[Senate Hearing 116-629]
[From the U.S. Government Publishing Office]

S. Hrg. 116-629

THE INVALIDATION OF THE EU-U.S. PRIVACY SHIELD AND THE FUTURE OF TRANSATLANTIC DATA FLOWS

=======================================================================

HEARING BEFORE THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION

DECEMBER 9, 2020

Printed for the use of the Committee on Commerce, Science, and Transportation

Available online: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
52-856 PDF
WASHINGTON : 2023

-----------------------------------------------------------------------------------

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION

ROGER WICKER, Mississippi, Chairman

JOHN THUNE, South Dakota
ROY BLUNT, Missouri
TED CRUZ, Texas
DEB FISCHER, Nebraska
JERRY MORAN, Kansas
DAN SULLIVAN, Alaska
CORY GARDNER, Colorado
MARSHA BLACKBURN, Tennessee
SHELLEY MOORE CAPITO, West Virginia
MIKE LEE, Utah
RON JOHNSON, Wisconsin
TODD YOUNG, Indiana
RICK SCOTT, Florida

MARIA CANTWELL, Washington, Ranking
AMY KLOBUCHAR, Minnesota
RICHARD BLUMENTHAL, Connecticut
BRIAN SCHATZ, Hawaii
EDWARD MARKEY, Massachusetts
TOM UDALL, New Mexico
GARY PETERS, Michigan
TAMMY BALDWIN, Wisconsin
TAMMY DUCKWORTH, Illinois
JON TESTER, Montana
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada

John Keast, Staff Director
Crystal Tully, Deputy Staff Director
Steven Wall, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel

C O N T E N T S

                                                                   Page
Hearing held on December 9, 2020 ..................................... 1
Statement of Senator Wicker .......................................... 1
Statement of Senator Cantwell ........................................ 3
Statement of Senator Blackburn ...................................... 82
Statement of Senator Blumenthal ..................................... 84
Statement of Senator Thune .......................................... 86
Statement of Senator Peters ......................................... 88
Statement of Senator Schatz ......................................... 91
Statement of Senator Scott .......................................... 94
Statement of Senator Rosen .......................................... 95

Witnesses

James M. Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce ..... 5
    Prepared statement ............................................... 7
Hon. Noah Joshua Phillips, Commissioner, Federal Trade Commission ... 11
    Prepared statement .............................................. 13
Victoria A. Espinel, President and Chief Executive Officer, BSA | The Software Alliance ..... 20
    Prepared statement .............................................. 21
Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics, Scheller College of Business, Georgia Institute of Technology ..... 28
    Prepared statement .............................................. 31
Prof. Neil M. Richards, Koch Distinguished Professor in Law; Director, Cordell Institute for Policy in Medicine and Law, Washington University in St. Louis ..... 70
    Prepared statement .............................................. 71

Appendix

Letter dated December 9, 2020 to Hon. Roger Wicker and Hon. Maria Cantwell from Ronald Newman, National Political Director, National Political Advocacy Department; Kathleen Ruane, Senior Legislative Counsel, National Political Advisory Department; and Ashley Gorski, Senior Staff Attorney, National Security Project ..... 99
Response to written questions submitted by Hon. Amy Klobuchar to:
    Hon. Noah Joshua Phillips ...................................... 103
Response to written questions submitted to Prof. Neil M. Richards by:
    Hon. Amy Klobuchar ............................................. 104
    Hon. Kyrsten Sinema ............................................ 105
    Hon. Brian Schatz .............................................. 107

THE INVALIDATION OF THE EU-U.S. PRIVACY SHIELD AND THE FUTURE OF TRANSATLANTIC DATA FLOWS

----------

WEDNESDAY, DECEMBER 9, 2020

U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.

The Committee met, pursuant to notice, at 10:02 a.m., in room SR-253, Russell Senate Office Building, Hon. Roger Wicker, Chairman of the Committee, presiding.

Present: Senators Wicker [presiding], Thune [presiding], Blackburn, Scott, Cantwell, Blumenthal, Schatz, Peters, and Rosen.

OPENING STATEMENT OF HON. ROGER WICKER, U.S. SENATOR FROM MISSISSIPPI

The Chairman. Good morning, and welcome to today's hearing on the ``Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows''. I extend a special welcome to our distinguished panel of witnesses and thank them for appearing today.

Today we will hear from Mr. James Sullivan, Deputy Assistant Secretary for Services with the International Trade Administration at the Department of Commerce; the Honorable Noah Phillips, Commissioner at the Federal Trade Commission; Ms. Victoria Espinel, President and Chief Executive Officer at BSA | The Software Alliance; Mr. Peter Swire, who is the Elizabeth and Tommy Holder Chair of Law and Ethics at the Georgia Tech Scheller College of Business and Research Director at the Cross-Border Data Forum; and Mr. Neil Richards, Koch Distinguished Professor of Law at Washington University in St. Louis School of Law. And I assume Mr. Richards is appearing by video. I have been told that. That is great.

Data is the lifeblood of the global digital economy. Free movement of data across national borders underpins trillions of dollars of international trade, commerce, and investment.
Data serves as a catalyst for innovation, productivity, and economic growth, and helps promote U.S. competitiveness in technology leadership around the world. According to one estimate, digitally-enabled trade amounted to between $800 and $1,500 billion globally in 2019, and is projected to raise global GDP by over $3 trillion this year.

To sustain digital trade and the free flow of data, governments have sought to eliminate trade barriers and safeguard the privacy and security of consumers' personal data, a top priority of this committee.

Maintaining a shared commitment to protecting consumers' personal data has been particularly important to our trade relationship with Europe. In 2016, the United States and the European Union agreed to the Privacy Shield framework. This framework established a legal mechanism to provide for transfer of EU citizens' personal data to the United States in compliance with EU data protection laws. The establishment of the Privacy Shield was intended to ensure that over 5,000 small and medium-sized businesses spanning several economic sectors in both the U.S. and EU could continue engaging in transatlantic digital commerce without disruption.

Among other things, the Privacy Shield required participating organizations to give notice about their collection and use of the data of EU citizens, and give individuals the right to opt out of having their personal information disclosed to a third party. Organizations were also required to implement effective redress mechanisms for EU citizens to file complaints about how their data is used outside of the EU. And the United States was required to appoint an ombudsperson at the State Department to ensure complaints were properly investigated. The Privacy Shield included additional assurances that there would be clear conditions, limitations, and active oversight concerning Government access to EU citizens' personal data for National Security purposes.
In July of this year, the European Court of Justice invalidated the Privacy Shield, and that is the reason we are here today, citing inadequate data protections in the U.S. based on our surveillance laws and an alleged lack of redress rights for EU citizens in the United States.

Today's hearing is an opportunity to discuss what can be done to develop a durable and lasting data transfer framework between the United States and the EU that provides meaningful data protections to consumers, sustains free flow of information across the Atlantic, and encourages continued economic and strategic partnership with our European allies. A tall order, but an essential order.

A solution begins with understanding the underlying issues that led to the invalidation of the Privacy Shield this summer. I hope our witnesses will discuss the merits of the Privacy Shield to redress rights for EU citizens and how U.S. intelligence practices compare to those of the EU member states. I also look forward to witnesses addressing how the invalidation of the Privacy Shield affects the viability of other data transfer mechanisms. To take one example, in a mechanism called Standard Contractual Clauses, exporters of EU citizens' data to the U.S. now have to carry out an assessment of whether U.S. law provides adequate protections.

The EU's Data Protection Board recently issued guidance on how to comply with EU law while relying on standard contractual clauses to transfer data across the Atlantic. But in issuing this guidance, the EU Data Protection Board acknowledged that the implementation of these measures may still be insufficient to transfer data legally to the U.S. and other non-EU countries. With this in mind, I hope witnesses will discuss how U.S. businesses can confidently conduct transatlantic data transfers in compliance with EU laws as we continue bilateral negotiations to replace the Privacy Shield.
I welcome the European Commission's commitment to continue working with the United States to ensure continuity of safe data flows in a manner that reflects the values we share as democratic societies. And I had a very productive and informative conversation with members of the European Commission just yesterday.

Finally, a major priority of this committee has been strengthening consumer data privacy through the development of bipartisan Federal data privacy law. I look forward to witnesses discussing how a comprehensive data privacy law with strong enforcement and meaningful privacy and redress rights for consumers might be able to aid efforts to develop a successor data transfer framework between the United States and the EU.

Having said that mouthful and gone 3 minutes over, I thank you for your participation and I turn to my dear friend and colleague, Ranking Member Cantwell, for her opening remarks.

STATEMENT OF HON. MARIA CANTWELL, U.S. SENATOR FROM WASHINGTON

Senator Cantwell. Thank you, Mr. Chairman, and thank you for holding this hearing. Also, thank you for your leadership on the Helsinki Commission. I certainly appreciate your hard work in both of those roles and trying to solve and--resolve these issues between the United States and the European Union. So I also want to thank our colleagues, Senators Cardin and Shaheen, for also working on that Helsinki Commission and these important issues.

The decision by the European Court of Justice earlier this summer makes it abundantly clear we need to have a new agreement between the United States and Europe to address the transatlantic data flow. It must be a top priority by the Biden Administration. We must ensure the continued free flow of commercial data between the United States and Europe. When I think about the Mexico Free Trade Agreement and getting the digital provisions in there, this is something that is now the norm. This is not an obscure thing.
It is going to become more and more and more about trade and figuring out trade. Trade is digital. So a lot is at stake. The U.S. and EU digital trade is worth more than $300 billion annually, including more than $218 billion in U.S. exports to Europe. So a very important export issue. And every business that exports and imports, has a presence or investment in the U.S. and Europe will face difficulties if there are barriers to cross-border data transfer. In all, more than $1 trillion in U.S.-European trade is at risk.

With the invalidation of the Privacy Shield Agreement, we now have lost the most straightforward legal tool for transferring data from the EU to the US. And this is a particular problem for small and medium-sized businesses. It also puts some of our largest and more sophisticated companies at a disadvantage and casts doubt on the protection of their digital services and what they provide.

Europe and the United States have had a long history of working together, and to address our global challenges and security issues at the same time, we must redouble those efforts. We must continue to work closely to defend our shared values for democracy and the rule of law. And I want to see the U.S. and Europe working together on these very important national concerns, trade and technology, so that we can continue to improve economic opportunities and avoid moves toward protectionism.

We need to start by coming together on protecting data, but we also must increase bilateral cooperation on a broad digital agenda, 5G, 6G, a regulatory framework for artificial intelligence, autonomous vehicles, cybersecurity-disinformation standards. So I support the European proposal to create a US-European Technology Council for dialogue. Maybe the Commission, the Helsinki Commission and others can help on this.
We can work together in multilateral organizations like OECD and the G7 to confront the challenges from China and Russia so that we can focus more on what the standards are for the next generation of technology and to ensure the proper protection of intellectual property. This must be our larger goal. If we fail to increase our cooperation on digital issues, our economy will suffer the consequences. The free flow of data between the United States and Europe is especially critical to 5,000-plus tech companies in the State of Washington, which generate more than $2.8 billion in digital exports.

And so equally important here today are the privacy issues that we are still working on as a committee. These are important issues. So we don't want consumers left behind. We want them to have control over their personal privacy data. We want, at the State and Federal level, to make sure that we have the right safeguards in place for consumers. So I guarantee you the United States and European citizenry are on the same page. These are the concerns that we all share, that the U.S. may have, at a Government level, a bulk collection of intelligence information that might violate those privacy rights. So we have to work hard to resolve this issue of the Privacy Shield and work hard on privacy legislation next year.

So thank you, Mr. Chairman. I look forward to working with you in resolving the issues between us on our two bills, and certainly we have made progress. It is a very hard issue. But the digital world is not going away, so we have to not only pioneer it, but pioneer the laws and safeguards that go along with it. Thank you very much.

The Chairman. And thank you for that very fine statement, Madam Ranking Member. And we now have an opportunity for opening statements by our distinguished panel. Prepared statements will be submitted and included in full in the record at this point, and we ask each witness to summarize in 5 minutes or less.
Let me also say, we have a vote--we have a series of three roll call votes at 11 a.m., and I think what we will do, Senator Cantwell, is just continue the hearing and we will ask members, two members of the Committee to preside while we go back and forth. Three 15-minute votes take us well over an hour in the U.S. Senate. So we would be advised that that will not be a particularly steep hill for us to climb. Mr. Jim Sullivan, what do you have to tell us in 5 minutes? You bet, yes.

STATEMENT OF JAMES M. SULLIVAN, DEPUTY ASSISTANT SECRETARY FOR SERVICES, INTERNATIONAL TRADE ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE

Mr. Sullivan. Good morning, Chairman Wicker, Ranking Member Cantwell, distinguished members of the Committee. Thank you for the invitation to testify about the EU-U.S. Privacy Shield Framework and the recent Schrems II decision by the Court of Justice of the European Union. I am heartened by your bipartisanship on the importance of cross-border data flows. I appreciate the Committee's very active engagement on Privacy Shield in the five months since the court's ruling.

As the Deputy Assistant Secretary for Services in the International Trade Administration, I oversee the Office of Digital Services Industries and the team responsible for U.S. Government administration and oversight of the Privacy Shield framework. During the 3-year period between July 2017 and July 2020, the Privacy Shield team and I led three successful joint annual reviews of the functioning of the framework with our partners in the European Commission and European data protection authorities. We also facilitated a 125 percent increase in the number of Privacy Shield participants, from 2,400 to 5,400 companies, that relied on the framework to conduct transatlantic trade.
Our Office of Digital Services Industries has long advocated for policies that support the free flow of data across borders as essential to global commerce, and I welcome this opportunity to comment on the status of transatlantic data flows today. And with the growth in Internet connectivity and the accelerating digitization of the global economy, cross-border data flows have become just as important to growing American jobs and competitiveness as U.S. trade in goods and services. Because the United States has been a preeminent innovator and early adopter of information and communications technology, our Nation occupies a singular leadership role in the digital economy today.

With the July 16th decision in the Schrems II case, however, data transfers from one of our largest trading partners are now under serious threat. In addition to invalidating the European Commission's adequacy decision for the Privacy Shield framework, the Schrems II decision has also called into question the reliability of other key mechanisms for moving personal data from Europe to the United States.

That ability to transfer data, including personal data, seamlessly across borders generates enormous benefits for our Nation. It affords Americans greater opportunities and a better quality of life by allowing us all to interact with people and organizations anywhere in the world. It allows our businesses, no matter how large or small, to use the Internet to market and deliver their goods and services wherever data is allowed to flow. And with technologies like 5G, the Internet of Things, and AI, the next wave of digital innovation is already here and the ability to transfer data across borders is an essential driver of innovation, competitiveness, and economic growth.
At this particular moment in history, moreover, international data flows enable the data sharing and collaborative research critical to understanding the COVID-19 virus, to mitigating its spread, and to expediting the discovery and the development of treatments and vaccines.

The United States and the European Union enjoy a $7.1 trillion economic relationship with $5.6 trillion in transatlantic trade annually. By some estimates, nearly $450 billion of this trade involves digital services. In truth, given the ongoing digitization of virtually every sector of our economy and the fact that transatlantic data flows are the highest in the world, far more of that $5.6 trillion in trade is facilitated in some fashion by cross-border transfers of data.

Now, despite our shared recognition of the importance of privacy and data protection, the United States and the European Union do differ in our respective legal approaches. As a general matter, the United States has adopted a sectoral approach to privacy with Federal laws focused on protecting certain types of particularly sensitive data, such as financial or medical information. The European Union, by contrast, largely protects all personal data under a single set of rules set forth in one law, the General Data Protection Regulation, or GDPR. And it prohibits companies from transferring EU personal data outside Europe, except under special circumstances. Transfers are expressly permitted to a recipient in a third country, for example, if the European Commission has determined that the laws of that country provide an adequate level of data protection, which is essentially equivalent to that afforded under EU law. If there is no adequacy decision for a country, a company may still transfer EU personal data to a recipient in that country by using an EU-approved data transfer mechanism. As the European Commission has not made an adequacy decision for the United States, the primary transfer mechanisms used by U.S.
companies have been standard contractual clauses, or SCCs, and until recently, Privacy Shield. Privacy Shield was negotiated as a successor to the 15-year-old Safe Harbor Framework, which itself was invalidated by the EU Court of Justice in the 2015 Schrems I case in the wake of the Snowden disclosures. Finalized in July 2016, Privacy Shield created the ombudsperson mechanism at the State Department to investigate certain requests from EU individuals related to U.S. National Security access to their personal data. Because the privacy----

The Chairman. Mr. Sullivan, we are going to put your whole statement into the record. If you could summarize in 30 more seconds so we can move along.

Mr. Sullivan. Sure. As framed by the court, the central question in Schrems II was whether in view of U.S. law and practice regarding Government access to personal data for National Security purposes, Privacy Shield and SCCs provide sufficient safeguards to EU personal data transferred to the United States. Although the European Commission and several EU member states joined the U.S. Government in arguing that U.S. law and practice do, in fact, satisfy EU data protection standards, the court answered the question with respect to Privacy Shield with a definitive no. And that ruling has created enormous uncertainties for U.S. companies and the transatlantic economy at a particularly precarious time. Effective immediately, the 5,400 Privacy Shield participants could no longer rely on the framework as a basis for transferring personal data. And because neither the court nor the European data protection authorities provided for any enforcement grace period, these companies were basically left with three choices: they could do nothing and risk huge fines for violating GDPR, they could withdraw from the European market altogether, or they could switch right away to other more expensive data transfer mechanisms----

The Chairman. OK, we will take the rest of the statement for the record.

Mr. Sullivan. Thank you.

[The prepared statement of Mr. Sullivan follows:]

Prepared Statement of James M. Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce

1. INTRODUCTION

Good morning, Chairman Wicker, Ranking Member Cantwell, and distinguished Members of the Committee. Thank you for the invitation to testify about the EU-U.S. Privacy Shield Framework and the recent Schrems II decision by the Court of Justice of the European Union. I am heartened by your bipartisanship on the importance of cross-border data flows and appreciate the Committee's active engagement on Privacy Shield in the five months since the Court's ruling.

As the Deputy Assistant Secretary for Services in the International Trade Administration, I oversee the Office of Digital Services Industries and the team responsible for U.S. Government administration and oversight of the Privacy Shield Framework. During the three-year period between July 2017 and July 2020, the Privacy Shield Team and I led three successful joint annual reviews of the functioning of the Framework with the European Commission and European data protection authorities, and facilitated a 125 percent increase in the number of Privacy Shield participants--from 2,400 to 5,400 U.S. companies that relied on the Framework to conduct transatlantic trade.

The International Trade Administration's Office of Digital Services Industries has long been focused on digital trade and data governance issues, advocating for policies that support the free flow of data across borders as essential to global commerce. As such, I welcome this opportunity to comment on the status of transatlantic data flows today. With the growth in Internet connectivity and accelerating digitization of the global economy, cross-border flows of data have become just as important to growing American jobs and global competitiveness as U.S. trade in goods and services.
Because the United States has been a preeminent innovator and early adopter of information and communications technology, our Nation occupies a singular leadership role in the digital economy today. With the July 16, 2020 decision by the Court of Justice of the European Union in the Schrems II case, however, data transfers from one of the United States' largest trading partners are now under serious threat. In addition to invalidating the European Commission's adequacy decision for the EU-U.S. Privacy Shield Framework, the Schrems II decision has also called into question the reliability of the other key mechanisms for moving personal data from Europe to the United States.

My testimony will first explore why transatlantic data flows are so important to the U.S. economy. I will then review briefly the differing regulatory approaches to data privacy in the United States and the European Union, and how we have managed to bridge those differences in the past through innovative frameworks like Privacy Shield. Finally, I will discuss the Schrems II decision, its implications for U.S. businesses, and the Administration's efforts to restore legal certainty around transatlantic data flows by negotiating mutually acceptable standards of data privacy through targeted enhancements to the Privacy Shield Framework. At the outset, I should note that I am limited as to what details I can share at this time with respect to discussions with the European Commission.

2. IMPORTANCE OF TRANSATLANTIC DATA FLOWS

The ability to transfer data--including consumers' personal data--seamlessly across borders generates enormous benefits for our citizens, our businesses, and our Nation. It affords Americans greater opportunities and a better quality of life--by allowing us all to interact with people and organizations anywhere in the world and access an ever-growing number of goods and services that can be tailored to our individual needs and preferences.
It allows our businesses, no matter how large or small, to use the Internet to more easily market and deliver their ideas, goods and services--wherever data is allowed to flow. Today, solo entrepreneurs and small- and medium-sized enterprises can reach global markets--and the 4.5 billion people now connected to the Internet--with unprecedented ease. American businesses of all sizes in every industry rely on personal data to facilitate transactions; enhance efficiencies; reduce costs; generate new customer insights; improve the quality of products and services; prevent and mitigate fraud; and manage their international networks of employees, customers, and suppliers. With technologies like 5G, the Internet of Things, robotics, and artificial intelligence, the next wave of digital innovation is already here, and the ability to transfer data across borders--to and from Europe and other places in the world--is an essential driver of commercial competitiveness, economic growth, innovation, job creation, and wage growth worldwide. The economic benefits are clear not only for the United States but for Europe itself.

At this particular moment in history, moreover, international data flows enable the data sharing and collaborative research critical to understanding the COVID-19 virus, mitigating its spread, and expediting the discovery and development of treatments and vaccines.

The United States and the European Union enjoy a $7.1 trillion economic relationship--with $5.6 trillion in transatlantic trade annually. According to some estimates, nearly $450 billion of this trade involves digital services. In truth--given the ongoing digitization of virtually every industry sector and the fact that cross-border data flows between the U.S. and Europe are the highest in the world--far more of that overall $5.6 trillion in trade is facilitated in some way by cross-border transfers of data.

3. DIFFERENT APPROACHES TO DATA PRIVACY

Despite our shared recognition of the importance of consumer privacy and data protection, the United States and the European Union differ in our respective legal approaches. As a general matter, the United States does not have one comprehensive data protection or privacy law. Privacy is regulated through a number of laws enacted at the Federal and state level. Federal laws often vary considerably in their purpose and scope. Many Federal laws impose data protection requirements tailored to specific sectors, such as finance, health, and communication. Several Federal laws focus on protecting certain types of particularly sensitive and at-risk consumer data. These include an individual's financial and medical information; children's online information; background investigations and ``consumer reports'' for credit or employment purposes; and certain other specific categories of data. All 50 states have also enacted legislation requiring private or governmental entities to notify individuals of security breaches of personally identifiable information.

The European Union, by contrast, largely protects all personal data under a single set of rules set forth in one law--the General Data Protection Regulation or ``GDPR.'' As a general matter, EU law also prohibits a company from transferring EU personal data outside Europe except under special circumstances. First, transfers are expressly permitted to a recipient in a third country if the European Commission has determined that the national laws of that country provide an ``adequate level of protection'' for personal data which is ``essentially equivalent'' to the level afforded under EU law. There are only 12 jurisdictions in the entire world that the European Commission currently considers to ensure an adequate level of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan.
And second, if there is no adequacy decision for a country, a company may still transfer EU personal data to a recipient in that country by using an EU-approved ``transfer mechanism'' that ensures sufficient data protection by the recipient. Standard Contractual Clauses or ``SCCs'' are the main transfer mechanism used by 90 percent of companies that transfer EU personal data internationally. Another option, Binding Corporate Rules or BCRs, is a set of legally enforceable internal policies for data transfers within a group of enterprises, typically large multinational organizations. Owing to a lengthy and expensive approval process, however, relatively few organizations--only about a hundred around the world--have adopted BCRs. As the European Commission has not made an adequacy decision for the United States as a whole, the primary EU-approved data transfer mechanisms used by U.S. companies have been SCCs and, until recently, the EU-U.S. Privacy Shield, which was a ``partial'' adequacy decision in that it only covered transfers to Privacy Shield-certified companies in the United States.

The EU-U.S. Privacy Shield Framework

Privacy Shield was negotiated as a successor to the 15-year-old Safe Harbor Framework. Under Safe Harbor, over 4,000 U.S. companies made legally enforceable promises that allowed for the transfer of EU personal data to the United States in compliance with EU law. In 2013, Austrian data privacy activist Max Schrems challenged Safe Harbor, and in 2015--spurred by Edward Snowden's unauthorized disclosures of national security information--the Court of Justice of the European Union invalidated the European Commission's adequacy decision that had underpinned the Framework since 2000. To address the Schrems I decision, and in anticipation of GDPR's implementation in 2018, the Department of Commerce and its interagency partners worked with the European Commission to develop and maintain a modernized and durable transatlantic data protection framework.
After months of intense negotiations, the United States and the European Commission finalized the EU-U.S. Privacy Shield Framework in July 2016. Under the terms of the new Framework, the United States created the Privacy Shield Ombudsperson Mechanism at the State Department to investigate certain requests from EU individuals related to national security access to EU personal data transmitted to the United States. Because the Privacy Shield Ombudsperson Mechanism applied to EU personal data transmitted to the United States pursuant to any transfer tool approved under EU law (including SCCs and BCRs), Privacy Shield became a key enabler of all transfers of EU personal data to the United States. The International Trade Administration's Privacy Shield Team serves as the interagency lead for the Framework and administers the day-to-day functioning of the Privacy Shield Program. It works with eligible organizations seeking to certify to the Framework by verifying that they have developed a Privacy Shield-compliant privacy policy; identified an independent recourse mechanism to investigate complaints; contributed to an arbitration fund; implemented compliance procedures; and designated a representative to handle questions, complaints, data access requests, and other issues related to the organization's participation in the Program. Once the Privacy Shield Team finalizes an organization's certification, it then adds that organization to the public-facing ``Privacy Shield List''. This list enables European companies or other interested parties to verify whether data can be transferred to the organization under the Framework. An organization's public commitments to abide by the Framework's requirements are legally enforceable. 
Accordingly, to support the integrity of the Program, the Privacy Shield Team monitors organizations' compliance and potential ``red flags'' on an ongoing basis--and refers matters that may warrant further investigation to the Federal Trade Commission or the Department of Transportation for potential enforcement action as necessary. In addition, each year since 2017, senior U.S. and EU officials have convened to conduct intensive two-day reviews of the functioning of the Privacy Shield Program. As noted earlier, the Privacy Shield Team and I led three successful annual reviews of the Program together with the European Commission, European data protection authorities, and U.S. Government colleagues from the Departments of State, Justice, and Transportation, the Office of the Director of National Intelligence, the Federal Trade Commission, and the Privacy and Civil Liberties Oversight Board, among others. Our regular interactions with EU officials before, during, and after these annual Privacy Shield reviews afforded numerous constructive opportunities for transatlantic coordination and cooperation on promoting trust in the digital economy. Following the third annual review in Washington, DC in October 2019, for example, European Commissioner for Justice Vera Jourova enthusiastically acclaimed Privacy Shield a ``success story''. For four years, Privacy Shield was the most straightforward and cost-effective EU-approved transfer mechanism for U.S. and European companies of all sizes in virtually every industry. For many firms--and for small- and medium-sized firms especially--Privacy Shield was often the only viable data transfer mechanism. Many such firms simply do not have the resources or administrative capacity to utilize more costly and burdensome mechanisms like SCCs or BCRs. Of the 5,400 Privacy Shield participants on July 16, 2020, over 70 percent were small- and medium-enterprises with fewer than 500 employees. 
4. SCHREMS II The July 16, 2020 Schrems II decision was the latest development in a long-running legal battle that has been waged in the Irish courts and the EU Court of Justice by Max Schrems. As framed by the Court, the central question in the case was whether--in view of U.S. law and practice regarding government access to personal data for national security purposes--Privacy Shield and SCCs provided sufficient safeguards to EU personal data transferred to the United States. Although the European Commission and several EU Member States joined the U.S. Government in arguing that U.S. law and practice do in fact satisfy EU data protection standards, the Court answered the question with respect to Privacy Shield with a definitive ``no''. The Court based its decision on two principal grounds. First, after analyzing the European Commission's 2016 adequacy decision for Privacy Shield, it found that certain U.S. intelligence access to EU personal data transferred under the Framework was not constrained in a way that satisfies the EU's legal requirement for ``proportionality''. Second, the Court concluded that the Privacy Shield Ombudsperson Mechanism did not afford sufficient redress for violations of EU individuals' right to data protection. The Schrems II decision has created enormous uncertainties for U.S. companies and the transatlantic economy at a particularly precarious time. Immediately upon issuance of the ruling, the 5,400 Privacy Shield participants and their business partners in the EU could no longer rely on the Framework as a lawful basis for transferring personal data from Europe to the United States. 
Because neither the Court nor European data protection authorities provided for any enforcement grace period, Privacy Shield companies were left with three choices: (1) risk facing potentially huge fines (of up to 4 percent of total global turnover in the preceding year) for violating GDPR, (2) withdraw from the European market, or (3) switch right away to another more expensive data transfer mechanism. Unfortunately, because of the Court's ruling in the Privacy Shield context that U.S. laws relating to government access to data do not confer adequate protections for EU personal data, the use of other mechanisms like SCCs and BCRs to transfer EU personal data to the United States is now in question as well. Since the Schrems II decision, the lack of legal clarity regarding data transfers from Europe to the United States has prompted some companies to begin considering data localization in Europe. Storing and processing all EU personal data in Europe, however, would be exceedingly expensive--especially for small- and medium-sized enterprises--and pose numerous technical problems for the global business models of most U.S. companies operating in Europe. Beyond the costs to individual firms, data localization measures can increase cybersecurity and other operational risks and make regulatory compliance and global risk management more difficult. Moreover, in our increasingly digitized economy, embracing data localization in Europe would set a damaging precedent for other countries and could imperil the open, interoperable, secure, and reliable Internet on which our citizens and businesses of all sizes have come to depend so heavily. Suffice to say, the Schrems II ruling also calls into question the ability of European governments to share data with the United States for national security and law enforcement purposes, putting citizens on both sides of the Atlantic at risk. 
European authorities should recognize that the mere location of data does not ensure information security or privacy, and there are other public policy objectives that are equally important, including financial stability, operational resilience, and innovation--all objectives that depend on cross-border data flows. U.S. Government Response to Schrems II While we were deeply disappointed and do not agree with the Court's decision, we are committed to working with our European Commission partners to address the Court's concerns and enable companies to continue to transfer personal data from the EU to the United States. The Administration seeks to ensure the continuity of transatlantic data flows in a manner consistent with U.S. economic and national security interests. It is important to note that the Schrems II ruling focused exclusively on government access to data. The Court did not question the extensive protections Privacy Shield offers EU individuals with respect to the commercial collection and uses of personal data. We believe Privacy Shield already provides strong and predictable protections for EU individuals and any enhancements to the Framework will build on this strong foundation. As a first step in our efforts to return stability to transatlantic data flows, we engaged with the European Commission to begin working on a solution to Privacy Shield's invalidation. On August 10, Secretary Ross and European Commissioner for Justice Reynders released a joint statement announcing that the U.S. Department of Commerce and the European Commission had initiated discussions on potential enhancements to the Privacy Shield Framework that address the Court's concerns. Thereafter, in view of the considerable uncertainties concerning the use of SCCs, we worked with our interagency colleagues to bolster companies' ability to utilize the SCCs while we worked to negotiate the necessary enhancements to Privacy Shield. To that end the U.S. 
Government released a White Paper to assist organizations using SCCs in making the case-by-case assessments called for under Schrems II as to whether U.S. law concerning government access to personal data meets EU standards. The White Paper includes a wide range of information about the extensive privacy protections in current U.S. law and practice relating to government access to data for national security purposes--and sets forth clearly the strong and multilayered protections provided under our system. While it is ultimately up to companies to make their own assessments under EU law, the White Paper has, by all accounts, proven to be a useful tool in conducting those assessments. The objective of any potential agreement between the United States and the European Commission to address Schrems II is to restore the continuity of transatlantic data flows and the Framework's privacy protections by negotiating targeted enhancements to Privacy Shield that address the Court's concerns in Schrems II. Any such enhancements must respect the U.S. Government's security responsibilities to our citizens and allies. To be clear, we expect that any enhancements to the Privacy Shield Framework would also cover transfers under all other EU-approved data transfer mechanisms like SCCs and BCRs as well. The Schrems II decision has underscored the need for a broader discussion among likeminded democracies on the issue of government access to data. Especially as a result of the extensive U.S. surveillance reforms since 2015, the United States affords privacy protections relating to national security data access that are equivalent to or greater than those provided by many other democracies in Europe and elsewhere. 
To minimize future disruptions to data transfers, we have engaged with the European Union and other democratic nations in a multilateral discussion to develop principles based on common practices for addressing how best to reconcile law enforcement and national security needs for data with protection of individual rights. It is our view that democracies should come together to articulate shared principles regarding government access to personal data--to help make clear the distinction between democratic societies that respect civil liberties and the rule of law and authoritarian governments that engage in the unbridled collection of personal data to surveil, manipulate, and control their citizens and other individuals without regard to personal privacy and human rights. Such principles would allow us to work with like-minded partners in preserving and promoting a free and open Internet enabled by the seamless flow of data. 5. CONCLUSION In closing, the International Trade Administration, the Commerce Department, and the Administration remain committed to restoring clarity and certainty to transatlantic data flows and privacy as quickly as we can. We are hopeful that our European Commission partners share our sense of urgency, and we appreciate the support and attention you and your colleagues here in Congress have brought--and can continue to bring--to the critical issue of cross-border data flows. Thank you again for this opportunity to appear today. The Chairman. Thank you very much. Mr. Phillips. STATEMENT OF HON. NOAH JOSHUA PHILLIPS, COMMISSIONER, FEDERAL TRADE COMMISSION Mr. Phillips. Thank you, Mr. Chairman. Chairman Wicker, Ranking Member Cantwell, members of the Committee, thank you for the opportunity to testify before you today. My testimony is my own and does not necessarily reflect the views of other Federal Trade Commissioners or the Commission itself. 
The Schrems II decision and the growth of other impediments to cross-border data flows deserve serious attention. This committee has engaged already and today's hearing is an important continuation of that effort. I thank you. Mr. Sullivan testified about the terrific work the Administration is doing, and with Presidential transition already underway, your leadership and your support for a path forward are essential. The privacy work of the FTC helps support the free and open Internet. Since the 1990s, we have pursued hundreds of privacy cases, hosted dozens of workshops, and produced many reports relating to privacy and data security. On the Privacy Shield framework and its predecessor specifically, we have brought over 60 cases enforcing commitments that companies make. I submitted a written statement that I will briefly address the importance of cross-border data flows, the FTC's role in supporting them, impediments they face, and suggestions on moving forward. From small startups to our largest technology companies, connected cars to contact tracing, American companies are competing and winning by offering products and services built on data. Our businesses employ data to support new technologies like artificial intelligence, and as the COVID-19 crisis makes clear, to meet longstanding needs like education, worship, health, and work. Cross-border data flows are an essential component to that. Companies of all sizes, but particularly small businesses, rely on them to reach new customers abroad, to enhance security, and to reduce costs. That means jobs for American workers, and products and services for American consumers. At FTC, our enforcement approach emphasizes harms with a substantial impact on consumers, permitting both innovation and enforcement. Recent cases include TikTok, before the company was a matter of national conversation, Facebook, YouTube, and just recently Zoom. 
By any reasonable metric, our enforcement program has had a greater impact than any in the world. We have been a key partner in Privacy Shield and are committed to working with the Department of Commerce to support the free transatlantic flow of data. Today, those flows are at risk. The European Court of Justice struck down Privacy Shield, expressing concerns about U.S. protections for European data, including redress. The decision also raised questions about standard contractual clauses, the other common legal basis for transfers. That creates legal uncertainty, a cost borne disproportionately by smaller companies, the bulk of Privacy Shield participants. The court's decision concerned national security and three things strike me as noteworthy. First, U.S. law and practice incorporate substantial civil liberty protections against Government surveillance. Second, the U.S. is at least as protective of privacy as the domestic laws of many of our European allies. Finally, as Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board recently noted, European allies regularly partner with the U.S. to assist in their collection of intelligence data. Beyond Schrems II, prominent European voices have called for data localization requirements, sometimes under the rubric of data sovereignty. Localization also poses a threat to cross-border data flows. Historically, we associate it with a kind of State-controlled Internet governance in countries like China. Liberal democracies, which have distinct but fundamentally common approaches to privacy and civil liberties, should be uniting, not splintering. Not only will this aid U.S. commerce, it will demonstrate a better way for those countries yet to decide on a path for their digital future. So, what can we do? First, we need to find a path to permit transfers between the U.S. and EU. 
As exemplified by Jim and his team, this has been a priority for the Administration, and I have every hope and expectation that it will remain one for the incoming Administration, and I ask for your help in ensuring that it is. Second, we must continue to engage with nations evaluating their approach to digital governance to promote the benefits of a free and open Internet. Third, we should vocally defend American values. When it comes to civil liberties and the enforcement of privacy laws, we are second to none. Fourth, as European leaders call to strengthen ties with the U.S., we should prioritize making our regimes interoperable. Relatively minor differences should not impede mutually beneficial commerce. Finally, any lines should be drawn between allies with shared values and others, like China, which offer a starkly different vision of Internet governance. I thank the Committee for engaging with these challenges and for inviting me, and I look forward to your questions. [The prepared statement of Mr. Phillips follows:] Prepared Statement of Hon. Noah Joshua Phillips,\1\ Commissioner, Federal Trade Commission --------------------------------------------------------------------------- \1\ My comments today are my own and do not necessarily reflect the views of the Commission or my fellow Commissioners. --------------------------------------------------------------------------- Chairman Wicker, Ranking Member Cantwell, Members of the Committee, thank you for the opportunity to testify before you today. As the agency charged with enforcing the bulk of U.S. privacy law, the Federal Trade Commission supports cross-border data flows through law enforcement, cooperation with the Department of Commerce and other agencies in international engagement, and research and advocacy concerning privacy and data security law and policy. Specifically with respect to the EU-U.S. 
Privacy Shield Framework (``Privacy Shield'') and its predecessor, we have brought over 60 enforcement actions against companies that have failed to live up to their commitments, participated in the Privacy Shield annual review process, and worked with counterpart independent data protection authorities on a host of issues. A free and open Internet is vital to the national interest, but it is at risk. The impact on U.S. commerce and cross-border data flows from the ``Schrems II'' decision by the European Union Court of Justice (``ECJ''),\2\ and the growth of other impediments to that commerce, deserve our serious and immediate attention. This Committee has engaged actively since the ECJ's decision was rendered in August, and today's hearing marks an important, bipartisan, continuation of that effort. With terrific work ongoing by this Administration--about which you will hear today--and a presidential transition underway, your leadership in drawing attention to this issue and your support for a path forward are essential. --------------------------------------------------------------------------- \2\ Case C-311/18, Data Prot. Comm'r v. Facebook Ireland & Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) (``Schrems II''). --------------------------------------------------------------------------- My testimony will address the importance of cross-border data flows, the Federal Trade Commission's role in supporting them, the impediments they nonetheless face, and some suggestions on how to move forward. The Importance of Cross-Border Data Flows Data help power the U.S. economy. From small startups to our largest technology companies, connected cars to contact tracing, American companies are competing and winning by offering consumers and clients products and services built on data. 
Our businesses employ data to develop new technologies like artificial intelligence and also to help meet longstanding needs, like education, worship, health, and office work, in novel ways. The COVID-19 crisis makes this abundantly clear. Cross-border data flows are an essential component enabling all of this. Companies of all sizes rely on these data flows to innovate, reach new customers abroad, improve efficiency, enhance security, and reduce costs,\3\ permitting the expansion and innovation that draws investment capital and creates jobs at home. That is particularly true for small companies, which cannot afford to, for example, establish offices or host data centers overseas. Cross-border data flows allow these companies to gain scale more rapidly and compete internationally at lower cost and with less risk. That is doubtless why 65 percent of companies participating in Privacy Shield are small and medium businesses.\4\ A 2016 study found that almost two-thirds of worldwide startups surveyed had customers or users in other countries.\5\ Take Etsy, the Brooklyn-based custom craft marketplace that offers small businesses a turnkey option to reach a global customer base. In 2019, cross-border transactions made up the largest component of the 36 percent of business attributable to Etsy's international business.\6\ Or consider that PayPal--based in San Jose and serving many smaller businesses--has processed over $400 billion in cross border payments since 2003.\7\ The list goes on. --------------------------------------------------------------------------- \3\ See, e.g., Joshua P. Meltzer & Peter Lovelock, Regulating for a Digital Economy: Understanding the Importance of Cross-border Data Flows in Asia 6 (Brookings Inst. Global Econ. & Dev. Working Paper No. 113) (Mar. 
20, 2018), https://www.brookings.edu/wp-content/uploads/2018/03/digital-economy_meltzer_lovelock_web.pdf (discussing access to new markets and capabilities of ``digital inputs such as cloud computing [which] provides on-demand access to computing power and software that was previously reserved for large companies''); ICC Comm'n on Trade & Inv. Pol'y & ICC Comm'n on the Digit. Econ., Int'l Chamber of Com., Trade in the Digital Economy: A Primer on Global Data Flows for Policymakers 2 (2016), https://cdn.iccwbo.org/content/uploads/sites/3/2016/09/Trade-in-the-digital-economy-A-primer-on-global-data-flows-for-policymakers.pdf (``Access to digital products and services, such as cloud applications, provides SMEs with cutting edge services at competitive prices, enabling them to participate in global supply chains and directly access customers in foreign markets in ways previously only feasible for larger companies. Indeed, the Internet is a great equalizer, enabling small companies to compete globally using the same tools as large and established companies.''); Bus. Roundtable, Putting Data to Work: Maximizing the Value of Information in an Interconnected World 6 (2015), https://s3.amazonaws.com/brt.org/archive/reports/BRT%20PuttingDataToWork.pdf (discussing how Caterpillar uses sensor data to allow it ``and its customers to remotely monitor assets across their fleets in real time''); Demetrios Marantis, Cross-border data flows power small business recovery, Visa, Inc. (Nov. 9, 2020), https://usa.visa.com/visa-everywhere/blog/bdp/2020/11/09/cross-border-data-flows-1604955432332.html (noting that cross-border data flows are used to improve AI that provides fraud detection). \4\ Oliver Patel & Dr. Nathan Lea, UCL Eur. Inst., EU-U.S. Privacy Shield, Brexit and the Future of Transatlantic Data Flows 12 (May 2020), https://www.ucl.ac.uk/european-institute/sites/european-institute/files/privacy_shield_brexit_and_the_future_of_transatlantic_data_flows_1.pdf. 
\5\ James Manyika & Susan Lund, Digital Protectionism and Barriers to International Data Flows, Bretton Woods Comm. (Jun. 25, 2018), https://www.brettonwoods.org/article/digital-protectionism-and-barriers-to-international-data-flows. \6\ Etsy, Inc., Annual Report (Form 10-K) 66 (Feb. 27, 2020), https://d18rn0p25nwr6d.cloudfront.net/CIK-0001370637/d63aa848-ac0c-474c-9350-5b18888e84bf.pdf. International business includes all transactions ``where either the billing address for the seller or the shipping address for the buyer at the time of sale is outside of the United States.'' Id. \7\ Peggy Abkemeier, Cross-Border Trade: PayPal's $400B Business, PayPal Holdings, Inc. (Apr. 6, 2017), https://www.paypal.com/stories/us/cross-border-trade-paypals-400b-business. --------------------------------------------------------------------------- The impact of cross-border digital commerce numbers in the trillions of dollars, adding by some estimates hundreds of billions of dollars annually to U.S. GDP.\8\ And there is every reason to believe that, if allowed to do so, those numbers will continue to grow. Cross-border data flows are a critical input to our technology sector, in which American companies lead the way. Of technology firms in the Fortune Global 500, the U.S. has 12, nearly double the number of Japan, the next on the list.\9\ With our increasingly data-driven economy, cross-border data flows also drive innovation and growth in other sectors as well. At the end of the day, all of that means jobs for American workers and products for consumers. --------------------------------------------------------------------------- \8\ James Manyika et al., McKinsey & Co., Digital Globalization: The New Era of Global Flows 10 (Feb. 
24, 2016), https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-globalization-Full-report.pdf (estimating impact on global GDP of $2.8 trillion in 2014); Gary Clyde Hufbauer & Zhiyao (Lucy) Lu, Can Digital Flows Compensate for Lethargic Trade and Investment?, Peterson Inst. for Int'l Econ. (Nov. 28, 2018), https://www.piie.com/blogs/trade-investment-policy-watch/can-digital-flows-compensate-lethargic-trade-and-investment (estimating impact on global GDP of over $3.5 trillion in 2020); U.S. Int'l Trade Comm'n, No. 4485, Digital Trade in the U.S. and Global Economies, Part 2, at 13 (Aug. 2014), https://www.usitc.gov/publications/332/pub4485.pdf (estimating 2011 impact on U.S. GDP of over $500 billion). \9\ Fortune Global 500, Fortune (2020), https://fortune.com/global500/. --------------------------------------------------------------------------- Role of the FTC The Federal Trade Commission plays an important role in supporting the promise of the free and open Internet, including cross-border data flows. With respect to data privacy and security, we help ensure that companies communicate honestly with their customers about their privacy and security practices and refrain from unfair privacy or security practices. Since the enactment of the Fair Credit Reporting Act (``FCRA'') in 1970,\10\ the FTC has served as the primary Federal agency protecting consumer privacy. With the development of the Internet as a commercial medium in the 1990s, the Commission expanded its focus on privacy to reflect the growing collection, use, and sharing of consumer data in the commercial marketplace. 
The Commission's main source of legal authority in the privacy and data security space is Section 5 of the FTC Act, which prohibits deceptive or unfair commercial practices.\11\ Under Section 5 and other statutes such as the Gramm-Leach-Bliley Act,\12\ the Children's Online Privacy Protection Act,\13\ and the FCRA, the FTC has aggressively pursued cases in children's privacy, financial privacy, health privacy, the Internet of Things, and beyond. In total, we have brought hundreds of data security and privacy cases and we have hosted about 75 workshops and issued approximately 50 reports in the privacy and security area, on topics from data brokers \14\ to portability.\15\ --------------------------------------------------------------------------- \10\ Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq. \11\ 15 U.S.C. Sec. 45. \12\ Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 12 and 15 U.S.C.); Standards for Safeguarding Customer Information, 16 C.F.R. Sec. 314. \13\ Children's Online Privacy Protection Act, 15 U.S.C. Sec. Sec. 6501-6506; Children's Online Privacy Protection Rule, 16 C.F.R. Sec. 312. \14\ See FTC Report, Data Brokers: A Call for Transparency and Accountability (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf. \15\ See FTC Workshop, Data To Go: An FTC Workshop on Data Portability (Sept. 22, 2020), https://www.ftc.gov/news-events/events-calendar/data-go-ftc-workshop-data-portability. --------------------------------------------------------------------------- Our approach emphasizes addressing harms that have a tangible, substantial impact on consumers' well-being. This allows for both innovation and enforcement. 
There are scores of Data Protection Authorities in nations around the world, but no agency has engaged in more, or more significant, privacy and data security enforcement than the FTC. In just the few years of my tenure and those of my fellow commissioners, we have finalized settlements with Facebook \16\ and Google/YouTube \17\ that mandated both substantial monetary relief and significant improvements in privacy governance practices. In early 2019, we resolved a case against TikTok, long before the company was a matter of national conversation.\18\ And, just a few weeks ago, we settled a case against Zoom, including allegations regarding representations the company made about the security of stored and transferred data.\19\ In my view, by any reasonable metric, our enforcement program has had a greater impact than any other in the world. --------------------------------------------------------------------------- \16\ See FTC Press Release, FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (July 24, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions. \17\ See FTC Press Release, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law (Sept. 4, 2019), https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations. \18\ See FTC Press Release, Video Social Networking App Musical.ly Agrees to Settle FTC Allegations That it Violated Children's Privacy Law (Feb. 27, 2019), https://www.ftc.gov/news-events/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc. \19\ See FTC Press Release, FTC Requires Zoom to Enhance its Security Practices as Part of Settlement (Nov. 9, 2020), https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement. 
--------------------------------------------------------------------------- The Commission has played an important role in Privacy Shield \20\ and its predecessor, the U.S.-EU Safe Harbor Framework (``Safe Harbor'').\21\ Under the EU's General Data Protection Regulation (``GDPR'') and its predecessors, companies are required to meet certain data protection requirements in order to transfer consumer data from the EU to other jurisdictions.\22\ Privacy Shield and Safe Harbor are voluntary mechanisms ensuring compliance with European requirements that have provided legal bases for companies to transfer data from Europe to the United States.\23\ --------------------------------------------------------------------------- \20\ See FTC Business Guidance, Privacy Shield (2020), https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield. While I focus here on the U.S.-EU agreements, there was previously a U.S.-Swiss version of Safe Harbor that was replaced by a U.S.-Swiss version of Privacy Shield. The Swiss data protection authorities recently reached a similar decision as the court in Schrems II. Mark Smith, ANALYSIS: Swiss-U.S. Privacy Shield Suffers from Schrems, Too, Bloomberg L. (Sept. 10, 2020), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-swiss-u-s-privacy-shield-suffers-from-schrems-too. \21\ See FTC Business Guidance, Federal Trade Commission Enforcement of the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks (2016), https://www.ftc.gov/tips-advice/business-center/guidance/federal-trade-commission-enforcement-us-eu-us-swiss-safe-harbor. \22\ Regulation (EU) 2016/679 of the European Parliament and of the Council, Art. 45, General Data Protection Regulation, 2016 O.J. (L 119) 1, 41. \23\ Privacy Shield is not the only mechanism for transferring data to the U.S. from the EU. As discussed below, GDPR permits transfers made using Standard Contractual Clauses and Binding Corporate Rules. 
---------------------------------------------------------------------------
The FTC can bring enforcement actions against companies that misrepresent their participation in or compliance with Privacy Shield. We have brought over 60 cases enforcing companies' commitments under Safe Harbor and Privacy Shield. We also fill a similar role with the APEC Cross-Border Privacy Rules system, designed to protect privacy and data flows in the Asia-Pacific region.\24\
---------------------------------------------------------------------------
    \24\ See FTC Press Release, FTC Becomes First Enforcement Authority in APEC Cross-Border Privacy Rules System (July 26, 2012), https://www.ftc.gov/news-events/press-releases/2012/07/ftc-becomes-first-enforcement-authority-apec-cross-border-privacy.
---------------------------------------------------------------------------
Even though the court declared the Privacy Shield invalid, which I discuss below, the FTC continues to expect companies to comply with their ongoing obligations with respect to transfers made under Privacy Shield. If companies do not keep their promises, we will enforce the law against them. We also encourage companies to continue to follow robust privacy principles, such as those underlying Privacy Shield, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to cross-border data transfers. The Commission remains committed to working with the Department of Commerce to help support the free flow of data across borders.

Schrems II

Notwithstanding these efforts, the privacy protections U.S. law provides U.S. citizens and non-citizens, and the tremendous work this Administration and the prior one have done with their counterparts on the European Commission (the Executive Branch of the EU), transatlantic data flows are threatened. In 2016, the European Commission deemed Privacy Shield ``adequate'', thus permitting transfers to the U.S.
under the framework.\25\ In its recent ruling in Schrems II, the ECJ struck down Privacy Shield. The court expressed concerns about U.S. protections described in the European Commission's Privacy Shield Adequacy Decision, including the independence of the Ombudsman mechanism established in the U.S. Department of State and the perceived lack of redress for EU data subjects.\26\ Additionally, the court required companies that rely on Standard Contractual Clauses (``SCCs'') to assess the level of protection in the importing country for all of their transfers, raising questions about SCCs as a legal basis for transfers to the U.S.\27\
---------------------------------------------------------------------------
    \25\ Eur. Comm'n, Commercial Sector: EU-US Privacy Shield, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#:~:text=The%20adequacy%20decision%20on%20the,United%20States%20for%20commercial%20purposes.
    \26\ Schrems II, supra note 2, 186-198.
    \27\ Schrems II, supra note 2, 142. To be sure, it is the view of many, including the Commerce Department, that SCCs are still available, at least for some transfers. But even where SCCs may still be available, the complexity and risk of using them has increased. See Dep't of Com. et al., Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020), https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
---------------------------------------------------------------------------
The Schrems II decision and recent recommendations from the European Data Protection Board,\28\ the coordinating body of local data protection authorities under the GDPR, create substantial legal uncertainty and risk for cross-border data transfers.
Those costs are borne disproportionately by small companies, which cannot afford the more expensive options, and for that reason constitute the bulk of companies that participate in Privacy Shield.
---------------------------------------------------------------------------
    \28\ Eur. Data Prot. Bd., Recommendations 01/2020 on Measures That Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (Nov. 10, 2020), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf.
---------------------------------------------------------------------------
The court's decision concerned national security access to personal data, not consumer privacy in the sense that we enforce at the FTC. Meaning, what was at issue in Schrems II was not the absence of a GDPR-like national consumer privacy law in the U.S. Looking at how the court considered U.S. national security access to personal data, three things strike me. First, U.S. law and practice incorporate civil liberty protections against government surveillance that are substantial, including statutes such as the Electronic Communications Privacy Act \29\ and the Judicial Redress Act \30\ and executive actions like Presidential Policy Directive 28.\31\ Second, as researchers in the U.S. and Europe have found, U.S. law and practice are at least as protective of privacy as the domestic laws of many of our European allies.\32\ The court, however, deemed European domestic laws irrelevant, focusing instead on what Professor Peter Swire has referred to as ``an idealized, formal standard set forth primarily in EU constitutional law'', rather than the national security laws and practices of member states.\33\ Finally, as Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board recently noted, those allies regularly partner with the U.S.
to assist in their collection of valuable intelligence data.\34\
---------------------------------------------------------------------------
    \29\ Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended in scattered sections of 18 U.S.C.).
    \30\ Judicial Redress Act, 5 U.S.C. Sec. 552a note.
    \31\ Presidential Policy Directive 28--Signals Intelligence Activities, 1 Pub. Papers 46 (Jan. 17, 2014), https://www.govinfo.gov/content/pkg/PPP-2014-book1/pdf/PPP-2014-book1-doc-pg46.pdf.
    \32\ See, e.g., Jacques Bourgeois et al., Sidley Austin LLP, Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States, at iv (Jan. 2016), https://www.sidley.com/-/media/publications/essentially-equivalent-final.pdf (arguing that ``the U.S. legal order for privacy and data protection embodies fundamental rights consistent with the Charter, principles of proportionality, and checks and balances in both form and substance, and that these protections of privacy and data protection rights are essentially equivalent to those in the EU'').
    \33\ Kenneth Propp & Peter Swire, Geopolitical Implications of the European Court's Schrems II Decision, Lawfare (July 17, 2020), https://www.lawfareblog.com/geopolitical-implications-european-courts-schrems-ii-decision.
    \34\ Adam Klein, Chairman, Priv. & C.L. Oversight Bd., Statement on the Terrorist Finance Tracking Program (Nov. 19, 2020), https://documents.pclob.gov/prod/Documents/EventsAndPress/b8ce341a-71d5-4cdd-a101-219454bfa459/TFTP%20Chairman%20Statement%2011_19_20.pdf.
---------------------------------------------------------------------------
Schrems II is not the only risk factor for cross-border data flows.
Both before and since the decision, sometimes under the rubric of ``data sovereignty'', a number of prominent European voices \35\ have called for data localization requirements in Europe--that is, for all data about Europeans to be kept in Europe.
---------------------------------------------------------------------------
    \35\ See, e.g., Vincent Manancourt, Europe's data grab, Politico (Feb. 12, 2020), https://www.politico.eu/article/europe-data-grab-protection-privacy/; Thierry Breton, Comm'r, Europe: The Keys To Sovereignty, Eur. Comm'n (Sept. 11, 2020), https://ec.europa.eu/commission/commissioners/2019-2024/breton/announcements/europe-keys-sovereignty_en.
---------------------------------------------------------------------------
By no means are data localization concerns unique to Europe. By some estimates, localization efforts have grown fourfold since 2000, including many sector-specific rules requiring that certain data be processed or maintained in-country.\36\ Countries that have, or are considering, localization requirements include India, Vietnam, Australia, and Turkey.\37\
---------------------------------------------------------------------------
    \36\ Christian Ketels & Arindam Bhattacharya, Global Trade Goes Digital, Bos. Consulting Grp. (Aug. 12, 2019), https://www.bcg.com/publications/2019/global-trade-goes-digital; Jennifer Huddleston & Jacqueline Varas, Impact of Data Localization Requirements on Commerce and Innovation, Am. Action F. (June 16, 2020), https://www.americanactionforum.org/insight/impact-of-data-localization-requirements-on-commerce-and-innovation/#ixzz6YgQOlW4C (``The data covered by these laws can range from all personal data to only specific types of data such as health or financial information.'').
    \37\ Pablo Urbiola et al., Inst. of Int'l Fin., Data Flows Across Borders: Overcoming Data Localization Restrictions 1, 2 (Mar.
2019), https://www.iif.com/Portals/0/Files/32370132_iif_data_flows_across_borders_march2019.pdf; David Meyer, Here's Why PayPal Is About to Suspend Operations in Turkey, Fortune (May 31, 2016), https://fortune.com/2016/05/31/paypal-turkey-suspension/.
---------------------------------------------------------------------------
Adopting data localization around the world poses a threat to U.S. commerce as well as the free and open Internet. To do business in multiple countries, companies will need servers, local staff, and so on. For smaller companies and startups, this may spell the end of cross-border commerce. The result will negatively impact not only American companies looking to grow but American consumers who benefit from products improved by cross-border data flows. For larger firms that can add processing capacity overseas, there still are downsides. For instance, localization inhibits the global backup and redundancy that a distributed network allows, and the privacy and security that come with it.\38\ Even something as uncontroversial as bug and error reporting from individual computers--which allows companies to analyze and correct software issues--may become a local function deprived of critical inputs. And research institutions will feel the impact, with cross-border collaboration in areas like medicine and computer science--where access to large and global data sets are essential--newly subject to digital boundaries.\39\
---------------------------------------------------------------------------
    \38\ For example, data may be divided into shards, with any individual's data split up across multiple machines across the world. H Jacqueline Brehmer, Data Localization: The Unintended Consequences of Privacy Litigation, 67 Am. U. L. Rev.
927, 967-986 (2018), https://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=2009&context=aulr; Dillon Reisman, Where Is Your Data, Really?: The Technical Case Against Data Localization, Lawfare (May 22, 2017), https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization.
    \39\ See, e.g., PHG Found., Impact of Schrems II on Genomic Data Sharing (2020), https://www.phgfoundation.org/documents/schrems-ii-discussion-paper.pdf (noting how Schrems II impacts genomic research).
---------------------------------------------------------------------------
Data localization requirements are nothing new but historically have more often been associated with alternative visions of Internet governance in countries like China and Russia. The hallmark of this alternative is state control: the opposite of a free and open Internet. China uses technical controls (its ``great firewall'') and legal controls to filter what is available to Chinese citizens.\40\ There is active censorship at the national level, such that you can't type Winnie the Pooh--a reference used by critics of President Xi--into Weibo without it being deleted.\41\ And, not surprisingly, China also requires that substantial amounts of data be stored on servers in China.\42\ Data stored locally are accessible to the government upon request, and without due process.\43\
---------------------------------------------------------------------------
    \40\ Elizabeth C. Economy, The great firewall of China: Xi Jinping's Internet shutdown, Guardian (June 29, 2018), https://www.theguardian.com/news/2018/jun/29/the-great-firewall-of-china-xi-jinpings-internet-shutdown.
    \41\ Yuan Yang, Winnie the Pooh blacklisted by China's online censors, Fin. Times (July 16, 2017), https://www.ft.com/content/cf7fd22e-69d5-11e7-bfeb-33fe0c5b7eaa.
    \42\ Yuxi Wei, Chinese Data Localization Law: Comprehensive but Ambiguous, Henry M. Jackson Sch. of Int'l Stud., Univ. of Wash. (Feb.
7, 2018), https://jsis.washington.edu/news/chinese-data-localization-law-comprehensive-ambiguous/ (localization requirements in China are comprehensive but also confusing and ambiguous).
    \43\ Afef Abrougi, Chinese law and state security requirements stunt companies' progress in 2019 RDR Index, Ranking Digit. Rts. (July 17, 2019), https://rankingdigitalrights.org/2019/07/17/chinese-law-and-state-security-requirements-stunt-companies-progress-in-2019-rdr-index/ (Chinese law requires ``to keep user activity logs and relevant data for six months and to hand it over to the authorities when requested without due process''); Martina F. Ferracane & Hosuk Lee-Makiyama, Eur. Ctr. For Int'l Pol. Econ., China's Technology Protectionism and its Non-negotiable Rationales 3 (June 2017), https://ecipe.org/wp-content/uploads/2017/06/DTE_China_TWP_REVIEWED.pdf (``[T]he State Security Law (passed in 1993) provides the state security organs with access to any information or data held by an entity in China whenever they deem it necessary. Without doubt, the scope of the State Security Law has grown exponentially in the digitalisation era.''); Adrian Shahbaz, Freedom House, The Rise of Digital Authoritarianism (2018), https://freedomhouse.org/report/freedom-net/2018/rise-digital-authoritarianism (``China was once again the worst abuser of Internet freedom in 2018.'').
---------------------------------------------------------------------------
Russia also maintains strict data localization laws (though not always enforced);\44\ allows for blacklisting of Internet sites;\45\ and has experimented with creating, in effect, its own internet, with exclusively in-country routing, DNS, and the like.\46\
---------------------------------------------------------------------------
    \44\ Vera Shaftan, Russian Data Localization law: now with monetary penalties, Data Prot. Rep. (Dec.
20, 2019), https://www.dataprotectionreport.com/2019/12/russian-data-localization-law-now-with-monetary-penalties/#:~:text=By%20way%20of%20recap%2C%20in,using%20databases%20located%20in%20Russia (``[I]n 2015, Russia introduced a data localization law, requiring ``data operators'' to ensure that recording, systematisation, accumulation, storage, refinement and extraction of personal data of Russian citizens is done using databases located in Russia.'').
    \45\ Freedom House, Freedom on the Net 2019, Russia (2019), https://freedomhouse.org/country/russia/freedom-net/2019 (``The government gives several state bodies--including Roskomnadzor, the Prosecutor General's Office, the Federal Service for Surveillance on Consumer Rights Protection and Human Wellbeing (Rospotrebnadzor), the Federal Drug Control Service, and, most recently, the Federal Agency for Youth Affairs--the authority to block various categories of online content.'').
    \46\ Isabelle Khurshudyan, Russia is bolstering its Internet censorship powers--is it turning into China?, Independent (Feb. 3, 2020), https://www.independent.co.uk/news/world/europe/russia-internet-censorship-norway-putin-a9306666.html (observing that a 2019 law ``aims to route Russian web traffic and data through points controlled by state authorities and to build a national domain name system. This, supporters claim, would give Russia greater control of Internet content and traffic.'').
---------------------------------------------------------------------------
Let me stress that the liberal democracies of Europe are nothing like China and Russia, but impeding cross-border data flows and erecting unnecessary barriers--the ``Splinternet'', as Stanford Law Professor Mark Lemley refers to it in a recent article \47\--will reverberate. In many parts of the world, including nations with which the U.S. does substantial commerce, which path to follow remains an open question.
Liberal democracies should be uniting--not dividing--to light the better path.
---------------------------------------------------------------------------
    \47\ Mark A. Lemley, The Splinternet (Stan. Law & Econ. Olin Working Paper No. 555, 2020), http://dx.doi.org/10.2139/ssrn.3664027. Professor Lemley is not the first to use this term.
---------------------------------------------------------------------------

Next Steps

All of this demonstrates the need to foster transatlantic data flows, and international ones more broadly.

First, we need to find a path forward after Schrems II, to permit transfers between the U.S. and EU. I want to recognize the efforts of U.S. and EU negotiators to find a replacement for Privacy Shield. While no doubt challenging, I have confidence in the good faith and commitment of public servants like Jim Sullivan, with whom I have the honor of appearing today, and our partners across the Atlantic. I have every hope and expectation that protecting cross-border data flows will be a priority for the incoming Administration, and I ask for your help in ensuring it is.

Second, we must actively engage with nations evaluating their approach to digital governance, something we at the FTC have done, to share and promote the benefits of a free and open Internet. There is an active conversation ongoing internationally, and at every opportunity--whether in public forums or via private assistance--we must ensure our voice and view is heard.

Third, we should be vocal in our defense of American values and policies. While we as Americans always look to improve our laws--and I commend the members of this committee on their important work on privacy legislation and other critical matters--we do not need to apologize to the world. When it comes to civil liberties or the enforcement of privacy laws, we are second to none. Indeed, in my view, the overall U.S.
privacy framework--especially with the additional protections built into Privacy Shield--should certainly qualify as adequate under EU standards.

Fourth, as European leaders call to strengthen ties with the U.S., we should prioritize making our regimes compatible for the free flow of data. This extends to the data governance regimes of like-minded countries outside of Europe as well. Different nations will have different rules, but relatively minor differences need not impede mutually-beneficial commerce.\48\ We need not and should not purport to aim for a single, identical system of data governance. And we should remind our allies, and remind ourselves, that far more unites liberal democracies than divides us.\49\
---------------------------------------------------------------------------
    \48\ See, e.g., Remarks of Jennifer Daskal, Debate: We Need to Protect Strong National Borders on The Internet, 17 Colo. Tech. L.J., 13, 27 (``[T]he goal is to figure out a way to mediate, and manage, those differences, without yielding a fractured Internet.'').
    \49\ For one model of how to bridge the divide, consider the CLOUD Act, which provides for U.S. law enforcement access to data stored overseas while recognizing and respecting the citizens and laws of the hosting country. See, e.g., Alan Charles Raul, Global Overview, Privacy, Data Prot. and Cybersecurity L. Rev., 1, 2 (Alan Charles Raul ed., 2020), https://www.sidley.com/-/media/publications/the-privacy-data-protection-and-cybersecurity-law-review-2020-global-overview.pdf?la=en; Daskal, supra note 48, at 29.
---------------------------------------------------------------------------
Fifth and finally, if we must draw lines, those lines should be drawn between allies with shared values--the U.S., Europe, Japan, Australia, and others--and those, like China and Russia, that offer a starkly different vision. I am certainly encouraged when I hear recognition of this distinction from Europe.
European Data Protection Supervisor Wojciech Wiewiorowski recently noted that the U.S. is much closer to Europe than is China and that he has a preference for data being processed by countries that share values with Europe.\50\ Some here in the U.S. are even proposing agreements to solidify the relationships among technologically advanced democracies, an idea worth exploring in more detail.\51\
---------------------------------------------------------------------------
    \50\ Peter Swire, `Schrems II' backs the European legal regime into a corner--How can it get out?, IAPP (July 16, 2020), https://iapp.org/news/a/schrems-ii-backs-the-european-legal-regime-into-a-corner-how-can-it-get-out/.
    \51\ See, e.g., Robert K. Knake, Council on Foreign Rels., Weaponizing Digital Trade: Creating a Digital Trade Zone to Promote Online Freedom and Cybersecurity (Sept. 2020), https://cdn.cfr.org/sites/default/files/report_pdf/weaponizing-digital-trade_csr_combined_final.pdf; Jared Cohen & Richard Fontaine, Uniting the Techno-Democracies, Foreign Affs., Nov.-Dec. 2020, https://www.foreignaffairs.com/articles/united-states/2020-10-13/uniting-techno-democracies (suggesting an informal group of technologically advanced states which would hold regular meetings).
---------------------------------------------------------------------------
However we proceed, it will require vision and leadership, and that is why I am so glad that this committee is prepared to engage thoughtfully with these challenges. Again, thank you for inviting me today, and I look forward to your questions.

The Chairman. Thank you very much. Ms. Espinel, you are recognized.

STATEMENT OF VICTORIA A. ESPINEL, PRESIDENT AND CHIEF EXECUTIVE OFFICER, BSA | THE SOFTWARE ALLIANCE

Ms. Espinel. Good morning--and members of the Committee. My name is Victoria Espinel and I am President and CEO of BSA | the Software Alliance.
Data flows are not often the topic of headlines or congressional hearings, even though they are integral to our daily lives. That is because when they are permitted and when the data is kept private, our expectations as consumers are met and our businesses can operate effectively. However, if they are disrupted, we all face problems. I commend the Committee for holding this hearing on the critical issue of cross-border data transfers and for the opportunity to testify here today.

Today's consumers and businesses of all sizes and in all industries expect services that offer privacy and security. Those services often require connecting people who sit on different sides of the globe, yet need access to the same data. And that requires moving data between countries and across legal systems. As individuals, we rely on data transfers in our jobs and lives every day without even thinking about it. It might be the H.R. system that ensures you are paid on time. It might be your company's e-mail contacts that include colleagues who are abroad. It might be your credit card, which checks for and stops fraudulent transactions.

Data transfers are foundational to any business with employees, customers, vendors, or locations outside the United States. For example, farmers use global data to understand weather patterns and soil conditions around the world to increase their crop yields and lower their cost. Similarly, manufacturers use data from factory floors across the world to monitor the safety and performance of their machines. It is difficult to overstate the importance of cross-border data transfers to U.S. consumers, U.S. businesses of all sizes and sectors, and the entire U.S. economy, particularly in light of COVID.
The crosscutting importance of this issue led BSA to launch a new initiative earlier this year, the Global Data Alliance, that brings together companies and a range of industries who are united by the importance of transferring data across borders in a manner that strongly protects personal privacy. At BSA, we represent the enterprise software perspective and our members create the technology that other businesses use. Those businesses trust BSA members to maintain the privacy and security of their most sensitive data, and our companies work hard to earn that trust.

I want to emphasize that there should be no tradeoff between the need to transfer data and the need to protect the privacy of that data. Both are essential. In our view, personal data should only be transferred or used in any way with real, effective privacy protections. BSA also supports strong privacy legislation. I was honored to testify before this committee at the beginning of this Congress on privacy legislation. And I want to thank Chairman Wicker, Ranking Member Cantwell, and Senators Moran, Blumenthal, Thune, Schatz, Markey, Klobuchar and others for their hard work and leadership to develop concrete proposals that will form the basis for passing privacy legislation next year.

While I have focused on the ability to send data across borders in general, today's hearing focuses on a specific and important set of transfers, those between the United States and the European Union. The EU requires that transfers of personal data use a transfer mechanism. The U.S.-EU Privacy Shield was for many years a trusted way to do this. When the Privacy Shield and other transfer mechanisms were challenged in the European court, BSA participated as an amicus alongside the U.S. Government and the European Commission.
This July, the Court of Justice of the European Union invalidated the Privacy Shield in its so-called Schrems II decision, which had an immediate impact on 5,300 mostly small and medium-sized businesses that relied on the Privacy Shield. I want to emphasize that the decision did not question the privacy practices of the companies participating in the Privacy Shield. The court also upheld the use of standard contractual clauses, which will become even stronger when a new U.S.-EU agreement is reached.

We applaud the quick response by policymakers on both sides of the Atlantic. I want to thank Mr. Sullivan and Commissioner Phillips for their immediate response. We particularly appreciate the leadership efforts by this committee and the strong, bipartisan, bicameral support. Chairman Wicker, Ranking Member Cantwell, thank you for the letter that you and your House counterparts sent to the FTC and Commerce shortly after the court's decision.

In addition to these urgent near-term efforts, I want to encourage this committee to think boldly about longer term, sustainable ways to address the underlying intelligence gathering issues, and to work toward building consensus among like-minded countries. We all realize that some amount of signals intelligence is necessary in a democratic society to ensure safety and security. The question is, what guardrails and safeguards are needed? Building mutual recognition around these issues is vital over the long term. BSA stands ready to work with the Committee on promoting reliable and secure mechanisms for international data transfers. And I look forward to your questions.

[The prepared statement of Ms. Espinel follows:]

Prepared Statement of Victoria A. Espinel, President and CEO, BSA | The Software Alliance

Good morning Chairman Wicker, Ranking Member Cantwell, and members of the Committee. My name is Victoria A. Espinel. I am President and CEO of BSA | The Software Alliance (``BSA'').
BSA is the leading advocate for the global software industry.\1\ Our members are at the forefront of developing cutting-edge, data-driven services that have a significant impact on U.S. job creation and growing the global economy. I commend the Committee for holding this hearing on the important topic of transatlantic data transfers and the EU-US Privacy Shield Framework (``Privacy Shield''), and I thank you for the opportunity to testify.
---------------------------------------------------------------------------
    \1\ BSA | The Software Alliance (www.bsa.org) is the leading advocate for the global software industry before governments and in the international marketplace. Its members are among the world's most innovative companies, creating software solutions that spark the economy and improve modern life. With headquarters in Washington, DC, and operations in more than 30 countries, BSA pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy. BSA's members include: Adobe, Atlassian, Autodesk, Bentley Systems, Box, Cadence, CNC/Mastercam, DocuSign, IBM, Informatica, Intel, MathWorks, Microsoft, Okta, Oracle, PTC, Salesforce, ServiceNow, Siemens Industry Software Inc., Sitecore, Slack, Splunk, Trend Micro, Trimble Solutions Corporation, Twilio, and Workday.
---------------------------------------------------------------------------
Cross-border data transfers are critical to the success of a broad range of companies, of all sizes and industries, and to consumers on both sides of the Atlantic. For that reason, the issues before this Committee reach far beyond the technology sector. Companies large and small, across the entire U.S. economy, depend on services that send data across international borders. BSA represents the perspective of enterprise software companies.
Our members create the technology products and services that help other businesses innovate and grow. Businesses trust BSA members to maintain the privacy and security of their most sensitive data, including personal information. Those businesses--in sectors as diverse as agriculture, healthcare, manufacturing, and banking--produce a broad range of products and services and are united by the need to send data across international borders. Indeed, everyday technologies like cloud storage services, customer relationship management software, human resource management programs, identity management services, workplace collaboration software, and supply chain management services all depend on the ability to transfer data across national boundaries. Transferring data across borders is not only vital to businesses, but also to consumers and workers. In our professional lives, we transfer data when we send e-mails to colleagues, manage staff and budgets, attend videoconferences, and in thousands of other routine business activities. In our personal lives, we transfer data across borders when we engage in e-commerce or use messaging platforms to stay in touch with friends and relatives overseas. In each of these scenarios, we rightly expect to use global services that can connect us with others worldwide--in a manner that protects the privacy and security of our data. These issues are even more important amid the COVID-19 pandemic, as companies across the economy rely more heavily on remote workplace tools and cloud-based technologies that help employees remain productive while working outside of their physical offices. Online tools are also opening new avenues for medical researchers, hospitals, and pharmaceutical companies to coordinate research and treatment efforts, and for regulators to more quickly and accurately assess potential vaccines and treatments. 
Small businesses are increasingly serving customers not only in physical stores but also through online models that let them reach customers worldwide. As individuals, we are also shifting our lives even further online--whether it is to buy goods and services or to gather with relatives and friends. In short, it is difficult to overstate the importance of cross-border data transfers to U.S. consumers, businesses of all sizes and sectors, and the entire economy. That is why I want to focus my testimony on the need to ensure companies can continue transferring data across international borders, so they can provide the products and services their customers demand, in a way that respects the privacy and security of the transferred data. Today's hearing focuses on the Privacy Shield, which until recently served as a privacy-protective way for companies to transfer data from the EU to the United States, consistent with EU legal requirements and privacy expectations of EU and U.S. citizens. The Privacy Shield was invalidated in July, when the Court of Justice of the European Union (``CJEU'') issued its decision in Schrems II. We applaud the swift response to that decision by policymakers on both sides of the Atlantic and their shared recognition that a new agreement is needed to replace the Privacy Shield. In particular, I would like to thank Chairman Wicker and Ranking Member Cantwell for leading a bipartisan and bicameral letter shortly after the Court's decision. Your efforts helpfully demonstrated strong congressional support for the Administration to negotiate with the European Commission to ensure data flows are not unduly disrupted. We welcome this Committee's efforts to continue supporting the important work of developing a successor to the Privacy Shield, to provide a responsible way for companies to transfer data across the Atlantic.
At the same time, along with these important near-term efforts, we also encourage the Committee to think boldly about longer-term, sustainable ways to address the underlying issues about intelligence gathering and privacy--and to work toward building consensus on those issues among like-minded countries. The Ability to Send Data Across International Borders is Critical to Consumers and Companies Worldwide International data transfers are an essential part of modern-day commerce. They underpin a wide range of everyday business activities. For instance, when an employee joins a video conference with an overseas customer, shares documents with colleagues in a foreign office, sends an order to a supplier in another country, or simply communicates online with someone overseas, that person invariably engages in the cross-border transfer of data. As just one example, modern IT support offered on a 24-hour/7-days-a-week basis--which became critical for many companies even before the current pandemic--would be impossible without the ability to transfer data across borders. Robust cybersecurity likewise relies on sharing data to help companies quickly identify and respond to threats that, by their nature, do not respect national borders. Indeed, sharing information on how bad actors in one country attempted to breach a system can help companies in other countries thwart similar efforts. International data transfers are an essential component of products and services across industries. For example: Detecting fraud. Cross-border data flows help stop credit card fraud on a global scale. By efficiently transmitting data across borders, banks can detect and block fraud attempts in a matter of seconds, regardless of where a purchase is attempted. This process has prevented billions of dollars in losses to online fraudsters. Healthcare.
Cross-border data transfers allow healthcare facilities to make treatments more effective by using clinical support software that analyzes electronic medical records, insurance claims, and datasets across a large and diverse sample size. It can also enable digitized medical images to be shared with non-local specialists for consultations anywhere in the world, improving the quality of medical care regardless of where a patient lives. E-commerce. Cross-border data flows are at the heart of e-commerce. Retailers send data across borders when they check inventory in an overseas warehouse, accept and process customer orders, and enable customers to track shipments en route to their destination. Human resources management. Global companies across industries rely on cloud-based human resources systems to hire employees and conduct performance reviews, and to administer benefits and payroll across offices in different countries. The ability to send data across national borders is critical to ensuring companies can coordinate personnel management across a multi-national workforce. In short, it is difficult to conceive of how commerce in the modern economy could continue to function without the ability to transfer data across international borders. And, in BSA's view, personal data should only be transferred--or used in any way--with real, effective privacy protections. BSA sees no tradeoff between data transfers and data privacy--both are essential. Indeed, BSA has long called for Congress to pass a clear and comprehensive national law that gives consumers meaningful rights over their personal data; imposes obligations on companies to safeguard consumers' data and prevent misuse; and provides strong, consistent enforcement. In all of these conversations, ensuring that companies handle data in privacy-protective ways that honor consumers' expectations is paramount. Cross-border data transfers are critical across all industry sectors.
They are also vital to the ability of U.S. companies to grow and compete worldwide. Although most data transfers today involve digital products and services, it would be a mistake to view international data transfers as an issue unique to technology companies. Global companies of all sizes in every industry rely on cross-border data transfers to conduct business, innovate, and compete more effectively. Data transfers are estimated to contribute $2.8 trillion to global GDP--a share that exceeds the global trade in goods and is expected to grow to $11 trillion by 2025.\2\ This value is shared by traditional industries like agriculture, logistics, and manufacturing, which realize 75 percent of the value of the Internet.\3\ U.S. companies of all sizes and industry sectors must be able to transfer data across borders to compete in a global market. --------------------------------------------------------------------------- \2\ OECD, Measuring the Economic Value of Data and Cross-Border Data Flows, 297 OECD Digital Economy Papers 24 (Aug. 2020), https://www.oecd-ilibrary.org/docserver/6345995e-en.pdf?expires=1606762530&id=id&accname=guest&checksum=E07406A96BD78AB99291D0F7D411F923. \3\ McKinsey Global Institute, Internet Matters: The Net's Sweeping Impact on Growth, Jobs, and Prosperity (May 2011), https://www.mckinsey.com//media/McKinsey/Industries/Technology%20Media%20and%20Telecommunications/High%20Tech/Our%20Insights/Internet%20matters/MGI_internet_matters_full_report.ashx. --------------------------------------------------------------------------- Indeed, the cross-cutting importance of this issue spurred BSA to launch a new initiative earlier this year--the Global Data Alliance--bringing together companies in industries ranging from consumer goods to healthcare to aerospace technology.
Members of the Global Data Alliance provide a diverse range of products and services, serve different types of customers, and operate in different geographic markets--and they all recognize the critical importance of transferring data across borders in a manner that strongly protects personal privacy. We also should recognize the ultimate beneficiaries of enabling data to travel freely across borders are consumers. Organizations that rely on cross-border data flows produce the food we eat, the cars we drive, the medicines we take, the clothing we wear, and the myriad other goods and services we enjoy. Consumers also depend on these transfers when communicating with loved ones abroad, engaging in banking transactions, and purchasing goods online. The benefits to individuals of online services have been particularly apparent during the COVID-19 pandemic, with studies indicating 50 percent of U.S. employees are working remotely.\4\ Moreover, global collaboration between researchers, hospitals, and regulators has been critical to the development and testing of treatments and vaccines for COVID-19. --------------------------------------------------------------------------- \4\ Global Data Alliance, Cross-Border Data Transfers & Remote Work at 2 (Oct. 5, 2020), https://www.globaldataalliance.org/downloads/10052020cbdtremotework.pdf. --------------------------------------------------------------------------- The importance of cross-border data transfers to the economy will only grow. By 2022, 60 percent of global GDP is expected to be digitized, with growth in every industry driven by data flows and digital technology.\5\ By 2025, six billion consumers--amounting to over 75 percent of the world's population--are predicted to be digitally connected, through over 25 billion connected devices.\6\ Ensuring data transfers can happen securely and reliably is therefore fundamental not only to current economic growth, but also to future prosperity.
--------------------------------------------------------------------------- \5\ Daniel D. Hamilton & Joseph P. Quinlan, The Transatlantic Economy 2020 at 28 (2020), https://transatlanticrelations.org/publications/transatlantic-economy-2020/ (``The Transatlantic Economy 2020''). \6\ Global Data Alliance, Cross-Border Data Transfer Facts and Figures, https://globaldataalliance.org/downloads/gdafactsandfigures.pdf (``GDA Facts and Figures''). --------------------------------------------------------------------------- Transatlantic data transfers are particularly important.\7\ Data transfers to the EU account for about 50 percent of U.S. data transfers, while data transfers to the United States account for an even greater share of EU data transfers.\8\ These data flows support the roughly $312 billion in annual U.S. services exports to Europe.\9\ --------------------------------------------------------------------------- \7\ Recent studies indicate transatlantic cables carry 55 percent more data than transpacific routes, and the quantity of these transatlantic data transfers is growing rapidly. The Transatlantic Economy 2020 at 41. \8\ BSA | The Software Alliance, The Future of Transatlantic Data Flows at 1 (Sept. 23, 2020), https://www.bsa.org/files/policy-filings/bsa_transatlanticdataflows.pdf (``BSA Transatlantic Data Flows''). \9\ The Transatlantic Economy 2020 at iii. --------------------------------------------------------------------------- These numbers underscore a simple but critically important fact: maintaining stable and secure mechanisms for data transfers between the United States and the European Union is essential to the success of both economies, and to the global economy more broadly. II. EU-US Data Transfers: The Need for Reliable, Privacy-Protective Mechanisms The need for specific legal mechanisms to transfer data across the Atlantic is rooted in EU law, and is currently embodied in the EU's General Data Protection Regulation (``GDPR'').
Under the GDPR, companies may only transfer personal data from the EU to another country if the country has been deemed to provide an ``adequate'' level of privacy protection, or if the data is transferred pursuant to a legal mechanism recognized by the GDPR.\10\ The European Commission has only recognized twelve countries as providing an ``adequate'' level of protection. When data is transferred to other countries, then, companies must use another legal mechanism recognized by the GDPR. --------------------------------------------------------------------------- \10\ See GDPR, Chapter V. The GDPR took effect in May 2018; the EU's prior data protection law similarly restricted the transfer of personal data to third countries. See Directive 95/46/EC. --------------------------------------------------------------------------- The Privacy Shield created a way for companies to transfer data to the U.S. under privacy-protective principles the EU deemed ``adequate.'' By invalidating the Privacy Shield, the Schrems II judgment has created an urgent need for a new mechanism for transatlantic data transfers. Transfer Mechanisms. The GDPR recognizes several legal mechanisms for transferring data across borders, including Standard Contractual Clauses (``SCCs'') and Binding Corporate Rules (``BCRs'').\11\ --------------------------------------------------------------------------- \11\ The other mechanisms include legally binding instruments between public authorities; codes of conduct; and approved certifications. The GDPR also permits companies to transfer data pursuant to derogations for limited, specific situations. Standard Contractual Clauses. SCCs are a standardized set of contractual obligations that companies can adopt when transferring data outside the EU. The SCCs are approved by the European Commission and reflect commitments that implement EU legal requirements to safeguard data. 
Companies that transfer data pursuant to SCCs typically include the Commission-approved contract language in all of their relevant contracts with suppliers and other vendors. SCCs are widely used, and they underpin transfers of personal data from the EU not only to the US, but to more than 180 countries. In 2019, one survey found that nearly 90 percent of companies that transferred data outside of the EU relied on SCCs.\12\ --------------------------------------------------------------------------- \12\ IAPP-EY Annual Governance Report 2019 (Nov. 6, 2019), https://iapp.org/resources/article/iapp-ey-annual-governance-report-2019/ (survey of 370 companies). --------------------------------------------------------------------------- Binding Corporate Rules. BCRs are corporate rules that govern international data transfers within a company. The GDPR sets out a list of topics that must be addressed by BCRs, which must specify how the company will apply certain data protection principles and data subject rights to the transferred data. BCRs may take several years to develop and must be approved by a data protection authority in the EU before they can take effect. Even so, their use is limited to a specific set of intra-company transfers; BCRs accordingly do not provide a basis for transferring data to third parties, such as customers, partners, or suppliers. Privacy Shield. The Privacy Shield provided an important and cost-effective alternative mechanism for transferring data from the EU to the United States. It was negotiated by the U.S. Government and the European Commission to allow companies to commit to privacy principles that ensured data transferred to the U.S. was ``adequately'' protected. As a result, transfers under the Privacy Shield were deemed ``adequate''--thus allowing companies to transfer data from the EU to the U.S. under the Privacy Shield program without using other mechanisms such as SCCs or BCRs.
The Privacy Shield established a voluntary program for companies to transfer data--but once a company publicly commits to comply with its requirements, that commitment becomes enforceable by the Federal Trade Commission. Companies that participate in the Privacy Shield therefore commit to handle data transferred from the EU to the U.S. in line with seven privacy-protective principles on notice, choice, onward transfers, security, data integrity and purpose limitation, access, and enforcement. Participants also adhere to sixteen supplemental principles, which address additional protections for sensitive data and dispute resolution, among other issues. To help ensure these protections remained meaningful in light of changes involving technologies and developments in EU or U.S. law, the Privacy Shield created an internal review mechanism for the United States and the EU to update the Privacy Shield over time. Its most recent annual review, released in October 2019, confirmed that the Privacy Shield remained a trusted mechanism for companies and individuals alike.\13\ --------------------------------------------------------------------------- \13\ European Commission, Report from the Commission to the European Parliament and The Council on the Third Annual Review of the Functioning of the EU-U.S. Privacy Shield, Oct. 23, 2019, https://ec.europa.eu/info/sites/info/files/report_on_the_third_annual_review_of_the_eu_us_privacy_shield_2019.pdf. --------------------------------------------------------------------------- The Privacy Shield program was well-used, particularly by small- and medium-sized entities transferring data from the EU.
Over 5,300 organizations, in industries ranging from manufacturing to hospitality, participated in the Privacy Shield program,\14\ and more than 70 percent of those companies were small- or medium-sized businesses.\15\ Its benefits reached more broadly, though, to the networks of suppliers and customers that depended on these Privacy Shield-certified companies. --------------------------------------------------------------------------- \14\ Congressional Research Service, U.S.-EU Privacy Shield (Aug. 6, 2020), https://fas.org/sgp/crs/row/IF11613.pdf. \15\ U.S. Department of Commerce, Commerce Secretary Wilbur Ross Welcomes Privacy Shield Milestone-Privacy Shield Has Reached 5,000 Active Company Participants (Sept. 11, 2019), https://www.trade.gov/press-release/commerce-secretary-wilbur-ross-welcomes-privacy-shield-milestone-privacy-shield-has. --------------------------------------------------------------------------- The U.S. Government also made significant commitments in connection with the Privacy Shield, to address the protection of data transferred under the program. These include not only the annual review mechanism discussed above, but also the establishment of an ombudsperson mechanism, which was designed to respond to requests by EU individuals regarding U.S. signals intelligence practices.\16\ Officials at the U.S. Department of Justice and the Office of the Director of National Intelligence also described the many limitations and safeguards applicable to U.S. government access for law enforcement and for national security purposes.\17\ These include Presidential Policy Directive 28 (``PPD-28''), which was issued in 2014 to set out principles and requirements that apply to all U.S. signals intelligence activities. In addition to these commitments, the U.S. Privacy and Civil Liberties Oversight Board has issued oversight reports or conducted oversight reviews of many of these national security authorities.
--------------------------------------------------------------------------- \16\ See John F. Kerry, Letter to Commissioner Jourova (July 7, 2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q0b. \17\ See Bruce C. Schwartz, Letter to Justin Antonipillai and Ted Dean (Feb. 19, 2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q0W; Robert Litt, Letter to Justin Antonipillai and Ted Dean (Feb. 22, 2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1F; and Robert Litt, Letter to Justin Antonipillai and Ted Dean (June 21, 2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1A. --------------------------------------------------------------------------- Schrems II Litigation. The Schrems II decision arose after a series of complaints filed by Max Schrems, who in 2013 challenged the predecessor to the Privacy Shield, which was known as the Safe Harbor. In October 2015, the CJEU annulled the Safe Harbor, creating the need for the U.S. and EU to negotiate the Privacy Shield. Later the same year, Schrems filed a reformulated complaint challenging the ability of Facebook to transfer data from the EU to the U.S. using SCCs. Even though the reformulated complaint centered on the use of SCCs, proceedings before both the Irish High Court and the CJEU sparked substantial discussion on the Privacy Shield. BSA participated in the Schrems II litigation as an amicus curiae. We argued before the CJEU, asking it to uphold the SCCs and not address the Privacy Shield, which we felt it did not need to reach in order to decide that case.
Throughout the litigation, BSA emphasized SCCs are intended to support transfers to jurisdictions the European Commission has not already deemed ``adequate''--and therefore companies using the SCCs should focus on the protections provided by those clauses rather than on the protections offered by the laws of the third country to which data is exported. In July 2020, the CJEU's Schrems II decision invalidated the Privacy Shield, taking away this critical mechanism for transferring data.\18\ Importantly, the CJEU did not take issue with the privacy practices of companies that use the Privacy Shield. Rather, the Court based its decision on U.S. intelligence practices it found were not consistent with the EU Charter of Fundamental Rights. The Court focused specifically on signals and intelligence collection under Executive Order 12333 and Section 702 of the FISA Amendments Act of 2008. --------------------------------------------------------------------------- \18\ Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems (Schrems II), 180-85, 191-92, 197-201 (July 16, 2020). --------------------------------------------------------------------------- At the same time, the CJEU upheld the validity of SCCs. While we agree with the European Commission and the U.S. Government that the safeguards and commitments contained in the Privacy Shield should have been sufficient, we were pleased the Court affirmed the validity of SCCs. Like BCRs, SCCs can create commercial privacy protections beyond those included in the Privacy Shield, because companies may use them to make additional binding commitments.\19\ For companies using SCCs, the CJEU stressed the need to determine, on a case-by-case basis and in light of all the circumstances of the transfer, including any additional safeguards that parties may add to SCCs, whether the data can be protected adequately. We agree with that approach.
In October, BSA published a set of principles to guide companies in developing additional safeguards for EU-US data transfers. The principles can be turned into specific clauses appropriate to the specific nature of the transfer.\20\ --------------------------------------------------------------------------- \19\ In fact, BSA members were making commitments beyond what is included in Commission-approved SCCs before the Schrems II case began. \20\ BSA | The Software Alliance, Principles: Additional Safeguard for SCC Transfers (Oct. 2020), https://www.bsa.org/files/policy-filings/10222020bsascctransfers.pdf. --------------------------------------------------------------------------- Last month, the European Data Protection Board (``EDPB''), which comprises representatives of the national data protection authorities within the European Union, published draft recommendations for the use of SCCs for transferring data. We understand the concern many companies have raised about whether the recommendations would effectively prohibit transfers to the US. We appreciate that the EDPB has opened its recommendations to public comment. We also respect the difficulty of providing examples that account for all of the circumstances of all data transfers. We remain optimistic the draft recommendations can be revised to better reflect the CJEU's judgment, which envisions greater flexibility and use of additional safeguards to protect privacy. For example, the CJEU's decision directs companies to consider ``all'' circumstances of a transfer in determining whether additional safeguards are appropriate to supplement SCCs. The full set of relevant circumstances may include the nature of the data transferred and the likelihood of government access to that data, yet the range of these circumstances is not fully reflected in the current draft recommendations.
Despite the widespread use of SCCs, we should not forget that the use of SCCs creates burdens, particularly on smaller businesses that may be forced to re-negotiate all of their relevant contracts to include terms of SCCs. This option should therefore not be viewed as a replacement for the Privacy Shield. Given the breadth and diversity of companies that rely on transatlantic data transfers, it is imperative to ensure there are multiple practical and privacy-protective ways for companies to transfer data. III. There is Broad Support for the U.S. Government and the European Commission to Develop an Enhanced Privacy Shield We commend the U.S. Government and the European Commission for recognizing the need for a new agreement to improve on the Privacy Shield. Shortly after the CJEU's judgment, the Department of Commerce and the European Commission jointly announced the initiation of discussions to evaluate the potential for an enhanced Privacy Shield framework.\21\ In doing so, both governments ``recognize[d] the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies,'' and stressed their mutual commitment to supporting privacy, the rule of law, and the close economic relationship between the United States and Europe.\22\ --------------------------------------------------------------------------- \21\ Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders (Aug. 10, 2020), https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european. \22\ Id. --------------------------------------------------------------------------- These efforts have strong bipartisan, bicameral support.
Again, we very much appreciate the letter Chairman Wicker and Ranking Member Cantwell sent after the Schrems II decision to the Commerce Department and the Federal Trade Commission, along with your counterparts on the House Energy and Commerce Committee, encouraging them to work closely with the European Commission to develop a new data transfer mechanism to replace the Privacy Shield.\23\ --------------------------------------------------------------------------- \23\ Letter from Senator Roger Wicker et al., to Secretary Wilbur Ross & Chairman Joseph Simons (Aug. 5, 2020), https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/FTC.DOC.2020.8.5.%20Letter%20re%20Privacy%20Shield%20ECJ%20Decision.CPC_.pdf. In addition, several members of the House of Representatives, led by Representatives Welch, LaHood, and DelBene, have echoed this support. Letter from Representative Peter Welch et al., to Secretary Wilbur Ross & Chairman Joseph Simons (Oct. 2, 2020), https://www.bsa.org/files/policy-filings/10022020congresslettersupportprivacyshield.pdf. --------------------------------------------------------------------------- All sectors of the U.S. economy have also demonstrated support for this effort to reach an improved agreement. BSA and the U.S. Chamber of Commerce led a letter signed by dozens of trade associations spanning a broad range of industries, which together encouraged the U.S. Government to work collaboratively with its EU counterparts to develop a stable and sustainable mechanism to replace the Privacy Shield.\24\ --------------------------------------------------------------------------- \24\ Letter from BSA | The Software Alliance et al., to Secretary Wilbur Ross (July 17, 2020), https://www.bsa.org/files/policy-filings/07172020multiindustryresponselettertoschremsii.pdf. --------------------------------------------------------------------------- The U.S.
Government and the European Commission have also repeatedly expressed their support for the Privacy Shield framework. Prior to the Court's judgment in Schrems II, European regulators described the Privacy Shield as a ``success story,'' that offered strong privacy protections to EU data subjects and exemplified the productive partnership between the EU and U.S. governments.\25\ In the Schrems II litigation, both the U.S. Government and the European Commission argued in support of the Privacy Shield, stressing its importance to both sides of the Atlantic. As an amicus in Schrems II and in a separate challenge to the Privacy Shield, BSA argued in support of the Commission and of the Privacy Shield. Moreover, at BSA, we have a longstanding relationship with the European Commission and are committed to working collaboratively and closely with them to address the need for robust data transfer mechanisms and find long-term solutions. --------------------------------------------------------------------------- \25\ European Commission, EU-U.S. Privacy Shield: Third Review Welcomes Progress While Identifying Steps for Improvement (Oct. 23, 2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6134. --------------------------------------------------------------------------- We are confident the U.S. Government and the European Commission can work together to develop an enhanced successor to the Privacy Shield. In its decision invalidating the Privacy Shield, the CJEU focused on concerns around two specific U.S. intelligence-gathering programs, including whether those programs appropriately safeguard privacy and fundamental rights, whether they are subject to independent oversight, and whether they provide EU data subjects with rights to judicial redress. Given the targeted nature of the Court's concerns, we are optimistic the U.S. Government and European Commission can work together to address them.
Indeed, it is important to recognize the CJEU expressed no concerns about the adequacy of the privacy protections imposed on commercial entities by the Privacy Shield. Developing an enhanced Privacy Shield should not require a complete overhaul of the existing model but instead should address the specific concerns highlighted in the Schrems II judgment. We fully support those efforts and stand ready to provide whatever assistance we can. IV. Over the Long Term, Countries Must Work Together to Recognize Shared Values on Appropriate Safeguards for Intelligence Practices The ongoing work by the Administration and the European Commission to develop an enhanced Privacy Shield is urgent, and we appreciate their constructive approach and this Committee's focus on the issue. Creating a new and enhanced mechanism for such transfers is vital to the continued prosperity of both the United States and Europe. We also urge this Committee, the U.S. Government, and all like-minded democratic societies interested in both security and civil liberties to think boldly about longer-term approaches to security safeguards. Even the CJEU recognizes some amount of signals intelligence is necessary in a democratic society to ensure safety and security. The question is what guardrails and safeguards are needed. The U.S. Government has, to its credit, publicly released significant guidance about safeguards and oversight mechanisms. It is well positioned to lead a conversation with other governments about the appropriate use of safeguards to protect privacy and fundamental rights, the level of independent oversight, and the ability of individuals to obtain redress for violations. A common understanding on best practices will improve transparency among America's allies and decrease future transatlantic data conflicts. We have full confidence the U.S. Government and the European Commission can address these issues in the context of developing a successor to the Privacy Shield.
At the same time, we recognize commitments and agreements addressing such practices are more durable when they reflect a broader consensus of America and its allies on the appropriate scope of intelligence-gathering practices. We accordingly encourage the U.S. Government to work with like-minded democratic countries to build a mutual recognition that many countries already share a set of values on the appropriate safeguards for intelligence-collection activities. For example, we support the U.S. Government working toward diplomatic agreements with countries that share our commitment to democracy and the rule of law, to set out a mutual understanding of the types of safeguards appropriate for intelligence-gathering activities to ensure respect for the privacy and fundamental rights of individuals. We do not underestimate the potential magnitude of such an effort, or the challenges it might present. But we believe U.S. leadership on this issue will both strengthen U.S. economic interests, and ensure the United States and its allies are aligned in promoting economic growth based on the principles of freedom, security, democratic values, and human rights across the globe. * * * Thank you again for the opportunity to testify at today's hearing. BSA looks forward to working with the Committee on promoting reliable and secure mechanisms for international data transfers. The Chairman. Thank you very much. Since you mentioned the letter, Ms. Espinel, I think we should insert it in the record at this point. So I ask unanimous consent that the letter dated August 5, 2020 to Honorable Wilbur Ross and Honorable Joseph Simons and signed by Frank Pallone Jr., Greg Walden, Roger F. Wicker, and Maria Cantwell be admitted into the record at this point. [The letter referred to was unavailable at time of printing.] The Chairman. Thank you very much. And Mr. Swire, you are next. 
STATEMENT OF PETER SWIRE, ELIZABETH AND TOMMY HOLDER CHAIR OF LAW AND ETHICS, SCHELLER COLLEGE OF BUSINESS, GEORGIA INSTITUTE OF TECHNOLOGY Mr. Swire. Chairman Wicker, Ranking Member Cantwell, and members of the Committee for the opportunity to testify today. My name is Peter Swire. I am a Professor at Georgia Tech and Research Director of the Cross-border Data Forum. I have been working on these issues for quite a while. I wrote a book in 1998 for Brookings on EU-U.S. data privacy fights and have been working on that in some ways ever since. For the Schrems trial in Ireland, I submitted testimony of over 300 pages. So I have been living this quite intensively for a long time---- The Chairman. We won't put that in the record. [Laughter.] Mr. Swire. There is a nice link in the testimony, sir. This hearing is important in part to create a clear public record about these key issues. The part--one of my testimony makes eight specific points. The first is that the European Data Protection Board has issued draft guidance last month that is so strict it would massively cut off data flows from the United States--from Europe to the United States. The second point is, a lot of these issues in Europe are constitutional law. And we know from the United States you can't go and amend the Constitution easily. So the U.S. has to be aware of their Constitutional restrictions as we negotiate eventual solutions. The third point, which has been mentioned by others, is the possibility here of strict data localization if the strict interpretations happen. And at the Cross-Border Data Forum, we are working on additional studies about how serious that would be. Point four is an appendix to my testimony that provides detailed proposals for one of the hard issues here. It is what is called ``individual redress,'' the rules in Europe that there has to be somebody who can check to make sure the citizens' rights are protected. In August with Kenneth Propp, I wrote a proposal in Lawfare on this. 
There have been comments from a senior European lawyer on it. And in this testimony, I have new non-statutory approaches that presumably could be implemented pretty much immediately that would take big steps toward solving the individual redress problem, and I hope that will be considered quickly. Fifth point has to do with what is called ``proportionality'' under European law, is there too much surveillance in the view of their judges. There is an Appendix to this testimony that lists all the surveillance updates, it is 25 pages, since 2016. It shows a very strong record in the United States, that safeguards that have been taken since 2016, since the Privacy Shield. So we have a record to explain to the Europeans the very strong safeguards that exist. A sixth point, and I will take a little bit to expand on this, is that it is important to negotiate a deal, in my view, in the short term, hopefully before January 20. And I would suggest even a one-year deal that would then expire that meets the goals of both the European Union and the United States. For the EU, there have been reports in the press that they would like to have a broader negotiation on many issues, including privacy, with the new Administration. Having a year to negotiate this as part of a broader deal would meet important European goals. It would also help the European Union on its guidance, clarify things. It would allow additional work on significant U.S. actions, and it would provide time for Congress to see if there are specific statutes that might help. So even a one-year extension would provide a lot of room for what would then lead to presumably a longer term proposal that would build on the shorter term things. That might seem impossible, but having this issue negotiated in the first weeks of a new Administration would be very challenging. So getting something done soon before there is a cutoff of data flows creates a lot more room for better things down the road. 
In my testimony, the last part about Europe is that as the U.S. considers tough reforms on our side, we should at least understand what they can do on their side. What are their legal options for reform? Those haven't been considered very much in Europe yet, but that is a normal part of negotiations. I then have three points about the U.S. landscape. The first point, which is not fully understood in Europe, is how much continuity we have had on these issues. From the Obama Administration to the Trump Administration on Privacy Shield, on Presidential Directive 28, it has been continuity here, and we would expect the same from a new Biden Administration. So many things are very tough in a partisan world. In this one, there is a lot of agreement. A second point, which has also been made by others today, is that passing comprehensive commercial privacy legislation would help a great deal. That wouldn't directly address the surveillance issues, but the clear story from Europe is it would help the atmosphere. So if this committee in the Congress could pass a law in that direction, it would make a big difference. It is no small thing. I have worked around this city for a long time, but it would make a huge difference even to have, for instance, a committee bill reported out that showed progress would be a help in the negotiations. And then the last part of the testimony is why this Congress has a unique opportunity in my 25 years of working on these issues to pass comprehensive privacy legislation. Could I have perhaps 30 or 45 seconds to list a couple? The Chairman. Sure. Mr. Swire. OK. And you know better than I all the reasons this is impossible, but not getting there is also a great big problem. So one big reason for hope is the progress that the Chairman and the Ranking Member made in this Congress on a lot of provisions to narrow down the list of disagreements. A second reason is that industry concern about Europe has a strong reason to support legislation. 
A third reason that industry after the new California initiative has a strong reason to want to have some restrictions on additional things that are coming in from California. A fourth reason has to do with the favorite issue of preemption, and the testimony suggests one possible way that both sides of that difficult fight could have a victory on preemption, for instance, by allowing the current California privacy law to stay in place, but not having the new initiative go into effect. There would be some State action, but not other State action that might provide more room. And the last point is, in a Congress where bipartisan accomplishments are difficult, this is an issue where for business and for consumers, for Republicans and Democrats, there may actually be the possibility of bipartisan action. Thank you, Chairman and Ranking Member, for once again the opportunity for being here today. [The prepared statement of Mr. Swire follows:] Prepared Statement by Peter Swire,\1\ Elizabeth & Tommy Holder Chair of Law and Ethics Scheller College of Business, Georgia Institute of Technology --------------------------------------------------------------------------- \1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business; Research Director, Cross-Border Data Forum; senior counsel, Alston & Bird LLP. The opinions expressed here are my own, and should not be attributed to the Cross-Border Data Forum or any client. --------------------------------------------------------------------------- Chairman Wicker, Ranking Member Cantwell, and Members of the Committee, thank you for the opportunity to testify today on ``The Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows.'' I am Peter Swire, the Elizabeth and Tommy Holder Chair of Law and Ethics at the Scheller College of Business at Georgia Tech, and Research Director of the Cross-Border Data Forum. 
Since the mid-1990s I have worked intensively on the topic of data flows between the European Union (EU) and U.S., including as lead author of the 1998 book called ``None Of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive.'' I have worked on these issues as a government official and private citizen, and wrote expert testimony of over 300 pages for the 2017 trial in Ireland of the Schrems II case. A biography appears at the end of this testimony. This hearing is important in part to create a clear public record about these complex and important issues concerning the European Union, the United States, and international flows of ``personal data,'' which is often called PII or ``personally identifiable information'' in the U.S. Part I of this testimony offers observations on legal and policy issues in the European Union. Key points include: A. The European Data Protection Board in November issued draft guidance with an extremely strict interpretation of how to implement the Schrems II case. B. The decision in Schrems II is based on EU constitutional law. There are varying current interpretations in Europe of what is required by Schrems II, but constitutional requirements may restrict the range of options available to EU and U.S. policymakers. C. Strict EU rules about data transfers, such as the draft EDPB guidance, would appear to result in strict data localization, creating numerous major issues for EU- and U.S.-based businesses, as well as affecting many online activities of EU individuals. D. Appendix 1 to this testimony provides detailed proposals for one of the requirements of the EU Charter--individual redress for violation of rights in the U.S. surveillance system. E. Along with concerns about lack of individual redress, the CJEU found that the EU Commission had not established that U.S. surveillance was ``proportionate'' in its scope and operation. 
Appendix 2 to this testimony seeks to contribute to an informed judgment on proportionality, by cataloguing developments in U.S. surveillance safeguards since the Commission's issuance of its Privacy Shield decision in 2016. F. Negotiating an EU/U.S. adequacy agreement is important in the short term. G. A short-run agreement would assist in creating a better overall long-run agreement or agreements. H. As the U.S. considers its own possible legal reforms in the aftermath of Schrems II, it is prudent and a normal part of negotiations to seek to understand where the other party--the EU--may have flexibility to reform its own laws. Part II of the testimony provides observations on the U.S. political and policy landscape: A. Issues related to Schrems II have largely been bipartisan in the U.S., with substantial continuity across the Obama and Trump administrations, and expected as well for a Biden administration. B. Passing comprehensive privacy legislation would help considerably in EU/U.S. negotiations. C. This Congress may have a unique opportunity to enact comprehensive commercial privacy legislation for the United States. PART I: Observations on Legal and Policy Issues in the European Union In the wake of the Schrems II decision very large data flows from the EU to the U.S. and other third countries may become unlawful. The likelihood and magnitude of such a blockage are uncertain, and depend significantly on how European actors interpret the Schrems II decision. With Kenneth Propp, I have written previously on the background of the Schrems II case, its holdings, and its geopolitical implications. In Part I of this testimony, I address legal and policy issues specifically about the EU. A. The European Data Protection Board in November issued draft guidance with an extremely strict interpretation of how to implement the Schrems II case. 
An apparently very strict interpretation of Schrems II appears in two documents issued, subject to public comment, by the European Data Protection Board on November 11, 2020. My discussion here draws on the clear and expert three-part commentary of Professor Theodore Christakis in the European Law Blog. As the body of national data protection regulators, the EDPB's views are important due to its official role in interpreting the GDPR as well as language in the Schrems II decision about its role in defining what supplementary safeguards are sufficient for transfers outside of the EU. The EDPB issued its draft of the ``European Essential Guarantees for Surveillance Measures'' (``EEG Requirements''). This document summarized the fundamental rights jurisprudence of the European Court of Human Rights (housed in Strasbourg, and interpreting the European Convention on Human Rights) and the Court of Justice of the European Union (housed in Luxembourg, and interpreting European Union law including the EU Charter of Fundamental Rights). A key task of the EEG Requirements was to state the EDPB's understanding of what legal requirements a third country must have in order to ``offer a level of protection essentially equivalent to that guaranteed within the EU.'' To simplify the EDPB's main point--if a third country (such as the U.S.) meets the EEG Requirements, then the country can be seen as providing ``essentially equivalent'' protections; if not, then the country does not provide ``essentially equivalent'' protections, and transfers of personal data would require additional safeguards. Where ``essentially equivalent'' protections exist, then transfers to that country may be found ``adequate'' under EU law. This sort of ``adequacy'' determination was made by the EU Commission in 2016 for the Privacy Shield. Eleven countries currently have this sort of adequacy determination by the EU Commission. A new EU/U.S. agreement would presumably be based on a similar adequacy finding. 
If an adequacy determination is not in place, then the Schrems II court stated that transfers from the EU to a third country can exist where ``supplementary measures'' or ``additional safeguards'' are in place. Along with the EEG Requirements, the EDPB released its ``Recommendations on Supplementary Measures'' on November 11. Prior to the EDPB guidance, the U.S. government issued its ``White Paper'' on ``Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.'' Other expert commentators published detailed studies of how additional safeguards, well implemented, could create a lawful basis for continuing to use Standard Contractual Clauses or other mechanisms for transferring personal data from the EU to third countries including the U.S. As Professor Christakis has explained, the EDPB interpreted the Schrems II decision to be far stricter than had the White Paper or other commentators. The EDPB's EEG Requirements are so strict, as Christakis wrote, that ``third countries might rarely if ever meet the EEG requirements.'' Data exporters, under the EDPB approach, would then have to rely on its Recommendations on Supplementary Measures. Christakis, however, found these are also exceptionally strict: ``To sum up, the EDPB's guidance clearly indicates that no data transfer should take place to non-adequate/non-essentially equivalent countries unless the data is so thoroughly encrypted or pseudonymised that it cannot be read by anyone in the recipient country, not even the intended recipient.'' B. The decision in Schrems II is based on EU constitutional law. There are varying current interpretations in Europe of what is required by Schrems II, but constitutional requirements may restrict the range of options available to EU and U.S. policymakers. There are important and as-yet unresolved disagreements among EU experts about how to interpret the Schrems II decision. 
Disagreements about constitutional law are certainly familiar to the Senators and American lawyers. That sort of disagreement is what exists in Europe in the aftermath of Schrems II. Much of the Schrems II decision relied on specific provisions in the EU Charter of Fundamental Rights, which came into force in 2009 along with the Treaty of Lisbon: 1. Article 47 of the Charter addresses the right to an effective remedy: ``Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal.'' Appendix 1 to this testimony examines issues arising under Article 47, notably what sorts of individual redress the U.S. might provide for EU persons with respect to U.S. surveillance practices. 2. Article 7 of the Charter addresses respect for privacy and family life: ``Everyone has the right to respect for his or her private and family life, home and communications.'' This right to privacy is similar to the ``right to respect for private and family life'' in Article 8 of the European Convention of Human Rights, first signed in 1950. 3. Article 8 of the Charter is a data protection right. It states: ``(1) Everyone has the right to the protection of personal data concerning him or her; (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority.'' The EDPB guidance can illustrate the importance of how these fundamental rights protections will be interpreted after the Schrems II decision. To illustrate, suppose that each aspect of the draft EDPB guidance were required by the Charter of Fundamental Rights. 
In that instance, the European Union would have no legal authority to weaken constitutional protections, and the strict prohibitions on data transfers under the EDPB draft guidance would be required as a matter of EU constitutional law. Based on the review of that guidance by Professor Christakis, an enormous range of flows of personal data would be prohibited to the U.S., China, India and most or all other third countries in the world (except the small number with a current adequacy decision in place). The draft EDPB guidance, in fact, would appear to be clearly stricter than constitutionally required by the Schrems II decision. After all, the CJEU went to considerable lengths to say that transfers using Standard Contractual Clauses remained lawful where ``additional safeguards'' were in place; however, the EDPB guidance found no ``additional safeguards'' that would enable access to the personal data in a third country. It appears that the EDPB draft guidance would render the CJEU's discussion of additional safeguards to be a nullity. Based on my discussions with other EU legal experts, many EU legal experts would find greater flexibility under EU constitutional law than provided by the EDPB draft guidance. Going forward, EU experts on fundamental rights will engage on what restrictions on data transfers are required by the Charter of Fundamental Rights, as contrasted with decisions of non-judicial officials. In conclusion on EU constitutional requirements, a very strict interpretation of the decision may leave limited options open for policymakers. Although the precise legal issues are different, the importance of constitutional doctrine is well known to U.S. lawmakers for free speech and other First Amendment issues. 
Members of this Committee will therefore understand that legal, constitutional limits may affect what the EU Commission, the European Parliament, and other EU institutions can do in the wake of the Schrems II decision. C. Strict EU rules about data transfers, such as the draft EDPB guidance, would appear to result in strict data localization, creating numerous major issues for EU- and U.S.-based businesses, as well as affecting many online activities of EU individuals. The European Union will continue its own deliberations about how strict are the limits on data flows, as a matter of either EU policy choices or fundamental rights jurisprudence. I will briefly discuss some practical effects of a strict approach, which appear considerable. I will first address what one might call the ``boy who cried wolf'' theory. After all, concerns about EU cut-off of data have arisen repeatedly since the Data Protection Directive went into effect in 1998. At that time, the EU/U.S. Safe Harbor, and other practical measures, enabled commerce to proceed without great hindrance. Later, in 2015, the CJEU issued the first Schrems decision, and privacy experts advised companies that data flows from the EU might be cut. Then, the EU and U.S. negotiated the Privacy Shield, and commerce continued. More recently, the General Data Protection Regulation (GDPR) went into effect in 2018, along with warnings that it could shut down numerous business models. In practice, after often-considerable compliance efforts, most business has been able to continue under GDPR. After these three rounds of warnings of disaster that didn't materialize, it would be easy for people to assume that the aftermath of Schrems II will once again be less impactful on data transfers than doomsayers cry out. My view, however, is that the possibility of major disruptions of data flows is far greater this time. 
The CJEU--the supreme court of Europe, whose decisions are binding on the member states--has reiterated its strong concerns about transferring data to countries whose surveillance systems fail to meet European standards. That same court would have the final word about any new EU-U.S. agreement, or any other legal mechanism that seeks to enable transfers to third countries. Depending on how one interprets the constitutional dimensions of Schrems II and the many other high court decisions examined by the EDPB, the apparent room for policymaker discretion now seems more limited. In addition, based on my discussions with knowledgeable persons, there is a significant possibility that one or more of the largest companies in the world may come under court order to stop transfers, before the January 20 U.S. presidential inauguration. In short, this time may fit the old story, where the boy cried wolf once again, but this time the wolf was really there. If many data transfers are cut off, then the effect would be data localization. The term ``local'' here would apply to the EU member states, the other countries in the European Economic Area, and the currently eleven countries that now have an adequacy determination. Transfers to the United Kingdom after the January 1, 2021 Brexit would appear to depend on the UK receiving an adequacy determination, which is currently being considered but has not been finalized. As the possibility of data localization increases, it becomes increasingly important for organizations to determine what it would mean to implement localization, and for policymakers to understand the effects of localization. 
The most detailed examination of such data flows, of which I am aware, remains the book that I wrote with Robert Litan in 1998, called ``None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive.'' Thanks to permission from its publisher, the Brookings Institution, that book is now downloadable from the Brookings website. Chapter 5 of the book addresses ``privacy issues affecting many organizations,'' such as human resources, auditing, business consulting, and customer support such as call centers. Chapter 6 examines financial services in detail, and the effects on that large sector deserve careful attention. Chapter 7 looks at ``other sectors with large trans-border flows'', including business and leisure travel and e-commerce generally; it also looks at possible interruptions of pharmaceuticals research, which would be especially important to consider during the COVID pandemic, when sharing of personal data might be so important concerning the safety and efficacy of vaccines as well as other medical information. Looking ahead, I plan to work with the Cross-Border Data Forum as soon as possible to update and extend the data localization analysis. I hope to publish initial pieces of that analysis in time to offer comments on the EDPB Guidelines, due December 21. Many types of data flows are the same as in 1998, but there are important new categories of data flows, perhaps most notably for cloud computing, where the personal data of individuals is often stored in a different country. Several current reports are also available that provide useful discussion of the impacts of cutting off data, including here and here. I welcome any information or suggestions about how to accurately describe the effects of data localization, such as under a strict interpretation of EU law. Pending such additional study, I offer the following observations about the effects of a strict requirement of data localization: 1. 
Companies may find it difficult or impossible to ``fix'' the problem themselves--the legal problem concerns the rules for government access to personal data. 2. Data localization would have enormous impacts on third countries other than the U.S. Schrems II clarified that its rule applies to the U.S. in particular but also to all third countries that lack essentially equivalent protections. a. Some countries, such as China, have woefully weaker safeguards against government surveillance than the U.S. does. It is therefore difficult for me to understand what additional safeguards might be taken to enable transfers to such countries. China is Germany's largest trading partner, illustrating the large effect on the EU (rather than the U.S.) of strict limits on transfers. b. Other countries, such as Canada, are democracies with strong privacy regimes, but have not thus far received an adequacy determination. Even if the EU and U.S. reach an agreement, there will be legal uncertainty about whether and how transfers can continue to these other democracies. 3. Particular study should focus on the effects on EU individuals, who may lose access to services and face reduced choice about how to live their online life. Similarly, EU-based businesses may face serious obstacles, beginning but not limited to how they operate with their non-EU affiliates, suppliers, and partners. Detailed study of the effect on the EU will help EU decisionmakers weigh how to protect privacy while also meeting other goals, as stated by the CJEU in Schrems II, that are ``necessary in a democratic society.'' 4. During the coronavirus pandemic, individuals and businesses rely more than ever before on online services, many of which are operated or managed across borders. Disruptions from data localization thus would appear to be especially great until we reach a post-pandemic time. 5. 
In conclusion on the effects of a strict EU approach, it is vital to consider carefully what measures can satisfy all the relevant legal constraints. New solutions quite possibly are necessary to enable continued data flows along with the legally-required improvements in privacy protection. D. Appendix 1 to this testimony provides detailed proposals for one of the requirements of the EU Charter--individual redress for violation of rights in the U.S. surveillance system. This testimony will briefly summarize key points from Appendix 1, which provides details on how the U.S. might craft a new system of individual redress to address the CJEU's concerns. The Appendix has three parts: 1. Discussion of the August 13 proposal by Kenneth Propp and myself, entitled ``After Schrems II: A Proposal to Meet the Individual Redress Problem.'' In order to provide an effective fact- finding phase, a statute could create a mandate for intelligence agencies to conduct an effective investigation when an individual (or a Data Protection Authority on behalf of the individual) makes a complaint. This mandate is similar to the Freedom of Information Act--an individual does not have to show specific injury in order to make a FOIA request, and an individual similarly would not need to show injury to request the investigation. Once the fact-finding is concluded, the statute could provide for appeal to the Foreign Intelligence Surveillance Court (FISC). 2. Discussion of the article by European legal expert Christopher Docksey on ``Schrems II and Individual Redress--Where There's a Will, There's a Way.'' This article found the Propp/Swire approach promising, while pointing out important aspects of EU law to be considered in any U.S. system for individual redress. 3. New material about how the individual redress system could be created, even without a new statute. 
In the fact-finding phase, Executive Branch agencies could be required to perform an investigation pursuant to a new Executive Order or other presidential action. An independent agency, such as the Privacy and Civil Liberties Oversight Board, could sign a memorandum of understanding that would bind the agency to participate in the process. Once the fact-finding is complete, complaints that concern surveillance under Section 702 FISA could then go to the FISC. The FISC has continuing oversight of actions pursuant to its annual court order concerning Section 702. It appears that the government could promise to report the outcome of an investigation to the FISC, and the FISC could then review the fact-finding investigation to determine whether it complied with its court order. As discussed in Appendix 1, ``non-statutory approaches are worth considering even if a somewhat better system might be created by a statute. A non-statutory approach quite possibly is the best way to ensure that data flows and privacy protections exist during an interim period while legislation is being considered.'' Based on my experience, the fundamental rights orientation of EU data protection law has often emphasized the importance of a mechanism for an individual to make a complaint or access request. Then, there must be a mechanism with sufficient independence and authority to review the facts and issue an order to correct any violations. As the CJEU re-emphasized in Schrems II, Article 47 of the Charter requires ``an effective remedy before a tribunal.'' After working extensively on this subject, and speaking with both European and American experts, I believe it is vital and apparently feasible to construct a new system of individual redress with respect to actions by U.S. surveillance agencies. Creating such a system would directly respond to a repeated and important criticism to date of the ``essential equivalence'' of U.S. protections. E. 
Along with concerns about lack of individual redress, the CJEU found that the EU Commission had not established that U.S. surveillance was ``proportionate'' in its scope and operation. Appendix 2 to this testimony seeks to contribute to an informed judgment on proportionality, by cataloguing developments in U.S. surveillance safeguards since the Commission's issuance of its Privacy Shield decision in 2016. Along with lack of individual redress, the Schrems II court found that the principle of proportionality requires that a legal basis which permits interference with fundamental rights must ``itself define the scope of the limitation on the exercise of the right concerned and lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards.'' ( 180). The court held that the 2016 Privacy Shield adequacy decision by the EU Commission did not show proportionality for Section 702 and EO 12,333. ( 184). Concerning the issue of proportionality, I offer six observations: 1. Appendix 2 to this testimony provides ``Updates to U.S. Foreign Intelligence Law since 2016 Testimony.'' Appendix 2 presents updates on the U.S. legal and regulatory regime for foreign intelligence surveillance that have occurred since testimony of over 300 pages that I provided to the Irish High Court in 2016 on the same subject (the ``2016 Testimony''). Taken together, the 2016 Testimony and Appendix 2 seek to present an integrated set of references that may inform ongoing assessments, under European Union law, of the proportionality and overall adequacy of protection of personal data related to U.S. foreign intelligence law. 2. A proportionality assessment is quite different than the issue of individual redress. Redress is a specific assessment--a sufficient redress provision exists or it doesn't. by contrast, ``proportionality'' can be a more wide-ranging and fact-based assessment, similar to defining a term such as ``reasonable.'' 3. 
As a related point, the Schrems II decision cites European law that privacy and data protection rights ``are not absolute rights,'' but instead ``must be considered in relation to their function in society. ( 172) In addition, standard data protection clauses are lawful ``where do not go beyond what is necessary in a democratic society to safeguard, inter alia, national security, defence and public security.'' ( 144). More documentation may thus be relevant as evidence of what is ``necessary in a democratic society.'' 4. Appendix 1, concerning individual redress, discusses the possibility of incorporating concepts such as proportionality and necessity, or related terms used in U.S. law, into the targeting procedures for Section 702 approved annually by the FISC. I make this proposal for the first time in this testimony, and so there may be classified or other persuasive reasons why such an approach is inadvisable or unlawful. 5. In considering whether and how to issue an updated adequacy opinion about the United States, the EU Commission will thus have available a considerable record that evidences the large number and high quality of safeguards within the U.S. surveillance system. Chapter 6 of my 2016 Testimony cited a study led by Ian Brown, then of Oxford University, that concluded that the U.S. legal system of foreign intelligence law contains ``much clearer rules on the authorization and limits on the collection, use, sharing, and oversight of data relating to foreign nationals than the equivalent laws of almost all EU Member States.'' The U.S. government's White Paper this fall adds particulars about current safeguards. 6. With that said, European law to date has indicated that ``essential equivalence'' of a third country is judged against the standards set forth by the CJEU, rather than a comparison of U.S. practices to the practices of the EU member states. Professor Kristina Irion this year has explained the relevant EU doctrine. Supporters of U.S. 
or other third country adequacy might therefore complain about hypocrisy or an unfair standard, but such arguments to date have not prevailed in European courts.

In conclusion on proportionality, it is important for the United States and the EU Commission to develop a strong record for why Section 702 and other surveillance programs currently are ``proportionate,'' or else consider reforms that do establish proportionality.

F. Negotiating an EU/U.S. adequacy agreement is important in the short term.

There are strong reasons for the EU and the U.S. to seek agreement in the short term, so that the EU Commission can issue an adequacy decision. I highlight five points:

1. Especially in the wake of the very strict EDPB draft guidance, there is now considerable uncertainty about the lawful basis for many transfers from the EU to third countries, including the U.S. As mentioned above, there may well be court orders issued, even before January 20, that prohibit transfers of personal data by one or more major companies based in the U.S.

2. My understanding is that the current administration has a process in place to engage immediately with the EU. Even though a Biden administration would have available experts on these EU/U.S. data issues, there could be a disruptive delay after January 20 if discussions are not completed by then. The immediate discussions should take account of the legal and political realities facing the EU Commission--it will only wish to enter into an agreement with a strong case that it is acting consistent with the CJEU decision in Schrems II. The U.S. thus has a stronger-than-usual incentive to make its ``best and final offer'' quickly, because of the limited time to renegotiate before January 20.

3. To avoid potentially large disruptions, it makes sense to achieve a short-term package even if additional reforms and agreements may be possible in the longer-run. For instance, an adequacy decision might be for a limited time, such as one year. That would provide a new administration and the EU time to develop longer-term agreements across both data protection and other issue areas, as the EU has indicated it would like to do. A deadline, such as one year, would provide a useful incentive for all concerned to continue to work intensively toward a longer-term solution.

4. Any short-term approach should include, if possible, clear attention to key sectors, including medical research and financial services. During the pandemic, it would be foolhardy to interrupt the ability of medical researchers and manufacturers to develop and test for the safety and efficacy of COVID-19 treatments and vaccines. In addition, the financial services sector has historically relied primarily on Standard Contractual Clauses for transfers, rather than Privacy Shield. My understanding is that to date there has been low risk within the EU of enforcement against the financial services sector, which I believe transfers large amounts of personal data daily for business and regulatory reasons. With strict approaches such as the EDPB draft guidance, there is now increased risk of disruption of the global financial system due to possible limits on transfers of personal data from the EU to third countries.

5. There is an important reason, from the EU perspective, to issue an adequacy decision for the U.S. in the short term, even though Schrems II applies to third countries generally. The specific judicial findings in Europe have been about essential equivalence and the U.S., even though the U.S. has stronger safeguards than most or all other countries for foreign intelligence surveillance and privacy. An adequacy decision initially concerning the U.S. thus provides the EU time to clarify its overall approach for transfers to third countries. Enforcement actions can meanwhile proceed with respect to other third countries, such as China, to enable the EU judicial process to make findings relevant to multiple third countries, and avoid a discriminatory impact on an allied nation--the U.S.--that has many safeguards already in place.

G. A short-run agreement would assist in creating a better overall long-run agreement or agreements.

As discussed through this testimony, there are urgent short-term difficulties concerning the lawful basis for transfers of personal data from the EU to third countries. I next explain four reasons why an adequacy agreement in the near future would assist in creating a better overall set of reforms and agreements in the longer-run:

1. In this testimony, I am suggesting the desirability of seeking an adequacy agreement in the short run, such as for one year. This sort of breathing period would enable a new administration to engage systematically to create durable approaches for agreements with the EU on data protection and other issues.

2. A short-term agreement would provide the Congress with time to consider any legislation that may assist in creating a durable approach to enabling trans-Atlantic transfers while also protecting privacy, meeting EU and U.S. legal requirements, and achieving other goals including national security. As one example, non-statutory approaches for individual redress may be possible, as explained in Appendix 1, but a subsequent statute might improve on the non-statutory approach.

3. One category of legislation to consider is for the U.S. to codify in statute safeguards that already exist in practice. One example would be the protections for the personal data of non-U.S. persons, as provided currently in PPD-28. More broadly, Appendix 2 to this testimony provides examples of privacy-protective practices that currently exist but are not explicitly set forth by statute. This sort of codification could address EU concerns that informal guidance or even agency policies are not ``established in law'' as effectively as a statute or other binding legal instrument.

4. On an even longer time scale, there are strong reasons for the U.S., the EU, and democratic allies to engage systematically on a realistic and protective set of guidelines for government access to personal data held by the private sector. Such a process should include input from a range of expert stakeholders, including data protection/privacy experts but also experts in areas such as national security, law enforcement, and economic policy. I understand the OECD may move forward with such an initiative, first proposed by Japan, on ``free flow of data with trust'' with respect to government access to data held by the private sector. Such guidelines, among other goals, could help define what safeguards are ``necessary in a democratic society,'' both to protect fundamental rights and achieve other compelling goals.

H. As the U.S. considers its own possible legal reforms in the aftermath of Schrems II, it is prudent and a normal part of negotiations to seek to understand where the other party--the EU--may have flexibility to reform its own laws.

For understandable reasons, the bulk of discussion to date has focused on what reforms the U.S. might consider in order to meet legal requirements set forth in Schrems II and other CJEU decisions. With that said, my testimony today discusses reasons to seek both short-term and longer-term agreements with the EU on cross-border data issues. It is normal and prudent, in any negotiation, to understand where each party may have flexibility to negotiate. As one example, my view is that the U.S. should seriously consider reforms to enable individual redress for EU citizens related to U.S. surveillance activities. Where might the EU also consider reforming any aspect of its regime?
Recognizing that views might vary about what is possible as a legal or policy matter, I offer four observations:

1. For reasons discussed above, I believe there is room, consistent with the Schrems II decision, for the EDPB to make changes to its draft guidance--the CJEU contemplated some continuation of transfers where additional safeguards are in place, but the draft guidance is so strict that such transfers in practice appear to be eliminated. The analysis by Professor Theodore Christakis examines specific ways the EDPB guidance might be amended consistent with EU law.

2. Chapter V of the GDPR governs ``transfers of personal data to third countries or international organizations.'' Article 46 of GDPR sets forth extensive measures to enable lawful transfers to third countries that have not received an adequacy determination under Article 45. A similar approach existed under Article 26 of the Data Protection Directive, which applied from 1998 until GDPR went into effect in 2018. If the EU came to the view that Article 46 had been interpreted more narrowly than intended, then the EU could at least contemplate a targeted amendment to GDPR to clarify its intent to allow transfers under Article 46 with defined, appropriate safeguards. Any such amendment might be politically painful and challenging within the EU; massive disruptions of global trade would also be painful and challenging.

3. The legal basis for transfers to the U.S. might be stronger if the U.S. and the EU negotiated a formal international agreement, such as a treaty. I have seen draft scholarship, not yet public, that indicates that the legal basis for transfers from the EU to a third country such as the U.S. might be stronger if done pursuant to a formal international agreement, such as a treaty. The Safe Harbor and Privacy Shield were not treaties. Such a treaty would presumably not be negotiated or implemented in the short term, but may be a useful longer-term approach.

4. By contrast, in discussions with EU experts, they have clearly stated that an amendment to the Charter of Fundamental Rights would be extremely difficult or impossible to consider. Americans can readily understand this view--imagine if another country insisted that the U.S. amend the First Amendment free speech guarantees. It will thus be important, as a matter of EU law, to understand what is required under the Charter. The Commission, Parliament, and other EU institutions are legally bound to follow the Charter, but have room outside those requirements to make decisions within their competence.

To date, there has been little or no visible discussion within the EU about reforming its own data protection laws, such as considering any change to GDPR. In discussing possible changes, I am not seeking to tell the EU how to write its own laws. The limited point here is that the U.S. and other third countries, in contemplating difficult reforms to their own laws, can reasonably at least consider how the EU might make reforms as well. Any eventual agreements can then be built on an understanding of what is or is not legally possible within each legal system.

PART II: Observations on U.S. Political and Policy Landscape

A. Issues related to Schrems II have largely been bipartisan in the U.S., with substantial continuity across the Obama and Trump administrations, and expected as well for a Biden administration.

Issues related to the Privacy Shield, Schrems II, and trans-Atlantic data flows have been far more bipartisan in the U.S. than for many other policy issues. I briefly highlight six aspects of continuity:

1. Privacy Shield. The EU-U.S. Privacy Shield was signed in 2016, under President Obama. The Trump administration has uniformly supported the Privacy Shield, including working closely with EU officials in its annual reviews.

2. Enforcement by the Federal Trade Commission. The FTC is an independent agency, charged with enforcing violations of the Privacy Shield, as part of its general authority to protect privacy and enforce against unfair and deceptive acts. Change in administration, in my view, has not affected and will not affect the FTC's commitment to enforce company commitments to protect privacy in cross-border data flows.

3. PPD-28. President Obama issued PPD-28, with its safeguards for non-U.S. persons in signals intelligence, in 2014. PPD-28 has remained in force under President Trump.

4. Surveillance transparency and safeguards generally. Appendix 2 to this testimony reports on safeguards and other developments in surveillance since the Privacy Shield was negotiated in 2016 and I provided my expert testimony in Ireland. The consistent theme in Appendix 2 is how transparency and surveillance safeguards have continued extremely similarly under the Obama and Trump administrations.

5. Continued attention both to privacy and other goals such as national security. As a member in 2013 of the Review Group on Intelligence and Communications Technology, I observed how seriously U.S. government officials treated both privacy and other important goals such as national security. My opinion is that similar attention to these goals has continued and will continue for each U.S. administration.

6. A Biden administration can draw upon experts in these EU/U.S. data issues. Another reason to expect policy continuity is that the Biden administration will have available experts in Privacy Shield and other EU/U.S. data issues. For example, key negotiators of the Privacy Shield, as signed in 2016, were Ted Dean, then in the U.S. Department of Commerce, and Robert Litt, then General Counsel for the Office of the Director of National Intelligence. Both Mr. Dean and Mr. Litt have been named as members of the Biden-Harris transition team.

In short, even though there are many differences on other policy matters, what is remarkable for EU/U.S. data issues is bipartisan agreement on issues of trans-Atlantic data flows.

B. Passing comprehensive privacy legislation would help considerably in EU/U.S. negotiations.

I believe that enactment of comprehensive commercial privacy legislation would greatly improve the overall atmosphere in Europe for negotiations between the EU and the U.S. about the effects of Schrems II. This conclusion may seem counter-intuitive. After all, the CJEU holdings concerned only issues of U.S. intelligence access to personal data. By contrast, a commercial privacy statute would apply exclusively or primarily to private-sector processing of personal data. As a strict legal matter, a comprehensive commercial privacy law in the U.S. would not address the holdings in Schrems II.

Nonetheless, I am confident that a meaningful, protective commercial privacy bill would make an important difference. That is not only my own intuition, developed after a quarter-century of working on EU/U.S. data issues. In addition, I have asked the question to multiple European experts. Their response has been unanimous and positive, along the lines of ``Yes, that would make a big difference.'' Here are a few reasons to think enacting a comprehensive commercial privacy law would help:

1. We have seen the link previously between U.S. intelligence surveillance and the EU reaction on commercial privacy. The clearest example is what happened after the Snowden revelations began in June, 2013. Before that, it looked like the draft of GDPR was blocked or moving slowly through the EU Parliament. After that, GDPR was amended in multiple ways to be considerably stricter, including on the U.S.-led tech sector. GDPR passed the Parliament overwhelmingly in early 2014 by a 621-10 margin. EU Vice President Viviane Reding, in her official statement on the vote, specifically referenced ``the U.S. data spying scandals'' as a reason for passage.

2. The U.S.
may soon become the only major nation globally that lacks a comprehensive commercial privacy law. Whatever a person's views may be of the best approach to protecting privacy, the global trend is unmistakably in one direction--toward each country having a comprehensive commercial privacy law. Professor Graham Greenleaf in Australia has carefully documented these trends: ``The decade 2010-2019 has seen 62 new countries enacting data privacy laws, more than in any previous decade, giving a total of 142 countries with such laws by the end of 2019.'' Perhaps more importantly, the four most significant recent exceptions to such a law have been the U.S., Brazil, India, and China. Brazil's new privacy law went into effect in 2020. India has nearly finished its parliamentary process to pass its law. China is also moving forward with a commercial privacy law (although its protections against government surveillance remain far weaker than in the U.S.). Simply put, unless the U.S. acts in the next Congress, the U.S. may be the only major nation globally that lacks a comprehensive privacy law.

3. A U.S. privacy law would strengthen the hand of U.S. allies in the EU. Currently, there are many in Brussels and throughout the EU who favor retaining a strong alliance generally with the U.S. That support for remaining allies was reflected, for instance, in the broad EU Commission draft, reported by the Financial Times, that ``seeks a fresh alliance with U.S. in face of China challenge.'' More specifically, as seen for instance in a recent DigitalEurope study on the effects of Schrems II, many in Europe understand the harsh consequences to Europeans themselves of a major cut-off in data flows. From the European perspective, the 2000 Safe Harbor agreement and the 2016 Privacy Shield are examples of ``special deals'' that make transfers to the U.S. easier than transfers to the other countries in the world that lack a general adequacy finding. As the U.S. becomes an increasingly glaring exception on privacy laws, it becomes more and more difficult for those in Europe to explain why the U.S. should be a favored partner. Put bluntly, the U.S. as the last holdout on a privacy law can look more like a ``privacy pariah'' than a ``favored partner.'' By contrast, enacting a U.S. commercial privacy law sends the message that the U.S. in general offers legal protections for privacy. With a U.S. privacy law in place, it becomes far easier in Brussels and the EU generally to complete a privacy deal with the U.S.

As a related point, serious progress on U.S. privacy legislation during the next two years, such as passage in a crucial committee such as Senate Commerce, can itself help foster progress in EU/U.S. negotiations by showing that passage of a U.S. privacy law is feasible.

C. This Congress may have a unique opportunity to enact comprehensive commercial privacy legislation for the United States.

You as Senators have far greater insight than an outside observer can have about what is possible to enact in this Committee, the Senate, or the Congress in the next two years. With that said, my own perspective is that the 117th Congress, convening this January, has the best chance to enact comprehensive Federal privacy legislation that I have ever seen. I offer six reasons for believing that now is an unusual opportunity to pass privacy legislation:

1. This Committee has already made a great deal of progress on finding areas of agreement between the political parties. In 2020, there was significant convergence on draft legislation supported, separately, by Chairman Wicker and Ranking Member Cantwell. On the large majority of issues, the language was the same or similar. Historically, major legislation often passes after substantial work in a previous Congress. That previous work settles much of the final package. Then, there are intense and often difficult negotiations on the final issues, which for privacy appear to be Federal preemption and private rights of action. Nonetheless, however difficult those two issues may be, it is far easier to come to a final deal on two issues than to try to draft an entire bill on a blank slate.

2. Industry and all those concerned about EU/U.S. relations have a strong interest in passing comprehensive Federal privacy legislation. As just discussed above, there are compelling reasons why progress on U.S. privacy legislation would increase the possibility of a good outcome in the EU/U.S. negotiations. For the politically savvy companies that operate in both Europe and the United States, the benefit of supporting an overall U.S. law quite possibly outweighs any company-specific reasons to try to block the bill due to particular provisions in a privacy bill.

3. Passage last month of the California privacy initiative provides business with a new, compelling reason to support Federal privacy legislation. In November, the voters in California approved a ballot initiative, called the California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023. The effective date, in my understanding, is no coincidence--it gives the 117th Congress time to complete action on a Federal law. CPRA, while having only mixed support from privacy and civil liberties advocates, would add new privacy restrictions, including in the area of online advertising. For this reason, online advertising companies and companies that buy online advertising have a new reason to support Federal legislation. Taken together with business support due to the EU situation, the U.S. business community in general is more prepared to accept broad national privacy rules than ever before.

4. The California privacy initiative creates the possibility of greater agreement on Federal preemption. To date, some members of this Committee have pushed for broad Federal preemption of state privacy laws, for reasons including preventing business from having to comply with multiple and possibly contradictory state laws. Other members of this Committee have pushed to have the Federal legislation be a floor but not a ceiling, allowing states to act first (as they have often done in the past) to enact greater protection of individual privacy. I have written three articles on preemption, about the history of Federal privacy preemption, identifying key issues for preemption, and a proposal (co-authored with Polyanna Sanderson of the Future of Privacy Forum) for a process to narrow disagreement, based on case-by-case examination of the numerous existing state laws. Building on this previous analysis, the recent passage of the CPRA creates a two-part proposal for how the differing sides on preemption can each achieve a substantial victory. First, as a win for those supporting privacy innovation in the states, the California Consumer Privacy Act, which went into effect already, would remain in effect. After all, businesses have already had to comply with that law, so the major costs associated with the law have already been spent. Second, the new Federal law could preempt the CPRA, which does not go into effect until 2023. Industry would thus be spared the challenge of re-engineering their data systems again, so soon after complying with CCPA. In addition, important privacy advocates, including the ACLU of California and the Consumer Federation of California, actually came out in opposition to CPRA. There may thus be an opportunity to reach agreement on a significant example of preemption. If both sides of this fierce debate win a significant victory, then there may be more room to address remaining preemption issues as something of a technical drafting matter.

5. A Biden administration will support Federal privacy legislation. The 2020 Democratic platform calls for enacting Federal privacy legislation, and the Obama administration supported privacy legislation as part of the 2012 announcement of a ``Privacy Bill of Rights.'' Joe Biden himself has long worked on these issues. He spoke to the European Parliament in 2010, garnering headlines such as this: ``Biden vows to work with EU parliament on data privacy.'' In addition, a Biden administration can draw on numerous individuals who have extensive government experience on privacy, including those who worked on the Privacy Bill of Rights and negotiated the Privacy Shield.

6. The narrow majorities in both the Senate and House likely help define the scope of the possible for Federal privacy legislation. As a resident of Georgia, I know only too well the intensity of effort for the two Senate run-off elections on January 5--my wife and I have basically given up answering our home telephone for the duration. After those run-offs, one of the parties will have a narrow working majority in the Senate, and the margin in the House of Representatives is also unusually narrow. With such narrow margins, bipartisan cooperation will be at a premium--neither party can afford to support a privacy bill alone that would lose any of its members, so the clearest path to a majority is with bipartisan support. Last year's proposals from the Senate Commerce Committee are the most logical starting point for negotiations. New proposals from the wing of either party will likely have difficulty making it into the legislation, unless the proposals can garner support from a range of political viewpoints.

In conclusion on the prospects for Federal privacy legislation, the stars may finally have aligned to enact meaningful privacy protections. A new Federal privacy law would enshrine in law a considerable list of new privacy protections for individuals. The law would also have support from businesses who usually oppose new government regulation.
At a time when there is risk of partisan gridlock in Congress, Federal privacy legislation could be a significant instance of bipartisan accomplishment. Background of the witness: Peter Swire is the Elizabeth and Tommy Holder Chair and Professor of Law and Ethics in the Scheller College of Business at the Georgia Institute of Technology. He is senior counsel with the law firm of Alston & Bird, and Research Director of the Cross-Border Data Forum. In 1998, the Brookings Institution published Swire & Litan, ``None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive. In 1999, Swire was named Chief Counselor for Privacy in the U.S. Office of Management and Budget, the first person to have U.S. government-wide responsibility for privacy policy. Swire was the lead White House official during negotiation of the EU/ U.S. Safe Harbor. After the Snowden revelations, Swire served as one of five members of President Obama's Review Group on Intelligence and Communications Technology, making recommendations on privacy and other reforms for the U.S. intelligence community. In 2015, the International Association of Privacy Professionals awarded Swire its annual Privacy Leadership Award. In 2016 he was an expert witness in the Irish trial for Schrems v. Facebook, and submitted testimony of over 300 pages describing the legal safeguards for the U.S. intelligence community's use of personal data. In 2018, Swire was named an Andrew Carnegie Fellow for his project on ``Protecting Human Rights and National Security in the New Age of Data Nationalism.'' In 2019, the Future of Privacy Forum honored him for Outstanding Academic Scholarship. ______ ``Statutory and Non-Statutory Ways to Create Individual Redress for U.S. Surveillance Activities'' Appendix 1 to U.S. Senate Commerce Committee Testimony on ``The Invalidation of the EU-U.S. 
Privacy Shield and the Future of Transatlantic Data Flows'' Peter Swire\1\ --------------------------------------------------------------------------- \1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business; Research Director, Cross-Border Data Forum; senior counsel, Alston & Bird LLP. The opinions expressed here are my own, and should not be attributed to the Cross-Border Data Forum or any client. For comments on earlier versions of the research, I thank Theodore Christakis, Dan Felz, Robert Litt, and Kenneth Propp. Errors are my own. --------------------------------------------------------------------------- This document addresses a legal issue that calls for solution to enable continued lawful basis for flows of personal data from the European Union to the United States--individual redress. In Schrems II, the Court of Justice for the European Union held that the lack of individual redress in the United States for persons in the EU purportedly surveilled by U.S. intelligence was a basis for finding that the Privacy Shield, as approved by the EU Commission, did not provide ``adequate'' protection of personal data. In this setting, individual redress refers to the ability of an individual, including an individual in the European Union, to receive a determination that their rights have not been violated by U.S. national security surveillance. For a U.S. audience, it is important to understand that the requirement of individual redress is a constitutional requirement, under Article 47 of the EU Charter of Fundamental Rights. The European Data Protection Board (EDPB) in November published the ``European Essential Guarantees'' based on the jurisprudence of the European Court of Justice and the European Court of Human Rights. One of the four essential guarantees, as described by the EDPB, is that ``effective remedies need to be available to the individual.'' This appendix to my December 9 testimony before U.S. 
Senate Commerce Committee seeks to identify issues and suggest possible approaches to meet the individual redress requirement. The testimony for which this is an appendix contains a summary discussion of the issue of individual redress. This appendix provides more detailed analysis and legal citations, in hopes of advancing discussion of the individual redress issue.

This appendix to my testimony to the Committee has three sections:

1. Discussion of the proposal that I published on August 13 with Kenneth Propp, entitled ``After Schrems II: A Proposal to Meet the Individual Redress Problem.'' This article proposed ways that a new U.S. statute could apparently meet the EU legal standard for individual redress.

2. On October 14, European legal expert Christopher Docksey published ``Schrems II and Individual Redress--Where There's a Will, There's a Way.'' This article found the Propp/Swire approach promising, while pointing out important aspects of EU law to be considered in any U.S. system for individual redress.

3. Discussion of non-statutory approaches for individual redress. Since August, working with others at the Cross-Border Data Forum, I have examined lawful ways to meet the goals of the initial proposal, in the event that Congress does not pass a new statute to do so.\2\ This appendix includes a number of ideas that have not previously been published.

---------------------------------------------------------------------------
\2\ Following the publication of the August proposal, I was asked by U.S. officials about the possibility of a non-statutory approach for individual redress. I then developed the non-statutory ideas that are published here for the first time, and described them to officials in response to their request.
---------------------------------------------------------------------------

The discussion here necessarily addresses details of multiple areas of law, including constitutional, statutory, and administrative provisions of both U.S. and EU law, and including the complex legal provisions governing U.S. national security surveillance under the Foreign Intelligence Surveillance Act (FISA) and other laws. As Christopher Docksey emphasizes, the U.S. need not have perfect ``equivalence'' with EU law--in our different constitutional orders, there may not be any lawful way to provide precisely the same procedures as apply under the General Data Protection Regulation (GDPR) and EU fundamental rights law. Instead, the standard announced by the CJEU is ``essential equivalence,'' a legal term that has been the subject of extensive interpretation by the CJEU. As EU courts have stated, the ``essence of the right'' must be protected. The effort here is to further the discussion of how such protections might be created under U.S. law.

I. Individual Redress Proposal Based on U.S. Statutory Change

On August 13, Kenneth Propp and I published in Lawfare ``After Schrems II: A Proposal to Meet the Individual Redress Problem.'' \3\ In that case, the CJEU observed that the U.S. surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) or EO 12333 do not grant surveilled persons ``actionable'' rights of redress before ``an independent and impartial court.'' The Court emphasized that ``the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.'' It added that ``legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her'' fails to ``respect the essence of the fundamental right to effective judicial protection,'' as set forth in Article 47 of the EU Charter of Fundamental Rights.
---------------------------------------------------------------------------
\3\ Kenneth Propp & Peter Swire, ``After Schrems II: A Proposal to Meet the Individual Redress Problem.''
---------------------------------------------------------------------------

The CJEU identified two ways in which U.S. surveillance law lacks essential equivalence to EU safeguards. The first, and the focus of this article, is that the U.S. lacks an ``effective and enforceable'' right of individual redress. The second, which is beyond the scope of the proposal we offer here, is the finding that there is a lack of ``proportionality'' in the scale of U.S. intelligence activities. As discussed in the initial proposal, the CJEU thus measures U.S. surveillance law protections against an idealized, formal standard set forth primarily in EU constitutional law.

A. Lessons from Schrems II About Redress

The Privacy Shield was itself an iterative response to the criticisms of U.S. surveillance law voiced by the CJEU in striking down its predecessor, the Safe Harbor Framework, in 2015. In that prior ruling, the Court emphasized the importance of effective redress to protect surveilled persons, with an independent decision-maker providing protection for the individual's rights. In response, the United States agreed in the Privacy Shield to designate an Ombudsperson, an Under Secretary of State, to receive requests from Europeans regarding possible U.S. national security access to their personal data, and to facilitate action by the U.S. intelligence community to remedy any violation of U.S. law. This role was built on top of the Under Secretary's previously assigned responsibilities under Presidential Policy Directive 28 as a point of contact for foreign governments concerned about U.S. intelligence activities. No change in U.S. surveillance law was needed to establish the Ombudsperson--only the conclusion of an interagency memorandum of understanding between the Department of State and components of the U.S. intelligence community.

In Schrems II, the CJEU disapproved of the Privacy Shield's Ombudsperson innovation. The Court observed that the Under Secretary of State was part of the executive branch, not independent from it, and in any case lacked the power to take corrective decisions that would bind the intelligence community. An inquiry conducted by an administrative official, with no possibility of appealing the result to a court, did not meet the EU constitutional standard for independence and impartiality, the CJEU held.

The implications of the CJEU's decision support the conclusion that any future attempt by the United States to provide individual redress, to meet EU legal requirements, must have two dimensions: (1) a credible fact-finding inquiry into classified surveillance activities in order to ensure protection of the individual's rights, and (2) the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur.

B. Possible Factfinders

In devising a system of individual redress for potential surveillance abuses, the first question is where best to house the fact-finding process. Our initial proposal mentioned two possible ways to conduct such fact-finding. The first is to task fact-finding to existing Privacy and Civil Liberties Officers (PCLOs) within the intelligence community, as established by Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007. The second is to enlist the Privacy and Civil Liberties Oversight Board, an independent agency tasked with oversight of intelligence community activities. Since we wrote the proposal, as discussed below, the suggestion has also been made that fact-finding could be carried out by the Office of the Inspector General in the relevant intelligence agency.
Beyond the question of who in the U.S. Government is best-placed to act as a factfinder, a new system of individual redress would need to define the standard for that investigation.

To meet the legal standard announced by the CJEU, the system would apply at least to individuals protected under EU law; the system might also enable actions for individual redress for U.S. persons. Precise definition will require the involvement of experts within the U.S. intelligence community as well as those knowledgeable about surveillance-related redress procedures in European countries.

A legal standard for all complaints, at a minimum, would likely test compliance with U.S. legal requirements, such as whether collection under FISA Section 702 was done consistent with the statute and judges' orders governing topics such as targeting and minimization. In addition, a future agreement between the U.S. and the EU or other third countries could add provisions forming part of the investigative standard. For instance, as discussed below, there may be a way to state explicitly that the surveillance will be necessary and proportionate, which are important legal terms under the EU Charter of Human Rights and the European Convention on Human Rights. Our proposal noted that the U.S. might perhaps negotiate to ensure that the EU provide reciprocal rights for U.S. persons with respect to any surveillance conducted by EU Member States.

Similarly, the new redress system might address other issues, including whether individuals would ever receive actual notice some period of time after they have been surveilled. Such notice has been an element of EU data protection law, although notice of intelligence activities appears to have been a rarity there in actual practice.

The fact-finding process would logically have two possible outcomes--no violation, or some violation that should be remedied. Where there is no violation, there would be a simple report to the individual, or perhaps to a Data Protection Authority acting in the EU on behalf of an individual. Under the Privacy Shield, the report was that there had been no violation of U.S. surveillance law or that any violation has been corrected. This sort of limited reporting about classified investigations exists for the U.K. Investigatory Powers Tribunal, which is prohibited from disclosing to the complainant ``anything which might compromise national security or the prevention and detection of serious crime.'' As Christopher Docksey has noted, this type of reporting can also be found in Article 17 of the Law Enforcement Directive (EU) 2016/680. Broader disclosure about classified investigations risks benefiting hostile states, terrorist groups or others.

By contrast, where any violation is found, then no report could be given until the violation was remedied. For instance, if there was illegal surveillance about the person seeking redress, the personal data might be deleted or any other measure taken to remedy the violation.

C. Judicial Review in the FISC

In the initial article, we stated that the obvious and appropriate path for an appeal from the fact-finding stage would be to the Foreign Intelligence Surveillance Court (FISC). FISC judges, along with other Federal judges, meet the gold standard for independence, since Article III of the U.S. Constitution ensures that they have lifetime tenure and are located outside of the executive branch. Making the FISC responsible for the adjudication of individual complaints would in some respects go beyond the FISC's current institutional responsibilities, but the Federal judges on the FISC are experienced in reviewing agency decisions in non-FISC cases. The FISC is better-suited than an ordinary Article III court would be, because of its specialized expertise in U.S. surveillance law and well-established procedures for dealing with classified matters.
As discussed in more detail below, the FISC already provides judicial oversight for the FISA Section 702 program--and has a proven track record of effective oversight. In the wake of the Snowden revelations, numerous FISC decisions were declassified and made public. A detailed review of these decisions concluded: ``The FISC monitors compliance with its orders, and has enforced with significant sanctions in cases of noncompliance.''

A key legal issue in crafting such a system is ensuring that a plaintiff has ``standing'' to sue, as required by Article III of the U.S. Constitution. In the Irish High Court decision in Schrems II, Judge Costello wrote that ``All of the evidence show that [standing] is an extraordinarily difficult hurdle for a plaintiff to overcome'' in government surveillance cases. In summary, the plaintiff must show: (1) he or she has suffered injury in fact (2) that is causally connected to the conduct complained of and (3) is likely to be redressed by a favorable judicial opinion. Under EU law, an individual such as Max Schrems can bring a successful case without proving that he was ever under surveillance by the U.S. government. By contrast, as explained by Tim Edgar in Lawfare, plaintiffs in the U.S. have had to clear a high hurdle to establish standing and gain a legal ruling about the lawfulness of surveillance.

To assure standing for these appeals to the FISC, a mechanism similar to the one utilized under the U.S. Freedom of Information Act (FOIA) appears feasible. Under FOIA, any individual can request that an agency produce documents, without the need to first demonstrate particular ``injury.'' The agency is then under a statutory requirement to conduct an effective investigation, and to explain any decision not to supply the documents. After the agency completes its investigation, the individual can appeal to Federal court to ensure independent judicial review. The judge then examines the quality of the agency's investigation to ensure compliance with law, and he or she can order changes in the event of any mistakes by the agency. Analogously, when seeking individual redress on a matter relating to national security, the FISC could independently assess whether the administrative investigation met statutory requirements, and the judge could issue an order to correct any mistakes by the agency--including by correcting or deleting data or requiring additional fact-finding.

This sort of judicial review of agency action is extremely common under the Administrative Procedure Act that applies broadly across Federal agencies. Typically, the judge must ensure that the agency action is not ``arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.'' There is standing on the part of the individual--a ``case or controversy''--to assess whether the agency has properly discharged its statutory duties. As with FOIA, there is no need to determine whether the complaining individual has suffered injury in fact, since the statute creates a duty on the agency to act in a defined way.

We identify three features worth considering with this approach. First, due to the classified nature of the fact-finding, there may not be any workable way for the complainant to decide whether to bring an appeal. Therefore, it may make sense to have an automatic appeal to the FISC. Second, the 2015 USA FREEDOM Act established a role for appointed amici curiae who have full access to classified information and can brief the FISC on ``legal arguments that advance the protection of individual privacy and civil liberties.'' These amici could play a role in advocating for the rights of the complainant, so that the FISC judge can receive briefing from both the agency and an amicus assigned to scrutinize the agency investigation. Third, Congress could consider whether the right to file a complaint should be extended to U.S. persons in addition to those making complaints from the EU concerning surveillance under FISA Section 702 and EO 12333.

Congress should consider how to structure a meaningful right to redress while avoiding a flood of complaints. The experience from Europe, and from prior agreements such as Privacy Shield and the Terrorist Finance Tracking Program, suggests that the actual number of complaints would likely be manageable.

II. Assessment by European Data Protection Expert Christopher Docksey

On October 14, Christopher Docksey published in Lawfare an article that commented on the Propp/Swire proposal, ``Schrems II and Individual Redress--Where There's a Will, There's a Way.'' Docksey is a leading expert in EU data protection law, after a career as senior lawyer for the EU Commission and then Director and Head of Secretariat of the European Data Protection Supervisor.

Docksey was kind enough to state that ``Propp and Swire's proposal provides a valuable framework for discussions by U.S. policymakers on a durable solution to individual redress in the United States.'' His objective was to respond to the proposal ``from a European perspective, to underline the acceptable elements of their proposal and clarify which questions remain.'' He said: ``The key to identifying potential points of future compromise by the EU is understanding the nature of three different types of institutions: data protection officers (DPOs), independent supervisory authorities (DPAs) and courts.''

A. Fact-Finding Phase

For the fact-finding phase, we suggested either the Section 803 Privacy and Civil Liberties Officers (PCLOs) or the PCLOB. Docksey explored having the fact-finding conducted either by the Office of Inspector General (OIG) or else the PCLOB.
In assessing the PCLOs, Docksey compares them to DPOs, whom he describes as ``part of the organization of the data controller but have the right and duty to act independently in carrying out their roles.'' Because they are within the organization itself--the Federal agency--Docksey concludes they do not meet the EU requirement of ``independent oversight.''

Docksey examines the role of the OIG, and concludes: ``It could be useful to explore whether the powers of the inspectors general could be strengthened to hear complaints referred by PCLOs and adopt binding orders for corrective action.'' As a potentially important factor for the EU legal analysis, OIGs have a reporting relationship to Congress--outside of the agency itself. As a legal risk of deploying the OIGs, Docksey observes that an Inspector General ``can be easily removed, as recent experience shows.''

Under Docksey's analysis, the PCLOB, as an independent agency, is most similar to the European institution of the data protection authority. As shown in a report by the EU Fundamental Rights Agency, national law in the EU varies in the manner of supervision. Some nations enable their usual DPAs to have oversight for national security investigations. Others, such as the Netherlands, have independent supervisory agencies specifically for intelligence activities. Docksey underscores the EU legal requirement of the right to independent supervision by a DPA, which ``is enshrined as a specific element of the right to protection of personal data in Article 8(3) of the EU Charter and in Article 16(2) of the EU Treaty itself.'' Assuming that the PCLOB has legal authority to conduct the investigation, therefore, the most analogous U.S. institution to a DPA, for conducting the fact-finding, would be the PCLOB.

Concerning legal authority, the statute creating the PCLOB specifically provides that it shall have the power to review and analyze actions the Executive Branch takes to protect the U.S. from terrorism. The PCLOB's actions, however, have not been limited only to terrorism-related activities. As shown on the agency's website, the PCLOB has taken additional actions, including under Executive Order 13636 on Improving Critical Infrastructure Cybersecurity, as well as a request from the President that the Board provide an assessment of implementation of Presidential Policy Directive 28 (PPD-28), concerning protection of privacy and civil liberties in U.S. signals intelligence activities. By statute, Congress could explicitly authorize a role for the PCLOB in the individual redress process. As discussed further below, even in the absence of a statute, there would appear to be a legal basis for the PCLOB to play a role in a new individual redress process.\4\

---------------------------------------------------------------------------
\4\ The PCLOB has a staff that is small compared to employment by U.S. intelligence agencies, so a problem might arise if there are many requests for individual redress. In response, first, my understanding is that there was only one request to the Privacy Shield Ombudsman in the five years that the position existed, so staffing may not be a problem. In addition, the agency may be able to assist the PCLOB in the fact-finding, such as by ``detailing'' agency individuals to work on behalf of the PCLOB. This sort of ``detailing'' has often been used in the Federal government where expertise and staffing exist in one agency, but individuals are temporarily placed under the direction of the White House or a different agency.
---------------------------------------------------------------------------

In conclusion on the fact-finding phase, there are multiple possible ways to create the independent fact-finding process required under EU law. In addition, as Docksey explains in detail, the EU legal standard is not ``absolute equivalence''; instead the U.S. must provide ``essential equivalence'' to EU legal protections.
Docksey in his article explains reasons, in his view, why some U.S. approach to individual redress could indeed meet this ``essential equivalence'' standard.

B. Judicial Review in the FISC

Once the fact-finding phase is complete, Docksey emphasized the constitutional requirement, under EU law, for judicial review. Article 47 of the EU Charter states the constitutional text--there must be a right to an ``effective remedy before a tribunal.'' In the Schrems II case, as quoted by Docksey, ``the advocate general enumerated the criteria laid down by the CJEU to assess whether a body is a tribunal.'' The advocate general wrote that the decision hinges on ``whether the body is established by law, whether it is permanent, whether its jurisdiction is compulsory, whether its procedure is inter partes, whether it applies rules of law and whether it is independent[.]'' Docksey adds: ``Probably the most important of these criteria is the requirement of independence. This means acting autonomously, without being subject to decisions or pressure by any other body that could impair the independent judgment of its members.''

The FISC is a close fit for these announced criteria for judicial review:

1. Independence. For the most important criterion, each FISC judge meets the gold standard for independence. Decisions are made by a judge nominated by the President and confirmed by the Senate. Each judge has lifetime tenure, and cannot be removed except under the historically rare process of impeachment in the Congress.

2. Established by law and applies rules of law. The FISC is established by law in the Foreign Intelligence Surveillance Act (FISA) and other statutes. It applies rules of law, including these statutes and its published rules of procedure.

3. Permanence. The FISC is permanent, in the sense that the authorizing statutes continue in operation unless there is a new statute passed by the Congress.

4. Compulsory jurisdiction. The FISC is a Federal court, established under Article III of the U.S. constitution. A Federal judge acting in the FISC has the same judicial powers as a Federal judge operating generally in the Federal courts. For instance, the judge issues a binding order, punishable by contempt of court, in cases of non-compliance. As with Federal judges generally, the binding order can apply to a Federal agency as well as to individuals.

5. Procedure ``inter partes.'' The FISC originally acted ex parte, without opposing counsel, and now has procedures to act ``inter partes,'' with counsel in addition to the government. The Review Group on Intelligence and Communications Technology explained in 2013 the reason for this change: ``When the FISC was created, it was assumed that it would resolve routine and individualized questions of fact, akin to those involved when the government seeks a search warrant. It was not anticipated that the FISC would address the kinds of questions that benefit from, or require, an adversary presentation. When the government applies for a warrant, it must establish `probable cause,' but an adversary proceeding is not involved. As both technology and the law have evolved over time, however, the FISC is sometimes presented with novel and complex issues of law. The resolution of such issues would benefit from an adversary proceeding.'' Consistent with this recommendation, Congress created a set of amici curiae, experts in privacy and related matters, in the USA FREEDOM Act of 2015. 50 U.S.C. Sec. 1803(1)(i). A judge in the FISC ``may appoint an individual or organization to serve as amicus curiae, including to provide technical expertise, in any instance as such court deems appropriate.'' As part of any negotiation with the EU, the U.S. government could consider promising to request appointment of such an amicus curiae in any case involving the rights of an EU person. With such an appointment, the FISC would meet the EU criterion of procedure inter partes.

In conclusion on the Docksey article, the discussion here has indicated options, consistent with EU law, for fact-finding concerning a complaint by an EU person about a possible violation of rights. Appeal then could be to the FISC, which meets the EU legal criteria for a ``tribunal.'' Docksey himself, after completing his analysis of the proposal, concluded: ``It is time to grasp the nettle. A compromise is worth the effort. And if there is the will, there is a way.''

III. Non-Statutory Variations on the Proposals

Since our proposal was published in August, it has become more urgent to consider ways to establish an individual redress procedure without necessarily awaiting a statute passed by the Congress, for at least three reasons:

1. Drafting a statute on these novel issues is a complex task, which even with full agreement among members of Congress could take substantial time to complete.

2. The possibility has grown that there may soon be large cut-offs of personal data from the EU to third countries such as the U.S. As Professor Theodore Christakis has recently explained, the November guidance from the European Data Protection Board appears to conclude that it is illegal, for a very wide array of routine business practices, to transfer personal data from the EU to third countries.

3. Non-statutory approaches are worth considering even if a somewhat better system might be created by a statute. A non-statutory approach quite possibly is the best way to ensure that data flows and privacy protections exist during an interim period while legislation is being considered. Drafting a non-statutory approach can benefit from commentary from experts in the U.S. and EU legal systems, and the U.S. and EU officials working on the issue can identify and address nuanced issues about how to meet legal and policy goals for an agreement.
In short, a non-statutory approach may be sufficient long-term to provide individual redress by non-statutory means, although European law emphasizes the strength of protections memorialized in a statute. Alternatively, a non-statutory approach might bridge the period until Congress enacts a statute.

As with Parts I and II above, the discussion here addresses the fact-finding phase and then the possibility of judicial review.

A. Fact-finding Phase

The discussion here of the Docksey article mentioned possible roles in fact-finding for the Section 804 Privacy and Civil Liberties Officers in each agency, the agency Inspectors General, and the PCLOB. The analysis here suggests possible ways that each might play a role in fact-finding without statutory change.

The Section 804 PCLOs are subject to an Executive Order or similar mandates from the President. As a general matter, an Executive Order, Presidential Policy Directive, or other executive action can take effect under the President's power under Article II of the U.S. constitution to ``take care'' that the laws are faithfully executed. For national security matters, the President also can act as Commander-in-Chief. Expertise in the possible scope of executive power resides in the Office of Legal Counsel in the U.S. Department of Justice, working with White House Counsel and other officials. As one example, the PCLOs could be ordered by the President to cooperate in specified ways with others involved in fact-finding, such as the PCLOB.

As Docksey notes, there is a strong tradition of reporting from the Inspectors General to Congress, and IGs have a history of independence, in order to investigate and report on the agencies within which they reside. There may be ways by Executive Order or other executive action to strengthen IG independence, as Docksey suggests may be required by EU law.

As discussed above, the PCLOB plays the role of independent supervisory agency most closely analogous to the supervisory agencies that exist in the EU. Due to its independence, I am not sure of the extent to which the PCLOB would be bound by an Executive Order or other presidential action. Nonetheless, one promising approach would be if the PCLOB entered into a legally-binding Memorandum of Understanding (MOU) with an Executive Branch agency. This MOU would be a public commitment by the PCLOB and the Executive Branch agency to act in agreed-upon ways to conduct fact-finding. To the extent that the EU has questions about the legal enforceability in court of such an MOU, any agreement with the U.S. leading to adequacy could be conditional on the MOU remaining in force. As with other adequacy determinations, the EU would periodically assess how procedures are working in practice, and the EU could therefore withdraw its adequacy finding if the MOU were not followed.

In conclusion on the fact-finding phase, there would appear to be considerable scope for executive action and/or agreements between agencies to put in place effective fact-finding mechanisms for individual redress. Drafting of such measures can be informed by the insights offered by Christopher Docksey in his articles, and from other experts.

B. Judicial Review by the FISC

As described in the Propp/Swire proposal, Congress can provide by statute for an appeal to go to the FISC. The discussion here suggests a legal approach, without the need for a statute, that may also enable appeal to the judges in the FISC. The basic idea is that the U.S. Government could request review by the FISC, as part of the court's inherent authority to review implementation of its Section 702 orders. The U.S. Government could promise, such as in an agreement with the EU, that it will petition the FISC to review each complaint under the redress system in this manner.
As a result, independent Federal judges would provide judicial review of the complaints, and have authority to issue binding orders in the event of violations. The approach discussed here has not been published previously, so I offer it as an initial public draft, with relatively detailed citations to relevant authorities. 1. FISC Oversight of Section 702 Orders The proposed approach would build on existing FISC supervision of national security surveillance. Judges in the FISC issue binding legal orders about how requirements apply for any surveillance under Section 702. FISC authorizes Section 702 surveillance each year by entering an order that evaluates the conduct of the 702 program over the past year, imposes new restrictions or requirements as appropriate, and approves targeting, querying, and minimization procedures for U.S. intelligence agencies. 50 U.S.C. Sec. 1881a(j)(3) (requiring FISC to ``enter an order'' authorizing 702 program if government's annual certification meets statutory and constitutional requirements); see also, e.g., In re Government's Ex Parte Submission of Reauthorization Certifications and Related Procedures, Case caption redacted (Foreign Int. Surv. Ct. Dec. 6, 2019), available here (order authorizing 2019 Section 702 intelligence programs). In the U.S. legal system, Federal judges have ``inherent authority'' under Article III of the Constitution to take judicial action in order to ensure compliance with judicial orders. FISC has Article III authority. See, e.g., In re: Certification of Questions of Law to the Foreign Intelligence Court of Review, No. FISCR 18-01, at 8 (FISA Ct. Rev. Mar. 16, 2018), available here (``FISC's authority . . . is cabined by--and consistent with--Article III of the Constitution). 
Further, FISA expressly ensures FISC can exercise this authority in regards to FISC's own orders, stating that ``[n]othing in [FISA] shall be construed to reduce or contravene the inherent authority of [FISC] to determine or enforce compliance with an order or . . . a procedure approved by [FISC].'' Under the proposed approach, the U.S. Government would essentially ask the FISC to do no more than exercise its inherent authority as an Article III court, to review that 702 intelligence activities conducted in regards to a specific individual complied with the FISC's own 702 authorization order and applicable law. This approach would fit with FISC's general monitoring of the intelligence community's compliance with its orders and U.S. surveillance laws. The FISC Rules of Procedure already require the government to report any noncompliance with a FISC order. See FISC Rule of Procedure 13(b) (requiring the government to report all cases where ``any authority or approval granted by [FISC] has been implemented in a manner that did not comply with [FISC's] authorization or applicable law''). The FISC itself has not hesitated to monitor and, if warranted, aggressively enforce compliance with its orders. Examples include the FISC's questioning the NSA's compliance with FISC orders governing the post-9/11 Internet metadata program, ultimately leading to the program's termination, or the FISC's more recent orders requiring the government to respond to the DOJ Inspector General's findings relating to the Carter Page and other FISA warrant cases, both of which are discussed in Appendix 2 to today's testimony. Put another way, this approach fits well within the joint, ongoing system of oversight for 702 surveillance that the FISC and the U.S. Government already work together to provide. 
The Government subjects 702 surveillance to a range of oversight mechanisms, including day-to-day supervision within intelligence agencies, supervision by the Oversight Section in DOJ's National Security Division (NSD), and regular joint on-site audits of 702 surveillance by NSD and ODNI. See, e.g., Joint Unclassified Statement to the H. Comm. on the Judiciary, 114th Cong. 4 (2016), available here. Existing FISC orders also require the government to report violations of 702 authorization orders. See PCLOB 702 Report at 29-30 (referencing a still-classified 2009 FISC opinion imposing reporting requirements). All compliance incidents identified through these processes are reported to the FISC. The FISC reviews these compliance incidents as part of its annual 702 reauthorization. This review can give rise to FISC requiring remediation or imposing new restrictions on intelligence activities in its 702 authorization orders. The approach also seems to fit within procedural, jurisdictional, and national-security constraints under which the FISC operates: The U.S. Government is entitled to ask FISC for relief. The FISC Rules of Procedure generally require ``the government'' or ``a party'' to file pleadings requesting relief from FISC. See, e.g., FISC Rules of Procedure 6(a)-(b) (permitting ``the government'' to request certain relief); 6(c)-(d) (permitting ``a party'' to request certain relief); 19(a) (permitting ``the government'' to file show-cause motions); 62(a) (permitting ``a party'' to move for publication of FISC decisions). If an individual were to file a petition with the FISC, this could give rise to questions about whether she is ``a party'' entitled to request relief. But it would seem clear that a motion from the U.S. Government would be from ``the government'' as contemplated under FISC rules. The U.S. Government should not face standing hurdles. 
When non-governmental parties have requested relief from FISC in the past, FISC has required them to plead Article III standing. See, e.g., In re Opinions & Orders of this Court Addressing Bulk Collection of Data under [FISA], Misc. 13-08 (Foreign Int. Surv. Ct. Nov. 9, 2017), available here (chronicling litigation over whether ACLU had Art. III standing to request that FISC publish orders relating to Section 215 programs). In contrast, the U.S. Government is already entitled to obtain 702 authorization orders from FISC in ex parte proceedings, without needing to show standing. The Government should thus also be able to ask FISC to review and enforce compliance in connection with those same 702 orders. National security interests remain protected. In recent decisions, the FISA Court of Review has reasserted the FISC's ``unique'' national-security need to maintain secrecy. See, e.g., In re: Certification of Questions of Law to the Foreign Intelligence Court of Review, No. FISCR 18-01, at 3 (FISA Ct. Rev. Mar. 16, 2018), available here (emphasizing that ``[t]he very nature of [FISC's] work . . . requires that it be conducted in secret,'' and that FISC orders ``often contain highly sensitive information'' whose release ``could be damaging to national security''). The proposed approach would not require FISC to disclose classified information, or otherwise impair the secrecy under which FISC normally operates. 2. What would the FISC Review? A non-statutory proposal would need to define the scope of oversight the FISC can and would review. The statutory text of Section 702 states that the FISC oversees the targeting, querying, and minimization procedures of intelligence agencies. Based on that text, the FISC would have oversight at least over those procedures, but perhaps not more broadly. The EU potentially could seek very broad oversight, along the lines of ``full compliance with all the rights of a data subject'' under EU law. 
Defining the scope of oversight would quite possibly be an important subject of negotiation between the U.S. and EU. Scope of FISC's subject-matter jurisdiction. The FISC can only operate within its subject-matter jurisdiction. Recent decisions of the FISA Court of Review have discussed the FISC's defined subject-matter jurisdiction, which may prevent non-parties from requesting relief that merely ``relates to the FISC or the FISA,'' as opposed to relief expressly authorized by FISA. See, e.g., In re Opinions & Orders by the FISC Addressing Bulk Collection of Data under [FISA], FISCR 20-01 at 18-19 (FISA Ct. Rev. Apr. 24, 2020), available here (holding FISCR did not have subject-matter jurisdiction to adjudicate ACLU request to declassify portions of Section 215 orders). The proposed approach, however, would merely ask FISC to confirm compliance with its own orders, which FISA expressly authorizes FISC to do. Possibly build agreement with the EU into the scope of the targeting, querying, and minimization procedures. One potentially fruitful path is to include EU-relevant provisions in the annual authorizations by the FISC of Section 702. For instance, the targeting procedures might adopt language responsive to EU legal concerns, such as stating that targeting shall be done only as necessary and proportionate. If the FISC order concerning 702 required necessity and proportionality--key terms within EU law--then the FISC presumably could oversee implementation of those necessity and proportionality requirements. The U.S. Government would have the ability to request such language, or other language negotiated with the EU, in the targeting procedures, as part of its regular legal submissions to the FISC. The FISC could issue binding requirements on U.S. agencies to ensure compliance with its Section 702 orders. 
Due to the defined subject matter jurisdiction of the FISC, the court quite possibly would not have judicial authority to rule on the legality of surveillance under EO 12,333. The FISC review above is predicated on the FISC's authority to oversee implementation of Section 702 orders, but the FISC has no similar statutory authority over an executive order, such as EO 12333. I offer five observations about EO 12,333: First, the fact-finding phase, potentially including intelligence agencies and the PCLOB, could apply to both Section 702 and EO 12,333. Perhaps legal theories could be developed about how the FISC could review, as an ancillary matter, the portion of the record pertaining to EO 12,333. My tentative conclusion, however, is that review of EO 12,333 surveillance would be outside of the scope of the FISC's authority, absent statutory change. Second, EO 12,333 surveillance may be sufficiently protected by the procedural steps before the complaint gets to the FISC. The PCLOB or an agency procedure, for instance, could be the final arbiter on EO 12,333 issues. Docksey specifically presents arguments about why a PCLOB decision might meet EU legal requirements. Third, the Commerce Department White Paper contains multiple arguments about why no further legal protections should be required for companies using standard contractual clauses. Importantly, for instance, the White Paper states that it is unclear how companies can ``consider any U.S. national security data access other than targeted government requirements for disclosure such as under FISA 702.'' Under these approaches, the U.S. government has thus articulated reasons why the scope of individual redress should match Section 702, rather than including EO 12,333. Fourth, in practice, many companies are addressing EO 12,333 by taking additional safeguards with respect to secure communications when personal data leaves the EU, such as to come to the U.S. 
There is ongoing discussion among European actors about the extent to which use of strong encryption answers EU legal concerns about EO 12,333 surveillance. If such use of encryption turns out to meet EU legal requirements, then individual redress can apply to the cases where it is relevant, under Section 702. Fifth, and if the previous observations do not apply, I present as another possible approach the following analysis of why an effective regime of individual redress may meet the EU legal standard of ``essential equivalence,'' even if EO 12,333 is outside of that regime. In recent cases concerning data retention, the CJEU highlighted its jurisdiction where a government achieves surveillance via private actors, such as companies subject to a judicial order. By contrast, the CJEU did not say that it had jurisdiction, in the face of the national security exception to its jurisdiction, where a government performs surveillance directly (not through a private company). Judicial orders to private companies apply to Section 702, but not to government activities under EO 12,333. With the disclaimer that I am a U.S. lawyer, perhaps it is worth considering whether the EU ``essentially equivalent'' regime of individual redress, to that offered by the EU Member States, might apply only to judicially ordered actions by companies, that is, to Section 702. With the same disclaimer, the same limit on ``national security'' jurisdiction does not apply to the European Court of Human Rights, and potentially its jurisprudence would apply to the direct government actions under EO 12,333. Conclusion This document has attempted to set before this Committee and the public research to date about how to create a system of individual redress under U.S. law. Standing doctrine, under Article III of the U.S. constitution, can block many proposed ideas for offering individual redress to an individual. 
The Propp/Swire proposal explained how the analogy to FOIA can require an agency to act, with a court then empowered to review the agency action. Christopher Docksey has supplemented the initial proposal with his expert insights about EU legal requirements. The new discussion here then presents ways that valid individual redress might be created by the U.S. government, even before Congress is able to enact a statute. Members of this Committee and other U.S. policymakers may doubt whether it is desirable as a policy matter to create such systems of individual redress for EU citizens. In response, there is this simple point--the highest court of the European Union has stated, apparently as a matter of its constitutional law, that such individual redress is required. Absent a valid system of individual redress, any future agreement between the U.S. and EU will be subject to great risk of invalidation. Faced with that reality, the proposals here seek to present possible solutions. Creative alternative proposals are most welcome, and the task is important. ______ ``Updates to U.S. Foreign Intelligence Law Since 2016 Testimony'' Appendix 2 to U.S. Senate Commerce Committee Testimony on ``The Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows'' Peter Swire\1\ --------------------------------------------------------------------------- \1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business; Research Director, Cross-Border Data Forum; senior counsel, Alston & Bird LLP. The opinions expressed here are my own, and should not be attributed to the Cross-Border Data Forum or any client. For research assistance on this appendix I thank Daniel Felz and Sara Guercio. This Appendix is based on publicly available information; I have not had access to any relevant classified information since 2016. The views expressed here are my own. 
--------------------------------------------------------------------------- This Appendix supplements written testimony I am submitting to the Senate Committee on Commerce, Science, and Transportation for the December 9, 2020 hearing on ``The Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows.'' This Appendix presents updates on the U.S. legal and regulatory regime for foreign intelligence surveillance that have occurred since testimony I provided to the Irish High Court in 2016 on the same subject (the ``2016 Testimony'').\2\ Taken together, the 2016 Testimony and this Appendix seek to present an integrated set of references that may inform ongoing assessments, under European Union law, of the adequacy of protection of personal data related to U.S. foreign intelligence law. --------------------------------------------------------------------------- \2\ Peter Swire, Testimony of Peter Swire (submitted to High Court of Ireland Nov. 3, 2016), available at https://www.alston.com/en/resources/peter-swire-irish-high-court-case-testimony/. --------------------------------------------------------------------------- My 2016 Testimony was submitted in November 2016, several months after the EU Commission adopted the finalized Privacy Shield in July 2016. At that time, I listed over twenty significant privacy-protective changes that had been made to U.S. foreign intelligence laws since the Snowden disclosures in 2013.\3\ My 2016 Testimony then discussed the systemic safeguards present in U.S. law for foreign intelligence, including: (a) safeguards anchored in the statutes governing foreign intelligence surveillance by U.S. agencies,\4\ (b) interlocking executive, legislative, and independent oversight mechanisms that are in place for surveillance activities;\5\ (c) transparency mechanisms implemented since the Snowden disclosures that offered a level of transparency into U.S. 
surveillance practices unparalleled in other nations;\6\ and (d) privacy safeguards implemented within the Executive Branch to protect personal information of non-US persons.\7\ Chapter 5 of my 2016 Testimony also contained a detailed discussion of declassified opinions of the Foreign Intelligence Surveillance Court (FISC), including my assessment that the FISC has exercised careful and effective oversight over foreign intelligence surveillance.\8\ --------------------------------------------------------------------------- \3\ See id. at 3-10--3-12. \4\ See id. at 3-12--3-26. \5\ See id. at 3-26--3-34. \6\ See id. at 3-34--3-38. \7\ See id. at 3-39--3-49. \8\ See id. at 5-1--5-53. --------------------------------------------------------------------------- This Appendix highlights updates that have occurred since the 2016 period in which Privacy Shield and my Testimony were finalized. As an overview of what will be discussed in this Appendix, the following represents a summary of intervening developments that have resulted in greater safeguards, or the continued effectiveness of safeguards in place, since the 2016 period in which Privacy Shield and my prior Testimony were finalized: 1. The FISA Amendments Reauthorization Act of 2017 (FARA) introduced new safeguards for Section 702 programs, including: (a) mandating querying procedures for 702-acquired information, (b) codifying the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) practice of appointing Privacy and Civil Liberties Officers, (c) expanding whistleblower protections to Intelligence Community (IC) contractors, (d) increasing disclosure and transparency requirements for Section 702 programs, and (e) imposing significant restrictions on the recommencement of Abouts collection. 2. The FISC has continued to annually evaluate Section 702 surveillance as required under Section 702, and its reauthorization orders have resulted in new protections for Section 702 programs. 3. 
As a result of FISC's continued supervision of Abouts collection the NSA (a) voluntarily terminated Abouts collection and (b) segregated and deleted all Internet transactions previously acquired through its Upstream program. 4. The Office of Director of National Intelligence (ODNI) has continued to declassify significant documents relating to Section 702 surveillance, such as publishing the Section 702 trainings that NSA provides to its internal personnel that conduct Section 702 programs on a day-to-day basis. 5. Due in part to compliance incidents reported to the FISC, NSA decided to delete three years' worth of Call Detail Records (CDRs) obtained under the USA FREEDOM Act. NSA then decided to suspend its CDR program in early 2019. 6. The Privacy and Civil Liberties Oversight Board (PCLOB) issued new oversight reports on (a) the NSA's Call Detail Records program under the USA FREEDOM Act, as well as (b) the implementation of Presidential Policy Directive 28 (PPD-28) in U.S. intelligence agencies. PCLOB also recently announced it concluded an oversight review of the U.S. Treasury Department's Terrorist Finance Tracking Program.\9\ --------------------------------------------------------------------------- \9\ See generally U.S. Privacy and Civil Liberties Oversight Bd., Press Release: Privacy and Civil Liberties Oversight Board Concludes Review of Treasury Department's Terrorist Finance Tracking Program, (Nov. 19, 2019) available at https://documents.pclob.gov/prod/Documents/EventsAndPress/de7972f6-03f1-48fd-8acd-b719a658e4a0/TFTP%20Board%20Statement.pdf. PCLOB Chairman Adam Klein also issued a statement describing EU decisions to rely on TFTP instead of building its own equivalent program, and identifying privacy protective measures in place for EU citizens within TFTP, such as storage of EU bank customer data in the EU. See U.S. Privacy and Civil Liberties Oversight Bd., Statement by Chairman Adam Klein on the Terrorist Finance Tracking Program, (Nov. 
19, 2020) available at: https://documents.pclob.gov/prod/Documents/EventsAndPress/b8ce341a-71d5-4cdd-a101-219454bfa459/TFTP%20Chairman%20Statement%2011_19_20.pdf. --------------------------------------------------------------------------- 7. The ODNI has continued to publish annual Statistical Transparency Reports showing numerical statistics that provide transparency on the extent to which U.S. agencies are requesting data under FISA authorities, including Section 702 authorities. 8. The Department of Justice (DOJ) and ODNI continue to publish Semiannual Reports on the NSA's, FBI's, and CIA's compliance with Section 702 requirements, including statistics and descriptions of instances of non-compliance. These Reports continue to be created as a result of DOJ/ODNI's regular on-site reviews of the intelligence agencies. 9. U.S. foreign intelligence law continues to permit companies to publish transparency reports. My review of leading technology companies' recent transparency reports shows that, as in 2016, U.S. intelligence appears to affect a vanishingly small percentage of their active users. 10. ODNI has continued to publish significant quantities of declassified documents related to U.S. foreign intelligence activities on the ``IC on the Record'' website. It also facilitated greater access to these documents by launching a text-searchable capability on Intel.gov. 11. FISC has continued to declassify opinions and publish statistics on its handling of government surveillance applications. The percentage of applications that the FISC has modified or denied has increased since 2016. This Appendix discusses the above developments in eight Sections that track the structure of my 2016 Testimony: 1) updates to systemic safeguards for U.S. 
foreign intelligence, 2) updates to Section 702 programs, 3) updates to the former 215 program, 4) updates to oversight safeguards, 5) updates to transparency safeguards, 6) updates to executive safeguards, 7) updates to Foreign Intelligence Surveillance Court (FISC) testimony, 8) updates to surveillance-related standing cases. 1. Updates to Systemic Safeguards for U.S. Foreign Intelligence: A significant portion of my 2016 Testimony discussed the systemic safeguards built into the structure of foreign intelligence in the United States.\10\ The core and structure of these safeguards has remained unchanged since I testified in 2016. The U.S. remains a constitutional democracy committed to the rule of law in conducting foreign-intelligence surveillance.\11\ Further, U.S. surveillance remains subject to an interconnected system of statutory safeguards,\12\ oversight mechanisms,\13\ transparency mechanisms,\14\ and Executive Branch safeguards.\15\ My detailed discussion of these safeguards can be read in my 2016 Testimony, as outlined in the introduction above. --------------------------------------------------------------------------- \10\ See generally Swire, supra note 2 at 3-2--3-49. \11\ See id. at 3-2--3-6. \12\ See id. at 3-12--3-26. \13\ See id. at 3-26--3-34. \14\ See id. at 3-34--3-38. \15\ See id. at 3-39--3-49. --------------------------------------------------------------------------- 2. Updates to Section 702 Programs. Section 702 of FISA is the basis for significant foreign intelligence collection by U.S. intelligence agencies, and was discussed at length in my 2016 Testimony.\16\ Since 2016, the legal structure of Section 702 has remained largely unchanged. 
Section 702 requires the Attorney General and DNI to annually apply to the Foreign Intelligence Surveillance Court (FISC) to authorize Section 702 surveillance programs.\17\ In doing so, the FISC reviews and authorizes the targeting, minimization, and (since 2018) querying procedures under which the intelligence agencies conduct Section 702 surveillance.\18\ Throughout the ensuing year, the agencies' conduct of Section 702 programs is monitored by internal procedures, external audits, and regular reporting to the FISC and Congress.\19\ The primary programs that exist under Section 702 remain (a) the Prism program, in which agencies such as the NSA serve directives on communications providers compelling the disclosure of communications to or from a tasked selector; and (b) the Upstream program, in which Internet backbone providers acquire communications to or from a tasked selector as they traverse the Internet.\20\ My 2016 Testimony discusses the structure of Section 702 as well as its primary programs in detail.\21\ --------------------------------------------------------------------------- \16\ See id. at 3-18--3-24. \17\ See id. at 3-18--3-21. \18\ See id. \19\ See generally id. at 3-2--3-49. \20\ See generally id. at 3-18--3-24. \21\ See id. --------------------------------------------------------------------------- Despite broad continuity in Section 702 practice since my 2016 Testimony, a number of significant updates have occurred. This Section briefly summarizes a selection of these changes: (a) the FISA Amendments Act Reauthorization Act of 2017 and its privacy-protective aspects; (b) the FISC continues to reauthorize the Section 702 programs annually; (c) NSA terminated Upstream's Abouts collection in connection with 2017 FISC Reauthorization; (d) statistics on 702 programs continue to be released by the U.S. government; (e) the U.S. 
government continues to publish the Semiannual Assessment of compliance for 702 programs; and, (f) NSA declassified its internal guidance and training manuals for 702 programs. a. FISA Amendments Reauthorization Act of 2017 (FARA) In 2018, the FISA Amendments Reauthorization Act of 2017 (FARA) was passed, reauthorizing FISA for a five-year term and providing additional oversight and privacy protections.\22\ Specifically, FARA i) mandated that intelligence agencies adopt querying procedures governing how they may access and use Section 702 intelligence; ii) codified the appointment of Privacy and Civil Liberties Officers in the NSA and FBI; iii) expanded whistleblower protections; iv) increased agency disclosure requirements; and v) required an approval process if the NSA wishes to restart Abouts collections.\23\ --------------------------------------------------------------------------- \22\ See FISA Amendments Reauthorization Act of 2017, Pub. L. 115-118, (2018) [hereinafter ``FARA'']. \23\ See generally id. --------------------------------------------------------------------------- i. Mandatory Querying Procedures Before FARA, Section 702 mandated that intelligence agencies adopt ``targeting'' and ``minimization'' procedures, which collectively provided the standards by which individuals are targeted for foreign intelligence surveillance and how subsequently acquired communications may be retained and used. FARA added a requirement that the NSA, FBI, CIA, and NCTC adopt ``querying'' procedures governing how these agencies are permitted to access and search 702-acquired communications.\24\ Like targeting and minimization procedures, Section 702 querying procedures must be annually submitted to the FISC for approval, and FISC must evaluate them for consistency with FISA and ``the requirements of the Fourth Amendment.'' \25\ While FARA set forth specific requirements for U.S. person queries,\26\ the querying procedures adopted by U.S. 
intelligence agencies contain safeguards for all individuals regardless of nationality. For example, the NSA's 2019 Querying Procedures state that ``[e]ach query of NSA systems containing unminimized content or noncontent information acquired pursuant to section 702 . . . must be reasonably likely to retrieve foreign intelligence information.'' \27\ These requirements, and FISC's annual review of how they are followed by U.S. intelligence agencies, help support proportional use of communications acquired under Section 702. --------------------------------------------------------------------------- \24\ Id. Sec. 101. \25\ Id. Sec. 101(a)(1)(B)(f)(1) (2018). \26\ Id. Sec. 109 (2018). \27\ Nat'l Sec. Agency, Querying Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, As Amended, 3 (Sept. 16, 2019), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2019_702_Cert_NSA_Querying_17Sep19_OCR.pdf. --------------------------------------------------------------------------- ii. Ratification of Appointment of PCLOs within Agencies Under its Section 109, FARA expressly required the NSA and FBI to appoint Privacy and Civil Liberties Officers (PCLOs).\28\ This change represented more of a change in law than in practice, since both NSA and FBI already had active PCLOs in place as a matter of internal policy before FARA was enacted.\29\ Nonetheless, FARA's express codification of NSA's and FBI's prior practice represents Congress's approval of the IC practice of installing oversight and privacy protection offices directly within the agencies that conduct foreign intelligence surveillance. --------------------------------------------------------------------------- \28\ FARA Sec. 106. \29\ Office of the Dir. 
of Nat'l Intelligence, The FISA Amendments Reauthorization Act of 2017: Enhanced Privacy Safeguards for Personal Data Transfers Under Privacy Shield, 3 (Oct. 15, 2018) available at: https://www.dni.gov/files/documents/icotr/Summary-FISA-Reauthorization-of-2017--10.15.18.pdf [hereinafter ``DNI FARA Summary'']. --------------------------------------------------------------------------- iii. Expansion of Whistleblower Protections FARA extended available whistleblower protections to contract employees working within U.S. intelligence agencies.\30\ Prior to FARA, ``contractors were protected from agency management retaliation,'' but not from retaliation from the contractor's direct employer.\31\ FARA thus extended whistleblower protections to prohibit retaliation against a whistleblowing IC contractor by the contractor's employer.\32\ As a result, IC contractors can report deficiencies or violations to the inspectors general of U.S. intelligence agencies and, as permitted by law, to the Senate and House intelligence committees.\33\ --------------------------------------------------------------------------- \30\ FARA Sec. 110. \31\ DNI FARA Summary, supra note 29. \32\ See id. \33\ See Swire, supra note 2 at 3-28--3-29. --------------------------------------------------------------------------- iv. Increased Disclosure Requirements FARA introduced a number of new disclosure requirements for intelligence agencies. First, FARA requires future ODNI Statistical Transparency Reports to separately state the number of U.S. 
persons and non-US persons that were targets of electronic surveillance.\34\ Second, FARA formally mandates that agencies' Section 702 minimization procedures be published.\35\ Third, FARA requires the Attorney General to provide new reporting to Congress on the number of surveillance applications and emergency authorizations,\36\ and to make each report publicly available and unclassified ``to the extent consistent with national security.'' \37\ --------------------------------------------------------------------------- \34\ FARA Sec. 102(b). \35\ Id. Sec. 104 (2018). Although agencies' minimization procedures have already been declassified and published for each year in which the corresponding Section 702 reauthorization was published, this change may result in minimization procedures being published even when the underlying reauthorization is not. \36\ Id. Sec. 107. \37\ Id. --------------------------------------------------------------------------- v. Requirements for Resuming Abouts Collections Abouts collection was an aspect of the NSA's Upstream program. As discussed more fully in Section 2(d) below, following significant interaction with the FISC on the lawfulness of Abouts communication, the NSA voluntarily discontinued Abouts collections in March 2017. FARA now ensures that both the FISC and Congress must be informed before Abouts collection can be revived. 
If the NSA wishes to resume ``intentional acquisition of [A]bouts communication,'' several requirements must be met.\38\ First, FISC must issue a certification approving the program and ``a summary of the protections in place to detect any material breach.'' \39\ Second, the NSA must notify Congress in writing 30 days before resuming Abouts collection, and cannot begin Abouts collection within that thirty-day window.\40\ The FISC's order approving the recommencement of Abouts collection must be attached to the notice provided to Congress.\41\ Third, if Abouts collection resumes after having satisfied the prior two requirements, the NSA must report all material breaches to Congress.\42\ Finally, any FISC opinion certifying the recommencement of Section 702 Abouts collection will be designated as a ``novel or significant interpretation of the law,'' thus requiring appointment of an amicus curiae during authorization proceedings, as well as public release of the opinion.\43\ The presence of these requirements within the amended Section 702 adds another level of oversight to the NSA's collection of Section 702 data.

---------------------------------------------------------------------------
    \38\ Id. Sec. 103.
    \39\ Id. Sec. 103(b)(3).
    \40\ Id. Sec. 103(b)(2).
    \41\ Id. Sec. 103(b)(3).
    \42\ Id. Sec. 103(b)(5). Material breaches include ``significant noncompliance with applicable law or an order of the FISC concerning any acquisition of Abouts communication,'' see id. Sec. 103(b)(1)(B). It can be presumed that other compliance incidents, whether material or not, would be reported to the FISC, as this is the FISC's current requirement for Section 702 programs.
    \43\ Id. Sec. 103(b)(6); see also USA FREEDOM Act, Pub. L. 114-23, Sec. 602(a) (2017).
---------------------------------------------------------------------------

b. FISC Continued to Evaluate 702 Compliance During Annual Reauthorizations

As stated above, FISC must annually review and reauthorize Section 702 programs. Since my prior testimony, FISC has reauthorized Section 702 programs on at least three occasions: in April 2017,\44\ October 2018,\45\ and December 2019.\46\ For each of these reauthorizations, the U.S. government declassified and published (a) the FISC order evaluating and reauthorizing Section 702 programs; and (b) the targeting, minimization, and (starting in 2018) querying procedures approved by the FISC to govern the conduct of Section 702 surveillance.\47\ For the 2016 reauthorization, the government also declassified the ODNI/Attorney General certification and the NSA Director's affidavit submitted to FISC.\48\

---------------------------------------------------------------------------
    \44\ See generally Mem. Op. & Order [Redacted], Case Caption [Redacted] (F.I.S.C. Apr. 26, 2017), available at: https://www.dni.gov/files/documents/icotr/51117/2016_Cert_FISC_Memo_Opin_Order_Apr_2017.pdf [hereinafter ``FISC 2016/2017 Reauthorization''].
    \45\ See generally Order [Redacted], Case Caption [Redacted] (F.I.S.C. Oct. 18, 2018), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2018_Cert_FISC_Opin_18Oct18.pdf [hereinafter ``FISC 2018 Reauthorization''].
    \46\ See generally Mem. Op. & Order [Redacted], Case Caption [Redacted] (F.I.S.C. Dec. 6, 2019), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2019_702_Cert_FISC_Opinion_06Dec19_OCR.pdf [hereinafter ``FISC 2019 Reauthorization''].
    \47\ See generally FISC 2016/2017 Reauthorization, supra note 44; FISC 2018 Reauthorization, supra note 45; FISC 2019 Reauthorization, supra note 46.
    \48\ See generally FISC 2016/2017 Reauthorization, supra note 44.
---------------------------------------------------------------------------

The FISC reauthorization opinions show the FISC conducting the careful and detailed oversight of Section 702 surveillance that I discussed in my 2016 Testimony.\49\ FISC continued to examine how Section 702 programs ``have been and will be implemented'' in practice.\50\ It also crafted new requirements for compliance with Section 702. As brief examples of FISC's review:

---------------------------------------------------------------------------
    \49\ See generally Swire, supra note 2 at 5-1--5-53.
    \50\ Mem. Op. & Order [Redacted], Case Caption [Redacted], 3 (F.I.S.C. Aug. 26, 2014), available at: https://www.dni.gov/files/documents/0928/FISC%20Memorandum%20Opinion%20and%20Order%2026%20August%202014.pdf; see also Swire, supra note 2 at 5-12--5-14.
---------------------------------------------------------------------------

The 2016 reauthorization opinion is 99 pages long.\51\ The FISC evaluated the NSA's reports of compliance incidents relating to Abouts collection, and the NSA's decision to terminate Abouts collection in response (discussed immediately below). Further, the FISC evaluated the NCTC receiving access to Section 702 information, NSA data deletion questions, and potential issues relating to NSA's Upstream program that had occurred in the past year. The FISC also evaluated the NSA's use of automated tools for tasking decisions; determined that reliance on these tools was not sufficient to task a selector; and required the NSA to begin reporting incidents where the NSA did not conduct post-tasking review of acquired communications to determine whether a tasking decision had been proper.

---------------------------------------------------------------------------
    \51\ See FISC 2016/2017 Reauthorization, supra note 44. Due to extensions granted to review Abouts collection, which extended reauthorization proceedings, the 2016 reauthorization appears to have covered Section 702 surveillance in both 2016 and 2017. The Attorney General and ODNI filed certifications to reauthorize Section 702 surveillance on September 26, 2016. See also Government's Ex Parte Submission of Reauthorization Certifications and Related Procedures, Ex Parte Submission of Amended Certifications, and Request for an Order Approving Such Certifications and Amended Certifications [Redacted] (F.I.S.C. Sept. 26, 2016), available at: https://www.dni.gov/files/documents/icotr/51117/2016_Certification_Cover_Filing_Sep_26_2016_part_1_and_2_-merged.pdf. In evaluating Abouts collection issues, FISC granted extensions into March 2017, at which point NSA announced it was terminating Abouts collection. FISC then issued its reauthorization order on April 26, 2017. This reauthorization thus appears to have authorized Section 702 programs for 2016 and 2017.
---------------------------------------------------------------------------

The 2018 reauthorization opinion is 138 pages long.\52\ In its lengthiest discussion, the FISC found FBI querying practices involving U.S. person identities were inconsistent with the Fourth Amendment; this finding was appealed to the FISA Court of Review, which affirmed the FISC,\53\ resulting in the FBI modifying its minimization and querying procedures.\54\ Additionally, in a novel and significant decision, the FISC held that FARA restrictions on Abouts collection also applied to certain non-Abouts collection. Although the precise collection technique at issue remained redacted, FISC ordered the NSA to report to FISC, within 10 days, each time it tasked a selector using this technique, presumably to monitor on an ongoing basis that NSA's acquisitions complied with the restrictions of FARA.\55\ For this decision, the FISC invited and received amicus briefing.

---------------------------------------------------------------------------
    \52\ See FISC 2018 Reauthorization, supra note 45.
    \53\ See In Re: DNI/AG 702(h) Certifications 2018 [Redacted], Dkt. No. [Redacted] (F.I.S.A. Ct. Rev. July 12, 2019), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2018_Cert_FISCR_Opinion_12Jul19.pdf.
    \54\ See Mem. Op. & Order [Redacted], Case No. [Redacted] (F.I.S.C. Sept. 4, 2019), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2018_Cert_FISC_Opinion_04Sep19.pdf.
    \55\ See FISC 2018 Reauthorization, supra note 45 at 136-138.
---------------------------------------------------------------------------

The 2019 reauthorization opinion is 83 pages long.\56\ It addressed questions about whether the NSA may share information with FBI for targeting purposes, as well as the retention period for Upstream collection after termination of Abouts collection. Additionally, FISC addressed whether 702-acquired information could be captured by intelligence agencies' ``user-activity monitoring'' (AUM) activities, such as insider threat protection. The FISC preliminarily approved AUM activities, but required all agencies to provide further reporting on the extent of their AUM activities and the amount of 702-acquired information affected by it.

---------------------------------------------------------------------------
    \56\ See FISC 2019 Reauthorization, supra note 46.
---------------------------------------------------------------------------

c. NSA Terminated Upstream's Abouts Collection in Connection with FISC's 2017 Section 702 Reauthorization

The NSA's termination of Abouts collection represents a significant development that has occurred since my 2016 Testimony and illustrates the effectiveness of the U.S. system of safeguards for foreign intelligence surveillance. Abouts collection referred to an aspect of the NSA's Section 702 Upstream program. It acquired communications that were not to or from a tasked selector, but which instead mentioned the selector (and were thus described as being ``about'' that selector).
An example would be the NSA receiving an e-mail in which the target's selector e-mail address is included in the body or text of the e-mail, but the target neither sent nor received that e-mail.\57\

---------------------------------------------------------------------------
    \57\ Nat'l Sec. Agency, NSA Stops Certain 702 ``Upstream'' Activities, PA-014-18 (Apr. 28, 2017), available at: https://www.nsa.gov/news-features/press-room/Article/1618699/nsa-stops-certain-section-702-upstream-activities/.
---------------------------------------------------------------------------

Abouts collection first came to FISC's attention in 2011, when it raised concerns due to acquisition of Multi-Communication Transactions (MCTs).\58\ E-mails and similar communications are often not transmitted through the Internet as discrete communications, but instead as part of MCT clusters,\59\ what is often called a ``thread'' of e-mails. This resulted in Upstream acquiring not just communications containing a tasked selector, but also a further cluster of attached communications in which the selector did not appear.\60\ For Abouts communication, FISC found this raised heightened privacy concerns, since it resulted in the NSA acquiring communications that did not contain selectors.\61\ FISC thus imposed a number of restrictions on Abouts collection, such as requiring the NSA to segregate Abouts collection from other 702-acquired data, to restrict other agencies' access to Upstream collection, to restrict NSA analysts' use of Upstream-collected data, and to purge Upstream collection on a more expedited basis than other 702-acquired information.\62\ These restrictions were memorialized in NSA's Section 702 minimization procedures beginning in 2011.\63\

---------------------------------------------------------------------------
    \58\ See generally Swire, supra note 2 at 5-31--5-34.
    \59\ See id.
    \60\ See id.
    \61\ See id.
    \62\ See Mem. Op. [Redacted], Case No. [Redacted] (F.I.S.C. Oct. 3, 2011), available at: https://www.dni.gov/files/documents/0716/October-2011-Bates-Opinion-and%20Order-20140716.pdf.
    \63\ See Mem. Op. [Redacted], Case No. [Redacted] (F.I.S.C. Nov. 30, 2011), available at: http://www.fas.org/irp/agency/doj/fisa/fisc1111.pdf.
---------------------------------------------------------------------------

It appears that in 2016, NSA's Inspector General reviewed NSA's querying of Upstream collections and identified ``significant noncompliance'' with the FISC's restrictions.\64\ This was reported to FISC, which held a hearing and required the government to submit a report on the full extent of querying practices affecting Upstream data as well as a remediation plan.\65\ The government provided several rounds of updates to the FISC; however, the FISC on several occasions expressed dissatisfaction with the state of the government's investigation into how querying practices were not complying with existing FISC orders.\66\

---------------------------------------------------------------------------
    \64\ FISC 2016/2017 Reauthorization, supra note 44 at 4.
    \65\ See id.
    \66\ See id. at 4-6.
---------------------------------------------------------------------------

Ultimately, on March 30, 2017, the NSA reported to FISC that it would ``eliminate `Abouts' collection altogether.'' \67\ In addition, NSA stated it would ``sequester and destroy raw Upstream Internet data previously collected,'' and ``destroy such sequestered Internet transactions as soon as practicable through an accelerated age-off process.'' \68\ Going forward, NSA stated that any communications obtained by Upstream ``that are not to or from a person targeted in accordance with NSA's section 702 targeting procedures . . . will be destroyed upon recognition,'' and that NSA ``will report any acquisition of such communications to [FISC] as an incident of non-compliance.'' \69\ The NSA proffered updated minimization procedures to the FISC that memorialized these changes to Upstream.\70\

---------------------------------------------------------------------------
    \67\ Id. at 6.
    \68\ Id. at 23-24.
    \69\ Id.
    \70\ Id. at 26.
---------------------------------------------------------------------------

The FISC accepted the NSA's updated minimization procedures that prohibited Abouts collection.\71\ Further, as described above, FARA now requires the NSA to obtain FISC authorization, and provide notification to Congress, prior to recommencing Abouts communication.\72\ The NSA also publicly announced its termination of Abouts collection.\73\

---------------------------------------------------------------------------
    \71\ See id.
    \72\ FARA Sec. 103.
    \73\ Nat'l Sec. Agency, NSA Stops Certain 702 ``Upstream'' Activities, PA-014-18 (Apr. 28, 2017), available at: https://www.nsa.gov/news-features/press-room/Article/1618699/nsa-stops-certain-section-702-upstream-activities/.
---------------------------------------------------------------------------

The termination of Abouts communication underscores the effectiveness of the U.S. system of safeguards for foreign intelligence. The FISC recognized privacy risks in Abouts collection and imposed heightened requirements on the NSA. Those requirements could not be met, in part due to technical challenges. Internal reviews identified the noncompliance, and it was reported to FISC. FISC insisted on compliance with its privacy restrictions, and the NSA determined this required Abouts collection to end.

d. Statistics on 702 Programs Continue to be Released by the U.S. Government

ODNI publishes annual Statistical Transparency Reports that identify the number of non-U.S. persons who are the targets of tasked selectors under Section 702.\74\ My 2016 Testimony referenced that in 2015, there had been 94,368 targets of Section 702 programs.\75\ Since then, the Statistical Transparency Reports have provided targeting statistics for subsequent years.\76\ The following table provides statistics for targeting of non-U.S. persons under Section 702 since 2016:\77\

---------------------------------------------------------------------------
    \74\ See 50 U.S.C. Sec. 1873(b)(2)(A); Swire, supra note 2 at 3-36--3-37.
    \75\ See Swire, supra note 2 at 3-21--3-24.
    \76\ See generally Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2016 (Apr. 2017), available at: https://www.dni.gov/files/icotr/ic_transparecy_report_cy2016_5_2_17.pdf; see generally Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2017 (Apr. 2018), available at: https://www.dni.gov/files/documents/icotr/2018-ASTR-CY2017-FINAL-for-Release-5.4.18.pdf; see generally Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2018 (Apr. 2019), available at: https://www.dni.gov/files/CLPT/documents/2019_ASTR_for_CY2018.pdf; see generally Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2019 (Apr. 2020), available at: https://www.dni.gov/files/CLPT/documents/2020_ASTR_for_CY2019_FINAL.pdf.
    \77\ Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2019, 14 (Apr. 2020), available at: https://www.dni.gov/files/CLPT/documents/2020_ASTR_for_CY2019_FINAL.pdf [hereinafter ``2019 Statistical Transparency Report''].
---------------------------------------------------------------------------

----------------------------------------------------------------------------------
Calendar Year                                 2016       2017       2018       2019
----------------------------------------------------------------------------------
Estimated Number of Section 702 Targets    106,469    129,080    164,770    204,968
  for Non-U.S. Persons
----------------------------------------------------------------------------------

I add one comment relevant to current discussions about possible changes in U.S. surveillance practices after Schrems II. One proposal I have heard would be to end the Section 702 program and have each selector be subject to one-at-a-time prior approval by a judge under Title I of FISA, the sort of approval that applies to individuals in the U.S. where there is probable cause that they are ``agents of a foreign power.'' \78\ There are currently 11 Federal district judges on the FISC; processing over 100,000 individual orders per year would simply not be possible with anything like current staffing, with the care and attention to each application that DOJ documents and a judge assesses. As discussed in my 2016 Testimony, Section 702 was created in 2008 as an increase in legal process compared to prior collection done outside of the U.S.\79\ Adding one-at-a-time prior approval by a judge for each selector would thus appear to be a greater change to current practice than some may have realized. That is not a conclusion about what changes the U.S. might contemplate in discussions with the EU, but instead an observation about the nature of the current 702 program.

---------------------------------------------------------------------------
    \78\ 50 U.S.C. Sec. 1801(b).
    \79\ See Swire, supra note 2 at 3-18--3-19.
---------------------------------------------------------------------------

e. The U.S. Government Continued to Publish Semiannual Assessments of Compliance for 702 Programs

Section 702 requires the AG and ODNI to jointly assess intelligence agencies' compliance with FISA Section 702 and publish their assessment semiannually in a declassified report (the ``Semiannual Assessments'').\80\ The AG (through the Department of Justice's National Security Division) and ODNI conduct regular on-site reviews of NSA, FBI, and CIA on at least a bimonthly basis, and they review agencies' targeting and minimization decisions.\81\ Using the results of these reviews, the Semiannual Assessments describe types, percentages, and trends of 702 non-compliance issues. The table below summarizes the overall compliance rates, as well as compliance rates for each category of non-compliance, from December 2014 to November 2017. Note that Semiannual Assessments are published on a lag, meaning that although the statistics below date back to 2014, all of the below statistics have been published since the 2016 period in which my prior Testimony and Privacy Shield were finalized.

---------------------------------------------------------------------------
    \80\ 50 U.S.C. Sec. 1881a(l)(1).
    \81\ See Swire, supra note 2 at 5-20--5-23.
    \82\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 26-30 (Feb. 2016), available at: https://www.dni.gov/files/documents/icotr/14th-Joint-Assessment-Feb2016-FINAL-REDACTED.pdf.
    \83\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 27-31 (Nov. 2016), available at: https://www.dni.gov/files/documents/icotr/15th-702Joint-Assessment-Nov2016-FINAL-REDACTED1517.pdf.
    \84\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 27-31 (Aug. 2017), available at: https://www.dni.gov/files/icotr/16th_Joint_Assessment_Aug_2017_10.16.18.pdf.
    \85\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 26-30 (Dec. 2017), available at: https://www.dni.gov/files/icotr/17th_Joint_Assessment_Dec_2017_10.16.18.pdf.
    \86\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 28-32 (Oct. 2018), available at: https://www.dni.gov/files/icotr/18th_Joint_Assessment.pdf [hereinafter ``Semiannual Report 18''].
    \87\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 30-36 (Dec. 2019), available at: https://www.intelligence.gov/assets/documents/702%20Documents/declassified/19th%20Joint%20Assessment%20for%20702%20Dec%202019%20-%20Final%20for%20release%20(002)OCR.pdf [hereinafter ``Semiannual Report 19''].
---------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------
                                    Report 14    Report 15    Report 16    Report 17    Report 18    Report 19
Intelligence Agencies               (Dec. 2014-  (June 2015-  (Dec. 2015-  (June 2016-  (Dec. 2016-  (June 2017-
Compliance Statistics               May 2015)    Nov. 2015)   May 2016)    Nov. 2016)   May 2017)    Nov. 2017)
                                    \82\         \83\         \84\         \85\         \86\         \87\
----------------------------------------------------------------------------------------------------------------
Overall Non-Compliance Rate         0.35%        0.53%        0.45%        0.88%        0.37%        0.42%
Tasking Non-Compliance Rate         42.3%        58.%         50.8%        35.3%        24.9%        28.7%
Detasking Non-Compliance Rate       24.3%        21.5%        13.7%        5.9%         7.5%         7.3%
Notification Non-Compliance Rate    8.7%         5.2%         6.4%         6.8%         11.2%        22.1%
Documentation Non-Compliance Rate   4.9%         2.2%         12.9%        7.5%         14%          23.6%
Minimization Non-Compliance Rate    14.8%        9.9%         14.3%        42.5%        39.1%        17.3%
Miscellaneous/Other Non-Compliance  4.9%         2.5%         2%           1.9%         0.9%         0.7%
  Rate
Overcollection Non-Compliance Rate  Not reported Not reported Not reported 0.1%         Not reported 0.3%
----------------------------------------------------------------------------------------------------------------

Overall, AG/ODNI concluded in each Semiannual Assessment that ``the agencies have continued to implement [targeting and minimization] procedures and follow [applicable] guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702.''\88\ Only two incidents of intentional non-compliance were identified in the six Semiannual Assessments that have been published since my 2016 Testimony, each of which was remedied.\89\ The Semiannual Assessments enable transparency into the conduct of foreign intelligence surveillance that, to the best of my knowledge, remains unique among leading nations.

---------------------------------------------------------------------------
    \88\ This conclusion is from the October 2018 Semiannual Assessment, but is representative of the conclusion of prior Semiannual Assessments. See, e.g., Semiannual Report 18, supra note 86 at 48 (``[T]he agencies continued to implement the procedures and follow the guidelines in a manner that reflects a focused and concerted effort by agency personnel to comply with the requirements of Section 702.'').
    \89\ In Semiannual Report 19, there were two issues of intentional non-compliance. The first issue involved FBI running batch queries under proposed, but unapproved, query procedures. These query procedures were eventually approved, but this incident still counted as intentional non-compliance. The second issue involved traditional intentional non-compliance, where an FBI analyst queried his name and the name of his co-worker in the FBI database. This analyst was fired, and his security clearance was terminated. See Semiannual Report 19, supra note 87.
---------------------------------------------------------------------------

f. NSA Declassified its Internal Training Manuals for 702 Programs

Since my 2016 Testimony, NSA has released internal guidance and training documents related to Section 702.\90\ The documents show the multi-level training NSA provides to personnel on Section 702 compliance. They include trainings NSA provides to analysts who task selectors to be used in Section 702 surveillance, detailing the process through which NSA analysts must document their rationale for targeting a selector and submit it to an NSA ``Adjudicator'' for review.\91\ The documents also include trainings provided to Adjudicators on reviewing analyst requests to task specific selectors, and the checklists used in selector evaluations.\92\ Finally, NSA published a comprehensive Section 702 training covering aspects of NSA personnel's compliance duties relating to collecting, processing, analysis, retention, and dissemination of 702-acquired information, as well as obligations to immediately report compliance incidents.\93\

---------------------------------------------------------------------------
    \90\ See Office of the Dir. of Nat'l Intelligence, IC on the Record: IC on the Record Guide to Posted Documents, IContheRecord.tumblr.com (Oct. 2020), available at: https://www.intel.gov/ic-on-the-record/guide-to-posted-documents.
    \91\ See Nat'l Sec. Agency, Updated FAA 702 Targeting Review Guidance [Redacted] (May 15, 2017), available at: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20000911-001000%20-%20Doc%2010.%20NSA%E2%80%99s%20702%20Targeting%20Review%20Guidance.pdf; see also Nat'l Sec. Agency, CRSK1304: FAA Section 702 Practical Applications [Redacted] (NSA's Practical Applications Training), available at: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20000911-001000%20-%20Doc%2011.%20NSA%E2%80%99s%20702%20Practical%20Applications%20Training.pdf.
    \92\ See Nat'l Sec. Agency, FAA702 Adjudicator Training [Redacted], available at: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20000911-001000%20-%20Doc%2012.%20NSA%E2%80%99s%20702%20Training%20for%20NSA%20Adjudicators.pdf; Nat'l Sec. Agency, FAA 702 Adjudication Checklist [Redacted], available at: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20001001-001049%20-%20Doc%2013.%20NSA%E2%80%99s%20702%20Adjudication%20Checklist.pdf.
    \93\ See Nat'l Sec. Agency, OVSC1203: FISA Amendments Act Section 702 [Redacted], available at: https://www.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20001001-001049%20-%20Doc%2017.%20NSA%E2%80%99s%20Training%20on%20FISA%20Amendments%20Act%20Section%20702.pdf.
---------------------------------------------------------------------------

As one comment on possible reforms that may address EU legal concerns, the U.S. government might consider codifying training requirements and other aspects of compliance. Such codification might be done through either statutory or non-statutory means, to address European legal concerns that Section 702 and other safeguards be ``required by law.''

3. Updates to the Former 215 Program.

In my 2016 Testimony, I discussed ``[p]erhaps the most dramatic change in U.S. surveillance law'' since the Snowden disclosures: the termination of a bulk telephone record collection program that had been operated under Section 215 of the USA PATRIOT Act, and its replacement with a targeted call records program.\94\ This change began when President Obama's Review Group, in which I participated, reviewed the 215 program and found it ``not essential to preventing attacks.'' \95\ The USA FREEDOM Act was passed soon thereafter, and prohibited bulk collection under Section 215, as well as under pen register, trap-and-trace, and national security letter authorities. NSA terminated the bulk phone records program on November 29, 2015.\96\

---------------------------------------------------------------------------
    \94\ Swire, supra note 2 at 3-16--3-18.
    \95\ See id.
    \96\ See Office of the Dir. of Nat'l Int., ODNI Announces Transition to a New Telephone Metadata Program (Nov. 27, 2015), available at: https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2015/item/1292-odni-announces-transition-to-new-telephone-metadata-program.
---------------------------------------------------------------------------

The USA FREEDOM Act thus introduced a targeted telephone call detail records program (the ``CDR Program'') that operated as I described in my 2016 Testimony.\97\ The government had to identify a specific selector (such as a phone number) that was reasonably suspected of being associated with terrorism, and obtain a FISC order requiring a communications provider to produce records associated with that selector. The government could only obtain records that were no more than two ``hops'' from the identified selector.

---------------------------------------------------------------------------
    \97\ See Swire, supra note 2 at 3-16--3-18.
---------------------------------------------------------------------------

Since my 2016 Testimony, the NSA voluntarily terminated the CDR Program due to compliance and data-integrity issues it did not believe could be resolved. This section briefly describes the significant events relating to the CDR Program: (a) the NSA's deletion of years' worth of CDRs, followed by its decision to terminate the CDR Program, and (b) the PCLOB's ensuing report on the CDR Program. These NSA actions are another example of the oversight and correction mechanisms built into the U.S. legal system governing foreign intelligence.

a. NSA Voluntarily Deleted 3 Years' Worth of USA FREEDOM Act CDRs, then Discontinued the CDR Program Altogether

The CDR Program was affected by a number of compliance issues that resulted in the NSA deciding to delete years' worth of CDR Program data, then to discontinue the program. Between 2016 and 2019, the NSA provided a number of notices to FISC detailing issues of non-compliance and data-integrity issues.\98\ Generally, the non-compliance issues included information omitted from FISA applications, providers transmitting CDRs on expired orders, and training and access incidents involving NSA personnel.\99\ The data-integrity issues generally involved the NSA receiving erroneous data from certain telecom providers.\100\ NSA notified FISC of these incidents, and deleted CDRs associated with these incidents.

---------------------------------------------------------------------------
    \98\ See Privacy and Civil Liberties Oversight Bd., Report on the Government's Use of the Call Detail Records Program Under the USA Freedom Act, 20 (Feb. 2020), available at: https://documents.pclob.gov/prod/Documents/OversightReport/87c7e900-6162-4274-8f3a-d15e3ab9c2e4/PCLOB%20USA%20Freedom%20Act%20Report%20(Unclassified).pdf [hereinafter ``PCLOB CDR Report''].
    \99\ See id. at 21.
    \100\ First, a telecom provider pushed ``inaccurate first-hop numbers to the NSA,'' which the NSA's system could not detect. ``Instead, [the system] requested second-hop records using the erroneous first-hop response.'' Subsequently, the provider fixed the issue and the NSA purged the CDRs containing inaccurate numbers. Second, a telecom provider produced a number of CDRs with inaccurate data to the NSA. The NSA took immediate action to stop receipt of CDRs from the provider. The NSA also found there were four FISA applications that relied on the inaccurate information, which it quickly reported to the FISC. The NSA then deleted associated CDRs and ``recalled one disseminated intelligence report generated based on inaccurate CDRs.'' Id. at 22.
---------------------------------------------------------------------------

In a further incident, when a provider produced inaccurate data, NSA searched for ``anomalous data from the other providers,'' and found data-accuracy issues distributed across providers.\101\ Further discussions by the NSA with another provider confirmed it also provided inaccurate data.\102\ Ultimately, NSA determined ``the providers could not identify for NSA all the affected records, and NSA had no way to independently determine which records contained inaccurate information.'' \103\

---------------------------------------------------------------------------
    \101\ Id. at 23.
    \102\ See id.
    \103\ Id. at 24.
---------------------------------------------------------------------------

In response, starting on May 23, 2018, the NSA began deleting all CDRs obtained since 2015.\104\ As required under FISA, the NSA also notified the PCLOB, the Department of Justice (DOJ), and the congressional oversight committees of its decision.\105\ In June 2018, NSA released a statement notifying the public that it had deleted all of its call records under the CDR program due to ``technical irregularities in some data received from telecommunications service providers'' that had resulted in the NSA having access to some CDRs that NSA was not authorized to receive.\106\

---------------------------------------------------------------------------
    \104\ See Nat'l Sec. Agency, NSA Reports Data Deletion, Release No: PA-010-18 (June 18, 2018), available at: https://www.nsa.gov/news-features/press-room/Article/1618691/nsa-reports-data-deletion/.
    \105\ The DOJ subsequently notified FISC. See id.
    \106\ PCLOB CDR Report, supra note 98 at 24.
---------------------------------------------------------------------------

Shortly after, in early 2019, the NSA allowed its last FISC order authorizing CDR collection to expire, thus discontinuing the CDR Program under the USA FREEDOM Act.\107\ This decision was based on a balancing of ``the program's relative intelligence value, associated costs, and compliance and data-integrity concerns.'' \108\ Accordingly, the number of CDRs collected by the NSA fell from over 434 million in 2018 to approximately 4.2 million in 2019.\109\

---------------------------------------------------------------------------
    \107\ As a part of the discontinuation, the NSA deleted remaining data collected under the CDR Program, but not data ``that had been used in disseminated intelligence reporting or data that was considered `mission management related information.' '' PCLOB CDR Report, supra note 98 at 24.
    \108\ PCLOB CDR Report, supra note 98 at 24.
    \109\ Semiannual Report 19, supra note 87 at 32.
---------------------------------------------------------------------------

b. PCLOB Assessed the USA FREEDOM Act CDR Program

In February 2020, the PCLOB issued a report reviewing the CDR program under the USA Freedom Act (the ``CDR Program Report'').\110\ Since the CDR program had been discontinued by the time the PCLOB's Report was issued, the PCLOB made no recommendations regarding the Act, but did issue five key findings. First, the Board found that the CDR program had been constitutional, and second, that the NSA's collection of two hops of CDR data on an ongoing basis was statutorily authorized.\111\ Third, PCLOB found no agency abuse of the CDR Program prior to the NSA's decision to stop CDR collection, and, fourth, no evidence that the NSA received statutorily prohibited categories of information such as name, address, or financial information related to a selector.\112\ Finally, the Board found the NSA did not use its authority granted under the USA Freedom Act to attempt to gather certain kinds of metadata (the specifics of which remain redacted).\113\ More broadly, the PCLOB agreed with the NSA's decision to stop CDR collection.\114\

---------------------------------------------------------------------------
    \110\ See generally PCLOB CDR Report, supra note 98.
    \111\ Some of the members of the Board did not join the constitutional analysis provided in the report. See id. at 70-77.
    \112\ See PCLOB CDR Report, supra note 98 at 2.
    \113\ See id.
    \114\ See Privacy and Civil Liberties Oversight Bd., Fact Sheet: Report on the NSA's Call Detail Records Program Under the USA Freedom Act, 2, available at: https://documents.pclob.gov/prod/Documents/OversightReport/e37f0efb-c85d-4053-b4c1-4159ccbf100f/CDR%20Fact%20sheet%20FINAL.pdf.
---------------------------------------------------------------------------

In March 2020, Congress reauthorized the USA FREEDOM Act, extending it through December 2023.\115\ Thus, there is the possibility that NSA could revive the CDR Program in the future. However, to do so, the NSA would have to obtain FISC orders authorizing the collection of CDRs, and the FISC--as it does in other contexts--could impose safeguards on CDR collection based on the past experience of the now-discontinued CDR Program.

---------------------------------------------------------------------------
    \115\ See USA FREEDOM Reauthorization Act of 2020, H.R. 6172, 116th Congress (May 14, 2020), available at: https://www.congress.gov/bill/116th-congress/house-bill/6172/text.
---------------------------------------------------------------------------

4. Updates to Oversight Safeguards.

My 2016 Testimony describes a comprehensive oversight system for foreign intelligence, including Senate and House intelligence committees, agency Inspectors General, Privacy and Civil Liberties offices in the agencies, and ongoing review by the independent Privacy and Civil Liberties Oversight Board.\116\ The structure of these oversight safeguards remains unchanged since 2016. This section briefly discusses updates occurring within the existing oversight framework: (a) PCLOB issuing its PPD-28 report, and (b) activities by Inspectors General.

---------------------------------------------------------------------------
    \116\ See Swire, supra note 2 at 3-26--3-34.
---------------------------------------------------------------------------

a.
PCLOB Issued its PPD-28 Report On October 16, 2018, PCLOB published its report on Presidential Policy Directive 28 (PPD-28) (the ``PPD-28 Report'').\117\ To produce the Report, PCLOB reviewed the PPD-28 targeting procedures of the CIA, NSA, and FBI, reviewed ODNI reports on changes to signals intelligence under PPD-28,\118\ took comments from the public and NGOs, and held classified briefings and discussions with IC elements. PCLOB found PPD- 28 resulted in greater memorialization and/or formalization of privacy protections that had inhered in existing practices.\119\ For example, prior to PPD-28, NSA had limited its uses of signals intelligence collected in bulk to the six permissible purposes listed in PPD-28 (such as espionage and threats to U.S. armed forces); PPD-28 resulted in these limitations being memorialized and codified.\120\ Additionally, PPD-28 resulted in extending protections previously reserved for U.S. persons to all individuals regardless of nationality. For example, NSA and CIA used PPD-28 procedures to refocus on protecting ``personal information of all individuals regardless of nationality.'' \121\ Similarly, NSA, CIA, and FBI minimization procedures now require that ``personal information of non-US persons shall only be retained if comparable information of U.S. persons may be retained pursuant to'' EO 12333.\122\ --------------------------------------------------------------------------- \117\ This report was issued on the basis of Section 5 PPD-28, which encouraged PCLOB to provide a report on any matters within PCLOB's mandate, such as the implementation of Executive Branch regulations or policies like PPD-28. See Privacy and Civil Liberties Bd., Report to the President on the Implementation of Presidential Policy Directive 28: Signals Intelligence Activities, (Oct. 
16, 2018), available at: https://documents.pclob.gov/prod/Documents/Oversight Report/16f31ea4-3536-43d6-ba51-b19f99c86589/PPD-28%20Report%20 (for%20FOIA%20Release ).pdf [hereinafter ``PCLOB PPD-28 Report'']. \118\ See Office of the Dir. of Nat'l Intelligence, A Status Report on the Development and Implementation of Procedures Under Presidential Policy Directive 28, (July 2014), available at: https://www.dni.gov/ files/documents/1017/PPD-28_Status_ Report_Oct_2014.pdf; See also Office of the Dir. of Nat'l Intelligence, 2016 Progress Report on Changes to Signals Intelligence Activities (Jan. 22, 2016), available at: https://www.intelligence.gov/index.php/ic-on-the-record-database/ results/12-odni-releases-2016-signals-intelligence-reform-progress- report. \119\ See generally PCLOB PPD-28 Report, supra note 117. \120\ See id. at 6. \121\ Id. at 6-7. \122\ Id. at 7-8. --------------------------------------------------------------------------- Based on its review, PCLOB issued four recommendations for PPD-28's implementation: 1) The National Security Council (NSC) and ODNI should issue criteria for determining which activities or types of data will be subject to PPD-28 requirements; 2) IC elements should consider both the mission and privacy implications of applying PPD-28 to multi-sourced systems; 3) NSC and ODNI should ensure that any IC elements obtaining first- time access to unevaluated signals intelligence update their PPD-28 use, retention and dissemination practices, procedures, and trainings before receiving such data; and 4) To the extent consistent with the protection of classified information, IC elements should promptly update their public PPD-28 procedures to reflect any pertinent future changes in practices and policy.\123\ --------------------------------------------------------------------------- \123\ See id. at 12-18. 
These recommendations were later reviewed by ODNI's Office of Civil Liberties, Privacy, and Transparency (CLPT) in an October 2018 report on the status of implementation of the PCLOB's PPD-28 Report.\124\ The CLPT found that the agencies had already implemented all four of these recommendations to the extent possible to maintain national security.\125\
---------------------------------------------------------------------------
    \124\ See Office of the Dir. of Nat'l Intelligence, Status of Implementation of PPD-28: Response to the PCLOB's Report, (Oct. 2018), available at: https://www.dni.gov/files/icotr/Status_of _PPD_28_Implementation_Response_to_PCLOB_Report_10_16_18.pdf [hereinafter ``CLPT PPD-28 Implementation Report''].
    \125\ See id.
---------------------------------------------------------------------------
b. Inspectors General
    My 2016 Testimony described Federal inspectors general (IGs) as an oversight component that provides a well-staffed and significant safeguard to ensure that Federal agencies comply with internal administrative privacy mandates, including exercising privacy watchdog responsibilities.\126\ Since my 2016 Testimony, as is widely known, the Department of Justice Inspector General issued a report on traditional FISA warrants issued in connection with an FBI investigation into a U.S. citizen associated with the Trump campaign;\127\ however, this report was not related to Section 702 or surveillance targeting non-US persons. The IG for the ODNI has continued to issue semiannual reports relating to the IC as a whole.\128\ The IGs for surveillance agencies have also issued semiannual reports to Congress,\129\ and have published on an ongoing basis reports on various investigations relating to intelligence agency activities.\130\
---------------------------------------------------------------------------
    \126\ See Swire, supra note 2 at 3-26--3-28.
\127\ See Office of the Inspector Gen., Review of Four FISA Applications and Other Aspects of the FBI's Crossfire Hurricane Investigation, US Dept. of Justice, (Dec. 2019), available at https:// www.justice.gov/storage/120919-examination.pdf \128\ See Office of the Dir. of Nat'l Intelligence, ICIG Semiannual Report, available at: https://www.dni.gov/index.php/who-we-are/ organizations/icig/icig-publications/icig-all-reports \129\ See, e.g., Office of the Inspector Gen., Semiannual Report to Congress, National Security Agency, (Oct. 1, 2019 to Mar. 31, 2020), available at: https://oig.nsa.gov/Portals/71/Reports/SAR/OCT- MAR%202020%20OIG%20SAR.pdf?ver=2020-09-02-094002-550 \130\ For a sample of reports from the NSA's Office of Inspector General, see, e.g., Office of the Inspector Gen. of the Nat'l Sec. Agency, OFFICE OF INSPECTOR GENERAL: REPORTS, available at: https:// oig.nsa.gov/reports/. --------------------------------------------------------------------------- 5. Updates to Transparency Safeguards. My 2016 Testimony discussed how, in the wake of the Snowden disclosures, the U.S. government focused on increasing transparency measures relating to U.S. surveillance, both for companies subject to orders and for government agencies that have requested orders.\131\ The transparency safeguards I identified in 2016 have remained in place, and continue to provide valuable information about how foreign intelligence surveillance is conducted by U.S. agencies. This section discusses transparency efforts since 2016: (a) additional releases of Statistical Transparency Reports, (b) continued corporate transparency reporting, (c) the creation of a second, text-searchable IC on the Record database, and (d) continued public release of declassified IC documents. --------------------------------------------------------------------------- \131\ See Swire, supra note 2 at 3-34--3-38. --------------------------------------------------------------------------- a. 
Additional Releases of Statistical Transparency Reports. As discussed in Section 2(e) above, ODNI produces annual Statistical Transparency Reports that cover the IC's use of multiple types of intelligence.\132\ Above, I discussed the numbers of Section 702 targets discussed in Statistical Transparency Reports. I note here that Statistical Transparency Reports go well beyond Section 702 and disclose statistics on the number of governmental requests made under other FISA foreign-intelligence authorities, including traditional individual FISA warrant authorities for electronic surveillance or physical searches, pen-register and trap-and-trace authorities, the ``business records'' authorities used to obtain Call Detail Records, and national security letter authorities. These reports also disclose the number of criminal proceedings in which a notice was provided that the government intended to use or disclose FISA-acquired information. The Statistical Transparency Report is also unique in that it explains the development of U.S. surveillance programs, limitations placed on programs by FISC, and even instances of the NSA discontinuing programs--such as the 2020 Statistical Transparency Report describing the NSA's decision to suspend the CDR Program.\133\ --------------------------------------------------------------------------- \132\ See generally Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2016, (Apr. 2017) available at: https:// www.dni.gov/files/icotr/ic_transparecy_report_cy2016_5_2_17.pdf; Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2017, (Apr. 2018) available at: https://www.dni.gov/files/documents/ icotr/2018-ASTR-CY2017FINAL-for-Release-5.4.18.pdf; Office of the Dir. 
of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2018, (Apr. 2019) available at: https://www.dni.gov/files/CLPT/documents/ 2019_ASTR_for_CY2018.pdf; Office of the Dir. of Nat'l Intelligence, Statistical Transparency Report: Regarding the use of National Security Authorities for Calendar Year 2019, (Apr. 2020) available at: https:// www.dni.gov/files/CLPT/documents/2020_ASTR_for_CY2019_FINAL.pdf.
    \133\ See 2019 Statistical Transparency Report, supra note 77 at 29--30.
---------------------------------------------------------------------------
b. Continued Corporate Transparency Reporting
    My 2016 Testimony highlighted corporate transparency reporting as an important transparency safeguard that arose shortly after the Snowden disclosures.\134\ Five leading U.S. technology companies (Facebook, Google, LinkedIn, Microsoft, and Yahoo!) filed suit with the FISC to gain rights to provide transparency reporting, resulting in a DOJ policy change permitting reporting on ranges of governmental foreign intelligence requests. The USA FREEDOM Act codified the right of companies to issue transparency reports.
---------------------------------------------------------------------------
    \134\ See Swire, supra note 2 at 3-37--3-39.
---------------------------------------------------------------------------
    Since my 2016 Testimony, corporate transparency reporting has continued as permitted under the USA Freedom Act, with large companies regularly publishing reports on government access requests.\135\ As in my 2016 Testimony, this Appendix examines the most recent transparency reports of Facebook and Google--the percentages of users whose records were accessed in the most recent six-month period are smaller than in 2016. In total, the number of customer accounts accessed by the U.S.
government for national security in the most recent time period is no more than (1) 118,997 \136\ for Facebook, out of approximately 2.5 billion\137\ active users per month; and (2) approximately 109,497 \138\ for Google, out of approximately 1.17 billion\139\ active users per month. The charts below, similar to the ones provided in my 2016 Testimony, reflect the current data above. --------------------------------------------------------------------------- \135\ See id. \136\ For the time period from July 2019-December 2019, Facebook received the following: 0-499 non-content requests (affecting the same number of accounts); 0-499 content requests (affecting between 117,000 and 117,499 accounts); and 0-499 national security letters (affecting the same number of accounts). See Facebook, United States Law Enforcement Requests for Data, Government Requests Report (2020), https://govtrequests.facebook.com/country/United%20 States/2015-H1. \137\ See Statista, Number of Monthly Active Facebook Users Worldwide as of 4th Quarter 2019 (2020), https://www.statista.com/ statistics/264810/number-of-monthly-active-facebook-users-worldwide/ #::text=With%20over%202.7%20billion%20monthly,the%20biggest%20social%20 net work%20worldwide. \138\ For the time period from January 2019-June 2019, Google received the following: 0-499 non-content requests (affecting the same number of accounts); 0-499 content requests (affecting between 107,000 and 107,499 accounts); and 500-999 national security letters (affecting between 1000 and 1499 accounts). See Google, Transparency Report-- United States (2020), https://transparencyreport.google.com/user-data/ us-national-security?hl=en. \139\ See Craig Smith, 365 Google Search Statistics and Much More (2020), Expanded Ramblings.com (Nov. 30, 2020), http://expandedramblings.com/index.php/ by-the-numbers-a-gigantic-list-of-google-stats-and-facts. 
---------------------------------------------------------------------------
    I make the following observation--these percentages are very, very small. Government surveillance requests are far from ``pervasive'' or ``unlimited,'' as some have suggested.

----------------------------------------------------------------------------------------------------------------
                               # of Users Accessed in                             Percentage based on
Facebook                       6 months                 Accounts Specified        Users Per Month
----------------------------------------------------------------------------------------------------------------
Non-Content Requests           0-499                    0-499                     .0000002%
Content Requests               0-499                    117,000-117,499           .000047%
National Security Letters      0-499                    500-999                   .0000004%
----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------
                               # of Users Accessed in                             Percentage based on
Google                         6 months                 Accounts Specified        Users Per Month
----------------------------------------------------------------------------------------------------------------
Non-Content Requests           0-499                    0-499                     .0000004%
Content Requests               0-499                    107,000-107,499           .00009%
National Security Letters      0-499                    1000-1499                 .0000012%
----------------------------------------------------------------------------------------------------------------

c. The Government Has Launched New Transparency Websites
    In 2013, the ODNI created ``IC on the Record,'' a website on which ODNI posts declassified documents relating to United States foreign intelligence surveillance practices. In doing so, the U.S.
government became the first government in the world to maintain a running repository of declassified documents from its foreign intelligence agencies and oversight organs.\140\ Since its appearance in 2013 and my 2016 Testimony, IC on the Record has accumulated a substantial amount of NSA internal records, FISC opinions, and other documents and records relating to foreign intelligence surveillance. The IC states that it has disclosed hundreds of documents comprising thousands of pages, including ``hundreds of documents relating to Section 702.'' \141\ --------------------------------------------------------------------------- \140\ See Swire, supra note 2 at 3-36--3-37. \141\ Office of the Dir. of Nat'l Intelligence, IC on the Record Guide to Posted Documents, Intel.Gov, (Oct. 2020), available at: https://www.intel.gov/ic-on-the-record/guide-to-posted-documents. --------------------------------------------------------------------------- Further, since 2016, the publicly-available online channels through which the public has access to intelligence-related documents and court decisions has increased. For one, the FISC maintains an online ``Public Filings'' database containing a substantial number of its declassified opinions and orders, which has added usefulness in being searchable by docket number.\142\ Second, ODNI has created ``Intel.gov,'' a new repository on an official IC website that creates the capability to conduct full text searches on all documents posted on IC on the Record.\143\ These resources make the transparency offered by the U.S. government significantly more actionable for researchers, civil-rights organizations, and civil society in monitoring how foreign intelligence surveillance is being conducted. --------------------------------------------------------------------------- \142\ See U.S. Foreign Intelligence Surveillance Ct., Public Filings--US Foreign Intelligence Surveillance Court, available at: https://www.fisc.uscourts.gov/public-filings. 
[hereinafter ``FISC Public Filings Website''].
    \143\ See Intel.gov, IC on the Record Database, available at: https://www.intel.gov/ic-on-the-record/guide-to-posted-documents [hereinafter ``Intel.gov''].
---------------------------------------------------------------------------
6. Updates to Executive Safeguards
a. Presidential Policy Directive 28 (PPD-28)
    My 2016 Testimony discussed Presidential Policy Directive 28 (PPD-28) as a significant new safeguard that creates an extensive system of privacy protection for signals intelligence activities involving non-US persons.\144\ Since my prior testimony, PPD-28 has remained unchanged in substance. As discussed above, PPD-28 has resulted in intelligence agencies codifying PPD-28 protections into targeting and minimization procedures governing their conduct of signals intelligence. More significantly, PPD-28 remained in place during the transition between the Obama and Trump administrations.\145\ The Biden administration is reportedly expected to continue or increase current protections under PPD-28.\146\ This demonstrates significant continuity among U.S. presidential administrations to maintain the United States' commitment to PPD-28 and the protections it offers to non-US persons.
---------------------------------------------------------------------------
    \144\ See Swire, supra note 2 at 3-41--3-46.
    \145\ See CLPT PPD-28 Implementation Report, supra note 124 at 4.
    \146\ See Kristen Bryan et al., Election 2020: Looking Forward to What a Biden Presidency May Mean for Data Privacy and Data Privacy Litigation, National Law Review, (Nov. 12, 2020), available at: https:/ /www.natlawreview.com/article/election-2020-looking-forward-to-what- biden -presidency-may-mean-data-privacy-and
---------------------------------------------------------------------------
b.
Privacy Shield My 2016 Testimony discussed Privacy Shield as a significant safeguard for the protection of data relating to EU citizens, since it introduced commitments from the U.S. government to provide remedies to EU citizens, to act promptly and effectively to address EU data protection concerns, and to subject compliance to an ongoing review process.\147\ After the Schrems II judgment, Secretary of Commerce Ross stated that the Department of Commerce would ``continue to administer the Privacy Shield program,'' and that the ECJ decision ``does not relieve participating organizations of their Privacy Shield obligations.'' \148\ This indicated the U.S. government continues to require Privacy Shield organizations to apply Privacy Shield protections to data received under the Shield until the data is deleted. --------------------------------------------------------------------------- \147\ See Swire, supra note 2 at 3-49. \148\ U.S. Dept. of Commerce, US Secretary of Commerce Wilbur Ross Statement on Schrems II Ruling and the Importance of EU-US Data Flows (July 16, 2020), available at https://www.commerce.gov/news/press- releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems- ii-ruling-and. --------------------------------------------------------------------------- 7. Updates to Foreign Intelligence Surveillance Court (FISC) Testimony. Chapter 5 of my 2016 Testimony contained an evaluation of the significant number of FISC opinions that had been declassified following the Snowden disclosures, in a number of cases at the FISC's own order. My assessment reached four primary conclusions: 1. The newly declassified FISC materials support the conclusion that the FISC today provides independent and effective oversight over U.S. government surveillance. 2. The FISC monitors compliance with its orders and has enforced with significant sanctions in cases of noncompliance. 3. 
In recent years, both the FISC on its own initiative and new legislation have greatly increased transparency. 4. The FISC now receives and will continue to benefit from briefing by parties other than the Department of Justice in important cases. Since my prior testimony, additional FISC opinions have been published, but I am not aware of any reason to alter these conclusions. This section briefly describes updates that have occurred since 2016 and support the above conclusions: (a) FISC decisions continue to be declassified and published; (b) the FISC and FISA Court of Review have issued further decisions in ACLU litigation discussed in my prior Testimony; and (c) FISC transparency statistics continue to show FISC exercising considerable oversight over government surveillance applications. a. New and Significant FISC Opinions Continue to be Declassified and Published The transparency in regard to FISC opinions that I discussed in my 2016 Testimony has continued to the present. Opinions have been published under the USA FREEDOM Act's requirement to publish every FISC ``decision, order, or opinion'' that contains ``a significant construction or interpretation of any provision of law'' to the greatest practicable extent.\149\ Others have been published in connection with litigation pursued by civil-rights organizations.\150\ On the whole, a considerable quantity of FISC opinions have been published and can be accessed through IC on the Record,\151\ the FISC's own ``Public Filings'' website,\152\ and in text-searchable form on the Intel.gov repository.\153\ --------------------------------------------------------------------------- \149\ 50 U.S.C. Sec. 1872. 
\150\ See, e.g., IC on the record, Release of the FISC Opinion Approving the 2016 Section 702 Certifications and Other Related Documents (May 11, 2017), available at: https://icontherecord .tumblr.com/post/160561655023/release-of-the-fisc-opinion-approving- the-2016 (listing ``Other FISA Section 702 and Related Documents'' produced in response to Freedom of Information Act litigation). \151\ See IC on the record, available at: https:// icontherecord.tumblr.com/. \152\ See FISC Public Filings Website., supra note 142. \153\ See Intel.gov, supra note 143. --------------------------------------------------------------------------- b. Updates to ACLU Litigation Discussed in Prior Testimony My 2016 Testimony discussed litigation brought by the ACLU following the Snowden disclosures in which the ACLU requested that FISC publish its opinions authorizing the bulk telephone records program under Section 215.\154\ The FISC found that the ACLU had Article III standing to seek publication of FISC opinions, and ordered the publication of certain Section 215 program authorizations. Since my 2016 Testimony, the FISA Court of Review confirmed that the ACLU and similar public-interest organizations have Article III standing to bring petitions for publication of FISC opinions.\155\ However, in a subsequent decision, FISCR held that the FISC does not have subject- matter jurisdiction to hear challenges by public-interest organizations to the withholding of redacted, nonpublic materials in those opinions.\156\ --------------------------------------------------------------------------- \154\ See Swire, supra note 2 at 5-39--5-41. \155\ See In Re: Certification of Questions of Law to the Foreign Intelligence Surveillance Court of Review, No. 18-01 (F.I.S.C. Mar. 16, 2018), https://www.fisc.uscourts.gov/sites/default/files/FISCR%2018- 01%20Opinion%20March%2016%202018.pdf. 
\156\ See In re Opinions & Orders by the FISC Addressing Bulk Collection of Data Under the Foreign Intelligence Surveillance Act, No. 18-02 (F.I.S.A. Ct. Rev. Mar. 24, 2020), available at: https:// www.fisc.uscourts.gov/sites/default/files/ FISCR%2020%2001%20Opinion%20200424.pdf.
---------------------------------------------------------------------------
c. FISC Transparency Statistics
    My 2016 Testimony assessed a description of the FISC, in the wake of the Snowden disclosures, as a ``rubber stamp'' for government surveillance requests.\157\ The FISC itself had disputed this characterization, stating in a letter to the Senate that ``24.4 percent of matters submitted ultimately involved substantive changes to the information provided by the government or to the authorities granted as a result of Court inquiry or action.'' \158\ The USA FREEDOM Act permitted the Administrative Office of U.S. Courts to issue new statistics on FISC practice that--unlike prior DOJ reporting--did not merely state the number of applications that FISC had denied in full, but rather accounted for all applications that FISC procedures significantly modified, denied in part, or denied in full.\159\ This reporting enabled a more complete view of the extent to which FISC subjects government surveillance requests to scrutiny resulting in changes or denial. My 2016 Testimony evaluated the first of these new FISC reports and found that ``the FISC either rejected or modified just over 17 percent of all surveillance applications it received in the latter half of 2015.'' \160\
---------------------------------------------------------------------------
    \157\ Swire, supra note 2 at 5-9--5-18.
    \158\ Letter dated July 29, 2013 from Reggie B. Walton, FISC Chief Judge, to Patrick J. Leahy, Chairman of the U.S. Senate Judiciary Committee 2, http://www.fisc.uscourts.gov/sites/default/files/ Correspondence%20Grassley-1.pdf.
    \159\ See Swire, supra note 2 at 5-43--5-48.
    \160\ Id. at 5-14--5-17.
--------------------------------------------------------------------------- Since 2016, the FISC has continued to publish its statistics on the number of applications and certifications for surveillance it modifies or denies.\161\ These reports show the FISC modifying or denying a greater percentage of governmental surveillance requests than it did during my prior review. The following table summarizes the FISC statistics for each year since my 2016 Testimony: --------------------------------------------------------------------------- \161\ See U.S. Courts, Director's Report on Foreign Intelligence Surveillance Courts' Activities, available at https://www.uscourts.gov/ statistics-reports/analysis-reports/directors-report-foreign -intelligence-surveillance-courts. \162\ Admin. Office of U.S. Cts., Report of the Director of the Administrative Office of the U.S. Courts on Activities of the Foreign Intelligence Surveillance Courts for 2017, 4, (Apr. 25, 2018), available at https://www.uscourts.gov/sites/default/files/ ao_foreign_int_surveillance_court_an nual_report_2017.pdf \163\ Admin. Office of U.S. Cts., Report of the Director of the Administrative Office of the U.S. Courts on Activities of the Foreign Intelligence Surveillance Courts for 2018, 4, (Apr. 25, 2019), available at https://www.uscourts.gov/ sites/default/files/fisc_annual_ report_2018_0.pdf. \164\ Admin. Office of U.S. Cts., Report of the Director of the Administrative Office of the U.S. Courts on Activities of the Foreign Intelligence Surveillance Courts for 2019, 4, (Apr. 27, 2020), available at https://www.uscourts.gov/sites/default/files/ fisc_annual_report_2019_0.pdf. 
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                  Sum of Total Number
                  Total Number of     Total Number of     Total Number of         of Applications          Total Number of         Percentage of
Year              Applications        Applications        Applications            Modified, Denied in      Applications and        Applications
                  Modified            Denied in Part      Denied                  Part, and Denied by      Certifications          Modified or Denied
                                                                                  FISC
--------------------------------------------------------------------------------------------------------------------------------------------------------
2017\162\         391                 50                  26                      467                      1,614                   29%
2018\163\         261                 42                  30                      333                      1,318                   25%
2019\164\         234                 38                  20                      292                      1,010                   29%
--------------------------------------------------------------------------------------------------------------------------------------------------------

8. Updates to Surveillance-Related Standing Cases
    My 2016 Testimony briefly discussed the role that Article III standing may play in attempts to challenge surveillance programs before U.S. courts.\165\ This section briefly describes the state of select U.S. cases seeking court review of surveillance programs.
---------------------------------------------------------------------------
    \165\ See Swire, supra note 2 at 5-9--5-10.
---------------------------------------------------------------------------
    a. Civil Challenges--The two primary attempts to file a civil challenge to Section 702 programs are both actively appealing dismissals on standing grounds.\166\ In each case, the plaintiffs were granted discovery to prove they had standing and proffered either documents or experts as evidence. However, both suits were ultimately dismissed on standing grounds because plaintiffs could not show a significant probability, or show evidence the government would authenticate, that the plaintiffs' communications had been affected by 702 programs or their predecessors. My understanding is that both proceedings are currently on appeal to a Federal circuit court.
---------------------------------------------------------------------------
\166\ See Jewel v. NSA, No. C 08-04373, 2019 U.S. Dist. LEXIS 217140 (N.D. Cal. 2019); Wikimedia Found. v. NSA/Central Sec. Serv., 427 F. Supp. 3d 582 (D. Md. 2019).
---------------------------------------------------------------------------
b. Challenges in Criminal Cases--In at least two criminal cases, defendants have asserted challenges to the constitutionality and lawfulness of Section 702 programs when 702-obtained evidence was proffered against them.\167\ The challenges have been heard and adjudicated, in each instance with Section 702 programs being found lawful. In each instance, the defendant was a U.S. person whose communications had been incidentally collected via 702 programs. In both cases, the lawfulness of incidentally acquiring communications of U.S. persons via Section 702 programs was affirmed at the appellate level.\168\ In one case, following this appellate finding, the case was remanded to the district court to evaluate whether any querying of databases containing such incidentally-acquired Section 702 information by the government was constitutional.\169\
---------------------------------------------------------------------------
\167\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018); U.S. v. Mohamud, 843 F.3d 420 (9th Cir. 2016).
\168\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018); U.S. v. Mohamud, 843 F.3d 420 (9th Cir. 2016).
\169\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018) (finding that incidental acquisition of U.S. person communications through Section 702 is lawful, but remanding to district court to determine if querying of databases containing 702-acquired information by the government occurred and if so, whether it violated the defendant's constitutional rights).
---------------------------------------------------------------------------
______

Annex to Swire Testimony: Acronyms used in this Appendix

ACLU         American Civil Liberties Union
AG           Attorney General
DNI          U.S. Director of National Intelligence
DOD          U.S. Department of Defense
DOJ          U.S. Department of Justice
DOJ NSD      U.S. Department of Justice, National Security Division
EU           European Union
FBI          U.S. Federal Bureau of Investigation
FISA         Foreign Intelligence Surveillance Act
FISC         U.S. Foreign Intelligence Surveillance Court
FISCR        U.S. Foreign Intelligence Surveillance Court of Review
FTC          U.S. Federal Trade Commission
IC           U.S. Intelligence Community
IG           Inspector General
ISP          Internet Service Provider
MCT          Multiple Communication Transactions
NSA          U.S. National Security Agency
NSD          National Security Division
NSL          National Security Letters
OCR          U.S. Department of Health and Human Services Office for Civil Rights
ODNI         U.S. Office of the Director of National Intelligence
OIG          U.S. Office of the Inspector General
PCLOB        Privacy and Civil Liberties Oversight Board
PPD          Presidential Policy Directive
SIGINT       Signals Intelligence
US           United States of America
USA FREEDOM  Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring
USA PATRIOT  Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

The Chairman. Well, thank you very much. And yes, indeed, if there was ever a bipartisan committee, it is this Senate committee. So now we turn to Neil Richards. And Professor Richards is appearing remotely. Do we have a good connection? Alright, good, can you hear us?

Mr. Richards. I can. Can you hear me, sir?

The Chairman. You bet. You are recognized for 5 minutes to summarize your testimony, more or less----

STATEMENT OF PROF. NEIL M. RICHARDS, KOCH DISTINGUISHED PROFESSOR IN LAW; DIRECTOR, CORDELL INSTITUTE FOR POLICY IN MEDICINE AND LAW, WASHINGTON UNIVERSITY IN ST. LOUIS

Mr. Richards. Thank you, Mr. Chairman. Chairman Wicker, Ranking Member--hopefully less, sir. Chairman Wicker, Ranking Member Cantwell and other distinguished members of this committee, thank you for the opportunity to testify at this important hearing.
My name is Neil Richards and I am the Koch Distinguished Professor of Law at Washington University in St. Louis where I also co-Direct the Cordell Institute for Policy, Medicine and Law. I am here as an expert on privacy, like my friend Professor Swire. I was also an independent expert witness in Schrems II, in my case for the Data Protection Commissioner of Ireland. The opinions I offer today, however, are my own, and I would like to make three points in my opening remarks.

First, the Schrems litigation is a creature of distrust. This distrust comes from the inadequacy of existing Federal privacy safeguards, rights, and remedies, and also, as other panelists have mentioned, from Edward Snowden's 2013 surveillance revelations that led Mr. Schrems to sue in the first place. Two dimensions of the Schrems II holding are of paramount importance to Congress as it confronts privacy reform. One is that any successor to the Privacy Shield will require Congress to enact surveillance reform that limits the scope of surveillance and provides meaningful and binding individual remedies to challenge illegality. The other consequence of Schrems II is of particular relevance to this committee. U.S. privacy laws are not yet sufficient to meet EU law's cross-border requirements of adequacy, which is to say that U.S. privacy laws do not yet offer protections of personal data held by companies that are essentially equivalent to those in the EU. This matters because adequacy will let EU data flow from Ireland to the U.S. as easily as it can currently flow from Germany to France. Adequacy would make second-best mechanisms like the model contractual clauses and the Privacy Shield arrangements unnecessary.

This leads us to my second main point regarding this committee's bipartisan work on consumer privacy reform, which I believe can solve some of the challenges for data flows and privacy law raised by Schrems II.
Comprehensive consumer privacy reform from this committee, coupled with Federal surveillance reform, could result not just in another second-best international data transfer agreement, but in an adequacy determination by the European Commission. Under the GDPR, adequacy requires essential equivalence to EU protections, including the rule of law and respect for privacy as a fundamental right in commercial and surveillance contexts. The ECJ in Schrems II specified three factors as most important here. First, appropriate safeguards. Second, enforceable rights. And third, effective legal remedies. These principles are necessary for cross-border transfers and for adequacy. They would also, I believe, be a good roadmap for American consumer privacy reform.

This committee has already generated draft bills that go a good way toward meeting some of these requirements. For example, the draft bill introduced by Senator Cantwell would provide a variety of rights similar to and potentially essentially equivalent to those in the GDPR. Critically, the Cantwell bill also includes a private right of action for consumers who are injured by unlawful data processing, something that the challenge of Schrems II seems to require. I am also a fan of Senator Schatz's Data Care Act, and the approach of Title II of Chairman Wicker's SAFE DATA Act, which has provisions for algorithmic bias detection, data broker registration, filter bubble transparency, and, critically, abusive trade practices stemming from manipulated interface design.

Third, and finally, there is a better way forward than our status quo of distrust. In a series of published papers, Professor Woodrow Hartzog and I have sought to identify the factors that could get us beyond the dangerous fictions of notice and choice, or even of control-based privacy regulation, and use privacy law to create value for companies as well as protecting consumers.
Our trust research indicates that companies who seek trust must be honest, they must be discreet, they must be protective, and they must be loyal. And that where the market provides insufficient incentives, the law can help. In a draft article, we have also articulated a duty of loyalty to privacy law, a duty that actually bears some similarities to Title II of the Wicker bill.

In sum, the Schrems litigation is a creature of distrust. It has created problems for American law and commerce, but it has also created a great opportunity. That opportunity lies before this committee, the chance to regain American leadership in global privacy and data protection by passing a comprehensive law that provides appropriate safeguards, enforceable rights, and effective legal remedies for consumers. Passing such a law would not just safeguard the ability to share personal data across the Atlantic. If done right, it will build trust between the United States and our European trading partners and between American companies and the European and American customers. The way forward requires us to recognize that strong, clear, trust building rules aren't hostile to business interests. That we need to preserve effective consumer remedies and State level regulatory innovation. And that we should seriously consider some kind of duty of loyalty. In that direction, I believe, lies not just consumer protection, but international cooperation and economic prosperity. Thank you.

[The prepared statement of Mr. Richards follows:]

Prepared Statement of Prof. Neil M. Richards, Koch Distinguished Professor in Law, Director, Cordell Institute for Policy in Medicine & Law, Washington University in St. Louis

Chairman Wicker, Ranking Member Cantwell, and other distinguished Members of this Committee, thank you for the opportunity to testify at this important hearing examining the future of trans-Atlantic data flows and of American privacy law in light of the European Court of Justice's invalidation of the Privacy Shield arrangement in the Schrems 2 case.\1\ My name is Neil Richards, and I am the Koch Distinguished Professor in Law at Washington University in St. Louis, where I also co-Direct the Cordell Institute for Policy in Medicine and Law. I am here as an expert in privacy law, which I have studied, taught, written about, and practiced for the past two decades. I was also asked by the Data Protection Commissioner of Ireland to serve as one of her independent experts in U.S. law in Schrems 2, alongside Mr. Andrew Serwin, a distinguished privacy lawyer now with the firm of DLA Piper. The opinions I offer today are my own. They are not necessarily those of either the Irish Data Protection Commissioner or Washington University in St. Louis.
---------------------------------------------------------------------------
\1\ C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd., http://curia.europa.eu/juris/document/document.jsf?docid=228677&mode=req&pageIndex=1&dir=&occ=rst&part=1&text=&doclang=EN&cid=10716034 (hereinafter ``Schrems 2'').
---------------------------------------------------------------------------
As someone who has followed technology and privacy policy closely since the 1990s, I am deeply encouraged that Congress--and particularly this Committee under Senator Wicker's and Senator Cantwell's leadership--is taking seriously the urgent need for comprehensive, reasonable, but consumer protective information privacy legislation.
This is something that in my opinion is long overdue--Congress came close to passing such a law in 1974, but failed to reach an agreement on private sector data because of concerns about its effect on industry.\2\ As we know all too well, this is a pattern that has repeated itself all too often over the past fifty years. It is my fervent hope that this time will be different, and that Congress will not just pass a comprehensive privacy bill, but one that gets it right, that provides clear but substantive rules for companies, and which provides adequate protections and effective remedies for consumers. A law that meets these features will not just protect consumers--it will be good for business as well, by helping enable transatlantic data flows and building the consumer trust that is essential for long-term sustainable economic prosperity for all.
---------------------------------------------------------------------------
\2\ E.g., Sarah E. Igo, The Known Citizen: A History of Privacy in Modern America 257-61 (2018); Lawrence Cappello, None of Your Damn Business: Privacy in the United States from the Gilded Age to the Digital Age 200-03 (2019).
---------------------------------------------------------------------------
In awareness of the limited time I have for these opening remarks, I would like to offer three observations. First, I will explain what I understand the judgment in Schrems 2 to require, with particular emphasis on factors within the jurisdiction of this Committee. Second, I will illustrate some ways in which this Committee's work can solve some of the challenges for data flows and privacy law that the Schrems 2 judgment raises or illustrates. Third, I will argue that this Committee should pass a strong privacy law that builds the consumer trust that is so essential to sustainable and profitable commerce.

I. The Schrems 2 Case

Privacy is a human right recognized around the world and here in the United States.
Protections for privacy run throughout our Constitution, and the ``reasonable expectation of privacy'' test is at the core of our Fourth Amendment protections against unreasonable searches and seizures.\3\ As the Supreme Court recognized in the Carpenter decision two years ago, these constitutional privacy protections extend to significant categories of human information that are held on our behalf by private companies.\4\ In 1974, when it passed the Privacy Act, Congress recognized that ``privacy is a personal and fundamental right.'' \5\ Nevertheless, to date, both Congress and the state legislatures have insufficiently protected information privacy against private actors, particularly in the digital context.
---------------------------------------------------------------------------
\3\ E.g., Griswold v. Connecticut, 381 U.S. 479 (1965); Katz v. United States, 389 U.S. 347 (1967); Riley v. California, 573 U.S. 373 (2014).
\4\ Carpenter v. United States, 585 U.S. ___; 138 S. Ct. 2206 (2018).
\5\ Privacy Act of 1974, Sec. 2(a)(4), P.L. 95-579.
---------------------------------------------------------------------------
Under European law, both privacy and data protection are fundamental rights expressly protected by the European Charter of Fundamental Rights and Freedoms.\6\ In the European Union (EU), the government is required to protect fundamental rights (including privacy rights) against both public and private actors. Consequently, privacy and data protection are specifically protected in the EU by its General Data Protection Regulation or ``GDPR.'' \7\ As relevant to this hearing, the GDPR does two things. First, it regularizes and limits the collection and processing of personal data by private actors, including companies.\8\ Second, it places limitations on the ability of EU personal data to leave the EU, such as when U.S.
tech companies use EU data to fulfill search or GPS requests, store it in the cloud, or use it for HR purposes.\9\ In an ideal case, the GDPR allows the personal data of Europeans to flow to a country whose privacy law has been deemed ``adequate.'' \10\ But American privacy law has never been deemed ``adequate,'' in large part because America lacks a comprehensive, protective privacy law that allows people to enforce their privacy rights against companies as well as the government.\11\ As a result, the legality of the trans-Atlantic data trade has been based upon a set of mechanisms that are second-best--including the model contracts and international executive agreements like the Safe Harbor and Privacy Shield at issue in the Schrems litigation.
---------------------------------------------------------------------------
\6\ Charter of Fundamental Rights of the European Union: 2010 O.J. (C83) 389. Proclaimed by the Commission, 7 December 2000. Proclamation and text at 2000 O.J. (C364) 1.
\7\ See Commission Regulation 2016/679, 2016 O.J. (L 119) 1 (EU) (providing the new GDPR).
\8\ Chris Jay Hoofnagle, Bart van der Sloot & Frederik Zuiderveen Borgesius, The European Union general data protection regulation: what it is and what it means, 28:1 Info. & Comms. Tech. L. 65 (2019).
\9\ See Paul M. Schwartz & Karl-Niklaus Peifer, Transatlantic Data Privacy, 106 Geo. L. J. 115, 130-31 (2017).
\10\ GDPR Art. 45.
\11\ Paul M. Schwartz & Karl-Niklaus Peifer, Transatlantic Data Privacy, 106 Geo. L. J. 115, 158-61 (2017).
---------------------------------------------------------------------------
The Schrems litigation is a creature of the costly distrust produced by inadequate Federal privacy laws, protections, and remedies against both government and corporate surveillance. The first Schrems decision of 2015 invalidated the Safe Harbor Agreement based upon the revelations about U.S.
surveillance practices by Edward Snowden.\12\ This was replaced by the Privacy Shield Agreement, the legality of which was a key issue in the Schrems 2 litigation. This past July, the European Court of Justice ruled in Schrems 2, striking down the Privacy Shield and casting doubt on the mechanism of the standard contractual clauses as a means of transfer to the US.\13\ Because the United States has not been deemed to have an ``adequate'' level of privacy protections, EU Data Protection regulators are now able to suspend transfers of EU personal data to the United States. Indeed, the Irish Data Protection Commissioner has already initiated such proceedings against Facebook, the American company at issue in the Schrems litigation.\14\
---------------------------------------------------------------------------
\12\ Case C-362/14, Schrems v. Data Prot. Comm'r, 2015 E.C.R. 650,191 (Oct. 6, 2015).
\13\ See Schrems 2 at pp. 61-62.
\14\ See Shane Phelan & Adrian Weckler, Facebook in legal battle over order from regulator to halt data transfer to United States, The Irish Independent, Sept. 12, 2020, https://www.independent.ie/business/technology/facebook-in-legal-battle-over-order-from-regulator-to-halt-data-transfer-to-united-states-39524581.html.
---------------------------------------------------------------------------
Two dimensions of the Schrems 2 holding are of paramount importance to Congress as it confronts privacy reform. The first is that any successor to the Privacy Shield would seem to require Congress to enact surveillance reform. The European Courts are particularly concerned that EU citizens whose data is exported to the United States lack meaningful remedies to challenge the legality of the ways that their data may be processed, and the ways in which it may be accessed (particularly in bulk) by the U.S.
Intelligence Community.\15\ In particular, the European Court of Justice found in Schrems 2 that the principal defect of the Privacy Shield mechanism was that it failed to offer a binding legal remedy for violations of EU fundamental data protection rights. The Privacy Shield did not allow EU citizens to sue the U.S. government for violations of their rights, but it did create an ``Ombudsperson'' mechanism within the U.S. State Department, who could act as a kind of complaints desk and investigator. As the European Court of Justice put it, however, ``there is nothing [ ] to indicate that [the Privacy Shield] ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely. . . . Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.'' \16\
---------------------------------------------------------------------------
\15\ Schrems 2, 65, 187, 194.
\16\ Schrems 2 196-97.
---------------------------------------------------------------------------
The second dimension of the Schrems 2 decision of relevance to Congress--and of particular relevance to this Committee--is that U.S. privacy laws are not yet ``adequate,'' which is to say that they do not yet offer protections for personal data held by companies that are ``essentially equivalent'' to those in the EU. This matters because ``adequacy'' would let the U.S. be treated essentially as a part of Europe for purposes of EU data flow restrictions. If the U.S.
were to be deemed to have an ``adequate'' level of data protection, then ``second-best'' mechanisms like the model contractual clauses and Privacy Shield arrangements would become unnecessary. While I understand the kinds of surveillance reforms necessitated by the first dimension of the Schrems 2 judgment to be more appropriately part of the Senate Judiciary Committee's and Senate Intelligence Committee's jurisdictions, the consumer privacy reforms suggested by the second dimension of the judgment are not merely part of this Committee's jurisdiction, but would seem to me to fall squarely within the bipartisan comprehensive consumer privacy reform project that the Committee has already embarked upon. It is to that issue that I will now turn.

II. Surveillance and Consumer Privacy Reform After Schrems 2

As Congress considers comprehensive consumer privacy reform, that reform effort will inevitably intersect with the cross-border data transfer issue raised by the Schrems litigation and the invalidation of both the Safe Harbor and Privacy Shield arrangements. To solve the problem of trans-Atlantic data transfers and the GDPR, there are essentially three options. First, the United States could do nothing. This would devastate the lucrative and commerce-enhancing trans-Atlantic data trade and result in so-called ``data localization,'' which would require U.S. companies to build expensive data centers in Europe, and process EU citizens' data there at a significant competitive disadvantage to their international competitors. The second option would be for the Executive Branch to negotiate a third, more-protective version of Safe Harbor/Privacy Shield, which would undoubtedly result in uncertainty as an inevitable ``Schrems 3'' challenge rumbled slowly through the Irish and European Courts once again.
While it is impossible to perfectly anticipate the results of such a lawsuit, I can say with confidence that without substantial surveillance and consumer privacy reform, the litigation would be likely to end up being invalidated on similar grounds to the Safe Harbor Agreement struck down in Schrems 1 and the Privacy Shield Agreement struck down in Schrems 2.

But there is a third way. Comprehensive consumer privacy reform from this Committee, coupled with Federal surveillance reform could result not just in another second-best international data transfer agreement, but in an adequacy determination by the European Commission. In fact, the Schrems 2 judgment points the way towards such an outcome. As the European Court of Justice explained in that case, Article 45(1) of the GDPR permits the European Commission to determine that the U.S. could have an ``adequate level of protection.'' The European Court of Justice explains further that ``the term `adequate level of protection' must, as confirmed by recital 104 of [the GDPR], be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter.'' \17\ Article 45 of the GDPR explains this requirement in further detail by explaining that adequacy requires an inquiry into
---------------------------------------------------------------------------
\17\ Schrems 2 94 (citing GDPR Art. 45, GDPR Recital 104).
---------------------------------------------------------------------------
    (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

    (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

    (c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.\18\
---------------------------------------------------------------------------
\18\ GDPR Art. 45(2).
---------------------------------------------------------------------------
It is a tremendous (and to my mind disappointing) irony that, even though the Privacy Shield was struck down as insufficient, the privacy protections against commercial processing offered to EU citizens whose data was protected by Privacy Shield were substantially greater than those extended to American citizens under U.S. law. Yet even if the United States does not seek or achieve an adequacy determination from the European Commission, the level of privacy protection given to personal data in the United States is still relevant to the sustainability of both the model contract mechanism for data transfers and any future, hypothetical ``Privacy Shield 2.'' This is because, as the Schrems 2 judgment explains, transfers under the second-best option of model contracts or Privacy Shield-type agreements will still require an inquiry into something very much like the adequacy of data protection rights available in the United States.\19\ The European Court of Justice specified these requirements clearly as being (1) appropriate safeguards, (2) enforceable rights, and (3) effective legal remedies.\20\ A few additional observations about what these requirements would mean in practice are warranted, because I think they offer not just a guide to compliance with the GDPR, but also a good road map for U.S. privacy reform.
As I understand these concepts, ``appropriate safeguards'' means that personal information will be processed in ways that are lawful, appropriate, accurate, secure, and not in ways that harm, expose, mislead, misinform, or manipulate American consumers.\21\ ``Enforceable rights'' means that consumers can make claims against companies regarding how their data is collected, used, and disclosed, whether we are talking about rights of access and correction, rights to prevent the sale or transfer of data for purposes unrelated to the reasons the data was collected in the first place, the placement of duties of care, loyalty, and confidentiality on companies, or independent oversight of commercial uses of data by the FTC or a new independent data protection agency. Finally, ``effective legal remedies'' means that where consumers have legal rights, they can actually vindicate those rights in court, which means private rights of action (whether for damages or injunctive relief) that are not bogged down by excessive administrative exhaustion requirements, corporate mens rea requirements, broad statutory defenses and safe harbors, or the difficulties of navigating standing doctrine.
---------------------------------------------------------------------------
\19\ Schrems 2 104 (``The assessment required for that purpose in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country. As regards the latter, the factors to be taken into consideration in the context of Article 46 of that regulation correspond to those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.''); GDPR Art. 46(1) (``In the absence of [an adequacy] a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.'').
\20\ Schrems 2 103.
\21\ See Woodrow Hartzog & Neil Richards, Privacy's Constitutional Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687 (2020) (suggesting a range of safeguards for American privacy law).
---------------------------------------------------------------------------
This Committee has already generated draft bills that go a good way towards meeting some of these requirements. For example, Senate Bill 2968, The Consumer Online Privacy Rights Act introduced by Sen. Cantwell, would provide a variety of rights similar (and potentially ``essentially equivalent'') to those in the GDPR, like rights of access, deletion, and correction, data minimization, data security requirements to avoid harming consumers, and algorithmic impact assessments.\22\ The bill would also provide a private right of action for consumers injured by unlawful data processing, something that the challenge of Schrems 2 seems to require.\23\ Senate Bill 2961, The Data Care Act introduced by Sen.
Schatz, is a bold and farsighted statute that would place duties of care, confidentiality and loyalty on companies that collect personal data as part of interstate commerce, along with an expansion of FTC and state enforcement authority.\24\ I am also a fan of some of the provisions of Title II of Senate Bill 4626, The Safe Data Act introduced by Chairman Wicker, which has provisions for algorithmic bias detection, data broker registration, filter bubble transparency, and, critically, abusive trade practices stemming from manipulative interface design.\25\
---------------------------------------------------------------------------
\22\ S. 2968, 116th Cong. 1st Sess. (Dec. 3, 2019).
\23\ See id. tit. III.
\24\ S. 2961, 116th Cong. 1st Sess. (Dec. 2, 2019).
\25\ S. 4626, 116th Cong. 2d Sess. (Sept. 17, 2020).
---------------------------------------------------------------------------
These three factors--appropriate safeguards, enforceable rights, and effective legal remedies--are helpful guidelines as this Committee goes about its work. They will be important regardless of whether this Committee seeks an adequacy determination from the European Commission to permit American companies to participate in the trans-Atlantic data trade, whether this Committee wants to avoid another Schrems 1 or Schrems 2, whether this Committee wants to give American consumers equivalent protection under American law to that which EU consumers received under the Privacy Shield, or whether this Committee merely wants to pass a meaningful consumer privacy protection bill that protects American consumers and provides clear but meaningful protective guard rails for companies to stay within as part of the digital economy. With respect to this process going forward, however, let me be clear about three essential features that I believe consumer privacy reform in the United States must recognize.
First, the model of ``notice and choice'' under which the United States has regulated privacy for the past twenty-five years has been an unmitigated disaster. Constructive ``notice'' through privacy policies and fictitious ``choice'' through limited opt-outs have created both an illusion of consumer control and enabled largely unrestricted data aggregation.\26\ Our law has not given consumers control; it has instead left them largely defenseless and able to be tracked, sorted, harmed, discriminated against, marketed to, ideologically polarized, and manipulated by private companies. Any meaningful privacy reform that is ``consumer protective'' in anything more than name, must place substantive limits on the ability of companies to collect, use, and sell personal data without meaningful constraint.\27\ --------------------------------------------------------------------------- \26\ See, e.g., Neil Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law 19 Stan. Tech. L. Rev. 431 (2016); Neil Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96 WASH. U. L. REV. 1461, 1463 (2019); Woodrow Hartzog & Neil Richards, Privacy's Constitutional Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687 (2020). \27\ See, e.g., Neil Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law 19 Stan. Tech. L. Rev. 431 (2016); Neil Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96 WASH. U. L. REV. 1461, 1463 (2019); Woodrow Hartzog & Neil Richards, Privacy's Constitutional Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687 (2020). --------------------------------------------------------------------------- Second, as the European Court of Justice recognized, private rights of action are an essential tool for vindicating legal rights. America's next-generation privacy law should not authorize ``gotcha'' private claims, or massively aggregated class action suits that risk ruinous liability for technical violations. 
But it should provide what the European Court of Justice calls both enforceable rights and effective legal remedies, even if such remedies offer in some cases ``merely'' effective injunctive relief to prevent violations. Third, and finally, I have concerns about bills that are broadly pre-emptive of state causes of action. State legislatures and state attorneys general have often valiantly protected consumer privacy rights in the digital age in the absence of a general Federal privacy law.\28\ They have invented new and needed legal protections like data breach notification laws, which have spread throughout the country and around the world.\29\ The great American jurist Louis Brandeis famously referred to state regulatory experimentation as our ``laboratories of democracy,'' \30\ and in this time of uncertainty and rapid technological change, we should be reluctant to deprive ourselves of this opportunity for regulatory innovation. Moreover, where state private causes of action like negligence or the privacy torts are sometimes the only form of relief available to plaintiffs, I believe that it would be unwise for a Federal law to pre-empt state causes of action, at least without providing equivalent Federal protections. --------------------------------------------------------------------------- \28\ See Danielle K. Citron, The Privacy Policymaking of State Attorneys General, 92 Notre Dame L. Rev. 747 (2017). \29\ California passed the first data breach notification law in 2012. See Cal. Civ. Code Sec. Sec. 1798.29, .82, .84 (2012). Today, not only do state data breach laws apply across the United States, but Federal laws like the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes- Oxley Act also contain notification requirements, and even the GDPR has incorporated this American legal invention into its comprehensive regulatory scheme. See 16 C.F.R. Sec. 682.3(a); 45 C.F.R. Sec. Sec. 
164.308-.314; 16 C.F.R. Sec. Sec. 314.3-314.4; Alaska Stat. Sec. 45.48.010 et seq. (2007); Ariz. Rev. Stat. Sec. 44-7501 (2013); Ark. Code Sec. 4-110-101 et seq. (2004); Cal Civ. Code Sec. Sec. 1798.29, .82, .84 (2012); Colo. Rev. Stat. Sec. 6-1-716 (2002); Conn. Gen. Stat. Sec. 36a-701b (2011); Del. Code Tit. 6, Sec. 12b-101 et seq. (2011); Fla. Stat. Sec. Sec. 501.171, 282.0041, 282.318(2)(I) (2010); Ga. Code Sec. Sec. 10-1-910, -911, -912 Sec. 46- 5-214 (West); Haw. Rev. Stat. Sec. 487n-1 et seq.(2008); Idaho Stat. Sec. Sec. 28-51-104 To -107 (2008) ; 815 Ill. Comp. Stat. Ann. Sec. Sec. 530/1 to 530/25 (2008); Ind. Code Sec. Sec. 4-1-11 et seq., 24-4.9 et seq.(2014); Iowa Code Sec. Sec. 715c.1, 715c.2 (2015); KAN. STAT. Sec. 50-7a01 et. seq. (2008); Ky. Rev. Stat. Ann. Sec. Sec. 365.732, 61.931 To 61.934 (West); La. Rev. Stat Sec. Sec. 51:3071 et seq. 40:1300.111 To .116 (West); Me. Rev. Stat. tit. 10 Sec. 1347 et seq. (2009); Md. Code Com. Law Sec. Sec. 14-3501 et seq. (2013), Md. State Govt. Code Sec. Sec. 10-1301 To -1308 (2007); Mass. Gen. L. Sec. 93h-1 et seq. (2006); Mich. Comp. Law Sec. Sec. 445.63,445.72 (2014); Minn. Stat. Sec. Sec. 325e.61, 325e.64 (2011); Miss. Code Sec. 75-24-29 (2014); Mo. Rev. Stat. Sec. 407.1500 (2014); Mont. Code Sec. Sec. 2-6-504, 30-14-1701 et seq. (2014); Neb. Rev. Stat. Sec. Sec. 87-801, -802, -803, -804, -805, -806,--807 (2014); Nev. Rev. Stat. Sec. Sec. 603.A.010 et seq., 242.183 (2013); N.H. Rev. Stat. Sec. Sec. 359-C:19, -C:20,--C:21 (2009); N.J. Stat. Ann. Sec. 56:8-163 (2012); N.Y. Gen. Bus. L. Sec. 899-Aa, N.Y. State Tech. L. 208 (McKinney 2014); N.C. Gen. Stat. Sec. Sec. 75-61, 75-65 (2012); N.D. Cent. Code Sec. 51-30-01 et seq (2008).; Ohio Rev. Code Sec. Sec. 1347.12, 1349.19, 1349.191, 1349.192 (2004); Okla. Stat. Sec. Sec. 74-3113.1, 24-161 to -166 (2014); Or. Rev. Stat. Sec. 646a.600 to .628 (2011); 73 Pa. Stat. Sec. 2301 et seq. (2013); R.I. Gen. Laws Sec. 11-49.2-1 et seq. (West); S.C. Code Sec. 
39-1-90 (West); Tenn. Code Sec. 47-18-2107 (2014); Tex. Bus. & Com. Code Sec. Sec. 521.002, 521.053 (2014), Tex. Ed. Code Sec. 37.007(B)(5) (2013); Utah Code Sec. Sec. 13-44-101 et seq. (2010); Vt. Stat. Tit. 9 Sec. 2430, 2435 (2007); Va. Code Sec. 18.2-186.6, Sec. 32.1-127.1:05 (2012); Wash. Rev. Code Sec. 19.255.010, 42.56.590 (2013); W.V. Code Sec. Sec. 46a-2a-101 et seq. (West); Wis. Stat. Sec. 134.98 (2009); Wyo. Stat. Sec. 40-12-501 et. seq. (2007); D.C. Code Sec. 28-3851 et seq. (2013); 10 Laws Of Puerto Rico Sec. 4051 et seq.; V.I. Code Tit. 14, Sec. 2208. \30\ New State Ice Co. v. Liebmann, 285 U.S. 262 (1932). --------------------------------------------------------------------------- III. Strong Privacy Safeguards Build Consumer Trust The Schrems 2 litigation has certainly created problems for American privacy law, but it has also created a pathway towards the resolution of those problems, whether through an adequacy determination, comprehensive privacy and surveillance reform, or both. In the time that I have left, however, I would like to make one final point, which is that as this Committee considers privacy reform it give serious consideration to imposing some kind of duty of loyalty on data processors. In my work with Professor Woodrow Hartzog of Northeastern University, I have argued that the solution to the problems of American privacy lies in building trust. Today we face a crisis of distrust. The Snowden revelations created justifiable distrust when Americans and Europeans across the political spectrum realized the scope of largely unconstrained surveillance by the Intelligence Community. The Schrems litigation is a further offshoot of this distrust by European consumers, regulators, and judges. Distrust harms everyone--consumers, businesses, and government. It most certainly is bad for business in our modern data-driven economy. There is a better way than our status quo of distrust. 
In a series of articles, Professor Hartzog and I have sought to identify the factors that could get us beyond the dangerous fiction of ``notice and choice'' privacy regulation, and use privacy law to create value for companies as well as protecting consumers. Our trust theory suggests that companies who seek trust must be discreet, honest, protective, and loyal.\31\ In a forthcoming article, we give greater detail to a duty of loyalty for privacy law based on the risks of opportunism that arise when people trust others with their personal information and online experiences. Data collectors bound by a duty of loyalty would be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure. Loyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with a trusting party's best interests. Our basic claim is simple: a duty of loyalty framed in terms of the best interests of digital consumers should become a basic element of U.S. data privacy law. A duty of loyalty would compel loyal acts and also constrain conflicted, self-dealing behavior by companies. It would shift the default legal presumptions surrounding a number of common design and data processing practices, and it would act as an interpretive guide for government actors and data collectors to resolve ambiguities inherent in other privacy rules. A duty of loyalty, in effect, would enliven almost the entire patchwork of U.S. data privacy laws. And it would do it in a way that is consistent with American law and traditions, including its commitments to free expression goals and other civil liberties. A duty of loyalty along the lines we suggest would be a big step for American privacy law, but we think it would be a necessary and important one if our digital transformation is to live up to its great promises of human wellbeing and flourishing.
It would also be good for business over the long term. The relationship between privacy and trust has been the subject of a lively and creative academic literature.\32\ We also note with optimism that the duty of loyalty is a topic of debate on this Committee, and we hope that this Committee will take the duty of loyalty seriously as an opportunity to protect consumers, safeguard responsible, sustainable commerce, and allow the United States to once again become a leader in global privacy norms.\33\ --------------------------------------------------------------------------- \31\ Neil Richards & Woodrow Hartzog, Privacy's Trust Gap, 126 Yale L.J. 1180, 1183 (2017). \32\ Neil Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 Stan. Tech. L. Rev. 431 (2016); Neil Richards & Woodrow Hartzog, A Duty of Loyalty in Privacy Law, (Sept. 5, 2020) (unpublished manuscript), https://papers.ssrn.com/sol3/papers.cfm?abstract _id=3642217; Neil Richards & Woodrow Hartzog, The Pathologies of Digital Consent, Wash. U. L. Rev. (forthcoming 2019), https:// papers.ssrn.com/sol3/papers.cfm?abstract_id=3370433; Neil Richards & Woodrow Hartzog, Privacy's Trust Gap, 126 Yale L.J. 1180, 1183 (2017); Neil Richards & Woodrow Hartzog, Trusting Big Data Research, 66 DePaul L. Rev. 579 (2017); Jack M. Balkin, Information Fiduciaries and the First Amendment, 49 U.C. Davis L. Rev. 1183, 1185 (2016); Jack Balkin & Jonathan Zittrain, A Grand Bargain to Make Tech Companies Trustworthy, The Atl. (Oct. 3, 2016), https://www.theatlantic.com/technology/ archive/2016/10/information-fiduciary/502346/; Jonathan Zittrain, Engineering an Election, 127 Harv. L. Rev. F. 335, 340 (2014); Lindsey Barrett, Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, 42 Seattle U. L. Rev. 1057 (2019); Ariel Dobkin, Information Fiduciaries in Practice: Data Privacy and User Expectations, 33 Berkeley Tech. L.J. 1, 1 (2018); Cameron F. 
Kerry, Why Protecting Privacy Is a Losing Game Today--and How to Change the Game, Brookings (July 12, 2018), https://www.brookings.edu/research/why- protecting-privacy-is-a-losing-game-today-and-how-to-change-the-game/; Ian Kerr, The Legal Relationship Between Online Service Providers and Users, 35 Can. Bus. L.J. 419 (2001); Daniel Solove, The Digital Person (2006); Richard S. Whitt, Old School Goes Online: Exploring Fiduciary Obligations of Loyalty and Care in the Digital Platforms Era, 36 Santa Clara Computer & High Tech. L.J. 75 (2019); Kiel Brennan-Marquez, Fourth Amendment Fiduciaries, 84 Fordham L. Rev. 611, 612 (2015); Lauren Scholz, Fiduciary Boilerplate, J. Corp. L. (forthcoming 2020); Ari Waldman, Privacy as Trust (2018); Ari Ezra Waldman, Privacy As Trust: Sharing Personal Information in A Networked World, 69 U. Miami L. Rev. 559, 560 (2015); Ari Ezra Waldman, Privacy, Sharing, and Trust: The Facebook Study, 67 Case W. Res. L. Rev. 193 (2016); Christopher W. Savage, Managing the Ambient Trust Commons: The Economics of Online Consumer Information Privacy, 22 Stan. Tech. L. Rev. 95 (2019). \33\ See Neil Richards & Woodrow Hartzog, A Duty of Loyalty for Privacy Law, forthcoming 2021, available at https://papers.ssrn.com/ sol3/papers.cfm?abstract_id=3642217. --------------------------------------------------------------------------- Conclusion Thank you for giving me the opportunity to share my views on the consequences of the Schrems 2 decision for privacy reform in the United States. In sum, the Schrems litigation is a creature of distrust, and while it has created problems for American law and commerce, it has also created a great opportunity. That opportunity lies before this Committee--the chance to regain American leadership in global privacy and data protection by passing a comprehensive law that provides appropriate safeguards, enforceable rights, and effective legal remedies for consumers. 
I believe that the way forward can not only safeguard the ability to share personal data across the Atlantic, but it can do so in a way that builds trust between the United States and our European trading partners and between American companies and their American and European customers. I believe that there is a way forward, but it requires us to recognize that strong, clear, trust-building rules are not hostile to business interest, that we need to push past the failed system of ``notice and choice,'' that we need to preserve effective consumer remedies and state-level regulatory innovation, and seriously consider a duty of loyalty. In that direction, I believe, lies not just consumer protection, but international cooperation and economic prosperity. Thank you. Biography Neil Richards is one of the world's leading experts in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society. Professor Richards holds the Koch Distinguished Professorship at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is also an affiliate scholar with the Stanford Center for Internet and Society and the Yale Information Society Project, a Fellow at the Center for Democracy and Technology, and a consultant and expert in privacy cases. Professor Richards serves on the board of the Future of Privacy Forum and is a member of the American Law Institute. Professor Richards graduated in 1997 with graduate degrees in law and history from the University of Virginia, and served as a law clerk to both William H. Rehnquist, Chief Justice of the United States and Paul V. Niemeyer, United States Court of Appeals for the Fourth Circuit. Professor Richards is the author of Intellectual Privacy (Oxford Press 2015). 
His many scholarly and popular writings on privacy and civil liberties have appeared in a wide variety of media, from the Harvard Law Review and the Yale Law Journal to The Guardian, WIRED, and Slate. His next book, Why Privacy Matters, will be published by Oxford Press in 2021. The Chairman. Well, thank you all for excellent testimony. I wish the testimony had made me more optimistic about a solution, but I think it just confuses me a little more and points out the complexity of what is before us. Ms. Espinel, your organization submitted an amicus, but in a few words or less, were you--whose part were you taking and were you disappointed or delighted at the decision? Ms. Espinel. We were taking the part of cross-border data transfers. So, yes, we were invited to be an amicus along with the U.S. Government and the European Commission in the case, and we felt it was important to do so for two reasons. The first is because our members believe so strongly in privacy protection, but the second is because cross-border data transfers are not just a software issue or a tech issue, they are an issue for every company, no matter the size, no matter the sector. The Chairman. Were you advocating for the arrangement to be upheld? Ms. Espinel. Yes, we were advocating for it to be upheld. But I do emphasize this point, not so much on behalf of our companies, but on the behalf of the customers of our companies, because they are--it is companies across the United States that rely on cross-border data transfers, and so one of our main points to the court was that this would have far reaching ramifications for the U.S. and the European economy if it were invalidated. The Chairman. OK. And that certainly turns out to be the case. Mr. Swire, what is significant about January 20 other than it is inauguration day? There is no enforcement that kicks in beyond that? Mr. Swire. Well, there is no enforcement that kicks in.
In speaking to at least one litigator, I have heard an ominous prediction that there may be court orders in Europe on one or more major U.S. tech companies by that time, which would be-- that would grab some headlines and attention to the issue if court orders like that came out. And there is an opportunity, it seems, for Mr. Sullivan and the hard working people who are working on those issues currently, in my dream world, to imagine trying to get some kind of at least short term interim way to have something happen. When brand new people come in, it takes a little while to get up to speed. I am assuming there are new people coming in. And so the very up-to-speed people who are there now have a particular opportunity to do something that would then lead to easier chances for better some things after that date. The Chairman. OK. There is no grace period. There is a decision that went into effect immediately. Mr. Swire. Right. Correct. Yes. The Chairman. Are companies being hauled into court right now? Mr. Swire. There are numerous--I don't know--I am sorry. There are multiple lawsuits in different countries that are happening right now, yes. The Chairman. OK, but do I take it that your position before the decision is that the Privacy Shield agreement should be upheld and left in place? Is that your position? Mr. Swire. I believe the U.S. had essentially equivalent protections and should have been found that way, but the court disagreed with that. The Chairman. It sure did. And then, Professor Richards, you assisted the Irish government in this case, is that right? Mr. Richards. That is correct, sir. The Chairman. Good. And, what was their position with regard to whether this should be upheld or not? Mr. Richards. So the position of the Irish Data Protection Commissioner--I was an independent expert, as was Professor Swire. Under Irish procedure, experts tend not to be, to use the colloquial term, hired guns the way they tend to be in American litigation.
So we took an oath to give the evidence that we would give, say if Facebook or Ireland had retained us. But the Irish Data Protection Commissioner took the position that there were sufficient doubts about the legitimacy of the Privacy Shield, of standard contractual clauses and by extension Privacy Shield under European law, that she chose after an investigation to seek a referral to the European Court of Justice, which made the ultimate determination. The Chairman. OK, now Mr. Phillips, was it you that--this is all good testimony, by the way. Excellent job on a complex issue. Who was talking about the comparative surveillance done in Europe? That was you, was it not? Mr. Phillips. Senator, I did refer to that. The Chairman. OK, and are you saying that basically when it comes right down to it, there is not really that much difference in the way our intelligence services surveil as compared to Europe? Mr. Phillips. Senator, there have been a number of studies by authoritative lawyers and academics here and in Europe, and the bottom line has been that the practices that we engage in from a National Security perspective afford just as many, if not more, rights to U.S. citizens as rights afforded by domestic law in member states of the EU. The Chairman. And it seems to me that in resolving this matter, that is going to be quite the sticking point. Mr. Phillips. I think that is an important consideration, absolutely. The Chairman. Well, thank you all. And there will be other rounds of questions, but this has been a great panel. Senator Cantwell. Senator Cantwell. Thank you, Mr. Chairman. Senator Peters, do you need--do you have a time constraint? OK, thank you. Well, this has been very helpful, I think. And again, appreciate the opportunity for the hearing, Mr. Chairman, and the witnesses. Mr. Richards, I am struck by this issue of trust and distrust because I think there is so much of that in practically every issue. But clearly, this one is a thorny one. 
And so we do have to figure out a way to build trust again because we are in the digital age and this won't be the last issue or the last time we have to address this. This is going to continue far into the future. This is the era that we live in. And so I appreciate you mentioning our efforts here in the Senate and our colleague, Senator Schatz's effort on duty of loyalty too because I think that plays into trust and the environment. On those factors that you mentioned, appropriate safeguards, rights, and enforcement, Mr. Richards, I am interested in this larger--so that is a good framework, very important framework, and I believe in that framework. I think that is the essential aspect of the framework, but over here, somewhat out of control of Senator Wicker and I, is Government surveillance. And I want to hear what Mr. Richards, you say and other people say about how we build trust on tackling our most important National Security issues. So it is almost like industry now is going to be hamstrung. We could fix these issues, appropriate safeguards, rights, and enforcement, but over here is going to be this large issue about data gathering by the Government. And I want us to figure out how we are going to move forward. So two examples, Senator Collins and I worked with the former Secretary of Homeland Security, Jay Johnson, to implement overseas borders. That was hard because you are basically doing border security at overseas airports, but no one wanted to turn over--you know, the United States was not going to get access to European or whatever country we were in data, but yet we had to figure out a system where we were both going through potential security risks on our own data. We figured that out. I know, for example, on some of the National Security issues, there is alliance on software. So I am pretty sure both in Europe and the United States, there are foreign countries working together where on software security. So we figured it out. So, Mr. 
Richards, what do you think those security surveillance issues are that really aren't even within our Committee jurisdiction, but that we have to figure out how to build trust on so that we can resolve this issue so that we don't have business in the digital era hung up on digital trade because basically our two governments can't figure out how to work together. And if we can't figure out how to work with the Europeans, I got news for you, we got problems. Like, we have got to figure out how to work with the Europeans and to figure this out. So, Mr. Richards, do you have a thought on that? Mr. Richards. I do, Senator. I mean, obviously, this is a very difficult problem. The question you have asked me, to solve international surveillance cooperation in less than 2 minutes. But I will give it my best shot. I think some of the other speakers, some of my co-panelists mentioned the importance of privacy protections flowing with the data, and also the importance, I think Commissioner Phillips mentioned this, the importance of countries with shared values having shared protections. And I think it absolutely should be possible, I realize in Washington should is often a very dangerous word, but I think that it should be possible for countries, for the EU, the United States, the country of my birth, the United Kingdom, with shared commitment to the rule of law, shared commitments to freedom of expression and privacy and democracy, shared strategic and economic interests to cooperate, to extend rights of redress to each other's citizens the way that the U.S. Government did with the passage of the General Redress Act, amending the Privacy Act in 1974 in order to try and save Privacy Shield in the spring of 2017. I think extension of rights and also cooperation, a coalescing on those privacy protections that should travel with the data is. Unfortunately, the United States used to be the leader on commercial privacy in the early 1970s. It sort of abdicated that to Europe.
And now that the GDPR, fair information practices model that the Europeans have, is the emerging global market norm. But if the U.S. cooperated on that as well, I think it could go a great deal toward solving the broader problems of international cooperation on surveillance. Senator Cantwell. I just want to follow up, so--I actually think we might be able to achieve that. But then what are we going to do about the fact that we don't control--well, Senator Wicker and I do have votes on this in the larger body, but we don't control these agencies and we certainly don't control executive orders and the Presidential Executive Order. All we can do is fight it and say that we think it is too broad. So how--I am in agreement, we can solve our commercial issues. I just don't know if we are still, if the commercial industry is still going to get tethered to a national policy by an Executive Branch that thinks that we need to go further. Personally, I think we need way more transparency on the FISA court. Look, these are--we blurred the line in the Patriot Act and we just, we have got to do more due diligence here. So, thank you, Mr. Chairman. The Chairman. Yes. You have outlined a serious stumbling block, Senator. I believe Senator Blackburn is next. Are you there, Senator? STATEMENT OF HON. MARSHA BLACKBURN, U.S. SENATOR FROM TENNESSEE Senator Blackburn. Yes, I am. The Chairman. You are recognized for 5 minutes. Senator Blackburn. Thank you, Mr. Chairman. And thank you to our witnesses for being here and for the opportunity to have this hearing today. Privacy Shield, as everyone is fully aware, is something that continues to come up. We have got dozens of companies in Tennessee that would be impacted. I had pulled a list and it is interesting that the wide range of the companies that would be impacted, adversely impacted without an agreement. And everything from a vitamin company to a software company, to the Dollywood Foundation, to the Country Music Association. 
So as we talk about trade, as we talk about commerce, this is something that is important. I do appreciate that Senator Cantwell brought up the issue of trust and distrust as we look at this issue. But resolving it and getting something in place is vitally important. So, Mr. Sullivan, let me come to you first. Let's say we are not able to negotiate an agreement. If we do not get an agreement, then it seems like that data localization may become the new norm. So I want you to speak to what would be an adverse outcome? Mr. Sullivan. Thank you, Senator, for the question. I guess at the outset, let me make clear, you know, I alluded to the three successful annual reviews that we have had since 2017, where we sat down with the European Commission, the European Data Protection authorities, and those are three very successful internal reviews. And during that period, since that period, before during after those reviews, we have developed very constructive, excuse me, and positive working relationships with our partners in Europe. I do want to note a couple of points. You know, we have been talking about the Schrems II litigation since well before the third annual review, which took place last October. There has been a long-running argument about contingency planning. We have been in constant regular contact with the Commission since the ruling on July 16. Secretary Ross has reached out to a number of high ranking EU officials. And, you know, we are working urgently to resolve this crisis because Privacy Shield, as you alluded to, is the most cost effective and straightforward mechanism for SMEs. And as I think I said, nearly 70 percent of the participants in Privacy Shield are SMEs. And that is--again, that is across all sorts of industries. We are not, again, talking just about digital companies or big multinational tech companies. So, you know, obviously our first priority is privacy---- Senator Blackburn. We are not talking about just digital companies. 
I just went through the list. You know, you have got Dollywood Foundation and the Country Music Association, CISAC, a vitamin company, all of these different Tennessee companies. But talk about data localization. And if we don't get something, what does that mean and the impact? And then I would like to have Ms. Espinel and others weigh in when you finish your comment. Mr. Sullivan. Of course. So, again, Privacy Shield, I just want to be clear, 70 percent are SMEs with fewer than 500 employees. So we are extremely sensitive to that. And we do recognize to your point, you know, in the hopefully unlikely situation where we do not arrive at a new arrangement or an enhanced Privacy Shield, you know, there are other mechanisms. Obviously, the court upheld SCCs. We have worked with our inter-agency partners to put out a White Paper to hopefully help companies make these case by case assessments. On your question, with respect to data localization. That is a very significant concern for us. My team has been engaged with Europe, but also in countries around the world on this issue. And quite frankly, it is not a perfect solve. It is exceedingly expensive, even for our large companies that will effectively freeze out SMEs in many of the companies that you are talking about from access in the EU market. And quite frankly, it doesn't work at the end of the day. It is simply--beyond the expense factor, trying to keep EU personal data in Europe effectively undermines the business models of the vast majority of companies that operate this way internationally. And so that is not, at the end of the day, a viable solution. And if I could---- Senator Blackburn. Ms. Espinel--I don't want to run out of time. Do you have anything to add on that? Ms. Espinel. 
I would say that the organizations that he talked about music, country music--the organizations that you mentioned, the Country Music Association, the vitamin company, they are on that list they were certified under the Privacy Shield because they have employees or customers or suppliers in Europe. And if they--if data localization goes into place and they are not able to access that, that means that they are not going to be able to operate effectively either. They will be operating at greatly increased cost or they won't be able to operate in Europe at all. So the implications of data localization are very significant for those organizations, but for organizations including many small and medium sized businesses across the United States. Senator Blackburn. Right. You are changing their business model through no fault of their own. Alright, Mr. Phillips, anything to add? Mr. Phillips. I agree with what both of my co-panelists said. I also just want to add, data localization isn't good for privacy. It isn't good for data security. It doesn't serve all of these other functions in addition to all the cost that it imposes on businesses and nonprofit organizations. Senator Blackburn. Alright. Mr. Richards? Mr. Richards. Sorry, Senator, I was struggling with my mute button. Data localization absolutely would be bad, and I think the key, as a number of the other witnesses have pointed out, is to find some way to harmonize the law. The Europeans, as Professor Swire pointed out quite correctly, treat this as a matter of constitutional law. They believe that just as when they come to the United States, they may go to Dollywood on vacation, that they expect that their constitutional rights travel with them just the same as you or I would expect that our constitutional rights would follow us if we went to Europe. And I think because the U.S. is in a sense importing the data like a tourist, the Europeans expect that their rights are guaranteed. 
And I think this is not--this is a hard problem, but this is not an irresolvable problem because of our shared traditions and commitments to the rule of law, democracy, and fundamental rights. Senator Blackburn. Mr. Chairman, thank you. Yield back. Senator Thune [presiding]. Senator Blumenthal is up. STATEMENT OF HON. RICHARD BLUMENTHAL, U.S. SENATOR FROM CONNECTICUT Senator Blumenthal. Thanks, thanks very much, Senator Thune. As you probably know, all of you, this committee has spent a good deal of time and effort over the last two years on consumer privacy, and I appreciate the leadership of the Chairman and Ranking Member. And I am grateful for the collaboration of Senator Moran. We have worked together on this issue, given California's passage of Proposition 24 and the change of Administration. This is an area where I think we can make significant bipartisan progress in the next Congress, obviously not this one. I have been fighting for consumer privacy for many, many years as Attorney General before I assumed this office and I want to see a strong Federal law enacted. And I believe it is possible. This absence of consumer protections is part of the reason we have this dispute with the European Union. The United States and the EU need and have needed a Privacy Shield in the first place because the EU determined that our consumer privacy protections in this country are inadequate, as a safeguard to personal data. So our lack of consumer protection in this country for Americans' private data also harms American businesses that want to operate in Europe. All five of you are respected privacy experts and all of you called for a Federal consumer privacy law. I thank you for your advocacy. And I would like to know more definitely from each of you, what role does the United States' lack of consumer privacy law play in our negotiations with Europe on cross- border data transfers? 
Would having a consumer privacy law for the United States help end the cycle of Europe striking down data transfer agreements? Maybe begin with you, Mr. Sullivan. Mr. Sullivan. Thank you for that question, Senator. Just a couple of points, if I could. The adequacy model that has been adopted by the EU since about 1995 has to date yielded about 12 adequacy determinations. There are only 12 jurisdictions in 30 years that have been acknowledged as adequate by the EU. At the same time, there is today no globally accepted standard or definition of data privacy and no multilateral agreement on these issues. And so I think that is going to continue regardless of whether or not there is an omnibus Federal privacy law that will remain to be seen. But specifically with regard to the situation we are in after Schrems II, that ruling focused exclusively on Government access to data. And the court did not in any way question Privacy Shield's protections with regard to commercial collection or uses of data. And while I think that potential Federal data privacy legislation would likely be very well received by the EU, it will not address the immediate concerns that we are dealing with around the National Security issues cited by the court in Schrems II. Again, I think, you know, I will speak in my position with the International Trade Administration. We are seeing a proliferation of different national laws around the world. Some are taking their inspiration from GDPR. That is not a guarantee of adequacy. You have a law in India, for example, that sought to emulate GDPR in many ways. Each Nation has different cultural traditions, legal traditions, backgrounds, priorities. Brazil, similarly. So while I think it could help atmospherically and it would probably be very well received by our friends in Europe, it is not a guarantee. Thank you. Senator Blumenthal. Thank you. Mr. Phillips. Mr. Phillips. Thank you, Senator, for the question. 
Let me just begin by agreeing, of course, the Schrems II decision is about National Security. There is no guarantee that would come from a privacy law. And as I said in my written statement in my oral testimony, while we don't have a law, I think that our privacy enforcement is better than any in the world and more impactful than any in the world. That said, I do think a law will help. I think first, if we are going to do the interoperability between countries of data flows, having one law is a better way to handle that on an international basis rather than having to deal with different jurisdictions. The second, as we have heard from all the panelists atmospherically, I think it does help. Third, I think there are aspects of a privacy law that you and your colleagues, and I thank you for your leadership on this, have contemplated that would help a lot of entities. For instance, removing limitations on the FTC's jurisdiction with respect to common carriers and nonprofits will allow those entities to participate in whatever new Privacy Shield resolution that we might have because all of a sudden their obligations would flow through us. So I do think it would be a helpful thing. Senator Blumenthal. Thank you. Ms. Espinel. Ms. Espinel. Senator Blumenthal, thank you for the question. I just want to thank you for your years of leadership and dedication on privacy legislation. So I agree. I believe that privacy legislation would be a very positive signal to the Europeans. I want to emphasize that I think we need Federal privacy legislation regardless of the situation that we are in, even if the Privacy Shield had not been invalidated. We need it for U.S. citizens so that you have strong, enforceable privacy protections across the United States, and strong obligations on companies. But I also believe that it would be a positive signal and would be a benefit to the negotiations. 
Last, I just want to say I also believe strongly and would encourage this committee to think about the long term issue of whether or not we can reach some sort of consensus with at least like-minded countries that share our values on intelligence gathering practices, because I believe that is really critical to finding a long term sustainable solution. Senator Blumenthal. Thank you very much. Senator Thune. Thank you, Senator Blumenthal. Senator Blumenthal. Thank you. STATEMENT OF HON. JOHN THUNE, U.S. SENATOR FROM SOUTH DAKOTA Senator Thune. Commissioner Phillips, after the passage of the EU's GDPR, the flow of data between the U.S. and the EU has become less stable and subject to much debate. Would a single national data privacy law in the United States be beneficial to help resolve some of the policy differences between the EU and the United States? Mr. Phillips. Yes, Senator. Senator Thune. And Mr. Sullivan, do you agree with that? Mr. Sullivan. Yes, short answer. Senator Thune. Short answer---- Mr. Sullivan. The short answer is yes. Senator Thune. OK, good. Mr. Sullivan, what kinds of businesses and industries rely upon the Privacy Shield framework? And can you talk about the importance of the need to transfer data across borders? Mr. Sullivan. Of course. So at the time of the ruling on July 16, there were nearly 5,400 companies. As I think I have said before, nearly 70 percent of those companies participating in the Privacy Shield program were small and medium sized enterprises with fewer than 500 employees. The reason for that was because it was a cost effective mechanism, far less administratively burdensome and costly than some of the other options, such as standard contractual clauses or binding corporate rules, which are largely used by large multinationals. The participants in Privacy Shield were again from across industry. 
We are talking about small manufacturers, we were talking about agricultural producers, other small businesses in a variety of industries. So, again, just I know I am a bit repetitive, I want to underscore we are not simply talking about large multinational tech companies or digital firms. Everyone has to transfer data these days across the Internet, HR records, for maintaining their international networks, etc. So it is a broad swath of U.S. industry. Senator Thune. Thanks. Commissioner Phillips, at a hearing earlier this year Chairman Simons stated that the FTC intends to make companies fulfill the promises made under Privacy Shield. Has the Commission brought enforcement actions with regard to Privacy Shield since the time the European Court of Justice invalidated the EU-U.S. Privacy Shield? Mr. Phillips. Senator, I am a little bit lost on the timing, but I believe the answer is yes in the RagingWire case. The enforcement that we do on Privacy Shield is under our Section 5 deception authority. And what it means in the main is if you are making material statements to consumers and you violate those statements or, right, you are deceiving those consumers, we can go after you. So representations that they are making with respect to participation in, or following the guidelines of the Privacy Shield, come under that rubric. And we are going to continue to enforce against companies that don't live up to their commitments. Senator Thune. Good. Ms. Espinel, the cross-border transfer of data is, as has been pointed out, vital to our economy. As the U.S. and the EU work to develop a successor, I should say, to the Privacy Shield, are there safeguards the U.S. should be giving consideration? Ms. Espinel. Thank you. So I think in terms of the negotiation on the enhanced Privacy Shield, I don't believe we need a total overhaul of the Privacy Shield. I think there are some targeted reforms that could address some of the issues that were raised specifically by the court. 
And we are very supportive of the work that the Department of Commerce and the U.S. Government and the European Commission have been doing together. I will say, as I have said before, I think longer term, having the United States work with a group of democracies that share our values to try to come to a consensus on intelligence gathering practices is critical to long-term sustainability. But in terms of the immediate, urgent, short-term need for an enhanced U.S. Privacy Shield, I think there are targeted reforms that I believe, obviously Mr. Sullivan could speak better to this, but I believe could be addressed in the negotiations between the United States and the European Union. Senator Thune. Mr. Swire, what effect would the emergence of data localization requirements in the EU have on Americans' National Security? Mr. Swire. On National Security--well, in my testimony I refer to previous work that I have done with others on data localization, and we hope to have more information about that by the end of the month published. For National Security, one of the problems would be cybersecurity in the following way. When currently, if you are trying to figure out where the bad guys are coming from, you have global flows among the defenders to make sure that we are getting a good view of where the bad guys are coming. And if the data cannot come from Europe to the rest of the world, then the bad guys know they just have to route it through Europe. So we are going to have a discussion at the National Academy of Sciences on December 11 specifically about the effects on cybersecurity, which affects U.S. National Security, affects corporate security. And this is something that has not been brought up but is really deserving a lot more attention, the effects on cybersecurity. Senator Thune. Mr. Chairman, thank you. The Chairman. Thank you, Senator Thune. Senator Peters. STATEMENT OF HON. GARY PETERS, U.S. SENATOR FROM MICHIGAN Senator Peters. Thank you, Mr. Chairman. Mr. 
Swire, I want to follow up on the question that Senator Thune asked you, because it seems like if eliminating the Privacy Shield, that that could possibly result in the global adoption of data localization, and I know data localization is the hallmark of both Russian and Chinese efforts to centralize and surveil valuable streams of data, something we always have to be conscious of. And I am Ranking Member of Homeland Security Committee here in the Senate, and I am certainly committed to protecting National Security. And as you were saying, it is something that we need to focus on because it has potential to undermine our security interests. What specifically should we be doing to address this because I am concerned about it? Mr. Swire. Well, one thing is to have people in Europe understand how serious and how difficult it is to even try to build data localization. It is a much more thoroughgoing revision of every company's IT system than most people have seen. In a 1998 book, we have had multiple chapters about data localization even back then with about 40 categories of serious effects. And that is linked to in my testimony. And one of the examples is the global financial system, which we rely on for so many things, including, you know, ongoing secure commerce. There are massive data flows of personal data every day between countries for regulators to oversee banks, among other things. And if there is really data localization, we lose the ability to have an integrated global financial system. That all by itself could be a hearing that really was worth a lot of attention, perhaps in a different committee, but it illustrates how thorough the interruption would be if really data localization happens from Europe. Senator Peters. Right. Well, thank you. My next question relates to small business. Ms. Espinel, I would like to ask this question of you. And I think, Mr. Sullivan, you were dealing with small business. 
I am going to follow up with a question for you related to this too. Because I was walking in so I wasn't sure of the question, but your answer is probably related to what I want to talk about. But in our increasingly connected world, certainly of small businesses like manufacturers or retailers as was mentioned, rely on the free flow of information. In fact, 70 percent of the companies that have certified under Privacy Shield are small or medium sized businesses, and they simply can't afford to store data overseas, especially those small businesses. Of those companies we have identified, 993 companies in Michigan alone fall into this category. So if you could tell me the lack of certainty on international data transfers, how is this going to impact small businesses immediately? And are there steps that we can take here in Congress to address it? How do we mitigate that? Ms. Espinel. So I think it is an immediate concern. I mean, I think it is worth noting that there are other transfer mechanisms that are still in place. So the standard contractual clauses were left in place by the court and we are very pleased that that is the case. So there are still other transfer mechanisms between the United States and Europe. That said, the Privacy Shield was the simplest and the least costly of all the transfer mechanisms. So for small businesses in particular, having the Privacy Shield invalidated is a real concern. Standard contractual clauses are positive in the sense that they can offer very strong privacy commitments to consumers, but they are more complicated, they are more resource intensive, so they are more difficult by definition and therefore more difficult for small businesses. And as you pointed out, small businesses are 70 percent of the companies that are certified under the Privacy Shield. And so, we believe that having an enhanced EU-U.S. 
Privacy Shield, having a Privacy Shield agreement back in place that small businesses can take advantage of, is of critical importance. Senator Peters. Thank you for that answer. And Mr. Sullivan, I know you are concerned about this as well. And my focus--you know, U.S. small businesses are U.S. innovation and our innovators that really rely on these data flows, particularly when you think of technologies like artificial intelligence and the need for data sets to deal with that. Talk to me about some of the legal uncertainty for international data transfers that are going to impact tech startups, particularly in the innovation sectors. If so, how? And any other ideas of how we need to deal with that? Mr. Sullivan. Certainly, Senator, and thank you for the question. We have all talked about how important Privacy Shield is for SMEs. We have just heard again about how difficult some of the other options SCCs and BCRs, binding corporate rules, which can take up to a year and cost upwards of $1 million, which is just not an option for small startups, tech or otherwise. Which is why, you know, we are working so urgently to develop an enhanced Privacy Shield to address the enormous uncertainties that now exist and do so quickly because of these uncertainties. You know, some can avail themselves of SCCs. And although there are now some significant questions about their viability, we have put out a White Paper to help companies so that they can help or they can make these case-by-case assessments that have since been required by the Schrems II decision, before they send data to the United States. But I think, you know, one thing I do want to touch on that others have spoken to, you know, we have heard a lot today about the need for perhaps a broader discussion among like-minded democracies. 
I do want to emphasize that we have, my team at the International Trade Administration in concert with others across the interagency, have been engaged with the European Union and other democratic countries in a number of different multilateral discussions about developing principles and common practices. There is an effort underway right now in the OECD to just to do just that around, can we arrive at common principles when it comes to Government access to data? And in our view, it is critical that democracies come together to articulate shared principles, primarily not exclusively, to help make clear the distinction between what democratic societies do and how we respect civil liberties and the rule of law versus what we see authoritarian countries do with their growing surveillance ambitions to surveil, manipulate, and control their own citizens and others around the world with zero regard to privacy or civil liberties. And so we are really approaching this situation, and again SMEs are a priority for us. Many big companies can avail themselves of all the different mechanisms that are step one with Privacy Shield. The other thing I do want to note with Privacy Shield, you know, if we get it back up and running soon, what Privacy Shield did was it took the protections and redress mechanisms in the context of Government access to data and said these apply not only to companies that participate in Privacy Shield but to data transfers pursuant to any EU approved data transfer mechanism. Now, since the ruling, what you have is a situation where companies are now stuck with this incredibly onerous burden of having to do case-by-case assessments. If we get a Privacy Shield framework back in place, that will alleviate all companies of all sizes of this onerous burden of having to do these case-by-case assessments of countries' National Security regimes. 
And so I just want to emphasize we have a number of different work streams on this beyond just the discrete issue of trying to come up with enhancements on Privacy Shield. Thank you. Senator Peters. Thank you so much. Thank you, Mr. Chairman. The Chairman. Thank you, Senator Peters. Ms. Espinel, lawsuits are being pursued even as we speak against your member companies. Is that correct? Ms. Espinel. I am not aware of any lawsuits that are being prepared against my member companies, against the enterprise software industry that I represent, and it is helpful and we were pleased that other transfer mechanisms like the standard contractual clauses were left in place by the European Court of Justice. And our companies use the standard contractual clauses to transfer data. However, as we have discussed, standard contractual clauses are much more difficult, much more costly, more complicated, resource intensive way of transferring data. And therefore, we believe it is urgent that a new Privacy Shield be put back in place, both for the benefit of the small and medium sized businesses which we have discussed quite a bit because of the difficulty and resource intensive nature of the standard contractual clauses, but also because even for the standard contractual clauses, they will be more stable and more solid if there is an enhanced U.S.-EU Privacy Shield agreement. The Chairman. Sure. Well, who can enlighten the Committee on the degree to which lawsuits are being filed now since there is no grace period? Mr. Swire? Mr. Swire. I could try a little bit. There has been public reports in Ireland of ongoing court proceedings, specifically about Facebook. There have been suits filed---- The Chairman. In Irish courts? Mr. Swire. Yes, sir. The Chairman. OK. Mr. Swire. They are national courts that--currently they are not being appealed up to the European wide court system yet. There have been public reports about a suit in Germany against Amazon. 
And in talking to one litigator who works specifically in that area, I was told there are other suits, but I don't know exactly what the details are. The Chairman. In those cases, do insurance carriers step forward and represent the companies? Defend? Mr. Swire. I am not aware of that--is not--a lot of it has to do with company conduct and whether the conduct is lawful or not. And so large companies would probably defend themselves. The Chairman. So well, OK. Mr. Swire. But they are facing fines---- The Chairman. Is it possible for companies to purchase insurance coverage to mitigate against these types of actions? Mr. Swire. I am aware of many kinds of cybersecurity protection that are in place for data breaches. I have not heard, and I work a lot in the sector, of any significant insurance for fines for privacy violations. The Chairman. OK. Senator Schatz, are you there? I think Senator Schatz---- STATEMENT OF HON. BRIAN SCHATZ, U.S. SENATOR FROM HAWAII Senator Schatz. Sorry, Chairman, I am here. The Chairman. Yes, sir. You are recognized, sir. Senator Schatz. Thank you, Chairman. And thanks to all the panelists for a really constructive hearing. I want to start with Mr. Richards. You know, the Schrems decision highlights why the United States needs a strong data privacy Federal statute. And I, of course, believe that we need a duty of loyalty and care in Federal law. And I would like you to comment on how duties of loyalty and care could complement the privacy principles in the Privacy Shield and European privacy law without doing violence to our conception of freedom on the Internet and the United States? Mr. Richards. That is a great question, Senator. If I could just respond to the last question the Chairman asked about lawsuits. 
In my written testimony, I did cite an Irish newspaper which is reporting on the Facebook proceeding where the data protection commissioner has proceeded to try and pursue the Schrems II ruling to stop data flows from Facebook Ireland to Facebook U.S., which it is not the kind of risk you can really insure for if the data flows are the business itself. With respect to your--Senator Schatz, and thank you very much for asking, one of the problems with the European approach, which incidentally was invented, as I am sure the Senator knows, by the U.S. Government in a Department of Health, Education and Welfare in 1973--so these GDPR rules that we are talking about, as if they are foreign law, were actually invented by the U.S. Government. They tend to be procedural. They tend to say basically, here is how you process data. If you want to do it, these are the steps you have got to go through. But by and large, they provide a pathway for doing so. And while data protection rules (notice, choice, access, consent in appropriate circumstances, legitimate interests, onward transfer) are going to be a necessary part of any robust transatlantic or domestic or European framework, what we need to have are substantive rules. Senator Schatz, you said in the September hearing I believe to Commissioner Kovacic that a duty of loyalty isn't that big of a burden because good companies already know how good business means being loyal to their customers. And actually a duty of loyalty that requires putting your customer's interests ahead of your own in the short term is good for sustainable long term business. And actually, the companies that are being loyal when they are not required are actually at a competitive disadvantage from the bad guys that act in ways that are disloyal, that manipulate their customers that mislead them, that send them misinformation, that expose them to insecure and unfair data practices. Senator Schatz. So I think you make a really important point. 
And I, for the life of me, don't understand the resistance to duty of loyalty other than Government relations folks feel that their job is to kill everything and lawyers feel that anything that may be unclear and needs to be elucidated over time or even a statutory obligation that has to be elevated to the board level is inherently a risky proposition. But as you are--as we see, doing nothing is riskier than anything for your customers, for the Shield problem, and for the prospect of 50 different states enacting 50 different statutory frameworks. And so it seems to me that the cleanest way to move forward is not just to enact--of course, everyone thinks they are the cleanest way to move forward is to enact their legislation. But it does seem to me that we have to legislate at the conceptual rather than procedural level and empower expert agencies to implement the statute through rulemaking or even the adjudication of individual cases. So talk a little bit more about how notice and choice would be insufficient, not just from a consumer protection standpoint, but from the standpoint of solving our Shield problem? Mr. Richards. Notice and choice are wholly inadequate. They basically are--the way they have been implemented in U.S. law, with apologies to Commissioner Phillips and his agency, which has done fine, fine work with limited tools over the years, but the notice and choice framework has been a catastrophic failure. The notice that consumers receive is fictitious. Do you read privacy policies? Right. There was a study that it would take 76 days to read all the privacy policies, just to read them, of the websites that we encounter in a year------ Senator Schatz. I just think--I think that everything on my--I was just setting up Apple TV and I just agreed to everything without reading it like everybody does. Mr. Richards. So do I, Senator, and that is precisely the point. We have no choice and that is the other fault with notice and choice. 
If we want to participate in the modern world, we have to accept these terms and conditions as they are given, as they are unread. And often we don't have a choice at all. In the pandemic, we may have a choice over our streaming service but we don't have a choice over a cable company. We don't have a choice over the learning management system or the video conferencing system that our children's schools are using. And so what has happened is that notice and choice have been an insufficient check on bad actors in the market and they have given consumers resignation. And it dumps the work onto consumers, work they cannot possibly hope to achieve, and then it performs a masterful trick of making consumers feel bad and blame themselves for consenting to privacy policies when they didn't actually have a meaningful choice in the first place. Sorry, sir. Senator Schatz. Thank you. Let me just move on to one final question for you, Deputy Assistant Secretary Sullivan, on the transition. Have you been meeting with the Biden, Harris transition team? What is the frequency of those meetings? What is the extent of your sharing information as we move into the next phase and a transition to a new Administration? Mr. Sullivan. Thank you, Senator, for that question. As I noted at the outset, I oversee the Office of the Digital Services Industries. We have three teams. I will tell you that each of those teams has met on multiple occasions with transit at the agency review team at Commerce. We also prepared a transition memo that was intended to bring everyone up to date on the state of play with the litigation and the various lines of work we have, again, around Privacy Shield, standard contractual clauses, our multilateral efforts, and a variety of different venues be it OECD, the G20, etc. So my understanding is they are being kept fully apprised of our activities and our engagement with the Commission, the EDPB, and others and the member states in Europe. Senator Schatz. 
Thank you very much. Thank you, Mr. Chairman. The Chairman. Thank you, Senator Schatz. Let me ask you, Professor Richards, where is there a working duty of loyalty in place in law somewhere that we can look to? Mr. Richards. That is a great question, Senator. As an academic, I feel obligated to plug an article that Dr. Hartzog and I have written called ``A Duty of Loyalty for Privacy Law'' that explores this in great detail. But to answer the question very specifically, duties of loyalty have been a part of the Anglo-American common law for centuries. We often see them in fiduciary relationships and in corporate law. We tend to see that whenever there is vulnerability, whenever one party exposes itself to another for combined interests. And frankly, Senator, Mr. Chairman, that is precisely what we see with large platforms in the Internet economy. We need to have use it to expose ourselves to these companies in order to send e-mail, to engage in transcontinental videoconferencing like we are doing right now, to educate our children, and for so many other ways. I think one other place we can look for duties of loyalty, I think it is very interesting and very gratifying and encouraging to me that all three of the pending bills that were introduced, bills that we have talked about in today's hearing, your SAFE DATA Act, Senator Schatz's Data Care Act, and Ranking Member Cantwell's COPRA, all of them either talk about loyalty, or in the case of Title II of your bill, provide loyalty like protections against manipulation, against filter bubbles, against algorithmic discrimination, and against the manipulative--and against experimentation and manipulative use of design against consumers. The Chairman. And the point that I would make is that when we are able to be specific in those instances, then we are getting somewhere, but beyond that, it is hard actually to define such a duty. I am going to let you expand your answer on the record, if you would like. 
And I may submit some questions for the record. This study that you and Dr. Hartzog did, when was that published, sir? Mr. Richards. It has not yet been published, but it has been circulating on the website where academic work is. A draft has circulated since the summer. The Chairman. Can you circulate it to somebody on my staff? Mr. Richards. I believe I already have, but I would be delighted to do it again, sir. The Chairman. I would much appreciate that. Senator Scott. STATEMENT OF HON. RICK SCOTT, U.S. SENATOR FROM FLORIDA Senator Scott. First of all, I want to thank Chairman Wicker for hosting this hearing, and I want to thank each of you for being here today. My first priority is to ensure the privacy and security of American families. Also making sure we have an environment where businesses can thrive. Right now, our Nation is facing threats from all across the world. We have adversaries like the Communist Party of China that continue to steal our data and technology, and force companies in China to turn over any user data their government wants. Chinese backed companies like Huawei will hand over any sensitive data, including medical records, financial information, and social media accounts if they gain access to our markets. My colleague, Senator Cotton, introduced a bill which I support that would permanently prohibit the U.S. from sharing intelligence with countries that give Huawei access to their 5G networks. We have to do everything we can to provide Americans their information--protect Americans' information and our National Security. Mr. Phillips, what enforcement measures and oversight should be in place to ensure companies operate in the United States with access to personal and personally identifying information, disclose to the user where the company is housing the data? Mr. Phillips. Thank you, Senator Scott, for your question. To my mind, it is a question about materiality, what matters to those consumers. 
And I do think it is very well within Congress's purview to consider that question and to legislate upon it. I think increasingly, as we live in a globalized world, these kinds of questions where the data are, are important questions. But it is important to note that China has data localization. And it is very important, as we have all been discussing, for the liberal democracies of the world that have a more open approach to Internet governance to find a path forward together.

Senator Scott. Thank you. When entering international privacy agreements, how do we ensure the U.S. places Americans' privacy interests first?

Mr. Phillips. Thank you, Senator. We don't, at the FTC, negotiate the privacy agreements. What we do is provide, in my view, a very important backstop. And that is when companies make commitments that they are participating in those agreements, make commitments about what they do as part of those agreements where they violate the law, where they make statements that aren't true that matter to consumers, we can bring enforcement actions against them. And that is what we have done for years.

Senator Scott. So what do you think about requiring online retailers to disclose more information like where data is housed or where products are produced?

Mr. Phillips. I would have to give a little bit more thought to whether and to what extent that is material to consumers. I do think over time that is an increasing concern and it is definitely something within Congress's purview.

Senator Scott. I can't imagine why we don't know where Amazon and Wal-Mart don't tell us where products are made, where services are provided, or where apps are created. So what do you think is the biggest safeguard that should be put in place to protect our data better?

Mr. Phillips. Well, I think we have all been talking about for purposes of Americans and their privacy, a privacy bill.
The difficulty we are facing today is in part or in large part to do with the European courts vis-a-vis our practices, not on the consumer side, but on the National Security side. And I do think as we have these discussions moving forward, as I said in my testimony, we do want to understand and defend American values, and we don't want our security not to be an important part of that conversation.

Mr. Phillips. Thank you. Thank you, Mr. Chairman.

The Chairman. Thank you very much. This has been a very, very informative hearing, and some very talented and knowledgeable witnesses. I thank all five of you. And at this point we will close the hearing. Oh, Senator Rosen.

STATEMENT OF HON. JACKY ROSEN, U.S. SENATOR FROM NEVADA

Senator Rosen. Yes, I am here and I know I am always the last one, but I am waiting. I am here.

The Chairman. Well, why don't we recognize you for 5 minutes then?

Senator Rosen. Well, thank you, my friend. I appreciate it. And I appreciate this hearing. It has been really informative. And I want to talk about the importance of small business, of course. So Nevada is home to more than a quarter of a million small businesses. Small businesses are the driving force that powers my state's economic engine. But unfortunately, this pandemic has dealt business owners unprecedented challenges and obstacles. We need to be doing all we can to ensure that our small and medium-sized businesses can survive this pandemic and receive the resources and support they need to compete both domestically and internationally. Nevada-based companies that conduct business outside the U.S. depend on agreed-upon frameworks that ensure they are adhering to their international clients' home country rules and regulations, including those related to data protection and security. So actually, there are over 30 companies in Nevada that depended on the now invalidated Privacy Shield.
The framework, of course, that allows for the transferring, processing, and storing of personal data from the EU to the U.S. Businesses such as game development firm Play Studios, and software company Action Verb that are headquartered right in Las Vegas. So unfortunately, it is quite small size and medium-sized businesses that have had the most to lose if the EU and the U.S. aren't able to reach a new agreement. Larger businesses with large compliance departments, they will really have the upper hand, and it gives them a big competitive edge over the smaller firms, not just in Nevada but across the country. So to both Ms. Espinel and Mr. Sullivan, before the adoption of Privacy Shield, there was a different mechanism that enabled personal data transfers from the U.S. to the EU until it was also invalidated by European court in 2015. With that in mind, as we look to a new Administration and future talks with our EU partners, what issues do we as policymakers need to address to deal with the underlying intelligence gathering concerns that have plagued these frameworks so we just don't end up in the same place over and over again?

Mr. Sullivan. Thank you, Senator, for your question. Just to reiterate, maybe add a few more details to your point on SMEs, I want to make sure everyone has a sense of just how cost effective Privacy Shield is. And as you noted, its predecessor's framework, Safe Harbor was. Right now, the fees or the fees at least up until Schrems II for participation in the program, are based on your annual revenue. So if you were a company with annual revenue of up to $5 million, your certification and participation in Privacy Shield, the fee you paid was $250. If you were $5 million to $25 million, it was $650. I won't run you through the whole list, but if you are over $5 billion in annual revenue, what you paid for Privacy Shield was $3,250. It was again by far the most cost effective approach for transatlantic data transfer mechanisms.
And that is why--it is just another element as to why we think it is so critical, particularly for SMEs. The other thing I want to make folks aware of, our Privacy Shield team and our other teams, our global data policy team, engage in regular roadshows and they meet--they have a particular remit and focus on SMEs to make sure they understand, you know, if they do want to go global, if they do want to do business in Europe, how do they do that? What are the issues? What are the options? Another thing, again, at the risk of being redundant, because we don't have a global standard on data protection privacy, because countries do take different approaches, we also have another mechanism in place. You know, we have come up, because it is going to take a while for a global standard, we have got to bridge our differences. And so we had Privacy Shield with Europe. We had Safe Harbor before that, as you just noted. We also in APAC have something called the Cross-Border Privacy Rules System. And again, that is another way that we can bridge our differences with some common baseline standards around privacy. And so, again, we do a lot on the APAC's CBPR system to make sure that companies, particularly SMEs, understand that that is an option that is available to them. All of this is to promote interoperability so that companies are facing, again, increasingly fragmented and unaligned regulatory regimes around the world on these issues, and SMEs in particular, cannot pay the costs on this. And so we have got to come up with these structures until we get to a time where there is a single global standard. Without sounding like I am criticizing GDPR, I do think it is important to note, when it went into effect in May 2018, what happened was you saw the big multinationals actually expand their market share and thousands of U.S. 
SMEs basically made the determination that it was either too expensive to comply with GDPR, or that the potential fines were simply too onerous and they withdrew from the market. And so we spent a lot of time and effort to make sure that we are ensuring market access for SMEs. Hopefully, I answered your question. If not, I am happy to follow up if I missed something. Thank you.

Senator Rosen. No, that is fine. I know my time has expired, but----

Ms. Espinel. Chairman Wicker, would I be able to respond to Senator Rosen's question?

The Chairman. Yes, please.

Senator Rosen. Thank you.

Ms. Espinel. Thank you. Senator Rosen, first, I want to note that not only is Nevada home to many small businesses, but as you know, in the jobs report, the latest jobs report we put out, Nevada was the number one highest growth rate for software jobs in the country. So I want to congratulate you for that and the work that you are doing on STEM training is going to create jobs across the country. In terms of the issue at hand, there are three things that I think we need to do. The first is we need to negotiate an enhanced U.S.-EU privacy agreement. We have talked a lot about that. I commend Jim Sullivan for the work that he and his team are doing. Two, long term we need to reach a consensus with a group of democracies that share our values on intelligence gathering. And I think that will be a real challenge and an opportunity for U.S. leadership as we move forward. And third, we need to rebuild our foreign alliances and we need to make trust the basis of those. And I think that both underpins and is overarching the first two. That those three elements, the urgent need for enhanced U.S.-EU Privacy Shield, a long-term solution on appropriate safeguards on intelligence norms, and then rebuilding our foreign alliances with the trust underlying them that they warrant, are critical to moving forward.

Senator Rosen. Thank you very much for both of those answers.
I look forward to working with you on finding the best ways that we can support all those tech jobs that keep growing in Nevada and, of course, all the small and medium sized businesses that do want to expand across the Nation. Thank you, Mr. Chairman, for indulging my time.

The Chairman. Thank you. Thank you, Senator Rosen. You and I need to vote, and we will now close this hearing. The hearing record will remain open for two weeks. During this time, Senators are asked to submit any questions for the record. Upon receipt, the witnesses are requested to submit their written answers to the Committee as soon as possible. Thank you. We conclude the hearing, and we very much appreciate your participation.

[Whereupon, at 11:51 a.m., the hearing was adjourned.]

A P P E N D I X

American Civil Liberties Union
Washington, DC, December 9, 2020

Hon. Roger Wicker,
Chairman, Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.

Hon. Maria Cantwell,
Ranking Member, Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.

RE: The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows

Dear Chairman Wicker, Ranking Member Cantwell, and Members of the Committee,

On behalf of the American Civil Liberties Union (``ACLU''),\1\ we submit this letter for the record in connection with the Senate Commerce Committee's hearing, ``The Invalidation of the E.U.-U.S. Privacy Shield and the Future of Transatlantic Data Flows.'' We write to address the legal reforms that must be made to permit the free flow of data from the E.U. to the U.S., in the wake of the Schrems II decision by the Court of Justice of the European Union (``CJEU''), and subsequent guidance by the European Data Protection Board. These changes are essential to ensure that small and large businesses alike will not continue to suffer financial consequences through no fault of their own.
---------------------------------------------------------------------------
\1\ For nearly 100 years, the ACLU has been our nation's guardian of liberty, working in courts, legislatures, and communities to defend and preserve the individual rights and liberties that the Constitution and the laws of the United States guarantee everyone in this country. The ACLU takes up the toughest civil liberties cases and issues to defend all people from government abuse and overreach. With approximately two million members, activists, and supporters, the ACLU is a nationwide organization that fights tirelessly in all 50 states, Puerto Rico, and Washington, D.C., for the principle that every individual's rights must be protected equally under the law, regardless of race, religion, gender, sexual orientation, disability, or national origin.
---------------------------------------------------------------------------

The reforms discussed below would also provide essential privacy protections for Americans, whose communications and data are swept up by the U.S. government's foreign intelligence surveillance in enormous quantities.\2\ As technological advances permit ever-broader forms of surveillance--including bulk collection--there is an urgent need for stronger legal safeguards.

---------------------------------------------------------------------------
\2\ See, e.g., Barton Gellman et al., In NSA-Intercepted Data, Those Not Targeted Far Outnumber the Foreigners Who Are, Wash. Post (July 5, 2014), https://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html; John Napier Tye, Meet Executive Order 12333: The Reagan Rule that lets the NSA spy on Americans, Wash.
Post (July 18, 2014), https://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html.
---------------------------------------------------------------------------

On July 16, the CJEU struck down the E.U.-U.S. Privacy Shield, used by over 5,300 companies, for failing to provide a sufficient level of protection for E.U. data.\3\ Specifically, the court found that U.S. surveillance authorities, including Section 702 of the Foreign Intelligence Surveillance Act (``FISA'') and Executive Order (``EO'') 12333, permit large-scale surveillance that is not strictly necessary to the needs of the state. The court also found that the Privacy Shield failed to create adequate redress mechanisms for Europeans whose data is transferred to the U.S.--namely, the ability to be heard by an independent and impartial court.

---------------------------------------------------------------------------
\3\ C-311/18, Data Protection Comm'r v. Facebook Ireland Ltd. & Maximilian Schrems (``Schrems II'') (July 16, 2020), http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=15476758.
---------------------------------------------------------------------------

In addition to invalidating Privacy Shield, the CJEU's ruling indicated serious problems with companies' reliance on a separate mechanism, Standard Contractual Clauses (SCCs), for data transfers from the E.U. to the U.S., given the scope of U.S. surveillance and obstacles to redress. Based on the CJEU's ruling, the European Data Protection Board recently issued draft guidance concerning SCCs that would make it virtually impossible to transfer personal data to ``electronic communication service providers,'' 50 U.S.C. Sec. 1881(b)(4), inside the U.S.
for processing.\4\ Indeed, the Irish Data Protection Commissioner has already issued a preliminary order to Facebook to halt its transfers to the U.S. about its E.U. users.\5\

---------------------------------------------------------------------------
\4\ See European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Nov. 10, 2020), https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf; see also, e.g., Omer Tene, Vice President at the International Association of Privacy Professionals, Quick Reaction to EDPB Schrems II Guidance, https://www.linkedin.com/pulse/quick-reaction-edpb-schrems-ii-guidance-omer-tene (``it's hard to see a clear path for data transfers to the US'').
\5\ Sam Schechner & Emily Glazer, Ireland to Order Facebook to Stop Sending User Data to U.S., Wall St. J. (Sept. 9, 2020), https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980.
---------------------------------------------------------------------------

The CJEU's ruling and the European Data Protection Board's guidance pose significant problems for U.S. companies in places as diverse as Boca Raton, Florida, San Francisco, California, and Cleveland, Ohio, who relied on Privacy Shield and currently rely on SCCs to transfer data from the E.U. for processing and storage in the U.S. In many cases, companies rely on these data-transfer mechanisms for critical functions, such as providing services to customers overseas or human resources to a global workforce. Below, we describe several reforms critical to ensuring future transatlantic data flows. Although we propose reforms to both Section 702 and EO 12333 surveillance, the Section 702 reforms are especially urgent.
That is because the Section 702 collection of data ``at rest'' inside the United States is an insurmountable obstacle to the functioning of SCCs. In particular, to address the CJEU's ruling, Congress must:

Narrow the scope of Section 702 and EO 12333 surveillance;

Expand the role of the Foreign Intelligence Surveillance Court in supervising Section 702 and EO 12333 surveillance;

Ensure that individuals affected by U.S. surveillance can challenge improper surveillance in court; and

Limit retention and use of information under Section 702 and EO 12333.\6\

---------------------------------------------------------------------------
\6\ These reforms would not necessarily be sufficient to satisfy U.S. constitutional requirements.
---------------------------------------------------------------------------

Separately, Congress must also work to pass comprehensive consumer privacy protections. That legislation must provide clear and strong data-usage rules and ensure that discrimination cannot take on new life in the 21st century. It must also allow states to enact stronger protections and provide people the opportunity to sue companies that violate their privacy. However, we note that these privacy protections, while essential, will not address the concerns of the CJEU, which focused on the U.S. government's overbroad surveillance authorities and obstacles to redress for government surveillance. To address the ruling in Schrems II, the path forward requires reforms to Section 702 and EO 12333.

Background

Under E.U. law, companies are generally forbidden from transferring personal data to non-E.U. countries on a repeated or systematic basis, unless the transfer is conducted pursuant to one of the following:

1. Special Transfer Mechanisms. Companies may, through contracts such as SCCs or similar mechanisms, establish certain rules for data transfers to safeguard privacy rights. In some contexts, these safeguards can compensate for deficiencies in a non-E.U. country's law--e.g., if the non-E.U.
country lacks protections for consumer privacy, companies may use an SCC to commit to extend basic rights to consumers vis-a-vis the companies. In the U.S., however, no contract is capable of overcoming the fundamental problems with U.S. law identified by the CJEU: namely, the scope of U.S. foreign intelligence surveillance and obstacles to redress. No contract between two companies can narrow the sweep of government surveillance or ensure that targeted customers receive notice of classified surveillance.

2. Adequacy Decision. The European Commission may conclude, as a categorical matter, that a non-E.U. country provides an ``adequate'' level of protection through its domestic law and international commitments--as it did through Safe Harbor and then Privacy Shield--but the Commission's adequacy decisions are subject to review by the CJEU. The CJEU has interpreted the ``adequacy'' standard to require that the non-E.U. country provide a level of protection of fundamental rights and freedoms that is ``essentially equivalent'' to those provided under E.U. law.\7\

---------------------------------------------------------------------------
\7\ Schrems II 201, 203.
---------------------------------------------------------------------------

Because the CJEU has identified fundamental defects in U.S. law, discussed in greater detail below, U.S. reforms should be a prerequisite to the negotiation of a new E.U.-U.S. data-transfer agreement. Indeed, European Commissioner Didier Reynders has stated publicly that ``no quick fix'' will adequately address the requirements of E.U. law. But even if the European Commission were to agree to a quick fix, U.S. companies would still face substantial economic risks--including the risk that individual member-state Data Protection Authorities (``DPAs'') would halt data flows. In analyzing transfers conducted pursuant to SCCs and similar mechanisms, DPAs are not bound by the European Commission's conclusions about whether a non-E.U.
country's laws are adequate. Indeed, prior Commission adequacy decisions have acknowledged DPAs' authority to arrive at their own independent conclusions about whether to halt data transfers. And notably, in Schrems II, the CJEU held that DPAs are required to suspend data transfers if they conclude that such transfers are unlawful. To ensure that any new E.U.-U.S. data-transfer agreement withstands CJEU scrutiny, and to ensure that U.S. companies do not pay the price for a failed ``quick fix,'' Congress must enact the reforms below.

Reforms to U.S. Law

1. Narrow the Scope of Section 702 and EO 12333 Surveillance

For an adequacy decision to survive CJEU scrutiny, the non-E.U. country's laws may interfere with the protection of personal data ``only in so far as is strictly necessary.'' \8\ In Schrems I, the CJEU explained that, in conducting surveillance, the third country must employ an ``objective criterion'' limiting surveillance to purposes that are ``specific, strictly restricted and capable of justifying the interference.'' \9\ It also held that government access ``on a generalised basis to the content of electronic communications'' violates the ``essence'' of the right to private life.\10\ In Schrems II, the CJEU elaborated on these concerns with respect to Section 702 and EO 12333 surveillance. It explained that Section 702 ``does not indicate any limitations on the power it confers to implement surveillance programs,'' and it observed that the U.S. government collects communications in ``bulk'' under EO 12333\11\--i.e., it accesses communications on a ``generalised basis.''

---------------------------------------------------------------------------
\8\ C-362/14, Schrems v. Data Protection Comm'r (``Schrems I'') 92 (Sept. 23, 2015), http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=10588011.
\9\ Schrems I 93.
\10\ Schrems I 94.
\11\ Schrems II 183.
---------------------------------------------------------------------------

Congress should act immediately to narrow the scope of both Section 702 and EO 12333. With respect to Section 702, Congress can begin to address this issue by requiring an executive branch finding of reasonable suspicion that surveillance targets are ``foreign powers'' or ``agents of a foreign power'' outside of the United States--a clear ``objective criterion'' to justify the interference with private communications.\12\ In the alternative, Congress could narrow the definition of ``foreign intelligence information'' under 50 U.S.C. Sec. 1801(e), though this reform may not be sufficient to address the CJEU's concerns about the breadth of Section 702 surveillance.

---------------------------------------------------------------------------
\12\ Notably, ``foreign power'' and ``agent of a foreign power'' are defined rather broadly under FISA to include international terrorists, political factions, and entities acting under a foreign government's effective control. See 50 U.S.C. Sec. 1801(a)-(b).
---------------------------------------------------------------------------

With respect to EO 12333, Congress should prohibit bulk collection and require that surveillance be directed at specified targets. Separately, Congress should narrow EO 12333's definition of ``foreign intelligence,'' which currently allows the government to conduct surveillance to obtain any ``information relating to the capabilities, intentions, or activities of . . . foreign persons.''

2. Expand the Role of the Foreign Intelligence Surveillance Court in Supervising Section 702 and EO 12333 Surveillance

In invalidating Privacy Shield, the CJEU focused largely on the lack of independent approval of surveillance targets under Section 702 and EO 12333.
Under Section 702, the role of the FISC consists mainly of an annual review of general targeting and minimization procedures; the FISC does not evaluate whether there is sufficient justification to conduct surveillance on specific targets. Under EO 12333, the FISC has no role at all.

To address these concerns, and to ensure greater protection for Americans whose communications and data are swept up in this surveillance, Congress must enact significant changes to the FISC's role in supervising Section 702 and EO 12333 surveillance. At a minimum, the FISC or other independent entity should review targeting decisions on an individual ex post basis. Although this reform would likely require Congress to expand the number of FISC judges, it would enhance privacy protections for Americans swept up in this surveillance and, given the concerns of the CJEU, it is essential to ensuring the free flow of data between the E.U. and the U.S.

3. Ensure that Individuals Affected by U.S. Surveillance Can Challenge Improper Surveillance in Court

In Schrems II, the CJEU affirmed that individuals whose personal data is transferred from the E.U. must have access to judicial remedies to challenge the treatment of their data--remedies they lack under the current legal framework in the U.S. As a general matter, individuals do not receive notice that their information has been collected for foreign intelligence purposes, even in cases where notice would not jeopardize an active investigation. The lack of notice makes it difficult--if not impossible--for people subjected to illegal surveillance to establish standing to challenge that surveillance in U.S. courts.

Congress should enact two key reforms to expand access to meaningful remedies. First, a ``standing fix'': Congress can and should pass legislation to more clearly define what constitutes an ``injury'' in cases challenging government surveillance, as Senator Wyden and others proposed in a 2017 reform bill.
While standing is a constitutional requirement, the Supreme Court has been clear that Congress has a role to play in defining what qualifies as an ``injury'' for the purposes of standing. Congress could, for example, explain that where a person takes objectively reasonable protective measures in response to a good-faith belief that she is subject to surveillance, those protective measures constitute an injury-in-fact. This reform would allow more individuals to begin to litigate claims of unlawful surveillance in the public courts.

Second, Congress should require the executive branch to provide delayed notice of foreign intelligence surveillance to targets of that surveillance, where such notice would not result in an imminent threat to safety or jeopardize an active investigation. In addition, FISA should be modified to define ``derived,'' to ensure that the government fully complies with its existing statutory notice obligations.

4. Limit Retention and Use of Information Under Section 702 and EO 12333

In Schrems II, the CJEU found that U.S. surveillance law lacked sufficient safeguards, including with regard to the access and use of information.\13\ Under Section 702, the government has broad authority to retain and use the data it has collected. It can retain communications indefinitely if they are encrypted or are found to contain foreign intelligence information. Even for data that does not fall into either of these categories, the default retention period is as long as five years. The retention limitations for communications and data collected under EO 12333 are similar.

---------------------------------------------------------------------------
\13\ Schrems II 180.
---------------------------------------------------------------------------

Congress should enact additional restrictions on the use and retention of data collected under Section 702 and EO 12333.
In particular, Congress should require that where an agency seeks to retain data beyond the default retention period, the agency must establish that the data falls within a narrow subset of critical ``foreign intelligence.'' Congress should also limit the Section 702 and EO 12333 default retention period to three years.

Conclusion

For more information, please contact Senior Legislative Counsel Kate Ruane at [email protected] or (202) 675-2336, or Senior Staff Attorney Ashley Gorski at [email protected] or (212) 284-7305.

Sincerely,

Ronald Newman, National Political Director, National Political Advocacy Department.
Kathleen Ruane, Senior Legislative Counsel, National Political Advocacy Department.
Ashley Gorski, Senior Staff Attorney, National Security Project.

cc: Members of the Senate Committee on Commerce, Science, and Transportation

______

Response to Written Questions Submitted by Hon. Amy Klobuchar to Hon. Noah Joshua Phillips

Senator Klobuchar: Economic Impact of the Privacy Shield Invalidation on Small Business. More than 5,300 U.S. companies--which contribute nearly $1.1 trillion in total U.S. trade in goods and services with the EU--were impacted by the invalidation of the Privacy Shield. In your testimony, you highlight that more than 65 percent of small and medium-sized businesses participated in the Privacy Shield and that almost two-thirds of worldwide startups surveyed had customers or users in other countries.

Question 1. Can you elaborate on your concerns regarding the impact of the Privacy Shield's invalidation on small and medium-sized companies?

Answer. My concern is that the invalidation of Privacy Shield will have an outsized impact on small and medium-sized businesses. The program allowed U.S. businesses interested in European markets a simple and economical way to engage in necessary data transfers, for example of payment and shipping information.
That is why some 65 percent of the thousands of companies that enrolled in Privacy Shield were small and medium-sized businesses. Without it, these firms may be forced to shut down or limit access to transatlantic markets. While there are other legal bases through which to transfer the data of European customers to the U.S., they are costly and complicated; in most cases they are not viable options for smaller business. The net effect will be higher costs for small and medium-sized businesses and an uneven playing field that favors larger firms.

Question 2. In your view, what measures help ensure secure and stable cross-border data protections, particularly for small and medium-sized businesses?

Answer. Small and medium-sized businesses, like all businesses, benefit from stable, efficient, and economical means to transfer data across borders. The most important thing we can do is to finalize a new agreement with our European partners that will once again permit U.S. businesses efficiently and economically to transfer data from Europe. U.S. and EU negotiators are already hard at work on a replacement for Privacy Shield, and the Biden Administration should make it a priority to complete that effort. Congress should continue to support these efforts, as should the Federal Trade Commission. As we move forward, in particular in engagement with our allies in Europe, we must ensure that an American voice and point of view is part of the discussion about Internet governance, and be willing to defend our approach. Liberal democracies that value free speech and privacy should prioritize regulatory interoperability, and not let relatively minor differences impede mutually-beneficial commerce.

______

Response to Written Questions Submitted by Hon. Amy Klobuchar to Prof. Neil M. Richards

Consumer Access and Control/Privacy Shield Invalidation. In July, the European Union struck down the Privacy Shield following allegations that Facebook was providing U.S.
intelligence agencies with unlimited access to customers' data. In your testimony, you note that if the U.S. had ``adequate'' privacy legislation, the Privacy Shield would be unnecessary. Last December, I joined Senators Cantwell, Schatz, and Markey in introducing comprehensive privacy legislation to establish digital rules to protect consumers' data.

Question 1. While our bill is focused on commercial surveillance, do you agree that legislation like ours would help the U.S. strengthen privacy protections and rebuild trust with the EU?

Answer. Thank you for the opportunity to answer such perceptive and important questions. Strong, baseline commercial privacy legislation is essential to rebuilding trust with our EU trading partners and allies--and it would also be a tremendously good thing for Americans.

First, commercial privacy protections would strengthen our critically important relationships with the EU. At the December hearing, Mr. Sullivan from the Commerce Department suggested that there is not an international consensus on privacy rights. Simply put, he is wrong. There is an international consensus, and it is one being driven by the EU approach to privacy--including commercial privacy--as a fundamental right. As I have explored in some of my scholarship, while the United States used to be the global leader on privacy, it has ceded that right by inaction. The failure of successive Congresses over the past two decades to pass a comprehensive privacy statute has meant not just that Americans have had insufficient privacy protection in a time of rapid technological change, not just that this inadequacy has affected our global reputation, not just that the EU has taken the lead on global privacy standards, but that the EU standard has become a global trade standard.
If the United States wants to participate in these vital markets, it now has to do so according to standards that the EU has shaped through instruments like the Data Protection Directive and the GDPR.\1\
---------------------------------------------------------------------------
\1\ See Woodrow Hartzog & Neil M. Richards, Privacy's Constitutional Moment and the Limits of Data Protection, 61 Boston College Law Review 1687 (2020).
---------------------------------------------------------------------------

It's important to stress that since the 1990s, the European data protection regime (first the Directive, and since 2018 the GDPR) has primarily focused on what we'd call commercial privacy. The EU originated as the Common Market and has evolved from a trade federation, under the sensible idea that countries that trade together and share common economic interests become stronger allies and better partners. Before the Snowden Revelations and the Schrems litigation that it spawned, issues of cross-border data flows were primarily commercial trade issues, and the issues of ``adequacy'' of U.S. law largely revolved around whether companies like Google were processing the data of Europeans in ways that were consistent with EU law and the fundamental right to privacy and data protection those laws protect. The Schrems litigation has been of course about intelligence services accessing the data of Europeans, but if the United States wants to be deemed ``adequate'' and participate in the international data trade as an equal, respected, trusted partner, robust commercial privacy protections for all personal data held by U.S. companies will be essential. In this way, as I suggested at the December hearing, comprehensive commercial privacy reform by this Congress is a necessary (though not sufficient) condition for preserving and building trusted, sustainable, and profitable commercial relationships with our key European allies around personal data.
Second, putting the relationships with our European friends entirely to the side, comprehensive privacy reform would be good for America. Today, American consumers are at the mercy of powerful corporations that collect and process their data. The current American privacy regime relying on fictional notice and illusory choice utterly fails to protect American consumers from manipulation and exposure to data breaches, and I am gratified to see that a bipartisan consensus has emerged that recognizes these facts and is keen to do something about them.

The good news is that comprehensive privacy reform can be good for business as well as for consumers. Good businesses rest on trust, and the kinds of trusted, sustainable relationships that can last for decades. To use a technology example, many American consumers have decades-long trusted relationships with companies like Apple or Microsoft, and feel comfortable sharing sensitive information because they believe that those companies will be discreet, honest, protective, and loyal with their data. Unfortunately, this is not the case for many companies in the technology sector, particularly those who offer ``free'' services in exchange for sotto voce data barter transactions, the terms of which are almost impossible for consumers to understand, much less agree to freely. Sensible comprehensive privacy laws that protect consumers would reward the many companies that are already engaging in such behavior, and would eliminate any competitive advantage to cheat when it comes to data protection and consumer protection.

Question 2. Our bill also includes a provision to require companies to establish a privacy security program to regularly assess security vulnerabilities. Do you agree that data security programs can play a key role in ensuring secure and stable cross-border data protections?

Answer. Absolutely.
Meaningful data security requirements that ensure corporate accountability are critical for the consumer trust that is necessary for cross-border data sharing. In addition, data security has long been an obvious and essential part of the language of data protection, and it is part of the requirements of the GDPR for adequate levels (or to put it another way ``essentially equivalent'' levels) of data protection. GDPR Art. 45 & Recital 104. Comprehensive data security programs of the sort advocated by the FTC foreground the importance of data security, while they also regularize and professionalize its practice in firms. The key to security programs, however, is accountability--security program requirements must have teeth that require substantively adequate security under the circumstances and cannot be reduced to safe harbors that relieve companies of liability if they maintain minimal measures or go through a mere process of compliance.

______

Response to Written Questions Submitted by Hon. Kyrsten Sinema to Prof. Neil M. Richards

Small Businesses. Small businesses power Arizona's growing economy. We need to remove unnecessary burdens, and increase transparency and accessibility to support small businesses.

Question 1. How does the European Court of Justice's invalidation of the Privacy Shield framework harm small businesses that need to transfer data to or from Europe?

Answer. The European Court of Justice's invalidation of the Privacy Shield framework harms all American businesses and consumers, but many small businesses are likely to suffer particular harms. Those businesses that need to transfer data from Europe can no longer rely on the Privacy Shield to protect the transfer, and as small businesses they are unlikely to possess the resources to generate binding corporate rules. In the absence of an adequacy determination, this leaves only the model contracts, whose validity was called into question by the ECJ in Schrems II.
Under current post-Schrems II guidance from the European Data Protection Board, companies seeking to use the model contracts need to engage in a case-by-case analysis to assess the sufficiency of data protections for such transfers outside the European Economic Area. This analysis requires companies to assess not just the transfer, but the risks the transfer faces in the context of the privacy and intelligence regimes governing the transfer. In essence, this requires companies to engage in a full Schrems II-style ongoing analysis for each kind of transfer--something that would be daunting for a huge company like Google or Amazon, and would be impossible for many small businesses to engage in. Thus, the harm faced by American small businesses is the imposition of a difficult, if not impossible, regulatory burden should they wish to make transfers of EU personal data to the United States. This problem is caused by the mismatch between privacy and data protection regimes in the United States and the EU.

Question 2. While a long-term solution is crafted, how can Congress support small businesses that need to transfer data to or from Europe?

Answer. The best thing that Congress could do is to pass a comprehensive privacy statute with meaningful redress options for consumers, including a private right of action. The closer our American privacy regime gets to ``essential equivalence'' with the level of protection on the consumer side in the GDPR, the easier it will be to reach a durable, sustainable reconciliation with the EU. This is particularly the case because the Schrems II judgment left the model contractual clauses mechanism for cross-border transfer largely intact, subject to the caveat that European data exporters have to assess the risks of access in violation of EU data protection rights. To the extent that small businesses (and certainly particular kinds of small businesses) are less likely to have the kinds of data that the U.S.
Intelligence Community might seek to access, this will be less of a problem for them. On the other hand, as I explained in the previous answer, the scope, difficulty, and expense of this analysis will be beyond the resources of many small businesses. However, a higher level of privacy protection for all data held in the U.S. (especially the data of Europeans) would tend to lower the temperature of the cross-border conflict with the EU, making it easier to reach a long-term solution--ideally adequacy.

Speaking of adequacy, I note that at the December hearing, Mr. Sullivan from the Commerce Department suggested that adequacy was difficult, even impossible, to achieve, citing the examples of (I believe) India and Brazil as being countries very different from the United States. Mr. Sullivan's explanation was misleading at best and disingenuous at worst, as he forgot to mention a country that has adequacy which is very similar to the United States: Canada. Canada has had adequacy since the days of the old Data Protection Directive. If Canada can achieve adequacy with its own comprehensive privacy law, PIPEDA, the United States can as well, and I have great optimism that the new administration will take a more nuanced and informed approach to privacy and data protection issues than the perspective Mr. Sullivan espoused at the hearing.

The other thing that Congress can do is related to remedies to challenge unlawful surveillance. Practical and legal obstacles to the challenge of assertedly unlawful surveillance programs in the United States are significant, and are in my opinion a significant rule of law challenge.
As I argued in a widely-cited 2013 law review article, it is a basic element of the rule of law that a democratic, self-governing people should have the right to know and consent to what is being done by their intelligence services in their name, and there should be appropriate legal means to challenge surveillance programs that are asserted to be illegal or unconstitutional, just as with other government programs.\2\ To the extent that there are currently obstacles to relief, such obstacles are a major part of the problem with U.S. law that led to the invalidation of the Safe Harbor Agreement in Schrems I and the Privacy Shield in Schrems II. Indeed, much of my own testimony in that case dealt with the substantial obstacles to relief--including standing doctrine--that plaintiffs face in surveillance challenges. Here, too, Congress can help.
---------------------------------------------------------------------------
\2\ See Neil M. Richards, The Dangers of Surveillance, 126 Harv. L. Rev. 1934 (2013).
---------------------------------------------------------------------------

As the ACLU explained in its Statement on the Record in this hearing:

Congress should enact two key reforms to expand access to meaningful remedies. First, a ``standing fix'': Congress can and should pass legislation to more clearly define what constitutes an ``injury'' in cases challenging government surveillance, as Senator Wyden and others proposed in a 2017 reform bill. While standing is a constitutional requirement, the Supreme Court has been clear that Congress has a role to play in defining what qualifies as an ``injury'' for the purposes of standing. Congress could, for example, explain that where a person takes objectively reasonable protective measures in response to a good faith belief that she is subject to surveillance, those protective measures constitute an injury-in-fact.
This reform would allow more individuals to begin to litigate claims of unlawful surveillance in the public courts. Second, Congress should require the Executive Branch to provide delayed notice of foreign intelligence surveillance to targets of that surveillance, where such notice would not result in an imminent threat to safety or jeopardize an active investigation. In addition, FISA should be modified to define ``derived,'' to ensure that the government fully complies with its existing statutory notice obligations.

American Civil Liberties Union, Statement on the Record re: The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows, December 9, 2020, at 5, available at https://www.aclu.org/sites/default/files/field_document/2020-12-8_aclu_statement_for_the_record_senate_commerce_committee_hearing_on_privacy_shield.pdf.

In my opinion, the reforms proposed by the ACLU (particularly the first) would be an excellent place for Congress to start.

______

Response to Written Questions Submitted by Hon. Brian Schatz to Prof. Neil M. Richards

In your testimony, you asserted that it would be an ``important and necessary'' step, as well as good for business, to include a duty of loyalty in American privacy law.

Question 1. How would including a duty of loyalty in Federal privacy law help American businesses? What other laws and regulations have included the duties of loyalty and care?

Answer. A duty of loyalty would help American businesses by setting clear rules of the road with respect to what constitutes fair business practices in an economy seemingly fueled by the exploitation of personal data. At an earlier hearing on privacy reform last fall, Senator, I was struck by the truth and wisdom of your statement that ethical companies already know that being loyal to their customers is good business, and so a duty of loyalty is only a burden for companies who want to be disloyal.
In a market economy like ours, incentives for disloyalty can be a massive problem. When there are no rules, anything goes, and well-meaning companies staffed by ethical professionals nonetheless feel the unyielding pressures of the market to match the tactics of those who cheat and act in disloyal ways. A duty of loyalty would level the playing field and create incentives for competition and business innovation in ways that make things better for human customers, rather than creating incentives for companies to manipulate those consumers.

To be sure, manipulation is a real risk here. In her excellent book The Age of Surveillance Capitalism, Harvard's Shoshana Zuboff explains how tech companies discovered that digital services create transactional metadata with many uses.\3\ These companies first used the data to improve their services, making them more efficient (such as by refining their search engines or interfaces) in ways that made things better for everyone--the tech companies and their human customers. The second step, though, allowed companies to use transactional and other data to anticipate or predict what consumers could want or how they could be more effectively marketed to or influenced through ``personalization.'' Zuboff goes on to describe a third stage--the use of transactional data and the techniques of behavioral science to manipulate consumers and have them behave in ways that were optimal to the companies or their advertiser clients.

The first of these stages--product improvement through data--is a good thing in which the incentives of consumers and companies align to want better products. The second, prediction (sometimes called ``personalization'') is problematic when it is used in ways that are not in the best interests of the consumers, and the third--outright manipulation--is almost always problematic. At present, many uses of data that fall in categories two and three are legal.
What's more, because thin, opt-out consent is easy to manufacture in a digital environment, any mere opt-out regime would be insufficient to protect consumers.\4\ A duty of loyalty requiring companies to act in the best interests of their vulnerable human customers would help solve these problems. It would ensure that category two cases use the benefits of personalization to advance the interests of consumers, rather than preying on their individual vulnerabilities and human cognitive limitations. And it would also eliminate problematic cases of outright manipulation in category three, in which a company can use information it knows about a consumer to get them to dance to its own tune.
---------------------------------------------------------------------------
\3\ Shoshana Zuboff, The Age of Surveillance Capitalism (2019).
\4\ Neil Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96 Wash. U.L. Rev. 1461 (2019).
---------------------------------------------------------------------------

Duties of loyalty are not a new idea. In fact, they have a long and proud tradition in Anglo-American law. Many duties of loyalty arise in the fiduciary context, in which there is a less sophisticated party who must trust another who possesses more power, wealth, or expertise. As Dr. Woodrow Hartzog and I explain in our detailed paper, ``A Duty of Loyalty for Privacy Law,'' our law has imposed loyalty duties on a wide variety of relationships typified by power differentials, including the law of trustees, corporate officers, agents, guardians of wards, lawyers, doctors, financial advisors, and others.\5\ This body of law is extensive, and it has ancient roots in our law. Imposing a duty of loyalty on a relationship is a significant step, but it is a time-honored and appropriate step where there is vulnerability.
As we argue in our paper on loyalty, the current digital environment is characterized by vulnerability, in which human consumers and citizens trust their online experiences and well-being to powerful, sophisticated, and highly capitalized technology companies. In so doing, they are exposed to risks of manipulation, malware, identity theft, misinformation, nudging, and radicalization, among others. Our thesis is simple: ``a duty of loyalty framed in terms of the best interests of digital consumers should become a basic element of U.S. data privacy law. A duty of loyalty would compel loyal acts and also constrain conflicted, self-dealing behavior by companies. It would shift the default legal presumptions surrounding a number of common design and data processing practices. It would also act as an interpretive guide for government actors and data collectors to resolve ambiguities inherent in other privacy rules. A duty of loyalty, in effect, would enliven almost the entire patchwork of U.S. data privacy laws. And it would do it in a way that is consistent with U.S. free expression goals and other civil liberties.'' \6\
---------------------------------------------------------------------------
\5\ Neil Richards & Woodrow Hartzog, A Duty of Loyalty for Privacy Law, at ms. 22-23 (draft article forthcoming 2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3642217.
\6\ Id. at ms. 7.
---------------------------------------------------------------------------

At the hearing, we heard testimony that the European Commission considers the privacy laws of only a couple of countries to be ``adequate'' for international data transfers.

Question 2. Would a comprehensive privacy law that includes a duty of loyalty help the United States achieve ``adequacy'' by the European Commission for international data transfers?

Answer.
In all, the EU has granted adequacy to twelve nations or jurisdictions--Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. In addition, advanced talks are in progress with both South Korea and the post-Brexit United Kingdom.\7\ I should also note that I followed the discussion of adequacy by Mr. Sullivan at the hearing with great interest. It is correct that the EU made an adequacy determination for a group of countries, but the prospects for adequacy are hardly as bleak as Mr. Sullivan suggested. As I explained in my response to Sen. Sinema's questions, Mr. Sullivan omitted Canada from his examples of countries that have obtained adequacy, though I must assume that this was merely an oversight on his part. In fact, if we look at the countries that have achieved adequacy, many are like the United States in important respects, and many of them are post-industrial democracies with advanced technologies and a robust commitment to the rule of law. Moreover, as I have already mentioned, the fact that Canada has been deemed adequate for two decades suggests that if the United States were to do the things that are necessary for adequacy, the EU would be delighted to bring the United States into that group.
---------------------------------------------------------------------------
\7\ European Commission, Adequacy Decisions, visited Feb. 9, 2021, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
---------------------------------------------------------------------------

I would be happy to talk more about adequacy at a future hearing, but for now I can answer your question succinctly by saying the following. The EU evolved from a trade federation and common market, and its laws are largely related to those interests.
Until the Schrems litigation, adequacy was seen as almost exclusively a question of commercial data--were the protections for personal data in a particular country ``essentially equivalent'' to those in the EU such that an adequacy determination was warranted? The Schrems cases raise questions of intelligence gathering and of intelligence reform if the United States wishes to participate fully in the trans-Atlantic data trade, but it still remains true that adequacy determinations require substantial commercial protections.

Article 45 of the GDPR governs adequacy determinations, and provides that, in assessing the adequacy of a country's level of data protection, the European Commission must look at (a) its rule of law, respect for human rights (including privacy and data protection), and relevant laws governing government access to personal data, as well as whether there are ``effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred''; (b) the existence of agencies that supervise compliance with data protection rules; and (c) a country's international commitments on data protection issues. GDPR Recital 104 helpfully clarifies this standard as whether the country can ``offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union.''

Thus, there are two key parts to an adequacy determination: (1) a comprehensive privacy law imposing affirmative duties on companies that process our data, and providing remedies for violations, and (2) surveillance reform. With respect to (1), it is my opinion that a robust comprehensive U.S. privacy law containing a duty of loyalty would offer the best pathway to satisfying element (1).
A duty of loyalty would constrain companies from acting in self-interested ways with our data (and with the data of EU citizens), it would offer remedies for violations, and it would contribute to the overall robustness and commitment to the rule of law for data processing in the United States. It would go a long way to providing the key ``essential equivalence'' with respect to commercial data that adequacy hinges on--particularly as the EU itself is considering a variant of a duty of loyalty as it continues to develop its own privacy laws.\8\ Moreover, for the reasons I have given in these responses and elsewhere in my writings, I believe that a duty of loyalty for privacy law in the United States would also be excellent policy.
---------------------------------------------------------------------------
\8\ See, e.g., European Commission, Proposal for a Regulation on European Data Governance (Data Governance Act), Nov. 25, 2020 (containing a duty, like a duty of loyalty, under which ``Data sharing providers that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.''), available at https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-european-data-governance-data-governance-act.
---------------------------------------------------------------------------