On Oct. 7, U.S. President Joe Biden issued an “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities,” and the Department of Justice supplemented it with a new regulation.
As explained by the Commission of the European Union, the executive order and regulation establish “a new two-layer redress mechanism, with independent and binding authority.” In the first layer, “EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community.” In the second layer, EU individuals would have the right to appeal that decision to the newly created Data Protection Review Court.
In explaining how the new redress mechanism is different from the previous Privacy Shield ombudsperson, the commission states: “The Court will be composed of members chosen from outside the US Government, appointed on the basis of specific qualifications, can only be dismissed for serious causes (such as being convicted of a crime, or being deemed mentally or physically unfit to perform the tasks) and cannot receive instructions from the government.”
The DPRC “will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. For example, if the DPRC would find that data was collected in violation of the safeguards provided in the Executive Order, it will be able to order the deletion of the data.”
The new U.S. regime will only pass muster in the Court of Justice of the European Union if it meets EU legal requirements. In this initial article, we focus on one key set of issues — would the decisions of the new Data Protection Review Court meet the relevant EU legal requirements for independence and effectiveness in deciding upon a complaint for redress by an EU person? We suggest that this could indeed be the case.
Our discussion here draws on two detailed articles we wrote in early 2022 on EU-U.S. adequacy negotiations and the redress challenge: “Whether a New U.S. Statute is Necessary to Produce an ‘Essentially Equivalent’ Solution” and “How to Create an Independent Authority with Effective Remedy Powers.” As a general matter, what the new U.S. regime announced this week is consistent with the approach suggested in the articles. In both articles, we identified the redress-related deficiencies of Privacy Shield stated by the CJEU and other relevant EU legal institutions, and then discussed what possibilities existed under U.S. law to meet those legal requirements.
This article focuses only on certain specific aspects of the signals intelligence redress mechanism established by the U.S. legal reforms. It will not discuss the first layer of the redress mechanism entrusted to the CLPO, who will function analogously to a data protection officer for the U.S. intelligence community. We understand this first layer will allow the intelligence community to adopt any necessary corrective measures and to facilitate the work of the DPRC, where all complainants can have recourse without any condition, and where a fully independent review is to take place.
Here we will not deal with the exact word choice in the name of the DPRC. The new executive order and DOJ regulation call it a “court.” In Europe it may be seen similarly to an independent administrative authority exercising quasi-judicial functions, as with several intelligence oversight/redress bodies in Europe such as France’s Commission nationale de contrôle des techniques de renseignement or Germany’s G10 Commission. We will also not discuss the sufficiency of the summary response that the DPRC is authorized to provide to the complainant, which follows the “Neither Confirm Nor Deny” principle widely used in Europe, including by the CNCTR. In other words, the DPRC will neither confirm nor deny the complainant was subject to United States signals intelligence activities, but will instead inform the applicant either that “the review did not identify any covered violations” or that the DPRC “issued a determination requiring appropriate remediation.” Finally, the article will not address the issue of whether and how the DPRC’s decisions could be challenged in an Article III U.S. Court — an issue we analyzed in the “Effective Remedy” article.
We will focus instead on three specific major issues.
First, we will explain the reasons why the U.S. government created the redress mechanism through acts of the executive branch, instead of using a statute.
Second, we will assess whether the DPRC could be considered “independent” under EU law standards, despite the fact that it has been created by acts of the executive power.
Finally, we will assess if the DPRC could be considered as having “effective powers” to investigate complaints and issue binding decisions as required by EU law.
Executive acts or statute?
Although many observers, both in the EU and the U.S., have called for a statutory approach to respond to the CJEU’s “Schrems II” judgment, this is not the approach taken in the executive order or the DOJ regulation.
One solution, often proposed, would have been to entrust redress for surveillance measures to existing U.S. federal courts, instead of creating a new administrative tribunal. One major obstacle to such a statutory solution is the U.S. Supreme Court’s constitutional jurisprudence about who has “standing” to sue in U.S. federal courts. Indeed, no commentator has been able to devise a statutory approach that complies with this jurisprudence, enables individual redress complaints to be heard in federal court, and meets the requirements of EU law.
U.S. standing doctrine derives from Article III of the U.S. Constitution, which governs the federal court system. The federal judicial power extends only to “cases” and “controversies” — meaning there has to be an “injury in fact” in order to have a case heard. The Supreme Court made standing related to privacy injuries even more difficult to establish in its TransUnion LLC v. Ramirez decision in June 2021. As discussed here, the majority in that case made it significantly more difficult for privacy plaintiffs henceforth to sue in federal court. The Court restated its 2016 Spokeo decision holding that a plaintiff does not automatically satisfy “the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” More bluntly, the court stated, “An injury in law is not an injury in fact.” The majority in TransUnion found “concrete harm” for some plaintiffs but not others. Even individuals whose credit histories were badly mistaken — stating they were on a government list as “potential terrorists” — did not enjoy a right of action created by statute.
The only proposed “standing fix” that we have seen was drafted by the American Civil Liberties Union. Its proposal would enable suit in federal court where a person “takes objectively reasonable protective measures in response to a good-faith belief that she is subject to surveillance.” Under the ACLU’s proposal, these “protective measures” (such as using specialized software to avoid surveillance) would constitute the “injury-in-fact” the Supreme Court has required. However, the proposal would not establish standing for the many individuals who did not take protective measures. As we discussed in the “Statute” article, the ACLU proposal thus would be too narrow to meet the CJEU requirements for redress for all those potentially affected by U.S. surveillance.
An alternative solution could have been for Congress to create the DPRC via statute. This path could be considered more appropriate in Europe, where data protection authorities and other oversight and redress bodies are most often specifically created by acts of Parliament, not acts of the executive power. However, we tried to explain a series of pragmatic, political and legal difficulties in doing so in the current context in the United States. Among other things, we noted that, due to the separation of powers in the U.S., Congress might be reluctant to intervene ex nihilo in a national security area such as “direct” foreign surveillance.
Such surveillance — access to data undertaken directly by intelligence agencies without making requests to private actors such as telecommunications companies or cloud service providers — is conducted under the long-standing executive order 12333, reflecting that it belongs to the executive power under the U.S. Constitution. Congress may be more willing in the future to enact legislation endorsing an effective redress mechanism if, as a first step, the executive branch itself has created an independent redress authority with quasi-judicial functions within the executive branch.
Creating independent adjudication by executive action
When one path is effectively blocked, it makes sense to take a different path. In the absence of any other published proposal, the “Effective Remedy” article set forth an approach based on the combination of a presidential executive order and a binding regulation issued by the DOJ. This structure was adopted in the Oct. 7 executive order issued by President Biden and the DOJ regulation promulgated by the U.S. attorney general. The DOJ regulation creates the DPRC and guarantees its independent functioning. The regulation also guarantees independence for the members of the DPRC, including protections against removal from office.
Under the U.S. legal system, an agency-issued regulation has the binding force of law, making it a suitable vehicle for defining the procedures for the review of redress requests and complaints. The DOJ regularly issues such regulations under existing statutory authorities and pursuant to established and public procedures. To protect against arbitrary or sudden change, modifying or repealing the regulation would require following the same public procedural steps as enacting it in the first place, as the Supreme Court found in Motor Vehicles Manufacturers Association v. State Farm Mutual Automobile Insurance Co. This would provide both the EU and members of the DPRC protection against summary revocation of the regulation, ensuring the authority would continue to act independently unless the regulation were definitively and publicly changed. In addition, an EU adequacy decision could be made contingent on DOJ keeping the regulation in place, thereby creating a strong incentive for the U.S. government not to change it without prior approval by the European Commission, in case, for instance, both sides decide to improve the mechanism in the future.
Crucially, key U.S. Supreme Court decisions have affirmed the binding force of a DOJ regulation and the legal conclusion that all of the executive branch, including the president and the attorney general, are bound by it. In a unanimous 1974 Supreme Court decision, United States v. Nixon, it was held that a special prosecutor’s decision to issue a subpoena to the president had the force of law, despite the attorney general’s objection. The Supreme Court observed “[t]he regulation gives the Special Prosecutor explicit power” to conduct the investigation and issue subpoenas and that “[s]o long as this regulation is extant, it has the force of law.” The court added, “So long as this regulation remains in force, the Executive branch is bound by it, and indeed the United States, as the sovereign composed of the three branches, is bound to respect and to enforce it.”
The Nixon decision reaffirmed an earlier case specifically addressing the independent decisions of adjudicators whose positions were created by a DOJ regulation. In a 1954 case, Accardi v. Shaughnessy, the attorney general by regulation had delegated certain of his discretionary powers to the Board of Immigration Appeals. The regulation required the board to exercise its own discretion on appeals from deportation decisions. As noted in U.S. v. Nixon, the Supreme Court in Accardi held that, “so long as the Attorney General's regulations remained operative, he denied himself the authority to exercise the discretion delegated to the Board even though the original authority was his and he could reassert it by amending the regulations.”
In addition to providing these protections for the decisions of the DPRC, the new DOJ regulation provides independence through its rules for appointment. It states the attorney general shall “appoint not fewer than six individuals to serve as judges on the DPRC for four-year renewable terms, choosing individuals who at the time of their initial appointment have not been employees of the Executive Branch in the previous two years.” (§ 201.3) While serving on the DPRC, the judges would not hold any other “official duties or employment within the United States Government.” At least half the judges should have prior judicial experience, and selection should be based on “appropriate experience in the fields of data privacy and national security law.”
The DOJ regulation similarly creates independence through its supervision and removal provisions. Section 201.7 states that “A DPRC panel and its judges shall not be subject to the day-to-day supervision of the Attorney General.” The regulation in general provides the “Attorney General shall not remove a judge from a DPRC panel, remove a judge from the DPRC prior to the end of the judge’s term of appointment under § 201.3(a) of this part, or take any other adverse action against a judge arising from service on the DPRC.”
As is true under European law, however, a judge can be removed for good cause. The regulation states that removal is allowed only for “instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity,” and refers to existing law to define those terms. As in the Nixon and Accardi cases, the attorney general here constrains their otherwise broader powers. Just as the regulation narrows the attorney general’s discretion to assess complaints, so do the appointment and removal provisions narrow their otherwise greater discretion to hire and fire.
By contrast, the Privacy Shield ombudsperson lacked independence in appointment, supervision and removal. The ombudsperson was an existing senior official in the Department of State, designated by the Secretary of State and under the secretary’s day-to-day supervision. In addition, under the longstanding constitutional rule from the 1926 case of Myers v. United States, such a senior officer in the U.S. executive branch is subject to removal by the president.
In the case of the DPRC, however, the president has limited his discretion by issuing the executive order, which orders the attorney general to adopt a regulation creating an independent redress body. Such legal limits on the powers of the president and the attorney general remain operative for so long as the executive order and DOJ regulation remain in effect. Exactly as in the U.S. v. Nixon case, all members of the executive branch must respect the executive order and DOJ regulation as long as they are in force. An adequacy finding by the EU Commission could be conditioned on those legal limits remaining in place.
Effective investigative and decisional powers of the DPRC
As explained in the “Effective Remedy” article, a surveillance redress body must meet, under EU law standards, two conditions in order to be considered “effective.” First, it must have robust investigative powers. Indeed, the European Data Protection Board had criticized the ombudsperson mechanism of Privacy Shield by stating it was “not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, (…)” (see here, Section 103).
The new executive order and DOJ regulation include several provisions enabling effective investigation by the DPRC. The executive order provides DPRC judges must “hold the requisite security clearances to access classified national security information.” Under the executive order, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence conducts an initial investigation. It mandates that “each element of the Intelligence Community shall provide the CLPO with access to information necessary to conduct the reviews … and shall not take any actions designed to impede or improperly influence the CLPO's reviews.” Once the CLPO investigation and review is complete, the complainant has the unqualified right to seek a determination by the DPRC.
Under the executive order, each element of the intelligence community “shall provide access to information necessary to conduct the review … that a Data Protection Review Court panel requests.” Additionally, each element of the intelligence community “shall not take any actions for the purpose of impeding or improperly influencing a panel's review.” These are not simply vague statements without legal effect — disobeying the executive order is disobeying an order from the President of the United States. Executive branch personnel who disobey lawful orders from the president are subject to serious consequences and sanctions.
Second, along with conducting an independent investigation, a redress body needs to be able to adopt binding decisions. The CJEU found in “Schrems II” the ombudsperson mechanism of Privacy Shield did not meet this condition. The court said “there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely.”
The new executive order is crystal clear on this issue: “Binding effect. Each element of the Intelligence Community, and each agency containing an element of the Intelligence Community, shall comply with any determination by a Data Protection Review Court panel to undertake appropriate remediation.” It contains multiple oversight procedures, including review by the Privacy and Civil Liberties Oversight Board, that are too detailed to address in this article.
Those inclined to be skeptical of the new regime may question an approach based on the president’s executive order and a Department of Justice regulation. As previously noted, however, we are not aware of any proposal that could provide standing in federal court for all EU persons who have the right to redress. In addition, it appears that only an administrative body created within the executive branch currently can both enjoy the requisite independence and overcome the standing requirement applicable to all U.S. federal courts.
That does not exclude the possibility of Congress subsequently codifying the DPRC in a statute.
Former Department of Commerce General Counsel Cameron Kerry writes that while “Executive orders exercising presidential powers have been recognized as the law of the land throughout our history ... Congress could emphasize the point for the ECJ by codifying key elements of this order when the Foreign Intelligence Surveillance Act comes up for reauthorization in 2023.” However, there would be significant issues about whether and to what extent such a statute would infringe on the president’s constitutional powers as Commander-in-Chief in foreign intelligence matters, which are relied upon by the military as well as in national security and foreign affairs generally.
We leave for future consideration the extent to which enacting such a statute would be constitutional.
In summary, the new regime addresses at least three challenging problems. First, it creates standing that cannot be provided in federal courts. Second, it affords guarantees that the decision-makers are independent despite being housed within the executive branch. And third, it ensures the decisions of the DPRC, a body created by a regulation, are binding on all U.S. intelligence agencies.
As we have discussed, the Supreme Court holdings in Nixon and Accardi create a mechanism for independent and binding decisions by independent decision makers. The executive order requires other federal agencies to follow those decisions.
In the immediate aftermath of the announcement of the details of the EU-U.S. Data Privacy Framework, we have not attempted to analyze all the potentially important legal issues concerning the redress mechanism. Today’s article, however, suggests that the U.S. legal mechanisms for creating an independent redress body capable of issuing decisions binding on the intelligence agencies and all members of the executive branch could meet the “independence” and “binding” requirements of EU law. In our view, the newly announced approach thus represents a creative and good-faith effort to meet the relevant EU requirements on “independent” redress, while complying with U.S. law.