A proposal to create a new Justice Department agency for fielding European complaints about U.S. surveillance of Europeans’ digital data is the latest bid to resolve a sticking point in transatlantic talks over data flows, but it’s unclear whether the option will satisfy the bloc’s negotiators.
The proposed Foreign Intelligence Redress Authority is meant to address one of the issues raised when the European Union’s top court struck down the previous EU-U.S. data transfer tool more than 18 months ago: that European citizens lacked a proper mechanism for raising concerns about the use of their data for U.S. intelligence purposes. It’s part of an overarching worry that U.S. spying laws allow for unchecked mass surveillance of individuals in Europe and elsewhere.
Negotiators are currently discussing the “building blocks” of the proposed agency, according to Peter Swire, a law professor at Georgia Tech and senior counsel with Alston & Bird LLP.
Both sides have remained tight-lipped about their progress. It’s not certain the proposed authority would go far enough to withstand EU legal scrutiny.
U.S. tech companies like
“The risks for businesses are ramping up and their compliance options are dwindling,” said Caitlin Fennessy, former Privacy Shield director for the U.S. and now vice president and chief knowledge officer at the International Association of Privacy Professionals.
France’s data authority found in February that Google’s web analytics tool doesn’t sufficiently protect Europeans’ data from potentially illegal U.S. surveillance. The finding echoed an earlier ruling against Google Analytics by Austria’s data watchdog.
Solving the redress challenge, while not the only issue pending in ongoing policy negotiations, would go a long way toward finding a solution to replace the Privacy Shield.
With standard contractual clauses as one of the only remaining tools governing data transfers to the U.S., a broader agreement would quell continued legal uncertainty facing businesses on both sides of the Atlantic, sparing lawyers from having to craft contractual agreements for each data transfer.
As contractual clauses come under regulatory pressure in Europe, thanks to a looming decision from Ireland’s privacy watchdog, there’s a greater sense of urgency on negotiators to reach agreement on a tool to replace the defunct Privacy Shield. The Irish watchdog is expected to weigh in soon on the legality of Facebook’s contracts for data flows, after casting doubt on the tool in an interim opinion due to spying fears.
Redress is meant to provide an answer to European citizens who allege that their data has been misused by U.S. intelligence agencies. Typically, a redress provider investigates such complaints and issues a finding that there weren’t any data abuses, or that any unlawful uses have been corrected.
A new redress authority, as put forth by Swire and other legal scholars, would replace an existing ombudsman in the State Department that was criticized by the EU Court of Justice, in striking down the Privacy Shield in July 2020, for not being politically independent or possessing the power to influence intelligence activities.
But the authority is still only a concept. Swire co-authored a piece outlining the legal reasoning behind the option and how it could be stood up through a combination of regulatory and executive action.
Earlier suggestions included assigning Europeans’ surveillance complaints to the Privacy and Civil Liberties Oversight Board or to U.S. intelligence officials.
Bruno Gencarelli, the European Commission’s head of data flows and protection, wouldn’t say which approach—building on existing U.S. legal structures or creating an entirely new authority—negotiators are leaning toward.
“We are working on a solution,” that meets necessary European requirements while fitting into the U.S. legal framework, Gencarelli said during a virtual event last month hosted by Sidley Austin LLP and OneTrust.
Christopher Hoff, the U.S. official charged with overseeing Privacy Shield talks, didn’t respond to a request for comment on potentially creating a new redress mechanism within the Justice Department. Spokespeople for the European Commission and the U.S. Commerce Department also didn’t respond to comment requests.
Whichever shape a new redress mechanism takes, privacy negotiators will likely dissect it for possible pitfalls that could come up in any future court challenge. One question is whether the proposed DOJ body would be able to halt unlawful surveillance. Another issue is how its work could remain independent from political pressure.
The replacement redress mechanism also may need to offer an opportunity for judicial review of its decisions. That aspect could run up against legal barriers for individuals to show that they have standing to bring a court complaint over surveillance.
Negotiators must align any agreement for providing redress with both the EU’s laws and constitution, as well as U.S. constitutional requirements and judicial precedents for establishing standing, according to John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council. The trade group represents companies including Google and Meta.
“While the EU and U.S. are aligned on the importance of protecting fundamental rights such as privacy and security, navigating the sometimes divergent constitutional, legal and judicial systems presents a complex challenge,” Miller said.
Redress is especially challenging because of the climate of secrecy surrounding government surveillance, said Alex Joel, a former U.S. intelligence officer who’s currently a law professor at American University.
“Unless you know whether you’ve been surveilled, it becomes difficult to get redress,” Joel said.
But governments, Joel said, can still put in place measures assuring citizens that an oversight body will investigate any surveillance complaints that do arise, and ensure proper procedures were followed.