Schrems 2.0: Expert Testimony

On this page, the International Association of Privacy Professionals is pleased to publish testimony from a potentially landmark case currently before the High Court of Ireland. The current case follows the 2015 decision by the Court of Justice of the European Union in Schrems v. Facebook, in which the CJEU struck down the EU-U.S. Safe Harbor. The current case was also brought by Austrian lawyer Max Schrems against Facebook, this time challenging the adequacy of protection for personal data transferred from the EU to the U.S. under standard contractual clauses by companies subject to U.S. surveillance law. For the current case, experts in U.S. law filed testimony in October and November, 2016. The Irish High Court held a trial lasting several weeks in February and March, 2017, including extensive public testimony by five experts in U.S. law. In May 2017, several of the experts filed a supplemental submission to address recent U.S. legal developments. The Court’s decision is expected this fall.

Following, below, is the testimony of the expert in U.S. law selected by Max Schrems, Ashley Gorski of the American Civil Liberties Union, followed by testimony of two experts selected by Facebook, Professor Peter Swire of the Georgia Institute of Technology and Professor Stephen Vladeck of the University of Texas. The IAPP also invited the two experts who were selected by the Data Protection Commissioner of Ireland, but they declined to publish their testimony. The rules for expert witnesses are different under Irish law than under U.S. law. Under Irish rules, experts are required to be independent of the party that selected them. Experts swear to the following statement: “I understand that it is my duty as an expert to assist the Court as to matters within my field of expertise and this overrides any duty or obligation that I may owe to the party by whom I have been engaged or to any party liable to pay my fees.”

The IAPP believes there is a public benefit to publishing this testimony in the current case. A decision of the Irish High Court may be referred to the CJEU, which could then face the issue of whether standard contractual clauses provide inadequate protection, similar to the inadequate protection it found with the Safe Harbor. Because these contract clauses are used very widely by business, a finding of inadequacy could have a large effect on flows of personal information. In addition, the matters of U.S. law discussed in the testimony can inform other cases and legal debates in Europe, such as legal challenges to the EU-U.S. Privacy Shield. 

Testimony of Ashley Gorski, Staff Attorney, National Security Project of the American Civil Liberties Union.

This testimony describes (1) the legal frameworks governing U.S. government surveillance, and (2) the barriers to achieving redress for rights violations resulting from that surveillance.

The discussion of U.S. law and practice focuses on two of the most significant surveillance authorities: Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless surveillance that takes place on U.S. soil; and Executive Order (“EO”) 12333, which authorizes warrantless electronic surveillance that largely takes place abroad. The report also discusses Presidential Policy Directive 28, a 2014 directive that has resulted in modest but insufficient reforms to surveillance law.

In sum, under Section 702 and EO 12333, the U.S. government claims extraordinary access to the private communications and data of U.S. and non-U.S. persons around the world. Indeed, the U.S. government maintains that it is authorized to engage in what is known as “bulk collection” when it is operating abroad. Even when the government conducts so-called “targeted” surveillance under Section 702 or EO 12333, the standards for targeting a non-U.S. person abroad are extraordinarily low. In addition, in order to locate communications to, from, and about its targets, the government routinely searches the contents of countless communications in bulk.

The report also describes how the U.S. government seeks to prevent individuals from obtaining redress for Section 702 and EO 12333 surveillance through civil litigation in U.S. courts. Notably, no plaintiff in a civil case has obtained a judicial ruling on the lawfulness of Section 702 or EO 12333 surveillance, or obtained a remedy of any kind for such surveillance. Finally, the report briefly addresses other purported redress mechanisms highlighted by the U.S. government in the Privacy Shield agreement.

Download Gorski testimony (PDF 137K)

Testimony of Professor Peter Swire, Holder Chair of Law and Ethics, Georgia Institute of Technology; Senior Counsel, Alston & Bird LLC.

This testimony of more than 300 pages essentially explains U.S. surveillance law to a non-U.S. audience. Short essays explaining the key points of the testimony are available here. Key points include:

1. U.S. systemic remedies: Chapter 3 of the testimony provides a detailed explanation documenting systemic protections under U.S. law for foreign intelligence surveillance. Chapter 4 documents strong safeguards for law enforcement surveillance. Chapter 6 shows how well the U.S. safeguards compare with EU safeguards, agreeing with a team of Oxford experts who found “the U.S. now serves as a baseline for foreign intelligence standards.”

2. U.S. individual remedies: Chapter 7 documents how the U.S. legal system provides numerous ways for an individual to remedy violations of privacy. Chapter 8 explains reasons for a national security exception to individual access to surveillance records, where such access would threaten national security by revealing sources and methods.

3. Foreign Intelligence Surveillance Court oversight: Chapter 5 reviews the FISC opinions declassified post-Snowden. Based on this research, the FISC provides independent and effective oversight over U.S. government surveillance.

4. Broader implications of the SCC case: Standard contract clauses are used pervasively for transfers of personal data out of the European Union. Chapter 1 explains why an inadequacy finding would likely have broader geographic implications, applying for instance to the BRIC countries – Brazil, Russia, India, and China. It may also apply to other legal bases for transfers of personal data, including Privacy Shield and binding corporate rules.

Download Swire testimony (PDF 4.8M)

Testimony of Stephen I. Vladeck, Professor of Law, University of Texas School of Law

This testimony was prepared in reaction to the Data Protection Commissioner’s May 2016 Draft Decision Under Section 10(1)(b)(ii) of the Data Protection Acts, 1988 & 2003, in the matter of Complainant Maximillian Schrems, and (1) summarizes the DPC’s assessment of U.S. surveillance authorities and accountability and oversight mechanisms for violations thereof; (2) provides a standalone summary of the relevant authorities and accountability and oversight mechanisms; and (3) compares the DPC’s assessment of the relevant accountability and oversight mechanisms with what has been true in practice.

After introducing the DPC Draft Decision and the most significant U.S. surveillance authorities as relevant to the matter in dispute, the testimony identifies eight relevant respects in which the DPC Draft Decision “paint[ed] a rather incomplete picture of contemporary U.S. law,” especially in its assessment of the potential remedies available to an EU citizen whose data is wrongly obtained by the U.S. government from a U.S. service provider. Most significantly, as the testimony explained, the DPC Draft Decision (1) failed to account for the general cause of action available to challenge unlawful agency action under the Administrative Procedure Act, 5 U.S.C. § 702; (2) misread limits on the remedies provided by the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1810, and the Privacy Act, 5 U.S.C. § 552a; (3) ignored the significance of the criminal and suppression remedies provided by FISA; (4) overstated the significance of Article III standing as an obstacle to suits challenging surveillance programs; and (5) wrongly implied that Rule 11 of the Federal Rules of Civil Procedure would serve as a disincentive to the pursuit of potentially meritorious claims.

Taking these shortcomings together, the testimony concluded that “although there are shortcomings in the existing U.S. legal regime with regard to redress of unlawful government data collection, I do not believe that they are nearly as comprehensive — or that standing is as categorical an obstacle — as the DPC Draft Decision [and related materials] suggest.”

 Download Vladeck testimony (PDF 1.7M)