Archives For executive order

Biden’s Data Flows Order: Does It Comport with EU Law?

Mikolaj Barczentewicz —  30 November 2022

European Union officials insist that the executive order President Joe Biden signed Oct. 7 to implement a new U.S.-EU data-privacy framework must address European concerns about U.S. agencies’ surveillance practices. Awaited since March, when U.S. and EU officials reached an agreement in principle on a new framework, the order is intended to replace an earlier data-privacy framework that was invalidated in 2020 by the Court of Justice of the European Union (CJEU) in its Schrems II judgment.

This post is the first in what will be a series of entries examining whether the new framework satisfies the requirements of EU law or, as some critics argue, whether it does not. The critics include Max Schrems’ organization NOYB (for “none of your business”), which has announced that it “will likely bring another challenge before the CJEU” if the European Commission officially decides that the new U.S. framework is “adequate.” In this introduction, I will highlight the areas of contention based on NOYB’s “first reaction.”

The overarching legal question that the European Commission (and likely also the CJEU) will need to answer, as spelled out in the Schrems II judgment, is whether the United States “ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of Articles 7 and 8 of the [EU Charter of Fundamental Rights]” Importantly, as Theodore Christakis, Kenneth Propp, and Peter Swire point out, “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, either substantively or procedurally. The precise degree of flexibility remains an open question, however, and one that the EU Court may need to clarify to a much greater extent.

Proportionality and Bulk Data Collection

Under Article 52(1) of the EU Charter of Fundamental Rights, restrictions of the right to privacy must meet several conditions. They must be “provided for by law” and “respect the essence” of the right. Moreover, “subject to the principle of proportionality, limitations may be made only if they are necessary” and meet one of the objectives recognized by EU law or “the need to protect the rights and freedoms of others.”

As NOYB has acknowledged, the new executive order supplemented the phrasing “as tailored as possible” present in 2014’s Presidential Policy Directive on Signals Intelligence Activities (PPD-28) with language explicitly drawn from EU law: mentions of the “necessity” and “proportionality” of signals-intelligence activities related to “validated intelligence priorities.” But NOYB counters:

However, despite changing these words, there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.

It is true that the Schrems II Court held that U.S. law and practices do not “[correlate] to the minimum safeguards resulting, under EU law, from the principle of proportionality.” But it is crucial to note the specific reasons the Court gave for that conclusion. Contrary to what NOYB suggests, the Court did not simply state that bulk collection of data is inherently disproportionate. Instead, the reasons it gave were that “PPD-28 does not grant data subjects actionable rights before the courts against the US authorities” and that, under Executive Order 12333, “access to data in transit to the United States [is possible] without that access being subject to any judicial review.”

CJEU case law does not support the idea that bulk collection of data is inherently disproportionate under EU law; bulk collection may be proportionate, taking into account the procedural safeguards and the magnitude of interests protected in a given case. (For another discussion of safeguards, see the CJEU’s decision in La Quadrature du Net.) Further complicating the legal analysis here is that, as mentioned, it is far from obvious that EU law requires foreign countries offer the same procedural or substantive safeguards that are applicable within the EU.

Effective Redress

The Court’s Schrems II conclusion therefore primarily concerns the effective redress available to EU citizens against potential restrictions of their right to privacy from U.S. intelligence activities. The new two-step system proposed by the Biden executive order includes creation of a Data Protection Review Court (DPRC), which would be an independent review body with power to make binding decisions on U.S. intelligence agencies. In a comment pre-dating the executive order, Max Schrems argued that:

It is hard to see how this new body would fulfill the formal requirements of a court or tribunal under Article 47 CFR, especially when compared to ongoing cases and standards applied within the EU (for example in Poland and Hungary).

This comment raises two distinct issues. First, Schrems seems to suggest that an adequacy decision can only be granted if the available redress mechanism satisfies the requirements of Article 47 of the Charter. But this is a hasty conclusion. The CJEU’s phrasing in Schrems II is more cautious:

…Article 47 of the Charter, which also contributes to the required level of protection in the European Union, compliance with which must be determined by the Commission before it adopts an adequacy decision pursuant to Article 45(1) of the GDPR

In arguing that Article 47 “also contributes to the required level of protection,” the Court is not saying that it determines the required level of protection. This is potentially significant, given that the standard of adequacy is “essential equivalence,” not that it be procedurally and substantively identical. Moreover, the Court did not say that the Commission must determine compliance with Article 47 itself, but with the “required level of protection” (which, again, must be “essentially equivalent”).

Second, there is the related but distinct question of whether the redress mechanism is effective under the applicable standard of “required level of protection.” Christakis, Propp, and Swire offered a helpful analysis suggesting that it is, considering the proposed DPRC’s independence, effective investigative powers,  and authority to issue binding determinations. I will offer a more detailed analysis of this point in future posts.

Finally, NOYB raised a concern that “judgment by ‘Court’ [is] already spelled out in Executive Order.” This concern seems to be based on the view that a decision of the DPRC (“the judgment”) and what the DPRC communicates to the complainant are the same thing. Or in other words, that legal effects of a DPRC decision are exhausted by providing the individual with the neither-confirm-nor-deny statement set out in Section 3 of the executive order. This is clearly incorrect: the DPRC has power to issue binding directions to intelligence agencies. The actual binding determinations of the DPRC are not predetermined by the executive order, only the information to be provided to the complainant is.

What may call for closer consideration are issues of access to information and data. For example, in La Quadrature du Net, the CJEU looked at the difficult problem of notification of persons whose data has been subject to state surveillance, requiring individual notification “only to the extent that and as soon as it is no longer liable to jeopardise” the law-enforcement tasks in question. Given the “essential equivalence” standard applicable to third-country adequacy assessments, however, it does not automatically follow that individual notification is required in that context.

Moreover, it also does not necessarily follow that adequacy requires that EU citizens have a right to access the data processed by foreign government agencies. The fact that there are significant restrictions on rights to information and to access in some EU member states, though not definitive (after all, those countries may be violating EU law), may be instructive for the purposes of assessing the adequacy of data protection in a third country, where EU law requires only “essential equivalence.”

Conclusion

There are difficult questions of EU law that the European Commission will need to address in the process of deciding whether to issue a new adequacy decision for the United States. It is also clear that an affirmative decision from the Commission will be challenged before the CJEU, although the arguments for such a challenge are not yet well-developed. In future posts I will provide more detailed analysis of the pivotal legal questions. My focus will be to engage with the forthcoming legal analyses from Schrems and NOYB and from other careful observers.

In Administrative Law, Data Privacy & Security, European Union, Facebook, Google, International, Truth on the Market , , , , , ,
permalink

FTC UMC Roundup – Happy EOnniversary Edition

Gus Hurwitz —  15 July 2022

Welcome to the FTC UMC Roundup for the middle of July. As we sit between the Fourth of July and August recess, the  first images from the James Webb space telescope are a nice way to put the day-to-day grind of antitrust law into perspective. In part, that’s my way of saying that as Congress rushes towards recess, POTUS is out of the country, and several Senators are fighting Covid (we hope all get well soon), it hasn’t been the busiest week in antitrust law. But it’s also a useful framing for this week’s headline.

This week’s headline: Just as the Webb telescope peers back into the history of the universe, this is a week to look back into recent competition history: the one year anniversary of the President’s Executive Order on competition policy. Aspen Digital hosted a discussion about the Order with National Economic Council director Brian Deese. As one would expect, the discussion started with brief remarks in which Deese was able to very briefly outline the Order’s very several impacts over the past year. 

Deese’s remarks were followed by a Q&A hosted by NYT reporter Cecilia Kang. Kang pressed Deese on a few topics. She asked how the recent Major Questions Doctrine ruling in West Virginia v. EPA affects the administration’s thinking about competition policy. Deese’s response – undoubtedly the correct one – is that the administration is looking for areas where there is bipartisan legislative interest in Congress. She asked whether the administration would ask Senate leader Chuck Schumer (D-NY) to move on pending antitrust legislation (that is, AICOA); when Deese dodged the question about Schumer, she asked again. Curiously, Deese refused to mention Senator Schumer, instead saying that the administration has been working with the bill’s sponsors, Senator Klobuchar (D-MN) and Chuck Grassley (R-IA). (Ben Brody has a piece on the pressures being brought to bear upon Schumer to act on AICOA.)

Deese’s National Economic Council colleague Tim Wu offered some comments on Deese’s speech on Twitter, explaining that the Executive Order has “become a means of trying ensure that competition policy is in line with our macro-economic policy goals.” “In a sense, the agencies are doing microeconomic competition policy, while the Competition Council has an eye on macro effects, and is setting micro priorities from that perspective.”

Continuing with this week’s lede that there’s not much going on: AICOA continues to go nowhere, fast. Supporters of the bill are lobbying the intelligence community to assuage concerns that it could harm national security interests. A spokesperson for the Office of the Director of National Intelligence responded that “the [Intelligence Community] does not weigh in on the merits of policy options.” Conservative continue to support AICOA as a tool for cracking down on content moderation policies – contrary to Democratic assurances that it can’t be used in that way. And Access Now has sent a letter to Congress on behalf of various global NGOs arguing that AICOA is necessary to address Big Tech’s human rights violations facilitated by its “reign over the world.” Antitrust law truly is everything to everyone.

Advocacy aside, AICO continues to appear to be dead bill stalling. Cristiano Lima at the Washington Post did a whip call of its own, finding “the number of senators willing to publicly say at this point they back the bills is well short of 60.” Importantly, this includes several senators who had previously publicly supported the bill. Adam Kovacevich walks through the challenging calculus: Senator Klobuchar is focused on getting Republicans to support the bill, and is losing Democratic support along the way. He also screams the loud part out louder: “It’s awfully hard for AICOA backers to claim the bill doesn’t impact content moderation when MAGA conservatives … just come right out and say they’re backing the bill because it would stop Apple/Amazon from banning Parler.”

Lest we forget about small businesses, let’s not forget about small businesses: AICOA would be bad for them, too.

The irony of it all is mercatus uber alles. The Wall Street Journal is reporting that Amazon may be scaling back its private-label brands.

Is anything going on at the FTC? Surprisingly little. Perhaps everyone’s getting ready for the next open meeting. It’s not yet on the calendar, but rumors are flying that rulemakings could be on the agenda

A lack of activity, however, won’t keep bad news out of the FTC. In what is truly heartbreaking, if not unsurprising, news, under Chair Khan the FTC has fallen from one of the best to one of the worst federal agencies to work for in the latest “Best Places to Work in the Federal Government.” It’s not just FTC employees who have questions about Khan’s leadership. Leah Nylen reports that the US Chamber of Commerce has sued the FTC, asking for disclosure of information under FOIA that the Commission has refused to provide. The Chamber recently prevailed in its efforts to require the Commission to disclose its operations manual.

What should you be reading and watching during this lazy month of July? Well, you could start with contributions to the Truth on the Market FTC UMC Rulemaking Symposium. We have had recent contributions summarizing chapters from Dan Crane’s recent book on the topic. These chapters were presented at a recent CCIA/Concurrences conference, recordings of which are also now online. TechFreedom is hosting its 2022 Policy Summit on July 20 and on July 27 Punchbowl is hosting a conversation with Representative Eric Swalwell on “the importance of privacy and security in existing and new technologies.”

Signing off with a recommended deep read: Adam White helps to contextualize West Virginia v. EPA and the Major Questions Doctrine in the broader scheme of the Court’s recent jurisprudence. It’s easy for those in the trenches to focus on what individual opinions mean for specific agencies and issues. But these cases are dots in a much larger mosaic of shifting jurisprudential and political theory.

In Antitrust at the Agencies Roundup, Truth on the Market , , , ,
permalink