part of its endeavors to reform its surveillance practices, the U.S. should focus on entering into CLOUD Act–like agreements with the EU or individual EU member states. A carefully thought-out model (we do note that the current CLOUD Act model is far from perfect) could potentially harmonize the need for a sufficiently high privacy standard with the need for expedient access to information by law enforcement and intelligence agencies when necessary in the interests of national security.
Reopening the debate on the CLOUD Act
The CLOUD Act allows the U.S. to enter into bilateral agreements with foreign countries for mutual access to data for the investigation and prosecution of serious crimes. The agreement must meet certain baseline requirements: (1) the retrieval of data is targeted to specific accounts, addresses or persons (no bulk collection); (2) these actions are subject to review or oversight by a judge, magistrate or independent authority; (3) the retrieval of data must be based on “articulable and credible facts”; and (4) the data must be in the “possession, custody, or control of the provider.” The U.S. can only enter into these agreements with countries that respect and abide by basic human rights obligations.
Article 48 of the EU General Data Protection Regulation restricts the transfer of data to non-EU authorities unless it is based on, for instance, a Mutual Legal Assistance Treaty. Moreover, Article 6 and Article 49 allow for the processing of data for public interest purposes. The European Data Protection Board has raised some doubts as to whether the CLOUD Act promotes mutual privacy safeguards for the treatment of data. It, therefore, becomes crucial to assess the CLOUD Act and whether it satisfies a future adequacy determination under the GDPR.
The “essentially equivalent standard” and the CLOUD Act
In “Schrems II,” the CJEU found the surveillance measures in the U.S. to be disproportionate and not strictly necessary. To satisfy the standard, surveillance would need to be “particularised” and not amount to “bulk” surveillance. Further, Article 45(2)(a) warrants that EU persons must be able to access “effective and enforceable rights” before a “tribunal.” The CJEU further noted that EU individuals do not share similar remedies as U.S. citizens because the Fourth Amendment does not apply to EU individuals.
To sum up, an essentially equivalent standard broadly requires proportionality, independent oversight (over the exercise of executive discretion) and judicial redress. Indeed, requests made under the CLOUD Act need to be particularized, based on articulable and credible facts, and subject to “review or oversight by a court, judge or magistrate.” As has been pointed out, the CLOUD Act privacy protections may be considered adequate since the requests pertain to a particular individual, i.e., they do not necessarily enable mass surveillance. Some have likened these requirements to the “probable cause” standard under the U.S. Fourth Amendment. Yet, it is unclear what “oversight” should entail or what precisely is the difference between “review” and “oversight.” At the same time, it has been suggested that a case-by-case review of each request is not absolutely necessary. It could be general and often post facto.
The CJEU emphasized the lack of effective judicial remedy for EU persons. The CLOUD Act could face the same issue. There may, however, be room to create a framework in this instance, especially since the CJEU did not specifically point out the requirements for an appropriate level of judicial review. Moreover, foreign persons do have redress opportunities under the Judicial Redress Act of 2015. Although there are missed opportunities within the JRA, it is an available mechanism that can be clearly incorporated within the CLOUD Act. The JRA allows citizens of a covered foreign country to bring cases concerning “intentional or willful unlawful disclosure of a covered record and improper refusal to grant access to or amendment of a covered record” committed by certain agencies designated by the U.S. attorney general. But limiting coverage to only certain agencies, designated at the attorney general’s discretion, undermines the independence of the JRA.
Furthermore, efforts toward creating a robust framework for judicial remedy within the CLOUD Act framework, whether by strengthening the JRA or by other means, are welcome. To begin, the JRA could be strengthened by, inter alia, widening its scope of applicability.
To improve oversight, the Privacy and Civil Liberties Oversight Board could also serve as the proper and impartial intermediary to address any complaints by foreign counterparts with regard to data transfers. However, there are concerns that the board could be overwhelmed with complaints owing to its small staffing size. PCLOB is its own independent bipartisan agency charged with overseeing the intelligence and counterintelligence activities conducted by the executive branch. Once the JRA and PCLOB undergo the necessary improvements, they could be the two mechanisms incorporated within the CLOUD Act to assist with complying with the judicial and independent oversight that the CJEU urged in “Schrems II.”
The way ahead
There is some contrast between the treatment of data discussed in “Schrems II” versus the treatment under the CLOUD Act. The CJEU was concerned with the mass surveillance efforts under U.S. intelligence programs, mostly to ensure the minimal level of particularity in its collection. Meanwhile, the CLOUD Act, although imperfect, does require a minimal level of Fourth Amendment-like requirements that must be met. “Schrems II” was not just aimed at invalidating the Privacy Shield, but also at providing an impetus for analogous standards of privacy safeguards as to the use and transfer of data for EU citizens. Therefore, the CLOUD Act model could potentially become a good framework to promote mutual privacy safeguards, with clear definitions and agreed-upon terms that span across each country.