[Senate Hearing 116-629]
[From the U.S. Government Publishing Office]
S. Hrg. 116-629
THE INVALIDATION OF THE EU-U.S.
PRIVACY SHIELD AND THE FUTURE
OF TRANSATLANTIC DATA FLOWS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
DECEMBER 9, 2020
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
Available online: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-856 PDF WASHINGTON : 2023
-----------------------------------------------------------------------------------
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota
ROY BLUNT, Missouri
TED CRUZ, Texas
DEB FISCHER, Nebraska
JERRY MORAN, Kansas
DAN SULLIVAN, Alaska
CORY GARDNER, Colorado
MARSHA BLACKBURN, Tennessee
SHELLEY MOORE CAPITO, West Virginia
MIKE LEE, Utah
RON JOHNSON, Wisconsin
TODD YOUNG, Indiana
RICK SCOTT, Florida
MARIA CANTWELL, Washington, Ranking
AMY KLOBUCHAR, Minnesota
RICHARD BLUMENTHAL, Connecticut
BRIAN SCHATZ, Hawaii
EDWARD MARKEY, Massachusetts
TOM UDALL, New Mexico
GARY PETERS, Michigan
TAMMY BALDWIN, Wisconsin
TAMMY DUCKWORTH, Illinois
JON TESTER, Montana
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
John Keast, Staff Director
Crystal Tully, Deputy Staff Director
Steven Wall, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel
CONTENTS
----------
Hearing held on December 9, 2020
Statement of Senator Wicker
Statement of Senator Cantwell
Statement of Senator Blackburn
Statement of Senator Blumenthal
Statement of Senator Thune
Statement of Senator Peters
Statement of Senator Schatz
Statement of Senator Scott
Statement of Senator Rosen
Witnesses
James M. Sullivan, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce
    Prepared statement
Hon. Noah Joshua Phillips, Commissioner, Federal Trade Commission
    Prepared statement
Victoria A. Espinel, President and Chief Executive Officer, BSA | The Software Alliance
    Prepared statement
Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics, Scheller College of Business, Georgia Institute of Technology
    Prepared statement
Prof. Neil M. Richards, Koch Distinguished Professor in Law; Director, Cordell Institute for Policy in Medicine and Law, Washington University in St. Louis
    Prepared statement
Appendix
Letter dated December 9, 2020 to Hon. Roger Wicker and Hon. Maria Cantwell from Ronald Newman, National Political Director, National Political Advocacy Department; Kathleen Ruane, Senior Legislative Counsel, National Political Advisory Department; and Ashley Gorski, Senior Staff Attorney, National Security Project
Response to written questions submitted by Hon. Amy Klobuchar to:
    Hon. Noah Joshua Phillips
Response to written questions submitted to Prof. Neil M. Richards by:
    Hon. Amy Klobuchar
    Hon. Kyrsten Sinema
    Hon. Brian Schatz
THE INVALIDATION OF THE EU-U.S.
PRIVACY SHIELD AND THE FUTURE
OF TRANSATLANTIC DATA FLOWS
----------
WEDNESDAY, DECEMBER 9, 2020
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:02 a.m., in
room SR-253, Russell Senate Office Building, Hon. Roger Wicker,
Chairman of the Committee, presiding.
Present: Senators Wicker [presiding], Thune [presiding],
Blackburn, Scott, Cantwell, Blumenthal, Schatz, Peters, and
Rosen.
OPENING STATEMENT OF HON. ROGER WICKER,
U.S. SENATOR FROM MISSISSIPPI
The Chairman. Good morning, and welcome to today's hearing
on the ``Invalidation of the EU-U.S. Privacy Shield and the
Future of Transatlantic Data Flows''. I extend a special
welcome to our distinguished panel of witnesses and thank them
for appearing today.
Today we will hear from Mr. James Sullivan, Deputy
Assistant Secretary for Services with the International Trade
Administration at the Department of Commerce; the Honorable
Noah Phillips, Commissioner at the Federal Trade Commission;
Ms. Victoria Espinel, President and Chief Executive Officer at
BSA | The Software Alliance; Mr. Peter Swire, who is the
Elizabeth and Tommy Holder Chair of Law and Ethics at the
Georgia Tech Scheller College of Business and Research Director
at the Cross-Border Data Forum; and Mr. Neil Richards, Koch
Distinguished Professor of Law at Washington University in St.
Louis School of Law.
And I assume Mr. Richards is appearing by video. I have
been told that. That is great. Data is the lifeblood of the
global digital economy. Free movement of data across national
borders underpins trillions of dollars of international trade,
commerce, and investment. Data serves as a catalyst for
innovation, productivity, and economic growth, and helps
promote U.S. competitiveness in technology leadership around
the world. According to one estimate, digitally-enabled trade
amounted to between $800 and $1,500 billion globally in 2019,
and is projected to raise global GDP by over $3 trillion this
year. To sustain digital trade and the free flow of data,
governments have sought to eliminate trade barriers and
safeguard the privacy and security of consumers' personal data,
a top priority of this committee.
Maintaining a shared commitment to protecting consumers'
personal data has been particularly important to our trade
relationship with Europe. In 2016, the United States and the
European Union agreed to the Privacy Shield framework. This
framework established a legal mechanism to provide for transfer
of EU citizens' personal data to the United States in
compliance with EU data protection laws. The establishment of
the Privacy Shield was intended to ensure that over 5,000 small
and medium sized businesses spanning several economic sectors
in both the U.S. and EU could continue engaging in
transatlantic digital commerce without disruption.
Among other things, the Privacy Shield required
participating organizations to give notice about their
collection and use of the data of EU citizens, and give
individuals the right to opt out of having their personal
information disclosed to a third party. Organizations were also
required to implement effective redress mechanisms for EU
citizens to file complaints about how their data is used
outside of the EU. And the United States was required to
appoint an ombudsperson at the State Department to ensure
complaints were properly investigated. The Privacy Shield
included additional assurances that there would be clear
conditions, limitations, and active oversight concerning
Government access to EU citizens' personal data for National
Security purposes. In July of this year, the European Court of
Justice invalidated the Privacy Shield, and that is the reason
we are here today, citing inadequate data protections in the
U.S. based on our surveillance laws and an alleged lack of
redress rights for EU citizens in the United States.
Today's hearing is an opportunity to discuss what can be
done to develop a durable and lasting data transfer framework
between the United States and the EU that provides meaningful
data protections to consumers, sustains free flow of
information across the Atlantic, and encourages continued
economic and strategic partnership with our European allies. A
tall order, but an essential order. A solution begins with
understanding the underlying issues that led to the
invalidation of the Privacy Shield this summer. I hope our
witnesses will discuss the merits of the Privacy Shield to
redress rights for EU citizens and how U.S. intelligence
practices compare to those of the EU member states.
I also look forward to witnesses addressing how the
invalidation of the Privacy Shield affects the viability of
other data transfer mechanisms. To take one example, in a
mechanism called Standard Contractual Clauses, exporters of EU
citizens' data to the U.S. now have to carry out an assessment
of whether U.S. law provides adequate protections. The EU's
Data Protection Board recently issued guidance on how to comply
with EU law while relying on standard contractual clauses to
transfer data across the Atlantic. But in issuing this
guidance, the EU Data Protection Board acknowledged that the
implementation of these measures may still be insufficient to
transfer data legally to the U.S. and other non-EU countries.
With this in mind, I hope witnesses will discuss how U.S.
businesses can confidently conduct transatlantic data transfers
in compliance with EU laws as we continue bilateral
negotiations to replace the Privacy Shield. I welcome the
European Commission's commitment to continue working with the
United States to ensure continuity of safe data flows in a
manner that reflects the values we share as democratic
societies. And I had a very productive and informative
conversation with members of the European Commission just
yesterday.
Finally, a major priority of this committee has been
strengthening consumer data privacy through the development of
bipartisan Federal data privacy law. I look forward to
witnesses discussing how a comprehensive data privacy law with
strong enforcement and meaningful privacy and redress rights
for consumers might be able to aid efforts to develop a
successor data transfer framework between the United States and
the EU.
Having said that mouthful and gone 3 minutes over, I thank
you for your participation and I turn to my dear friend and
colleague, Ranking Member Cantwell, for her opening remarks.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman, and thank you
for holding this hearing. Also, thank you for your leadership
on the Helsinki Commission. I certainly appreciate your hard
work in both of those roles and trying to solve and--resolve
these issues between the United States and the European Union.
So I also want to thank our colleagues, Senators Cardin and
Shaheen, for also working on that Helsinki Commission and these
important issues. The decision by the European Court of Justice
earlier this summer makes it abundantly clear we need to have a
new agreement between the United States and Europe to address
the transatlantic data flow. It must be a top priority by the
Biden Administration. We must ensure the continued free flow of
commercial data between the United States and Europe.
When I think about the Mexico Free Trade Agreement and
getting the digital provisions in there, this is something that
is now the norm. This is not an obscure thing. It is going to
become more and more and more about trade and figuring out
trade. Trade is digital. So a lot is at stake. The U.S. and EU
digital trade is worth more than $300 billion annually,
including more than $218 billion in U.S. exports to Europe. So
a very important export issue. And every business that exports
and imports, has a presence or investment in the U.S. and
Europe will face difficulties if there are barriers to cross-
border data transfer. In all, more than $1 trillion in U.S.-
European trade is at risk.
With the invalidation of the Privacy Shield Agreement, we
now have lost the most straightforward legal tool for
transferring data from the EU to the US. And this is a
particular problem for small and medium sized businesses. It
also puts some of our largest and more sophisticated companies
at a disadvantage and casts doubt on the protection of their
digital services and what they provide. Europe and the United
States have had a long history of working together, and to
address our global challenges and security issues at the same
time, we must redouble those efforts.
We must continue to work closely to defend our shared
values for democracy and the rule of law. And I want to see the
U.S. and Europe working together on these very important
national concerns, trade and technology, so that we can
continue to improve economic opportunities and avoid moves
toward protectionism. We need to start by coming together on
protecting data, but we also must increase bilateral
cooperation on a broad digital agenda: 5G, 6G, a regulatory
framework for artificial intelligence, autonomous vehicles,
cybersecurity, and disinformation standards. So I support the
European proposal to create a U.S.-European Technology Council
for dialogue. Maybe the Commission, the Helsinki Commission and
others can help on this.
We can work together in multilateral organizations like the
OECD and the G7 to confront the challenges from China and
Russia so that we can focus more on what the standards are for
the next generation of technology and to ensure for the proper
protection of intellectual property. This must be our larger
goal. If we fail to increase our cooperation on digital issues,
our economy will suffer the consequences. The free flow of data
between the United States and Europe is especially critical to
5,000-plus tech companies in the State of Washington, which
generate more than $2.8 billion in digital export. And so
equally important here today are the privacy issues that we are
still working on as a committee.
These are important issues. So we don't want consumers left
behind. We want them to have control over their personal,
privacy data. We want, at the State and Federal level, to make
sure that we have the right safeguards in place for consumers.
So I guarantee you the United States and European citizenry are
on the same page. These are the concerns that we all share,
that the U.S. may have, at a Government level, a bulk
collection of intelligence information that might violate those
privacy rights. So we have to work hard to resolve this issue
of the Privacy Shield and work hard on privacy legislation next
year.
So thank you, Mr. Chairman. I look forward to working with
you in resolving the issues between us on our two bills, and
certainly we have made progress. It is a very hard issue. But
the digital world is not going away, so we have to not only
pioneer it, but pioneer the laws and safeguards that go along
with it. Thank you very much.
The Chairman. And thank you for that very fine statement,
Madam Ranking Member. And we now have an opportunity for
opening statements by our distinguished panel. Prepared
statements will be submitted and included in full in the record
at this point, and we ask each witness to summarize in 5
minutes or less.
Let me also say, we have a vote--we have a series of three
roll call votes at 11 a.m., and I think what we will do,
Senator Cantwell, is just continue the hearing and we will ask
members, two members of the Committee to preside while we go
back and forth.
Three 15-minute votes take us well over an hour in the
U.S. Senate. So we would be advised that that will not be a
particularly steep hill for us to climb. Mr. Jim Sullivan, what
do you have to tell us in 5 minutes? You bet, yes.
STATEMENT OF JAMES M. SULLIVAN,
DEPUTY ASSISTANT SECRETARY FOR SERVICES,
INTERNATIONAL TRADE ADMINISTRATION,
U.S. DEPARTMENT OF COMMERCE
Mr. Sullivan. Good morning, Chairman Wicker, Ranking Member
Cantwell, distinguished members of the Committee. Thank you for
the invitation to testify about the EU-U.S. Privacy Shield
Framework and the recent Schrems II decision by the Court of
Justice of the European Union. I am heartened by your
bipartisanship on the importance of cross-border data flows. I
appreciate the Committee's very active engagement on Privacy
Shield in the five months since the court's ruling.
As the Deputy Assistant Secretary for Services in the
International Trade Administration, I oversee the Office of
Digital Services Industries and the team responsible for U.S.
Government, administration, and oversight of the Privacy Shield
framework. During the 3-year period between July 2017 and July
2020, the Privacy Shield team and I led three successful joint
annual reviews of the functioning of the framework with our
partners in the European Commission and European data
protection authorities. We also facilitated a 125 percent
increase in the number of Privacy Shield participants, from
2,400 to 5,400 companies, that relied on the framework to
conduct transatlantic trade.
Our Office of Digital Services Industries has long
advocated for policies that support the free flow of data
across borders as essential to global commerce, and I welcome
this opportunity to comment on the status of transatlantic data
flows today. And with the growth in Internet connectivity and
the accelerating digitization of the global economy, cross-
border data flows have become just as important to growing
American jobs and competitiveness as U.S. trade in goods and
services. Because the United States has been a preeminent
innovator and early adopter of information and communications
technology, our Nation occupies a singular leadership role in
the digital economy today.
With the July 16th decision in the Schrems II case,
however, data transfers from one of our largest trading
partners are now under serious threat. In addition to
invalidating the European Commission's adequacy decision for
the Privacy Shield framework, the Schrems II decision has also
called into question the reliability of other key mechanisms
for moving personal data from Europe to the United States.
That ability to transfer data, including personal data,
seamlessly across borders generates enormous benefits for our
Nation. It affords Americans greater opportunities and a better
quality of life by allowing us all to interact with people and
organizations anywhere in the world. It allows our businesses,
no matter how large or small, to use the Internet to market and
deliver their goods and services wherever data is allowed to
flow. And with technologies like 5G, the Internet of Things,
and AI, the next wave of digital innovation is already here and
the ability to transfer data across borders is an essential
driver of innovation, competitiveness, and economic growth.
At this particular moment in history, moreover,
international data flows enable the data sharing and
collaborative research critical to understanding the COVID-19
virus, to mitigating its spread, and to expediting the
discovery and the development of treatments and vaccines. The
United States and the European Union enjoy a $7.1 trillion
economic relationship with $5.6 trillion in transatlantic trade
annually. By some estimates, nearly $450 billion of this trade
involves digital services.
In truth, given the ongoing digitization of virtually every
sector of our economy and the fact that transatlantic data
flows are the highest in the world, far more of that $5.6
trillion in trade is facilitated in some fashion by cross-
border transfers of data. Now, despite our shared recognition
of the importance of privacy and data protection, the United
States and the European Union do differ in our respective legal
approaches. As a general matter, the United States has adopted
a sectoral approach to privacy with Federal laws focused on
protecting certain types of particularly sensitive data, such
as financial or medical information.
The European Union, by contrast, largely protects all
personal data under a single set of rules set forth in one law,
the General Data Protection Regulation, or GDPR. And it
prohibits companies from transferring EU personal data outside
Europe, except under special circumstances. Transfers are
expressly permitted to a recipient in a third country, for
example, if the European Commission has determined that the
laws of that country provide an adequate level of data
protection, which is essentially equivalent to that afforded
under EU law. If there is no adequacy decision for a country, a
company may still transfer EU personal data to a recipient in
that country by using an EU-approved data transfer mechanism.
As the European Commission has not made an adequacy
decision for the United States, the primary transfer mechanisms
used by U.S. companies have been standard contractual clauses,
or SCCs, and until recently, Privacy Shield. Privacy Shield was
negotiated as a successor to the 15 year old Safe Harbor
Framework, which itself was invalidated by the EU Court of
Justice in the 2015 Schrems I case in the wake of the Snowden
disclosures. Finalized in July 2016, Privacy Shield created the
ombudsperson mechanism at the State Department to investigate
certain requests from EU individuals related to U.S. National
Security access to their personal data. Because the privacy----
The Chairman. Mr. Sullivan, we are going to put your whole
statement into the record. If you could summarize in 30 more
seconds so we can move along.
Mr. Sullivan. Sure. As framed by the court, the central
question in Schrems II was whether, in view of U.S. law and
practice regarding Government access to personal data for
National Security purposes, Privacy Shield and SCCs provide
sufficient safeguards to EU personal data transferred to the
United States. Although the European Commission and several EU
member states joined the U.S. Government in arguing that U.S.
law and practice do, in fact, satisfy EU data protection
standards, the court answered the question with respect to
Privacy Shield with a definitive ``no.''
And that ruling has created enormous uncertainties for U.S.
companies and the transatlantic economy at a particularly
precarious time. Effective immediately, the 5,400 Privacy
Shield participants could no longer rely on the framework as a
basis for transferring personal data. And because neither the
court nor the European data protection authorities provided for
any enforcement grace period, these companies were basically
left with three choices: they could do nothing and risk huge
fines for violating GDPR, they could withdraw from the European
market altogether, or they could switch right away to other
more expensive data transfer mechanisms----
The Chairman. OK, we will take the rest of the statement
for the record.
Mr. Sullivan. Thank you.
[The prepared statement of Mr. Sullivan follows:]
Prepared Statement of James M. Sullivan, Deputy Assistant Secretary for
Services, International Trade Administration, U.S. Department of
Commerce
1. INTRODUCTION
Good morning, Chairman Wicker, Ranking Member Cantwell, and
distinguished Members of the Committee.
Thank you for the invitation to testify about the EU-U.S. Privacy
Shield Framework and the recent Schrems II decision by the Court of
Justice of the European Union. I am heartened by your bipartisanship on
the importance of cross-border data flows and appreciate the
Committee's active engagement on Privacy Shield in the five months
since the Court's ruling.
As the Deputy Assistant Secretary for Services in the International
Trade Administration, I oversee the Office of Digital Services
Industries and the team responsible for U.S. Government administration
and oversight of the Privacy Shield Framework. During the three-year
period between July 2017 and July 2020, the Privacy Shield Team and I
led three successful joint annual reviews of the functioning of the
Framework with the European Commission and European data protection
authorities, and facilitated a 125 percent increase in the number of
Privacy Shield participants--from 2,400 to 5,400 U.S. companies that
relied on the Framework to conduct transatlantic trade.
The International Trade Administration's Office of Digital Services
Industries has long been focused on digital trade and data governance
issues, advocating for policies that support the free flow of data
across borders as essential to global commerce. As such, I welcome this
opportunity to comment on the status of transatlantic data flows today.
With the growth in Internet connectivity and accelerating
digitization of the global economy, cross-border flows of data have
become just as important to growing American jobs and global
competitiveness as U.S. trade in goods and services. Because the United
States has been a preeminent innovator and early adopter of information
and communications technology, our Nation occupies a singular
leadership role in the digital economy today.
With the July 16, 2020 decision by the Court of Justice of the
European Union in the Schrems II case, however, data transfers from one
of the United States' largest trading partners are now under serious
threat. In addition to invalidating the European Commission's adequacy
decision for the EU-U.S. Privacy Shield Framework, the Schrems II
decision has also called into question the reliability of the other key
mechanisms for moving personal data from Europe to the United States.
My testimony will first explore why transatlantic data flows are so
important to the U.S. economy. I will then review briefly the differing
regulatory approaches to data privacy in the United States and the
European Union, and how we have managed to bridge those differences in
the past through innovative frameworks like Privacy Shield. Finally, I
will discuss the Schrems II decision, its implications for U.S.
businesses, and the Administration's efforts to restore legal certainty
around transatlantic data flows by negotiating mutually acceptable
standards of data privacy through targeted enhancements to the Privacy
Shield Framework.
At the outset, I should note that I am limited as to what details I
can share at this time with respect to discussions with the European
Commission.
2. IMPORTANCE OF TRANSATLANTIC DATA FLOWS
The ability to transfer data--including consumers' personal data--
seamlessly across borders generates enormous benefits for our citizens,
our businesses, and our Nation.
It affords Americans greater opportunities and a better quality of
life--by allowing us all to interact with people and organizations
anywhere in the world and access an ever-growing number of goods and
services that can be tailored to our individual needs and preferences.
It allows our businesses, no matter how large or small, to use the
Internet to more easily market and deliver their ideas, goods and
services--wherever data is allowed to flow. Today, solo entrepreneurs
and small- and medium-sized enterprises can reach global markets--and
the 4.5 billion people now connected to the Internet--with
unprecedented ease. American businesses of all sizes in every industry
rely on personal data to facilitate transactions; enhance efficiencies;
reduce costs; generate new customer insights; improve the quality of
products and services; prevent and mitigate fraud; and manage their
international networks of employees, customers, and suppliers.
With technologies like 5G, the Internet of Things, robotics, and
artificial intelligence, the next wave of digital innovation is already
here, and the ability to transfer data across borders--to and from
Europe and other places in the world--is an essential driver of
commercial competitiveness, economic growth, innovation, job creation,
and wage growth worldwide. The economic benefits are clear not only for
the United States but for Europe itself. At this particular moment in
history, moreover, international data flows enable the data sharing and
collaborative research critical to understanding the COVID-19 virus,
mitigating its spread, and expediting the discovery and development of
treatments and vaccines.
The United States and the European Union enjoy a $7.1 trillion
economic relationship--with $5.6 trillion in transatlantic trade
annually. According to some estimates, nearly $450 billion of this
trade involves digital services. In truth--given the ongoing
digitization of virtually every industry sector and the fact that
cross-border data flows between the U.S. and Europe are the highest in
the world--far more of that overall $5.6 trillion in trade is
facilitated in some way by cross-border transfers of data.
3. DIFFERENT APPROACHES TO DATA PRIVACY
Despite our shared recognition of the importance of consumer
privacy and data protection, the United States and the European Union
differ in our respective legal approaches.
As a general matter, the United States does not have one
comprehensive data protection or privacy law. Privacy is regulated
through a number of laws enacted at the Federal and state level.
Federal laws often vary considerably in their purpose and scope. Many
Federal laws impose data protection requirements tailored to specific
sectors, such as finance, health, and communication. Several Federal
laws focus on protecting certain types of particularly sensitive and
at-risk consumer data. These include an individual's financial and
medical information; children's online information; background
investigations and ``consumer reports'' for credit or employment
purposes; and certain other specific categories of data. All 50 states
have also enacted legislation requiring private or governmental
entities to notify individuals of security breaches of personally
identifiable information.
The European Union, by contrast, largely protects all personal data
under a single set of rules set forth in one law--the General Data
Protection Regulation or ``GDPR.''
As a general matter, EU law also prohibits a company from
transferring EU personal data outside Europe except under special
circumstances.
First, transfers are expressly permitted to a recipient in a third
country if the European Commission has determined that the national
laws of that country provide an ``adequate level of protection'' for
personal data which is ``essentially equivalent'' to the level afforded
under EU law. There are only 12 jurisdictions in the entire world that
the European Commission currently considers to ensure an adequate level
of protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey,
Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and
Japan.
And second, if there is no adequacy decision for a country, a
company may still transfer EU personal data to a recipient in that
country by using an EU-approved ``transfer mechanism'' that ensures
sufficient data protection by the recipient. Standard Contractual
Clauses or ``SCCs'' are the main transfer mechanism used by 90 percent
of companies that transfer EU personal data internationally. Another
option, Binding Corporate Rules or BCRs, is a set of legally
enforceable internal policies for data transfers within a group of
enterprises, typically large multinational organizations. Owing to a
lengthy and expensive approval process, however, relatively few
organizations--only about a hundred around the world--have adopted
BCRs.
As the European Commission has not made an adequacy decision for
the United States as a whole, the primary EU-approved data transfer
mechanisms used by U.S. companies have been SCCs and, until recently,
the EU-U.S. Privacy Shield, which was a ``partial'' adequacy decision
in that it only covered transfers to Privacy Shield-certified companies
in the United States.
The EU-U.S. Privacy Shield Framework
Privacy Shield was negotiated as a successor to the 15-year old
Safe Harbor Framework. Under Safe Harbor, over 4,000 U.S. companies
made legally enforceable promises that allowed for the transfer of EU
personal data to the United States in compliance with EU law. In 2013,
Austrian data privacy activist Max Schrems challenged Safe Harbor, and
in 2015--spurred by Edward Snowden's unauthorized disclosures of
national security information--the Court of Justice of the European
Union invalidated the European Commission's adequacy decision that had
underpinned the Framework since 2000.
To address the Schrems I decision, and in anticipation of GDPR's
implementation in 2018, the Department of Commerce and its interagency
partners worked with the European Commission to develop and maintain a
modernized and durable transatlantic data protection framework. After
months of intense negotiations, the United States and the European
Commission finalized the EU-U.S. Privacy Shield Framework in July 2016.
Under the terms of the new Framework, the United States created the
Privacy Shield Ombudsperson Mechanism at the State Department to
investigate certain requests from EU individuals related to national
security access to EU personal data transmitted to the United States.
Because the Privacy Shield Ombudsperson Mechanism applied to EU
personal data transmitted to the United States pursuant to any transfer
tool approved under EU law (including SCCs and BCRs), Privacy Shield
became a key enabler of all transfers of EU personal data to the United
States.
The International Trade Administration's Privacy Shield Team serves
as the interagency lead for the Framework and administers the day-to-
day functioning of the Privacy Shield Program. It works with eligible
organizations seeking to certify to the Framework by verifying that
they have developed a Privacy Shield-compliant privacy policy;
identified an independent recourse mechanism to investigate complaints;
contributed to an arbitration fund; implemented compliance procedures;
and designated a representative to handle questions, complaints, data
access requests, and other issues related to the organization's
participation in the Program.
Once the Privacy Shield Team finalizes an organization's
certification, it then adds that organization to the public-facing
``Privacy Shield List''. This list enables European companies or other
interested parties to verify whether data can be transferred to the
organization under the Framework.
An organization's public commitments to abide by the Framework's
requirements are legally enforceable. Accordingly, to support the
integrity of the Program, the Privacy Shield Team monitors
organizations' compliance and potential ``red flags'' on an ongoing
basis--and refers matters that may warrant further investigation to the
Federal Trade Commission or the Department of Transportation for
potential enforcement action as necessary.
In addition, each year since 2017, senior U.S. and EU officials
have convened to conduct intensive two-day reviews of the functioning
of the Privacy Shield Program. As noted earlier, the Privacy Shield
Team and I led three successful annual reviews of the Program together
with the European Commission, European data protection authorities, and
U.S. Government colleagues from the Departments of State, Justice, and
Transportation, the Office of the Director of National Intelligence,
the Federal Trade Commission, and the Privacy and Civil Liberties
Oversight Board, among others.
Our regular interactions with EU officials before, during, and
after these annual Privacy Shield reviews afforded numerous
constructive opportunities for transatlantic coordination and
cooperation on promoting trust in the digital economy. Following the
third annual review in Washington, DC in October 2019, for example,
European Commissioner for Justice Vera Jourova enthusiastically
acclaimed Privacy Shield a ``success story''.
For four years, Privacy Shield was the most straightforward and
cost-effective EU-approved transfer mechanism for U.S. and European
companies of all sizes in virtually every industry. For many firms--and
for small- and medium-sized firms especially--Privacy Shield was often
the only viable data transfer mechanism. Many such firms simply do not
have the resources or administrative capacity to utilize more costly
and burdensome mechanisms like SCCs or BCRs. Of the 5,400 Privacy
Shield participants on July 16, 2020, over 70 percent were small- and
medium-sized enterprises with fewer than 500 employees.
4. SCHREMS II
The July 16, 2020 Schrems II decision was the latest development in
a long-running legal battle that has been waged in the Irish courts and
the EU Court of Justice by Max Schrems. As framed by the Court, the
central question in the case was whether--in view of U.S. law and
practice regarding government access to personal data for national
security purposes--Privacy Shield and SCCs provided sufficient
safeguards to EU personal data transferred to the United States.
Although the European Commission and several EU Member States joined
the U.S. Government in arguing that U.S. law and practice do in fact
satisfy EU data protection standards, the Court answered the question
with respect to Privacy Shield with a definitive ``no''.
The Court based its decision on two principal grounds. First, after
analyzing the European Commission's 2016 adequacy decision for Privacy
Shield, it found that certain U.S. intelligence access to EU personal
data transferred under the Framework was not constrained in a way that
satisfies the EU's legal requirement for ``proportionality''. Second,
the Court concluded that the Privacy Shield Ombudsperson Mechanism did
not afford sufficient redress for violations of EU individuals' right
to data protection.
The Schrems II decision has created enormous uncertainties for U.S.
companies and the transatlantic economy at a particularly precarious
time. Immediately upon issuance of the ruling, the 5,400 Privacy Shield
participants and their business partners in the EU could no longer rely
on the Framework as a lawful basis for transferring personal data from
Europe to the United States. Because neither the Court nor European
data protection authorities provided for any enforcement grace period,
Privacy Shield companies were left with three choices: (1) risk facing
potentially huge fines (of up to 4 percent of total global turnover in
the preceding year) for violating GDPR, (2) withdraw from the European
market, or (3) switch right away to another more expensive data
transfer mechanism.
Unfortunately, because of the Court's ruling in the Privacy Shield
context that U.S. laws relating to government access to data do not
confer adequate protections for EU personal data, the use of other
mechanisms like SCCs and BCRs to transfer EU personal data to the
United States is now in question as well.
Since the Schrems II decision, the lack of legal clarity regarding
data transfers from Europe to the United States has prompted some
companies to begin considering data localization in Europe. Storing and
processing all EU personal data in Europe, however, would be
exceedingly expensive--especially for small- and medium-sized
enterprises--and pose numerous technical problems for the global
business models of most U.S. companies operating in Europe. Beyond the
costs to individual firms, data localization measures can increase
cybersecurity and other operational risks and make regulatory
compliance and global risk management more difficult. Moreover, in our
increasingly digitized economy, embracing data localization in Europe
would set a damaging precedent for other countries and could imperil
the open, interoperable, secure, and reliable Internet on which our
citizens and businesses of all sizes have come to depend so heavily.
Suffice to say, the Schrems II ruling also calls into question the
ability of European governments to share data with the United States
for national security and law enforcement purposes, putting citizens on
both sides of the Atlantic at risk. European authorities should
recognize that the mere location of data does not ensure information
security or privacy, and there are other public policy objectives that
are equally important, including financial stability, operational
resilience, and innovation--all objectives that depend on cross-border
data flows.
U.S. Government Response to Schrems II
While we were deeply disappointed and do not agree with the Court's
decision, we are committed to working with our European Commission
partners to address the Court's concerns and enable companies to
continue to transfer personal data from the EU to the United States.
The Administration seeks to ensure the continuity of transatlantic data
flows in a manner consistent with U.S. economic and national security
interests.
It is important to note that the Schrems II ruling focused
exclusively on government access to data. The Court did not question
the extensive protections Privacy Shield offers EU individuals with
respect to the commercial collection and uses of personal data. We
believe Privacy Shield already provides strong and predictable
protections for EU individuals and any enhancements to the Framework
will build on this strong foundation.
As a first step in our efforts to return stability to transatlantic
data flows, we engaged with the European Commission to begin working on
a solution to Privacy Shield's invalidation. On August 10, Secretary
Ross and European Commissioner for Justice Reynders released a joint
statement announcing that the U.S. Department of Commerce and the
European Commission had initiated discussions on potential enhancements
to the Privacy Shield Framework that address the Court's concerns.
Thereafter, in view of the considerable uncertainties concerning
the use of SCCs, we worked with our interagency colleagues to bolster
companies' ability to utilize the SCCs while we worked to negotiate the
necessary enhancements to Privacy Shield. To that end the U.S.
Government released a White Paper to assist organizations using SCCs in
making the case-by-case assessments called for under Schrems II as to
whether U.S. law concerning government access to personal data meets EU
standards. The White Paper includes a wide range of information about
the extensive privacy protections in current U.S. law and practice
relating to government access to data for national security purposes--
and sets forth clearly the strong and multilayered protections provided
under our system. While it is ultimately up to companies to make their
own assessments under EU law, the White Paper has, by all accounts,
proven to be a useful tool in conducting those assessments.
The objective of any potential agreement between the United States
and the European Commission to address Schrems II is to restore the
continuity of transatlantic data flows and the Framework's privacy
protections by negotiating targeted enhancements to Privacy Shield that
address the Court's concerns in Schrems II. Any such enhancements must
respect the U.S. Government's security responsibilities to our citizens
and allies.
To be clear, we expect that any enhancements to the Privacy Shield
Framework would also cover transfers under all other EU-approved data
transfer mechanisms like SCCs and BCRs as well.
The Schrems II decision has underscored the need for a broader
discussion among likeminded democracies on the issue of government
access to data. Especially as a result of the extensive U.S.
surveillance reforms since 2015, the United States affords privacy
protections relating to national security data access that are
equivalent to or greater than those provided by many other democracies
in Europe and elsewhere. To minimize future disruptions to data
transfers, we have engaged with the European Union and other democratic
nations in a multilateral discussion to develop principles based on
common practices for addressing how best to reconcile law enforcement
and national security needs for data with protection of individual
rights.
It is our view that democracies should come together to articulate
shared principles regarding government access to personal data--to help
make clear the distinction between democratic societies that respect
civil liberties and the rule of law and authoritarian governments that
engage in the unbridled collection of personal data to surveil,
manipulate, and control their citizens and other individuals without
regard to personal privacy and human rights. Such principles would
allow us to work with like-minded partners in preserving and promoting
a free and open Internet enabled by the seamless flow of data.
5. CONCLUSION
In closing, the International Trade Administration, the Commerce
Department, and the Administration remain committed to restoring
clarity and certainty to transatlantic data flows and privacy as
quickly as we can. We are hopeful that our European Commission partners
share our sense of urgency, and we appreciate the support and attention
you and your colleagues here in Congress have brought--and can continue
to bring--to the critical issue of cross-border data flows.
Thank you again for this opportunity to appear today.
The Chairman. Thank you very much. Mr. Phillips.
STATEMENT OF HON. NOAH JOSHUA PHILLIPS, COMMISSIONER, FEDERAL
TRADE COMMISSION
Mr. Phillips. Thank you, Mr. Chairman. Chairman Wicker,
Ranking Member Cantwell, members of the Committee, thank you
for the opportunity to testify before you today. My testimony
is my own and does not necessarily reflect the views of other
Federal Trade Commissioners or the Commission itself. The
Schrems II decision and the growth of other impediments to
cross-border data flows deserve serious attention. This
committee has engaged already and today's hearing is an
important continuation of that effort. I thank you.
Mr. Sullivan testified about the terrific work the
Administration is doing, and with Presidential transition
already underway, your leadership and your support for a path
forward are essential. The privacy work of the FTC helps
support the free and open Internet. Since the 1990s, we have
pursued hundreds of privacy cases, hosted dozens of workshops,
and produced many reports relating to privacy and data
security. On the Privacy Shield framework and its predecessor
specifically, we have brought over 60 cases enforcing
commitments that companies make.
I submitted a written statement. I will briefly address
the importance of cross-border data flows, the FTC's role in
supporting them, impediments they face, and suggestions on
moving forward. From small startups to our largest technology
companies, connected cars to contact tracing, American
companies are competing and winning by offering products and
services built on data. Our businesses employ data to support
new technologies like artificial intelligence, and as the
COVID-19 crisis makes clear, to meet longstanding needs like
education, worship, health, and work. Cross-border data flows
are an essential component to that. Companies of all sizes, but
particularly small businesses, rely on them to reach new
customers abroad, to enhance security, and to reduce costs.
That means jobs for American workers, and products and services
for American consumers.
At FTC, our enforcement approach emphasizes harms with a
substantial impact on consumers, permitting both innovation and
enforcement. Recent cases include TikTok, before the company
was a matter of national conversation, Facebook, YouTube, and
just recently Zoom. By any reasonable metric, our enforcement
program has had a greater impact than any in the world. We have
been a key partner in Privacy Shield and are committed to
working with the Department of Commerce to support the free
transatlantic flow of data. Today, those flows are at risk.
The European Court of Justice struck down Privacy Shield,
expressing concerns about U.S. protections for European data,
including redress. The decision also raised questions about
standard contractual clauses, the other common legal basis for
transfers. That creates legal uncertainty, a cost borne
disproportionately by smaller companies, the bulk of Privacy
Shield participants. The court's decision concerned national
security, and three things strike me as noteworthy. First, U.S.
law and practice incorporate substantial civil liberty
protections against Government surveillance. Second, the U.S.
is at least as protective of privacy as the domestic laws of
many of our European allies.
Finally, as Adam Klein, Chairman of the Privacy and Civil
Liberties Oversight Board recently noted, European allies
regularly partner with the U.S. to assist in their collection
of intelligence data. Beyond Schrems II, prominent European
voices have called for data localization requirements,
sometimes under the rubric of data sovereignty. Localization
also poses a threat to cross-border data flows.
Historically, we associate it with a kind of State-
controlled Internet governance in countries like China. Liberal
democracies, which have distinct but fundamentally common
approaches to privacy and civil liberties, should be uniting,
not splintering. Not only will this aid U.S. commerce, it will
demonstrate a better way for those countries yet to decide on a
path for their digital future. So, what can we do? First, we
need to find a path to permit transfers between the U.S. and
EU.
As exemplified by Jim and his team, this has been a
priority for the Administration, and I have every hope and
expectation that it will remain one for the incoming
Administration, and I ask for your help in ensuring that it is.
Second, we must continue to engage with nations evaluating
their approach to digital governance to promote the benefits of
a free and open Internet. Third, we should vocally defend
American values. When it comes to civil liberties and the
enforcement of privacy laws, we are second to none. Fourth, as
European leaders call to strengthen ties with the U.S., we
should prioritize making our regimes interoperable.
Relatively minor differences should not impede mutually
beneficial commerce. Finally, any lines should be drawn between
allies with shared values and others, like China, which offer a
starkly different vision of Internet governance. I thank the
Committee for engaging with these challenges and for inviting
me, and I look forward to your questions.
[The prepared statement of Mr. Phillips follows:]
Prepared Statement of Hon. Noah Joshua Phillips,\1\ Commissioner,
Federal Trade Commission
---------------------------------------------------------------------------
\1\ My comments today are my own and do not necessarily reflect the
views of the Commission or my fellow Commissioners.
---------------------------------------------------------------------------
Chairman Wicker, Ranking Member Cantwell, Members of the Committee,
thank you for the opportunity to testify before you today.
As the agency charged with enforcing the bulk of U.S. privacy law,
the Federal Trade Commission supports cross-border data flows through
law enforcement, cooperation with the Department of Commerce and other
agencies in international engagement, and research and advocacy
concerning privacy and data security law and policy. Specifically with
respect to the EU-U.S. Privacy Shield Framework (``Privacy Shield'')
and its predecessor, we have brought over 60 enforcement actions
against companies that have failed to live up to their commitments,
participated in the Privacy Shield annual review process, and worked
with counterpart independent data protection authorities on a host of
issues.
A free and open Internet is vital to the national interest, but it
is at risk. The impact on U.S. commerce and cross-border data flows
from the ``Schrems II'' decision by the European Union Court of Justice
(``ECJ''),\2\ and the growth of other impediments to that commerce,
deserve our serious and immediate attention. This Committee has engaged
actively since the ECJ's decision was rendered in August, and today's
hearing marks an important, bipartisan, continuation of that effort.
With terrific work ongoing by this Administration--about which you will
hear today--and a presidential transition underway, your leadership in
drawing attention to this issue and your support for a path forward are
essential.
---------------------------------------------------------------------------
\2\ Case C-311/18, Data Prot. Comm'r v. Facebook Ireland &
Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) (``Schrems
II'').
---------------------------------------------------------------------------
My testimony will address the importance of cross-border data
flows, the Federal Trade Commission's role in supporting them, the
impediments they nonetheless face, and some suggestions on how to move
forward.
The Importance of Cross-Border Data Flows
Data help power the U.S. economy. From small startups to our
largest technology companies, connected cars to contact tracing,
American companies are competing and winning by offering consumers and
clients products and services built on data. Our businesses employ data
to develop new technologies like artificial intelligence and also to
help meet longstanding needs, like education, worship, health, and
office work, in novel ways. The COVID-19 crisis makes this abundantly
clear.
Cross-border data flows are an essential component enabling all of
this. Companies of all sizes rely on these data flows to innovate,
reach new customers abroad, improve efficiency, enhance security, and
reduce costs,\3\ permitting the expansion and innovation that draws
investment capital and creates jobs at home. That is particularly true
for small companies, which cannot afford to, for example, establish
offices or host data centers overseas. Cross-border data flows allow
these companies to gain scale more rapidly and compete internationally
at lower cost and with less risk. That is doubtless why 65 percent of
companies participating in Privacy Shield are small and medium
businesses.\4\ A 2016 study found that almost two-thirds of worldwide
startups surveyed had customers or users in other countries.\5\ Take
Etsy, the Brooklyn-based custom craft marketplace that offers small
businesses a turnkey option to reach a global customer base. In 2019,
cross-border transactions made up the largest component of the 36
percent of business attributable to Etsy's international business.\6\
Or consider that PayPal--based in San Jose and serving many smaller
businesses--has processed over $400 billion in cross border payments
since 2003.\7\ The list goes on.
---------------------------------------------------------------------------
\3\ See, e.g., Joshua P. Meltzer & Peter Lovelock, Regulating for a
Digital Economy: Understanding the Importance of Cross-border Data
Flows in Asia 6 (Brookings Inst. Global Econ. & Dev. Working Paper No.
113) (Mar. 20, 2018),
https://www.brookings.edu/wp-content/uploads/2018/03/digital-economy_meltzer_lovelock_web.pdf
(discussing access to new markets and capabilities of ``digital inputs
such as cloud computing [which] provides on-demand access to computing
power and software that was previously reserved for large
companies''); ICC Comm'n on Trade & Inv. Pol'y & ICC Comm'n on the
Digit. Econ., Int'l Chamber of Com., Trade in the Digital Economy: A
Primer on Global Data Flows for Policymakers 2 (2016),
https://cdn.iccwbo.org/content/uploads/sites/3/2016/09/Trade-in-the-digital-economy-A-primer-on-global-data-flows-for-policymakers.pdf
(``Access to digital products and services, such as cloud
applications, provides SMEs with cutting edge services at competitive
prices, enabling them to participate in global supply chains and
directly access customers in foreign markets in ways previously only
feasible for larger companies. Indeed, the Internet is a great
equalizer, enabling small companies to compete globally using the same
tools as large and established companies.''); Bus. Roundtable, Putting
Data to Work: Maximizing the Value of Information in an Interconnected
World 6 (2015),
https://s3.amazonaws.com/brt.org/archive/reports/BRT%20PuttingDataToWork.pdf
(discussing how Caterpillar uses sensor data to allow it ``and its
customers to remotely monitor assets across their fleets in real
time''); Demetrios Marantis, Cross-border data flows power small
business recovery, Visa, Inc. (Nov. 9, 2020),
https://usa.visa.com/visa-everywhere/blog/bdp/2020/11/09/cross-border-data-flows-1604955432332.html
(noting that cross-border data flows are used to improve AI that
provides fraud detection).
\4\ Oliver Patel & Dr. Nathan Lea, UCL Eur. Inst, EU-U.S. Privacy
Shield, Brexit and the Future of Transatlantic Data Flows 12 (May
2020),
https://www.ucl.ac.uk/european-institute/sites/european-institute/files/privacy_shield_brexit_and_the_future_of_transatlantic_data_flows_1.pdf.
\5\ James Manyika & Susan Lund, Digital Protectionism and Barriers
to International Data Flows, Bretton Woods Comm. (Jun. 25, 2018),
https://www.brettonwoods.org/article/digital-protectionism-and-barriers-to-international-data-flows.
\6\ Etsy, Inc., Annual Report (Form 10-K) 66 (Feb. 27, 2020),
https://d18rn0p25nwr6d.cloudfront.net/CIK-0001370637/d63aa848-ac0c-474c-9350-5b18888e84bf.pdf.
International business includes all transactions ``where either the
billing address for the seller or the shipping address for the buyer at
the time of sale is outside of the United States.'' Id.
\7\ Peggy Abkemeier, Cross-Border Trade: PayPal's $400B Business,
PayPal Holdings, Inc. (Apr. 6, 2017),
https://www.paypal.com/stories/us/cross-border-trade-paypals-400b-business.
---------------------------------------------------------------------------
The impact of cross-border digital commerce numbers in the
trillions of dollars, adding by some estimates hundreds of billions of
dollars annually to U.S. GDP.\8\ And there is every reason to believe
that, if allowed to do so, those numbers will continue to grow. Cross-
border data flows are a critical input to our technology sector, in
which American companies lead the way. Of technology firms in the
Fortune Global 500, the U.S. has 12, nearly double the number of Japan,
the next on the list.\9\ With our increasingly data-driven economy,
cross-border data flows also drive innovation and growth in other
sectors as well. At the end of the day, all of that means jobs for
American workers and products for consumers.
---------------------------------------------------------------------------
\8\ James Manyika et al., McKinsey & Co., Digital Globalization:
The New Era of Global Flows 10 (Feb. 24, 2016),
https://www.mckinsey.com//media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-globalization-Full-report.pdf
(estimating impact on global GDP of $2.8 trillion in 2014); Gary Clyde
Hufbauer & Zhiyao (Lucy) Lu, Can Digital Flows Compensate for Lethargic
Trade and Investment?, Petersen Inst. for Int'l Econ. (Nov. 28, 2018),
https://www.piie.com/blogs/trade-investment-policy-watch/can-digital-flows-compensate-lethargic-trade-and-investment
(estimating impact on global GDP of over $3.5 trillion in 2020); U.S.
Int'l Trade Comm'n, No. 4485, Digital Trade in the U.S. and Global
Economies, Part 2, at 13 (Aug. 2014),
https://www.usitc.gov/publications/332/pub4485.pdf (estimating 2011
impact on U.S. GDP of over $500 billion).
\9\ Fortune Global 500, Fortune (2020), https://fortune.com/global500/.
---------------------------------------------------------------------------
Role of the FTC
The Federal Trade Commission plays an important role in supporting
the promise of the free and open Internet, including cross-border data
flows.
With respect to data privacy and security, we help ensure that
companies communicate honestly with their customers about their privacy
and security practices and refrain from unfair privacy or security
practices.
Since the enactment of the Fair Credit Reporting Act (``FCRA'') in
1970,\10\ the FTC has served as the primary Federal agency protecting
consumer privacy. With the development of the Internet as a commercial
medium in the 1990s, the Commission expanded its focus on privacy to
reflect the growing collection, use, and sharing of consumer data in
the commercial marketplace. The Commission's main source of legal
authority in the privacy and data security space is Section 5 of the
FTC Act, which prohibits deceptive or unfair commercial practices.\11\
Under Section 5 and other statutes such as the Gramm-Leach-Bliley
Act,\12\ the Children's Online Privacy Protection Act,\13\ and the
FCRA, the FTC has aggressively pursued cases in children's privacy,
financial privacy, health privacy, the Internet of Things, and beyond.
In total, we have brought hundreds of data security and privacy cases
and we have hosted about 75 workshops and issued approximately 50
reports in the privacy and security area, on topics from data brokers
\14\ to portability.\15\
---------------------------------------------------------------------------
\10\ Fair Credit Reporting Act, 15 U.S.C. Sec. 1681 et seq.
\11\ 15 U.S.C. Sec. 45.
\12\ Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338
(1999) (codified as amended in scattered sections of 12 and 15 U.S.C.);
Standards for Safeguarding Customer Information, 16 C.F.R. Sec. 314.
\13\ Children's Online Privacy Protection Act, 15 U.S.C.
Sec. Sec. 6501-6506; Children's Online Privacy Protection Rule, 16
C.F.R. Sec. 312.
\14\ See FTC Report, Data Brokers: A Call for Transparency and
Accountability (May 2014),
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
\15\ See FTC Workshop, Data To Go: An FTC Workshop on Data
Portability (Sept. 22, 2020),
https://www.ftc.gov/news-events/events-calendar/data-go-ftc-workshop-data-portability.
---------------------------------------------------------------------------
Our approach emphasizes addressing harms that have a tangible,
substantial impact on consumers' well-being. This allows for both
innovation and enforcement. There are scores of Data Protection
Authorities in nations around the world, but no agency has engaged in
more, or more significant, privacy and data security enforcement than
the FTC. In just the few years of my tenure and those of my fellow
commissioners, we have finalized settlements with Facebook \16\ and
Google/YouTube \17\ that mandated both substantial monetary relief and
significant improvements in privacy governance practices. In early
2019, we resolved a case against TikTok, long before the company was a
matter of national conversation.\18\ And, just a few weeks ago, we
settled a case against Zoom, including allegations regarding
representations the company made about the security of stored and
transferred data.\19\ In my view, by any reasonable metric, our
enforcement program has had a greater impact than any other in the
world.
---------------------------------------------------------------------------
\16\ See FTC Press Release, FTC Imposes $5 Billion Penalty and
Sweeping New Privacy Restrictions on Facebook (July 24, 2019),
https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions.
\17\ See FTC Press Release, Google and YouTube Will Pay Record $170
Million for Alleged Violations of Children's Privacy Law (Sept. 4,
2019),
https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations.
\18\ See FTC Press Release, Video Social Networking App Musical.ly
Agrees to Settle FTC Allegations That it Violated Children's Privacy
Law (Feb. 27, 2019),
https://www.ftc.gov/news-events/press-releases/2019/02/video-social-networking-app-musically-agrees-settle-ftc.
\19\ See FTC Press Release, FTC Requires Zoom to Enhance its
Security Practices as Part of Settlement (Nov. 9, 2020),
https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement.
---------------------------------------------------------------------------
The Commission has played an important role in Privacy Shield \20\
and its predecessor, the U.S.-EU Safe Harbor Framework (``Safe
Harbor'').\21\ Under the EU's General Data Protection Regulation
(``GDPR'') and its predecessors, companies are required to meet certain
data protection requirements in order to transfer consumer data from
the EU to other jurisdictions.\22\ Privacy Shield and Safe Harbor are
voluntary mechanisms ensuring compliance with European requirements
that have provided legal bases for companies to transfer data from
Europe to the United States.\23\
---------------------------------------------------------------------------
\20\ See FTC Business Guidance, Privacy Shield (2020), https://
www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-
shield. While I focus here on the U.S.-EU agreements, there was
previously a U.S.-Swiss version of Safe Harbor that was replaced by a
U.S.-Swiss version of Privacy Shield. The Swiss data protection
authorities recently reached a similar decision as the court in Schrems
II. Mark Smith, ANALYSIS: Swiss-U.S. Privacy Shield Suffers from
Schrems, Too, Bloomberg L. (Sept. 10, 2020), https://
news.bloomberglaw.com/bloomberg-law-analysis/analysis-swiss-u-s-
privacy-shield-suffers-from-schrems-too.
\21\ See FTC Business Guidance, Federal Trade Commission
Enforcement of the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks
(2016), https://www.ftc.gov/tips-advice/business-center/guidance/federal-trade-commission-enforcement-us-eu-us-swiss-safe-harbor.
\22\ Regulation (EU) 2016/679 of the European Parliament and of the
Council, Art. 45, General Data Protection Regulation, 2016 O.J. (L 119)
1, 41.
\23\ Privacy Shield is not the only mechanism for transferring data
to the U.S. from the EU. As discussed below, GDPR permits transfers
made using Standard Contractual Clauses and Binding Corporate Rules.
---------------------------------------------------------------------------
The FTC can bring enforcement actions against companies that
misrepresent their participation in or compliance with Privacy Shield.
We have brought over 60 cases enforcing companies' commitments under
Safe Harbor and Privacy Shield. We also fill a similar role with the
APEC Cross-Border Privacy Rules system, designed to protect privacy and
data flows in the Asia-Pacific region.\24\
---------------------------------------------------------------------------
\24\ See FTC Press Release, FTC Becomes First Enforcement Authority
in APEC Cross-Border Privacy Rules System (July 26, 2012),
https://www.ftc.gov/news-events/press-releases/2012/07/ftc-becomes-first-enforcement-authority-apec-cross-border-privacy.
---------------------------------------------------------------------------
Even though the court declared the Privacy Shield invalid, which I
discuss below, the FTC continues to expect companies to comply with
their ongoing obligations with respect to transfers made under Privacy
Shield. If companies do not keep their promises, we will enforce the
law against them. We also encourage companies to continue to follow
robust privacy principles, such as those underlying Privacy Shield, and
to review their privacy policies to ensure they describe their privacy
practices accurately, including with regard to cross-border data
transfers. The Commission remains committed to working with the
Department of Commerce to help support the free flow of data across
borders.
Schrems II
Notwithstanding these efforts, the privacy protections U.S. law
provides U.S. citizens and non-citizens, and the tremendous work this
Administration and the prior one have done with their counterparts on
the European Commission (the Executive Branch of the EU), transatlantic
data flows are threatened.
In 2016, the European Commission deemed Privacy Shield
``adequate'', thus permitting transfers to the U.S. under the
framework.\25\ In its recent ruling in Schrems II, the ECJ struck down
Privacy Shield. The court expressed concerns about U.S. protections
described in the European Commission's Privacy Shield Adequacy
Decision, including the independence of the Ombudsman mechanism
established in the U.S. Department of State and the perceived lack of
redress for EU data subjects.\26\ Additionally, the court required
companies that rely on Standard Contractual Clauses (``SCCs'') to
assess the level of protection in the importing country for all of
their transfers, raising questions about SCCs as a legal basis for
transfers to the U.S.\27\
---------------------------------------------------------------------------
\25\ Eur. Comm'n, Commercial Sector: EU-US Privacy Shield,
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#::text=The%20adequacy%20decision%20on%20the,United%20States%20for%20commercial%20purposes.
\26\ Schrems II, supra note 2, 186-198.
\27\ Schrems II, supra note 2, 142. To be sure, it is the view of
many, including the Commerce Department, that SCCs are still available,
at least for some transfers. But even where SCCs may still be
available, the complexity and risk of using them has increased. See
Dep't of Com. et al., Information on U.S. Privacy Safeguards Relevant
to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after
Schrems II (Sept. 2020), https://www.commerce.gov/sites/default/files/
2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
---------------------------------------------------------------------------
The Schrems II decision and recent recommendations from the
European Data Protection Board,\28\ the coordinating body of local data
protection authorities under the GDPR, create substantial legal
uncertainty and risk for cross-border data transfers. Those costs are
borne disproportionately by small companies, which cannot afford the
more expensive options, and for that reason constitute the bulk of
companies that participate in Privacy Shield.
---------------------------------------------------------------------------
\28\ Eur. Data Prot. Bd., Recommendations 01/2020 on Measures That
Supplement Transfer Tools to Ensure Compliance with the EU Level of
Protection of Personal Data (Nov. 10, 2020),
https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf.
---------------------------------------------------------------------------
The court's decision concerned national security access to personal
data, not consumer privacy in the sense that we enforce at the FTC.
Meaning, what was at issue in Schrems II was not the absence of a GDPR-
like national consumer privacy law in the U.S.
Looking at how the court considered U.S. national security access
to personal data, three things strike me. First, U.S. law and practice
incorporate civil liberty protections against government surveillance
that are substantial, including statutes such as the Electronic
Communications Privacy Act \29\ and the Judicial Redress Act \30\ and
executive actions like Presidential Policy Directive 28.\31\ Second, as
researchers in the U.S. and Europe have found, U.S. law and practice
are at least as protective of privacy as the domestic laws of many of
our European allies.\32\ The court, however, deemed European domestic
laws irrelevant, focusing instead on what Professor Peter Swire has
referred to as ``an idealized, formal standard set forth primarily in
EU constitutional law'', rather than the national security laws and
practices of member states.\33\ Finally, as Adam Klein, Chairman of
the Privacy and Civil Liberties Oversight Board recently noted, those
allies regularly partner with the U.S. to assist in their collection of
valuable intelligence data.\34\
---------------------------------------------------------------------------
\29\ Electronic Communications Privacy Act of 1986, Pub. L. No. 99-
508, 100 Stat. 1848 (codified as amended in scattered sections of 18
U.S.C.).
\30\ Judicial Redress Act, 5 U.S.C. Sec. 552a note.
\31\ Presidential Policy Directive 28--Signals Intelligence
Activities, 1 Pub. Papers 46 (Jan. 17, 2014),
https://www.govinfo.gov/content/pkg/PPP-2014-book1/pdf/PPP-2014-book1-doc-pg46.pdf.
\32\ See, e.g., Jacques Bourgeois et al., Sidley Austin LLP,
Essentially Equivalent: A Comparison of the Legal Orders for Privacy
and Data Protection in the European Union and United States, at iv
(Jan. 2016), https://www.sidley.com/-/media/publications/essentially-
equivalent-final.pdf (arguing that ``the U.S. legal order for privacy
and data protection embodies fundamental rights consistent with the
Charter, principles of proportionality, and checks and balances in both
form and substance, and that these protections of privacy and data
protection rights are essentially equivalent to those in the EU'').
\33\ Kenneth Propp & Peter Swire, Geopolitical Implications of the
European Court's Schrems II Decision, Lawfare (July 17, 2020), https://
www.lawfareblog.com/geopolitical-implications-european-courts-schrems-
ii-decision.
\34\ Adam Klein, Chairman, Priv. & C.L. Oversight Bd., Statement on
the Terrorist Finance Tracking Program (Nov. 19, 2020),
https://documents.pclob.gov/prod/Documents/EventsAndPress/b8ce341a-71d5-4cdd-a101-219454bfa459/TFTP%20Chairman%20Statement%2011_19_20.pdf.
---------------------------------------------------------------------------
Schrems II is not the only risk factor for cross-border data flows.
Both before and since the decision, sometimes under the rubric of
``data sovereignty'', a number of prominent European voices \35\ have
called for data localization requirements in Europe--that is, for all
data about Europeans to be kept in Europe.
---------------------------------------------------------------------------
\35\ See, e.g., Vincent Manancourt, Europe's data grab, Politico
(Feb. 12, 2020), https://www.politico.eu/article/europe-data-grab-
protection-privacy/; Thierry Breton, Comm'r, Europe: The Keys To
Sovereignty, Eur. Comm'n (Sept. 11, 2020), https://ec.europa.eu/
commission/commissioners/2019-2024/breton/announcements/europe-keys-
sovereignty_en.
---------------------------------------------------------------------------
By no means are data localization concerns unique to Europe. By
some estimates, localization efforts have grown fourfold since 2000,
including many sector-specific rules requiring that certain data be
processed or maintained in-country.\36\ Countries that have, or are
considering, localization requirements include India, Vietnam,
Australia, and Turkey.\37\
---------------------------------------------------------------------------
\36\ Christian Ketels & Arindam Bhattacharya, Global Trade Goes
Digital, Bos. Consulting Grp. (Aug. 12, 2019), https://www.bcg.com/
publications/2019/global-trade-goes-digital; Jennifer Huddleston &
Jacqueline Varas, Impact of Data Localization Requirements on Commerce
and Innovation, Am. Action F. (June 16, 2020), https://
www.americanactionforum.org/insight/impact-of-data-localization-
requirements-on-commerce-and-innovation/#ixzz6YgQOlW4C (``The data
covered by these laws can range from all personal data to only specific
types of data such as health or financial information.'').
\37\ Pablo Urbiola et al., Inst. of Int'l Fin., Data Flows Across
Borders: Overcoming Data Localization Restrictions 1, 2 (Mar. 2019),
https://www.iif.com/Portals/0/Files/32370132_iif_data_flows_across_borders_march2019.pdf;
David Meyer, Here's Why PayPal Is
About to Suspend Operations in Turkey, Fortune (May 31, 2016), https://
fortune.com/2016/05/31/paypal-turkey-suspension/.
---------------------------------------------------------------------------
Adopting data localization around the world poses a threat to U.S.
commerce as well as the free and open Internet. To do business in
multiple countries, companies will need servers, local staff, and so
on. For smaller companies and startups, this may spell the end of
cross-border commerce. The result will negatively impact not only
American companies looking to grow but American consumers who benefit
from products improved by cross-border data flows.
For larger firms that can add processing capacity overseas, there
still are downsides. For instance, localization inhibits the global
backup and redundancy that a distributed network allows, and the
privacy and security that come with it.\38\ Even something as
uncontroversial as bug and error reporting from individual computers--
which allows companies to analyze and correct software issues--may
become a local function deprived of critical inputs. And research
institutions will feel the impact, with cross-border collaboration in
areas like medicine and computer science--where access to large and
global data sets are essential--newly subject to digital
boundaries.\39\
---------------------------------------------------------------------------
\38\ For example, data may be divided into shards, with any
individual's data split up across multiple machines across the world.
H. Jacqueline Brehmer, Data Localization: The Unintended Consequences of
Privacy Litigation, 67 Am. U. L. Rev. 927, 967-986 (2018),
https://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=2009&context=aulr;
Dillon Reisman, Where Is Your Data, Really?: The Technical Case Against
Data Localization, Lawfare (May 22, 2017), https://www.lawfareblog.com/
where-your-data-really-technical-case-against-data-localization.
\39\ See, e.g., PHG Found., Impact of Schrems II on Genomic Data
Sharing (2020), https://www.phgfoundation.org/documents/schrems-ii-
discussion-paper.pdf (noting how Schrems II impacts genomic research).
---------------------------------------------------------------------------
Data localization requirements are nothing new but historically
have more often been associated with alternative visions of Internet
governance in countries like China and Russia. The hallmark of this
alternative is state control: the opposite of a free and open Internet.
China uses technical controls (its ``great firewall'') and legal
controls to filter what is available to Chinese citizens.\40\ There is
active censorship at the national level, such that you can't type
Winnie the Pooh--a reference used by critics of President Xi--into
Weibo without it being deleted.\41\ And, not surprisingly, China also
requires that substantial amounts of data be stored on servers in
China.\42\ Data stored locally are accessible to the government upon
request, and without due process.\43\
---------------------------------------------------------------------------
\40\ Elizabeth C. Economy, The great firewall of China: Xi
Jinping's Internet shutdown, Guardian (June 29, 2018), https://
www.theguardian.com/news/2018/jun/29/the-great-firewall-of-china-xi-
jinpings-internet-shutdown.
\41\ Yuan Yang, Winnie the Pooh blacklisted by China's online
censors, Fin. Times (July 16, 2017), https://www.ft.com/content/
cf7fd22e-69d5-11e7-bfeb-33fe0c5b7eaa.
\42\ Yuxi Wei, Chinese Data Localization Law: Comprehensive but
Ambiguous, Henry M. Jackson Sch. of Int'l Stud., Univ. of Wash. (Feb.
7, 2018), https://jsis.washington.edu/news/chinese-data-localization-
law-comprehensive-ambiguous/ (localization requirements in China are
comprehensive but also confusing and ambiguous).
\43\ Afef Abrougi, Chinese law and state security requirements
stunt companies' progress in 2019 RDR Index, Ranking Digit. Rts. (July
17, 2019), https://rankingdigitalrights.org/2019/07/17/chinese-law-and-
state-security-requirements-stunt-companies-progress-in-2019-rdr-index/
(Chinese law requires ``to keep user activity logs and relevant data
for six months and to hand it over to the authorities when requested
without due process''); Martina F. Ferracane & Hosuk Lee-Makiyama, Eur.
Ctr. For Int'l Pol. Econ., China's Technology Protectionism and its
Non-negotiable Rationales 3 (June 2017),
https://ecipe.org/wp-content/uploads/2017/06/DTE_China_TWP_REVIEWED.pdf
(``[T]he State Security Law (passed in 1993)
provides the state security organs with access to any information or
data held by an entity in China whenever they deem it necessary.
Without doubt, the scope of the State Security Law has grown
exponentially in the digitalisation era.''); Adrian Shahbaz, Freedom
House, The Rise of Digital Authoritarianism (2018),
https://freedomhouse.org/report/freedom-net/2018/rise-digital-authoritarianism
(``China was once again the worst abuser of Internet freedom in
2018.'').
---------------------------------------------------------------------------
Russia also maintains strict data localization laws (though not
always enforced);\44\ allows for blacklisting of Internet sites;\45\
and has experimented with creating, in effect, its own internet, with
exclusively in-country routing, DNS, and the like.\46\
---------------------------------------------------------------------------
\44\ Vera Shaftan, Russian Data Localization law: now with monetary
penalties, Data Prot. Rep. (Dec. 20, 2019),
https://www.dataprotectionreport.com/2019/12/russian-data-localization-law-now-with-monetary-penalties/#::text=By%20way%20of%20recap%2C%20in,using%20databases%20located%20in%20Russia
(``[I]n 2015, Russia introduced a data
localization law, requiring ``data operators'' to ensure that
recording, systematisation, accumulation, storage, refinement and
extraction of personal data of Russian citizens is done using databases
located in Russia.'').
\45\ Freedom House, Freedom on the Net 2019, Russia (2019),
https://freedomhouse.org/country/russia/freedom-net/2019 (``The government
gives several state bodies--including Roskomnadzor, the Prosecutor
General's Office, the Federal Service for Surveillance on Consumer
Rights Protection and Human Wellbeing (Rospotrebnadzor), the Federal
Drug Control Service, and, most recently, the Federal Agency for Youth
Affairs--the authority to block various categories of online
content.'').
\46\ Isabelle Khurshudyan, Russia is bolstering its Internet
censorship powers--is it turning into China?, Independent (Feb. 3,
2020), https://www.independent.co.uk/news/world/europe/russia-internet-
censorship-norway-putin-a9306666.html (observing that a 2019 law ``aims
to route Russian web traffic and data through points controlled by
state authorities and to build a national domain name system. This,
supporters claim, would give Russia greater control of Internet content
and traffic.'').
---------------------------------------------------------------------------
Let me stress that the liberal democracies of Europe are nothing
like China and Russia, but impeding cross-border data flows and
erecting unnecessary barriers--the ``Splinternet'', as Stanford Law
Professor Mark Lemley refers to it in a recent article \47\--will
reverberate. In many parts of the world, including nations with which
the U.S. does substantial commerce, which path to follow remains an
open question. Liberal democracies should be uniting--not dividing--to
light the better path.
---------------------------------------------------------------------------
\47\ Mark A. Lemley, The Splinternet (Stan. Law & Econ. Olin
Working Paper No. 555, 2020), http://dx.doi.org/10.2139/ssrn.3664027.
Professor Lemley is not the first to use this term.
---------------------------------------------------------------------------
Next Steps
All of this demonstrates the need to foster transatlantic data
flows, and international ones more broadly.
First, we need to find a path forward after Schrems II, to permit
transfers between the U.S. and EU. I want to recognize the efforts of
U.S. and EU negotiators to find a replacement for Privacy Shield. While
no doubt challenging, I have confidence in the good faith and
commitment of public servants like Jim Sullivan, with whom I have the
honor of appearing today, and our partners across the Atlantic. I have
every hope and expectation that protecting cross-border data flows will
be a priority for the incoming Administration, and I ask for your help
in ensuring it is.
Second, we must actively engage with nations evaluating their
approach to digital governance, something we at the FTC have done, to
share and promote the benefits of a free and open Internet. There is an
active conversation ongoing internationally, and at every opportunity--
whether in public forums or via private assistance--we must ensure our
voice and view is heard.
Third, we should be vocal in our defense of American values and
policies. While we as Americans always look to improve our laws--and I
commend the members of this committee on their important work on
privacy legislation and other critical matters--we do not need to
apologize to the world. When it comes to civil liberties or the
enforcement of privacy laws, we are second to none. Indeed, in my view,
the overall U.S. privacy framework--especially with the additional
protections built into Privacy Shield--should certainly qualify as
adequate under EU standards.
Fourth, as European leaders call to strengthen ties with the U.S.,
we should prioritize making our regimes compatible for the free flow of
data. This extends to the data governance regimes of like-minded
countries outside of Europe as well. Different nations will have
different rules, but relatively minor differences need not impede
mutually-beneficial commerce.\48\ We need not and should not purport to
aim for a single, identical system of data governance. And we should
remind our allies, and remind ourselves, that far more unites liberal
democracies than divides us.\49\
---------------------------------------------------------------------------
\48\ See, e.g., Remarks of Jennifer Daskal, Debate: We Need to
Protect Strong National Borders on The Internet, 17 Colo. Tech. L.J.,
13, 27 (``[T]he goal is to figure out a way to mediate, and manage,
those differences, without yielding a fractured Internet.'').
\49\ For one model of how to bridge the divide, consider the CLOUD
Act, which provides for U.S. law enforcement access to data stored
overseas while recognizing and respecting the citizens and laws of the
hosting country. See, e.g., Alan Charles Raul, Global Overview,
Privacy, Data Prot. and Cybersecurity L. Rev., 1, 2 (Alan Charles Raul
ed., 2020),
https://www.sidley.com/-/media/publications/the-privacy-data-protection-and-cybersecurity-law-review-2020-global-overview.pdf?la=en;
Daskal, supra
note 48, at 29.
---------------------------------------------------------------------------
Fifth and finally, if we must draw lines, those lines should be
drawn between allies with shared values--the U.S., Europe, Japan,
Australia, and others--and those, like China and Russia, that offer a
starkly different vision. I am certainly encouraged when I hear
recognition of this distinction from Europe. European Data Protection
Supervisor Wojciech Wiewiorowski recently noted that the U.S. is much
closer to Europe than is China and that he has a preference for data
being processed by countries that share values with Europe.\50\ Some
here in the U.S. are even proposing agreements to solidify the
relationships among technologically advanced democracies, an idea worth
exploring in more detail.\51\
---------------------------------------------------------------------------
\50\ Peter Swire, `Schrems II' backs the European legal regime into
a corner--How can it get out?, IAPP (July 16, 2020), https://iapp.org/
news/a/schrems-ii-backs-the-european-legal-regime-into-a-corner-how-
can-it-get-out/.
\51\ See, e.g., Robert K. Knake, Council on Foreign Rels.,
Weaponizing Digital Trade: Creating a Digital Trade Zone to Promote
Online Freedom and Cybersecurity (Sept. 2020), https://cdn.cfr.org/
sites/default/files/report_pdf/weaponizing-digital-
trade_csr_combined_final.pdf; Jared Cohen & Richard Fontaine, Uniting
the Techno-Democracies, Foreign Affs., Nov.-Dec. 2020, https://
www.foreignaffairs.com/articles/united-states/2020-10-13/uniting-
techno-democracies (suggesting an informal group of technologically
advanced states which would hold regular meetings).
---------------------------------------------------------------------------
However we proceed will require vision and leadership, and that is
why I am so glad that this committee is prepared to engage thoughtfully
with these challenges.
Again, thank you for inviting me today, and I look forward to your
questions.
The Chairman. Thank you very much. Ms. Espinel, you are
recognized.
STATEMENT OF VICTORIA A. ESPINEL, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, BSA | THE SOFTWARE ALLIANCE
Ms. Espinel. Good morning--and members of the Committee. My
name is Victoria Espinel and I am President and CEO of BSA |
the Software Alliance. Data flows are not often the topic of
headlines or congressional hearings, even though they are
integral to our daily lives. That is because when they are
permitted and when the data is kept private, our expectations
as consumers are met and our businesses can operate
effectively. However, if they are disrupted, we all face
problems.
I commend the Committee for holding this hearing on the
critical issue of cross-border data transfers and for the
opportunity to testify here today. Today's consumers and
businesses of all sizes and in all industries expect services
that offer privacy and security. Those services often require
connecting people who sit on different sides of the globe, yet
need access to the same data. And that requires moving data
between countries and across legal systems.
As individuals, we rely on data transfers in our jobs and
lives every day without even thinking about it. It might be the
HR system that ensures you are paid on time. It might be your
company's e-mail contacts that include colleagues who are
abroad. It might be your credit card, which checks for and stops
fraudulent transactions. Data transfers are foundational to any
business with employees, customers, vendors, or locations
outside the United States. For example, farmers use global data
to understand weather patterns and soil conditions around the
world to increase their crop yields and lower their cost.
Similarly, manufacturers use data from factory floors across
the world to monitor the safety and performance of their
machines. It is difficult to overstate the importance of cross-
border data transfers to U.S. consumers, U.S. businesses of all
sizes and sectors, and the entire U.S. economy, particularly in
light of COVID.
The crosscutting importance of this issue led BSA to launch
a new initiative earlier this year, the Global Data Alliance,
that brings together companies and a range of industries who
are united by the importance of transferring data across
borders in a manner that strongly protects personal privacy. At
BSA, we represent the enterprise software perspective and our
members create the technology that other businesses use. Those
businesses trust BSA members to maintain the privacy and
security of their most sensitive data, and our companies work
hard to earn that trust. I want to emphasize that there should
be no tradeoff between the need to transfer data and the need
to protect the privacy of that data. Both are essential. In our
view, personal data should only be transferred or used in any
way with real effective privacy protections.
BSA also supports strong privacy legislation. I was honored
to testify before this committee at the beginning of this
Congress on privacy legislation. And I want to thank Chairman
Wicker, Ranking Member Cantwell, and Senators Moran,
Blumenthal, Thune, Schatz, Markey, Klobuchar and others for
their hard work and leadership to develop concrete proposals
that will form the basis for passing privacy legislation next
year. While I have focused on the ability to send data across
borders in general, today's hearing focuses on a specific and
important set of transfers: those between the United States and
the European Union.
The EU requires that transfers of personal data use a transfer
mechanism. The U.S.-EU Privacy Shield was for many years a
trusted way to do this. When the Privacy Shield and other
transfer mechanisms were challenged in the European court, BSA
participated as an amicus alongside the U.S. Government and the
European Commission. This July, the Court of Justice of the
European Union invalidated the Privacy Shield in its so-called
Schrems II decision, which had an immediate impact on 5,300
mostly small and medium-sized businesses that relied on the
Privacy Shield.
I want to emphasize that the decision did not question the
privacy practices of the companies participating in the Privacy
Shield. The court also upheld the use of standard contractual
clauses, which will become even stronger when a new U.S.-EU
agreement is reached. We applaud the quick response by
policymakers on both sides of the Atlantic. I want to thank Mr.
Sullivan and Commissioner Phillips for their immediate response.
We particularly appreciate the leadership efforts by this
committee and the strong, bipartisan, bicameral support.
Chairman Wicker, Ranking Member Cantwell, thank you for the
letter that you and your House counterparts sent to the FTC and
Commerce shortly after the court's decision.
In addition to these urgent near-term efforts, I want to
encourage this committee to think boldly about longer term,
sustainable ways to address the underlying intelligence
gathering issues, and to work toward building consensus among
like-minded countries. We all realize that some amount of
signals intelligence is necessary in a democratic society to
ensure safety and security.
The question is, what guardrails and safeguards are needed?
Building mutual recognition around these issues is vital over
the long term. BSA stands ready to work with the Committee on
promoting reliable and secure mechanisms for international data
transfers. And I look forward to your questions.
[The prepared statement of Ms. Espinel follows:]
Prepared Statement of Victoria A. Espinel, President and CEO,
BSA | The Software Alliance
Good morning Chairman Wicker, Ranking Member Cantwell, and members
of the Committee. My name is Victoria A. Espinel. I am President and
CEO of BSA | The Software Alliance (``BSA'').
BSA is the leading advocate for the global software industry.\1\
Our members are at the forefront of developing cutting-edge, data-
driven services that have a significant impact on U.S. job creation and
growing the global economy. I commend the Committee for holding this
hearing on the important topic of transatlantic data transfers and the
EU-US Privacy Shield Framework (``Privacy Shield''), and I thank you
for the opportunity to testify.
---------------------------------------------------------------------------
\1\ BSA | The Software Alliance (www.bsa.org) is the leading
advocate for the global software industry before governments and in the
international marketplace. Its members are among the world's most
innovative companies, creating software solutions that spark the
economy and improve modern life. With headquarters in Washington, DC,
and operations in more than 30 countries, BSA pioneers compliance
programs that promote legal software use and advocates for public
policies that foster technology innovation and drive growth in the
digital economy. BSA's members include: Adobe, Atlassian, Autodesk,
Bentley Systems, Box, Cadence, CNC/Mastercam, DocuSign, IBM,
Informatica, Intel, MathWorks, Microsoft, Okta, Oracle, PTC,
Salesforce, ServiceNow, Siemens Industry Software Inc., Sitecore,
Slack, Splunk, Trend Micro, Trimble Solutions Corporation, Twilio, and
Workday.
---------------------------------------------------------------------------
Cross-border data transfers are critical to the success of a broad
range of companies, of all sizes and industries, and to consumers on
both sides of the Atlantic. For that reason, the issues before this
Committee reach far beyond the technology sector. Companies large and
small, across the entire U.S. economy, depend on services that send
data across international borders.
BSA represents the perspective of enterprise software companies.
Our members create the technology products and services that help other
businesses innovate and grow. Businesses trust BSA members to maintain
the privacy and security of their most sensitive data, including
personal information. Those businesses--in sectors as diverse as
agriculture, healthcare, manufacturing, and banking--produce a broad
range of products and services and are united by the need to send data
across international borders. Indeed, everyday technologies like cloud
storage services, customer relationship management software, human
resource management programs, identity management services, workplace
collaboration software, and supply chain management services all depend
on the ability to transfer data across national boundaries.
Transferring data across borders is not only vital to businesses,
but also to consumers and workers. In our professional lives, we
transfer data when we send e-mails to colleagues, manage staff and
budgets, attend videoconferences, and in thousands of other routine
business activities. In our personal lives, we transfer data across
borders when we engage in e-commerce or use messaging platforms to stay
in touch with friends and relatives overseas. In each of these
scenarios, we rightly expect to use global services that can connect us
with others worldwide--in a manner that protects the privacy and
security of our data.
These issues are even more important amid the COVID-19 pandemic, as
companies across the economy rely more heavily on remote workplace
tools and cloud-based technologies that help employees remain
productive while working outside of their physical offices. Online
tools are also opening new avenues for medical researchers, hospitals,
and pharmaceutical companies to coordinate research and treatment
efforts, and for regulators to more quickly and accurately assess
potential vaccines and treatments. Small businesses are increasingly
serving customers not only in physical stores but also through online
models that let them reach customers worldwide. As individuals, we are
also shifting our lives even further online--whether it is to buy goods
and services or to gather with relatives and friends.
In short, it is difficult to overstate the importance of cross-
border data transfers to U.S. consumers, businesses of all sizes and
sectors, and the entire economy. That is why I want to focus my
testimony on the need to ensure companies can continue transferring
data across international borders, so they can provide the products and
services their customers demand, in a way that respects the privacy and
security of the transferred data.
Today's hearing focuses on the Privacy Shield, which until recently
served as a privacy-protective way for companies to transfer data from
the EU to the United States, consistent with EU legal requirements and
privacy expectations of EU and U.S. citizens. The Privacy Shield was
invalidated in July, when the Court of Justice of the European Union
(``CJEU'') issued its decision in Schrems II. We applaud the swift
response to that decision by policymakers on both sides of the Atlantic
and their shared recognition that a new agreement is needed to replace
the Privacy Shield. In particular, I would like to thank Chairman
Wicker and Ranking Member Cantwell for leading a bipartisan and
bicameral letter shortly after the Court's decision. Your efforts
helpfully demonstrated strong congressional support for the
Administration to negotiate with the European Commission to ensure data
flows are not unduly disrupted. We welcome this Committee's efforts to
continue supporting the important work of developing a successor to the
Privacy Shield, to provide a responsible way for companies to transfer
data across the Atlantic. At the same time, along with these important
near-term efforts, we also encourage the Committee to think boldly
about longer-term, sustainable ways to address the underlying issues
about intelligence gathering and privacy--and to work toward building
consensus on those issues among like-minded countries.
I. The Ability to Send Data Across International Borders is Critical to
Consumers and Companies Worldwide
International data transfers are an essential part of modern-day
commerce. They underpin a wide range of everyday business activities.
For instance, when an employee joins a video conference with an
overseas customer, shares documents with colleagues in a foreign
office, sends an order to a supplier in another country, or simply
communicates online with someone overseas, that person invariably
engages in the cross-border transfer of data. As just one example,
modern IT support offered on a 24-hour/7-days-a-week basis--which
became critical for many companies even before the current pandemic--
would be impossible without the ability to transfer data across
borders. Robust cybersecurity likewise relies on sharing data to help
companies quickly identify and respond to threats that, by their
nature, do not respect national borders. Indeed, sharing information on
how bad actors in one country attempted to breach a system can help
companies in other countries thwart similar efforts.
International data transfers are an essential component of products
and services across industries. For example:
Detecting fraud. Cross-border data flows help stop credit
card fraud on a global scale. By efficiently transmitting data
across borders, banks can detect and block fraud attempts in a
matter of seconds, regardless of where a purchase is attempted.
This process has prevented billions of dollars in losses to
online fraudsters.
Healthcare. Cross-border data transfers allow healthcare
facilities to make treatments more effective by using clinical
support software that analyzes electronic medical records,
insurance claims, and datasets across a large and diverse
sample size. It can also enable digitized medical images to be
shared with non-local specialists for consultations anywhere in
the world, improving the quality of medical care regardless of
where a patient lives.
E-commerce. Cross-border data flows are at the heart of e-
commerce. Retailers send data across borders when they check
inventory in an overseas warehouse, accept and process customer
orders, and enable customers to track shipments en route to
their destination.
Human resources management. Global companies across
industries rely on cloud-based human resources systems to hire
employees and conduct performance reviews, and to administer
benefits and payroll across offices in different countries. The
ability to send data across national borders is critical to
ensuring companies can coordinate personnel management across a
multi-national workforce.
In short, it is difficult to conceive of how commerce in the modern
economy could continue to function without the ability to transfer data
across international borders. And, in BSA's view, personal data should
only be transferred--or used in any way--with real, effective privacy
protections. BSA sees no tradeoff between data transfers and data
privacy--both are essential. Indeed, BSA has long called for Congress
to pass a clear and comprehensive national law that gives consumers
meaningful rights over their personal data; imposes obligations on
companies to safeguard consumers' data and prevent misuse; and provides
strong, consistent enforcement. In all of these conversations, ensuring
that companies handle data in privacy-protective ways that honor
consumers' expectations is paramount.
Cross-border data transfers are critical across all industry
sectors. They are also vital to the ability of U.S. companies to grow
and compete worldwide. Although most data transfers today involve
digital products and services, it would be a mistake to view
international data transfers as an issue unique to technology
companies. Global companies of all sizes in every industry rely on
cross-border data transfers to conduct business, innovate, and compete
more effectively. Data transfers are estimated to contribute $2.8
trillion to global GDP--a share that exceeds the global trade in goods
and is expected to grow to $11 trillion by 2025.\2\ This value is
shared by traditional industries like agriculture, logistics, and
manufacturing, which realize 75 percent of the value of the
Internet.\3\ U.S. companies of all sizes and industry sectors must be
able to transfer data across borders to compete in a global market.
---------------------------------------------------------------------------
\2\ OECD, Measuring the Economic Value of Data and Cross-Border
Data Flows, 297 OECD Digital Economy Papers 24 (Aug. 2020),
https://www.oecd-ilibrary.org/docserver/6345995e-en.pdf?expires=1606762530&id=id&accname=guest&checksum=E07406A96BD78AB99291D0F7D411F923.
\3\ McKinsey Global Institute, Internet Matters: The Net's Sweeping
Impact on Growth, Jobs, and Prosperity (May 2011),
https://www.mckinsey.com//media/McKinsey/Industries/Technology%20Media%20and%20Telecommunications/High%20Tech/Our%20Insights/Internet%20matters/MGI_internet_matters_full_report.ashx.
---------------------------------------------------------------------------
Indeed, the cross-cutting importance of this issue spurred BSA to
launch a new initiative earlier this year--the Global Data Alliance--
bringing together companies in industries ranging from consumer goods
to healthcare to aerospace technology. Members of the Global Data
Alliance provide a diverse range of products and services, serve
different types of customers, and operate in different geographic
markets--and they all recognize the critical importance of transferring
data across borders in a manner that strongly protects personal
privacy.
We also should recognize the ultimate beneficiaries of enabling
data to travel freely across borders are consumers. Organizations that
rely on cross-border data flows produce the food we eat, the cars we
drive, the medicines we take, the clothing we wear, and the myriad
other goods and services we enjoy. Consumers also depend on these
transfers when communicating with loved ones abroad, engaging in
banking transactions, and purchasing goods online. The benefits to
individuals of online services have been particularly apparent during
the COVID-19 pandemic, with studies indicating 50 percent of U.S.
employees are working remotely.\4\ Moreover, global collaboration
between researchers, hospitals, and regulators has been critical to the
development and testing of treatments and vaccines for COVID-19.
---------------------------------------------------------------------------
\4\ Global Data Alliance, Cross-Border Data Transfers & Remote Work
at 2 (Oct. 5, 2020), https://www.globaldataalliance.org/downloads/
10052020cbdtremotework.pdf.
---------------------------------------------------------------------------
The importance of cross-border data transfers to the economy will
only grow. By 2022, 60 percent of global GDP is expected to be
digitized, with growth in every industry driven by data flows and
digital technology.\5\ By 2025, six billion consumers--amounting to
over 75 percent of the world's population--are predicted to be
digitally connected, through over 25 billion connected devices.\6\
Ensuring data transfers can happen securely and reliably is therefore
fundamental not only to current economic growth, but also to future
prosperity.
---------------------------------------------------------------------------
\5\ Daniel D. Hamilton & Joseph P. Quinlan, The Transatlantic
Economy 2020 at 28 (2020), https://transatlanticrelations.org/
publications/transatlantic-economy-2020/ (``The Transatlantic Economy
2020'').
\6\ Global Data Alliance, Cross-Border Data Transfer Facts and
Figures, https://globaldataalliance.org/downloads/gdafactsandfigures.pdf
(``GDA Facts and Figures'').
---------------------------------------------------------------------------
Transatlantic data transfers are particularly important.\7\ Data
transfers to the EU account for about 50 percent of U.S. data
transfers, while data transfers to the United States account for an
even greater share of EU data transfers.\8\ These data flows
support the roughly $312 billion in annual U.S. services exports to
Europe.\9\
---------------------------------------------------------------------------
\7\ Recent studies indicate transatlantic cables carry 55 percent
more data than transpacific routes, and the quantity of these
transatlantic data transfers are growing rapidly. The Transatlantic
Economy 2020 at 41.
\8\ BSA | The Software Alliance, The Future of Transatlantic Data
Flows at 1 (Sept. 23, 2020), https://www.bsa.org/files/policy-filings/
bsa_transatlanticdataflows.pdf (``BSA Transatlantic Data Flows'').
\9\ The Transatlantic Economy 2020 at iii.
---------------------------------------------------------------------------
These numbers underscore a simple but critically important fact:
maintaining stable and secure mechanisms for data transfers between the
United States and the European Union is essential to the success of
both economies, and to the global economy more broadly.
II. EU-US Data Transfers: The Need for Reliable, Privacy-Protective
Mechanisms
The need for specific legal mechanisms to transfer data across the
Atlantic is rooted in EU law, and is currently embodied in the EU's
General Data Protection Regulation (``GDPR''). Under the GDPR,
companies may only transfer personal data from the EU to another
country if the country has been deemed to provide an ``adequate'' level
of privacy protection, or if the data is transferred pursuant to a
legal mechanism recognized by the GDPR.\10\ The European Commission has
only recognized twelve countries as providing an ``adequate'' level of
protection. When data is transferred to other countries, then,
companies must use another legal mechanism recognized by the GDPR.
---------------------------------------------------------------------------
\10\ See GDPR, Chapter V. The GDPR took effect in May 2018; the
EU's prior data protection law similarly restricted the transfer of
personal data to third countries. See Directive 95/46/EC.
---------------------------------------------------------------------------
The Privacy Shield created a way for companies to transfer data to
the U.S. under privacy-protective principles the EU deemed
``adequate.'' By invalidating the Privacy Shield, the Schrems II
judgment has created an urgent need for a new mechanism for
transatlantic data transfers.
Transfer Mechanisms. The GDPR recognizes several legal mechanisms
for transferring data across borders, including Standard Contractual
Clauses (``SCCs'') and Binding Corporate Rules (``BCRs'').\11\
---------------------------------------------------------------------------
\11\ The other mechanisms include legally binding instruments
between public authorities; codes of conduct; and approved
certifications. The GDPR also permits companies to transfer data
pursuant to derogations for limited, specific situations.
---------------------------------------------------------------------------
Standard Contractual Clauses. SCCs are a standardized set of
contractual obligations that companies can adopt when
transferring data outside the EU. The SCCs are approved by the
European Commission and reflect commitments that implement EU
legal requirements to safeguard data. Companies that transfer
data pursuant to SCCs typically include the Commission-approved
contract language in all of their relevant contracts with
suppliers and other vendors. SCCs are widely used, and they
underpin transfers of personal data from the EU not only to the
US, but to more than 180 countries. In 2019, one survey found
that nearly 90 percent of companies that transferred data
outside of the EU relied on SCCs.\12\
---------------------------------------------------------------------------
\12\ IAPP-EY Annual Governance Report 2019 (Nov. 6, 2019), https://
iapp.org/resources/article/iapp-ey-annual-governance-report-2019/
(survey of 370 companies).
---------------------------------------------------------------------------
Binding Corporate Rules. BCRs are corporate rules that
govern international data transfers within a company. The GDPR
sets out a list of topics that must be addressed by BCRs, which
must specify how the company will apply certain data protection
principles and data subject rights to the transferred data.
BCRs may take several years to develop and must be approved by
a data protection authority in the EU before they can take
effect. Even so, their use is limited to a specific set of
intra-company transfers; BCRs accordingly do not provide a
basis for transferring data to third parties, such as
customers, partners, or suppliers.
Privacy Shield. The Privacy Shield provided an important and cost-
effective alternative mechanism for transferring data from the EU to
the United States. It was negotiated by the U.S. Government and the
European Commission to allow companies to commit to privacy principles
that ensured data transferred to the U.S. was ``adequately'' protected.
As a result, transfers under the Privacy Shield were deemed
``adequate''--thus allowing companies to transfer data from the EU to
the U.S. under the Privacy Shield program without using other
mechanisms such as SCCs or BCRs.
The Privacy Shield established a voluntary program for companies to
transfer data--but once a company publicly committed to comply with its
requirements, that commitment becomes enforceable by the Federal Trade
Commission. Companies that participate in the Privacy Shield therefore
commit to handle data transferred from the EU to the U.S. in line with
seven privacy-protective principles on notice, choice, onward
transfers, security, data integrity and purpose limitation, access, and
enforcement. Participants also adhere to sixteen supplemental
principles, which address additional protections for sensitive data and
dispute resolution, among other issues. To help ensure these
protections remained meaningful in light of changes involving
technologies and developments in EU or U.S. law, the Privacy Shield
created an internal review mechanism for the United States and the EU
to update the Privacy Shield over time. Its most recent annual review,
released in October 2019, confirmed that the Privacy Shield remained a
trusted mechanism for companies and individuals alike.\13\
---------------------------------------------------------------------------
\13\ European Commission, Report from the Commission to the
European Parliament and The Council on the Third Annual Review of the
Functioning of the EU-U.S. Privacy Shield, Oct. 23, 2019,
https://ec.europa.eu/info/sites/info/files/report_on_the_third_annual_review_of_the_eu_us_privacy_shield_2019.pdf.
---------------------------------------------------------------------------
The Privacy Shield program was well-used, particularly by small-
and medium-sized entities transferring data from the EU. Over 5,300
organizations, in industries ranging from manufacturing to hospitality,
participated in the Privacy Shield program,\14\ and more than 70
percent of those companies were small- or medium-sized businesses.\15\
Its benefits reached more broadly, though, to the networks of suppliers
and customers that depended on these Privacy Shield-certified
companies.
---------------------------------------------------------------------------
\14\ Congressional Research Service, U.S.-EU Privacy Shield (Aug.
6, 2020), https://fas.org/sgp/crs/row/IF11613.pdf.
\15\ U.S. Department of Commerce, Commerce Secretary
Wilbur Ross Welcomes Privacy Shield Milestone-Privacy Shield Has
Reached 5,000 Active Company Participants (Sept. 11, 2019),
https://www.trade.gov/press-release/commerce-secretary-wilbur-ross-welcomes-privacy-shield-milestone-privacy-shield-has.
---------------------------------------------------------------------------
The U.S. Government also made significant commitments in connection
with the Privacy Shield, to address the protection of data transferred
under the program. These include not only the annual review mechanism
discussed above, but also the establishment of an ombudsperson
mechanism, which was designed to respond to requests by EU individuals
regarding U.S. signals intelligence practices.\16\ Officials at the
U.S. Department of Justice and the Office of the Director of National
Intelligence also described the many limitations and safeguards
applicable to U.S. government access for law enforcement and for
national security purposes.\17\ These include Presidential Policy
Directive 28 (``PPD-28''), which was issued in 2014 to set out
principles and requirements that apply to all U.S. signals intelligence
activities. In addition to these commitments, the U.S. Privacy and
Civil Liberties Oversight Board has issued oversight reports or
conducted oversight reviews of many of these national security
authorities.
---------------------------------------------------------------------------
\16\ See John F. Kerry, Letter to Commissioner Jourova (July 7,
2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q0b.
\17\ See Bruce C. Schwartz, Letter to Justin Antonipillai and Ted
Dean (Feb. 19, 2016), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q0W;
Robert Litt, Letter to Justin Antonipillai and Ted Dean (Feb. 22, 2016),
https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1F;
and Robert Litt, Letter to Justin Antonipillai and Ted Dean (June 21, 2016),
https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004q1A.
---------------------------------------------------------------------------
Schrems II Litigation. The Schrems II decision arose after a series
of complaints filed by Max Schrems, who in 2013 challenged the
predecessor to the Privacy Shield, which was known as the Safe Harbor.
In October 2015, the CJEU annulled the Safe Harbor, creating the need
for the U.S. and EU to negotiate the Privacy Shield. Later the same
year, Schrems filed a reformulated complaint challenging the ability of
Facebook to transfer data from the EU to the U.S. using SCCs. Even
though the reformulated complaint centered on the use of SCCs,
proceedings before both the Irish High Court and the CJEU sparked
substantial discussion on the Privacy Shield.
BSA participated in the Schrems II litigation as an amicus curiae.
We argued before the CJEU, asking it to uphold the SCCs and not address
the Privacy Shield, which we felt it did not need to reach in order to
decide that case. Throughout the litigation, BSA emphasized SCCs are
intended to support transfers to jurisdictions the European Commission
has not already deemed ``adequate''--and therefore companies using the
SCCs should focus on the protections provided by those clauses rather
than on the protections offered by the laws of the third country to
which data is exported.
In July 2020, the CJEU's Schrems II decision invalidated the
Privacy Shield, taking away this critical mechanism for transferring
data.\18\ Importantly, the CJEU did not take issue with the privacy
practices of companies that use the Privacy Shield. Rather, the Court
based its decision on U.S. intelligence practices it found were not
consistent with the EU Charter of Fundamental Rights. The Court focused
specifically on signals and intelligence collection under Executive
Order 12333 and Section 702 of the FISA Amendments Act of 2008.
---------------------------------------------------------------------------
\18\ Case C-311/18, Data Protection Commissioner v. Facebook
Ireland Ltd, Maximillian Schrems (Schrems II), 180-85, 191-92, 197-
201 (July 16, 2020).
---------------------------------------------------------------------------
At the same time, the CJEU upheld the validity of SCCs. While we
agree with the European Commission and the U.S. Government that the
safeguards and commitments contained in the Privacy Shield should have
been sufficient, we were pleased the Court affirmed the validity of
SCCs. Like BCRs, SCCs can create commercial privacy protections beyond
those included in the Privacy Shield, because companies may use them to
make additional binding commitments.\19\ For companies using SCCs, the
CJEU stressed the need to determine, on a case-by-case basis and in
light of all the circumstances of the transfer, including any
additional safeguards that parties may add to SCCs, whether the data
can be protected adequately. We agree with that approach. In October,
BSA published a set of principles to guide companies in developing
additional safeguards for EU-US data transfers. The principles can be
turned into specific clauses appropriate to the specific nature of the
transfer.\20\
---------------------------------------------------------------------------
\19\ In fact, BSA members were making commitments beyond what is
included in Commission-approved SCCs before the Schrems II case began.
\20\ BSA | The Software Alliance, Principles: Additional Safeguard
for SCC Transfers (Oct. 2020), https://www.bsa.org/files/policy-
filings/10222020bsascctransfers.pdf.
---------------------------------------------------------------------------
Last month, the European Data Protection Board (``EDPB''), which
comprises representatives of the national data protection authorities
within the European Union, published draft recommendations for the use
of SCCs for transferring data. We understand the concern many companies
have raised about whether the recommendations would effectively
prohibit transfers to the US. We appreciate that the EDPB has opened
its recommendations to public comment. We also respect the difficulty
of providing examples that account for all of the circumstances of all
data transfers. We remain optimistic the draft recommendations can be
revised to better reflect the CJEU's judgment, which envisions greater
flexibility and use of additional safeguards to protect privacy. For
example, the CJEU's decision directs companies to consider ``all''
circumstances of a transfer in determining whether additional
safeguards are appropriate to supplement SCCs. The full set of relevant
circumstances may include the nature of the data transferred and the
likelihood of government access to that data, yet the range of these
circumstances is not fully reflected in the current draft
recommendations.
Despite the widespread use of SCCs, we should not forget that the
use of SCCs creates burdens, particularly on smaller businesses that
may be forced to re-negotiate all of their relevant contracts to
include terms of SCCs. This option should therefore not be viewed as a
replacement for the Privacy Shield. Given the breadth and diversity of
companies that rely on transatlantic data transfers, it is imperative
to ensure there are multiple practical and privacy-protective ways for
companies to transfer data.
III. There is Broad Support for the U.S. Government and the European
Commission to Develop an Enhanced Privacy Shield
We commend the U.S. Government and the European Commission for
recognizing the need for a new agreement to improve on the Privacy
Shield. Shortly after the CJEU's judgment, the Department of Commerce
and the European Commission jointly announced the initiation of
discussions to evaluate the potential for an enhanced Privacy Shield
framework.\21\ In doing so, both governments ``recognize[d] the vital
importance of data protection and the significance of cross-border data
transfers to our citizens and economies,'' and stressed their mutual
commitment to supporting privacy, the rule of law, and the close
economic relationship between the United States and Europe.\22\
---------------------------------------------------------------------------
\21\ Joint Press Statement from U.S. Secretary of Commerce Wilbur
Ross and European Commissioner for Justice Didier Reynders (Aug. 10,
2020), https://www.commerce.gov/news/press-releases/2020/08/joint-
press-statement-us-secretary-commerce-wilbur-ross-and-european.
\22\ Id.
---------------------------------------------------------------------------
These efforts have strong bipartisan, bicameral support. Again, we
very much appreciate the letter Chairman Wicker and Ranking Member
Cantwell sent after the Schrems II decision to the Commerce Department
and the Federal Trade Commission, along with your counterparts on the
House Energy and Commerce Committee, encouraging them to work closely
with the European Commission to develop a new data transfer mechanism
to replace the Privacy Shield.\23\
---------------------------------------------------------------------------
\23\ Letter from Senator Roger Wicker et al., to Secretary Wilbur
Ross & Chairman Joseph Simons (Aug. 5, 2020),
https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/FTC.DOC.2020.8.5.%20Letter%20re%20Privacy%20Shield%20ECJ%20Decision.CPC_.pdf.
In addition, several members of the House of
Representatives, led by Representatives Welch, LaHood, and DelBene,
have echoed this support. Letter from Representative Peter Welch et
al., to Secretary Wilbur Ross & Chairman Joseph Simons (Oct. 2, 2020),
https://www.bsa.org/files/policy-filings/10022020congresslettersupportprivacyshield.pdf.
---------------------------------------------------------------------------
All sectors of the U.S. economy have also demonstrated support for
this effort to reach an improved agreement. BSA and the U.S. Chamber of
Commerce led a letter signed by dozens of trade associations spanning a
broad range of industries, which together encouraged the U.S.
Government to work collaboratively with its EU counterparts to develop
a stable and sustainable mechanism to replace the Privacy Shield.\24\
---------------------------------------------------------------------------
\24\ Letter from BSA | The Software Alliance et al., to Secretary
Wilbur Ross (July 17, 2020), https://www.bsa.org/files/policy-filings/
07172020multiindustryresponselettertoschremsii.pdf.
---------------------------------------------------------------------------
The U.S. Government and the European Commission have also
repeatedly expressed their support for the Privacy Shield framework.
Prior to the Court's judgment in Schrems II, European regulators
described the Privacy Shield as a ``success story,'' that offered
strong privacy protections to EU data subjects and exemplified the
productive partnership between the EU and U.S. governments.\25\ In the
Schrems II litigation, both the U.S. Government and the European
Commission argued in support of the Privacy Shield, stressing its
importance to both sides of the Atlantic. As an amicus in Schrems II
and in a separate challenge to the Privacy Shield, BSA argued in
support of the Commission and of the Privacy Shield. Moreover, at BSA,
we have a longstanding relationship with the European Commission and
are committed to working collaboratively and closely with them to
address the need for robust data transfer mechanisms and find long-term
solutions.
---------------------------------------------------------------------------
\25\ European Commission, EU-U.S. Privacy Shield: Third Review
Welcomes Progress While Identifying Steps for Improvement (Oct. 23,
2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6134.
---------------------------------------------------------------------------
We are confident the U.S. Government and the European Commission
can work together to develop an enhanced successor to the Privacy
Shield. In its decision invalidating the Privacy Shield, the CJEU
focused on concerns around two specific U.S. intelligence-gathering
programs, including whether those programs appropriately safeguard
privacy and fundamental rights, whether they are subject to independent
oversight, and whether they provide EU data subjects with rights to
judicial redress. Given the targeted nature of the Court's concerns, we
are optimistic the U.S. Government and European Commission can work
together to address them. Indeed, it is important to recognize the CJEU
expressed no concerns about the adequacy of the privacy protections
imposed on commercial entities by the Privacy Shield. Developing an
enhanced Privacy Shield should not require a complete overhaul of the
existing model but instead should address the specific concerns
highlighted in the Schrems II judgment. We fully support those efforts
and stand ready to provide whatever assistance we can.
IV. Over the Long Term, Countries Must Work Together to Recognize
Shared Values on Appropriate Safeguards for Intelligence
Practices
The ongoing work by the Administration and the European Commission
to develop an enhanced Privacy Shield is urgent, and we appreciate
their constructive approach and this Committee's focus on the issue.
Creating a new and enhanced mechanism for such transfers is vital to
the continued prosperity of both the United States and Europe.
We also urge this Committee, the U.S. Government, and all like-
minded democratic societies interested in both security and civil
liberties to think boldly about longer-term approaches to security
safeguards. Even the CJEU recognizes some amount of signals
intelligence is necessary in a democratic society to ensure safety and
security. The question is what guardrails and safeguards are needed.
The U.S. Government has, to its credit, publicly released
significant guidance about safeguards and oversight mechanisms. It is
well positioned to lead a conversation with other governments about the
appropriate use of safeguards to protect privacy and fundamental
rights, the level of independent oversight, and the ability of
individuals to obtain redress for violations. A common understanding on
best practices will improve transparency among America's allies and
decrease future transatlantic data conflicts.
We have full confidence the U.S. Government and the European
Commission can address these issues in the context of developing a
successor to the Privacy Shield. At the same time, we recognize
commitments and agreements addressing such practices are more durable
when they reflect a broader consensus of America and its allies on the
appropriate scope of intelligence-gathering practices.
We accordingly encourage the U.S. Government to work with like-
minded democratic countries to build a mutual recognition that many
countries already share a set of values on the appropriate safeguards
for intelligence-collection activities. For example, we support the
U.S. Government working toward diplomatic agreements with countries
that share our commitment to democracy and the rule of law, to set out
a mutual understanding of the types of safeguards appropriate for
intelligence-gathering activities to ensure respect for the privacy and
fundamental rights of individuals. We do not underestimate the
potential magnitude of such an effort, or the challenges it might
present. But we believe U.S. leadership on this issue will both
strengthen U.S. economic interests, and ensure the United States and
its allies are aligned in promoting economic growth based on the
principles of freedom, security, democratic values, and human rights
across the globe.
* * *
Thank you again for the opportunity to testify at today's hearing.
BSA looks forward to working with the Committee on promoting reliable
and secure mechanisms for international data transfers.
The Chairman. Thank you very much. Since you mentioned the
letter, Ms. Espinel, I think we should insert it in the record
at this point. So I ask unanimous consent that the letter dated
August 5, 2020 to Honorable Wilbur Ross and Honorable Joseph
Simons and signed by Frank Pallone Jr., Greg Walden, Roger F.
Wicker, and Maria Cantwell be admitted into the record at this
point.
[The letter referred to was unavailable at time of
printing.]
The Chairman. Thank you very much. And Mr. Swire, you are
next.
STATEMENT OF PETER SWIRE, ELIZABETH AND TOMMY
HOLDER CHAIR OF LAW AND ETHICS, SCHELLER COLLEGE
OF BUSINESS, GEORGIA INSTITUTE OF TECHNOLOGY
Mr. Swire. Chairman Wicker, Ranking Member Cantwell, and
members of the Committee, thank you for the opportunity to testify today.
My name is Peter Swire. I am a Professor at Georgia Tech and
Research Director of the Cross-border Data Forum. I have been
working on these issues for quite a while. I wrote a book in
1998 for Brookings on EU-U.S. data privacy fights and have been
working on that in some ways ever since. For the Schrems trial
in Ireland, I submitted testimony of over 300 pages. So I have
been living this quite intensively for a long time----
The Chairman. We won't put that in the record.
[Laughter.]
Mr. Swire. There is a nice link in the testimony, sir. This
hearing is important in part to create a clear public record
about these key issues. Part one of my testimony makes
eight specific points. The first is that the European Data
Protection Board issued draft guidance last month that is
so strict it would massively cut off data flows from the United
States--from Europe to the United States. The second point is,
a lot of these issues in Europe are constitutional law. And we
know from the United States you can't go and amend the
Constitution easily.
So the U.S. has to be aware of their Constitutional
restrictions as we negotiate eventual solutions. The third
point, which has been mentioned by others, is the possibility
here of strict data localization if the strict interpretations
happen. And at the Cross-Border Data Forum, we are working on
additional studies about how serious that would be. Point four
is an appendix to my testimony that provides detailed proposals
for one of the hard issues here. It is what is called
``individual redress,'' the rules in Europe that there has to
be somebody who can check to make sure the citizens' rights are
protected.
In August with Kenneth Propp, I wrote a proposal in Lawfare
on this. There have been comments from a senior European lawyer
on it. And in this testimony, I have new non-statutory
approaches that presumably could be implemented pretty much
immediately that would take big steps toward solving the
individual redress problem, and I hope that will be considered
quickly. A fifth point has to do with what is called
``proportionality'' under European law: is there too much
surveillance in the view of their judges? There is an Appendix
to this testimony that lists all the surveillance updates, it
is 25 pages, since 2016. It shows a very strong record in the
United States of safeguards that have been taken since 2016,
since the Privacy Shield.
So we have a record to explain to the Europeans the very
strong safeguards that exist. A sixth point, and I will take a
little bit to expand on this, is that it is important to
negotiate a deal, in my view, in the short term, hopefully
before January 20. And I would suggest even a one-year deal
that would then expire that meets the goals of both the
European Union and the United States. For the EU, there have
been reports in the press that they would like to have a
broader negotiation on many issues, including privacy, with the
new Administration.
Having a year to negotiate this as part of a broader deal
would meet important European goals. It would also help the
European Union on its guidance, clarify things. It would allow
additional work on significant U.S. actions, and it would
provide time for Congress to see if there are specific statutes
that might help. So even a one-year extension would provide a
lot of room for what would then lead to presumably a longer
term proposal that would build on the shorter term things. That
might seem impossible, but having this issue negotiated in the
first weeks of a new Administration would be very challenging.
So getting something done soon before there is a cutoff of
data flows creates a lot more room for better things down the
road. In my testimony, the last part about Europe is that as
the U.S. considers tough reforms on our side, we should at
least understand what they can do on their side. What are their
legal options for reform? Those haven't been considered very
much in Europe yet, but that is a normal part of negotiations.
I then have three points about the U.S. landscape. The first
point, which is not fully understood in Europe, is how much
continuity we have had on these issues. From the Obama
Administration to the Trump Administration on Privacy Shield,
on Presidential Directive 28, it has been continuity here, and
we would expect the same from a new Biden Administration. So
many things are very tough in a partisan world. In this one,
there is a lot of agreement.
A second point, which has also been made by others today, is
that passing comprehensive commercial privacy legislation would
help a great deal. That wouldn't directly address the
surveillance issues, but the clear story from Europe is it
would help the atmosphere. So if this committee in the Congress
could pass a law in that direction, it would make a big
difference. It is no small thing. I have worked around this
city for a long time, but it would make a huge difference even
to have, for instance, a committee bill reported out that
showed progress; that would be a help in the negotiations.
And then the last part of the testimony is why this
Congress has a unique opportunity in my 25 years of working on
these issues to pass comprehensive privacy legislation. Could I
have perhaps 30 or 45 seconds to list a couple?
The Chairman. Sure.
Mr. Swire. OK. And you know better than I all the reasons
this is impossible, but not getting there is also a great big
problem. So one big reason for hope is the progress that the
Chairman and the Ranking Member made in this Congress on a lot
of provisions to narrow down the list of disagreements. A
second reason is that industry concern about Europe has a
strong reason to support legislation.
A third reason is that industry, after the new California
initiative, has a strong reason to want to have some
restrictions on additional things that are coming in from
California. A fourth reason has to do with the favorite issue
of preemption, and the testimony suggests one possible way that
both sides of that difficult fight could have a victory on
preemption, for instance, by allowing the current California
privacy law to stay in place, but not having the new initiative
go into effect.
There would be some State action, but not other State
action that might provide more room. And the last point is, in
a Congress where bipartisan accomplishments are difficult, this
is an issue where for business and for consumers, for
Republicans and Democrats, there may actually be the
possibility of bipartisan action.
Thank you, Chairman and Ranking Member, once again for the
opportunity to be here today.
[The prepared statement of Mr. Swire follows:]
Prepared Statement by Peter Swire,\1\ Elizabeth & Tommy Holder Chair
of Law and Ethics, Scheller College of Business, Georgia Institute
of Technology
---------------------------------------------------------------------------
\1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia
Tech Scheller College of Business; Research Director, Cross-Border Data
Forum; senior counsel, Alston & Bird LLP. The opinions expressed here
are my own, and should not be attributed to the Cross-Border Data Forum
or any client.
---------------------------------------------------------------------------
Chairman Wicker, Ranking Member Cantwell, and Members of the
Committee, thank you for the opportunity to testify today on ``The
Invalidation of the EU-U.S. Privacy Shield and the Future of
Transatlantic Data Flows.''
I am Peter Swire, the Elizabeth and Tommy Holder Chair of Law and
Ethics at the Scheller College of Business at Georgia Tech, and
Research Director of the Cross-Border Data Forum. Since the mid-1990s I
have worked intensively on the topic of data flows between the European
Union (EU) and U.S., including as lead author of the 1998 book called
``None Of Your Business: World Data Flows, Electronic Commerce, and the
European Privacy Directive.'' I have worked on these issues as a
government official and private citizen, and wrote expert testimony of
over 300 pages for the 2017 trial in Ireland of the Schrems II case. A
biography appears at the end of this testimony.
This hearing is important in part to create a clear public record
about these complex and important issues concerning the European Union,
the United States, and international flows of ``personal data,'' which
is often called PII or ``personally identifiable information'' in the
U.S.
Part I of this testimony offers observations on legal and policy
issues in the European Union. Key points include:
A. The European Data Protection Board in November issued draft
guidance with an extremely strict interpretation of how to
implement the Schrems II case.
B. The decision in Schrems II is based on EU constitutional law.
There are varying current interpretations in Europe of what is
required by Schrems II, but constitutional requirements may
restrict the range of options available to EU and U.S.
policymakers.
C. Strict EU rules about data transfers, such as the draft EDPB
guidance, would appear to result in strict data localization,
creating numerous major issues for EU- and U.S.-based
businesses, as well as affecting many online activities of EU
individuals.
D. Appendix 1 to this testimony provides detailed proposals for one
of the requirements of the EU Charter--individual redress for
violation of rights in the U.S. surveillance system.
E. Along with concerns about lack of individual redress, the CJEU
found that the EU Commission had not established that U.S.
surveillance was ``proportionate'' in its scope and operation.
Appendix 2 to this testimony seeks to contribute to an informed
judgment on proportionality, by cataloguing developments in
U.S. surveillance safeguards since the Commission's issuance of
its Privacy Shield decision in 2016.
F. Negotiating an EU/U.S. adequacy agreement is important in the
short term.
G. A short-run agreement would assist in creating a better overall
long-run agreement or agreements.
H. As the U.S. considers its own possible legal reforms in the
aftermath of Schrems II, it is prudent and a normal part of
negotiations to seek to understand where the other party--the
EU--may have flexibility to reform its own laws.
Part II of the testimony provides observations on the U.S.
political and policy landscape:
A. Issues related to Schrems II have largely been bipartisan in the
U.S., with substantial continuity across the Obama and Trump
administrations, and expected as well for a Biden
administration.
B. Passing comprehensive privacy legislation would help considerably
in EU/U.S. negotiations.
C. This Congress may have a unique opportunity to enact
comprehensive commercial privacy legislation for the United
States.
PART I: Observations on Legal and Policy Issues in the European Union
In the wake of the Schrems II decision very large data flows from
the EU to the U.S. and other third countries may become unlawful. The
likelihood and magnitude of such a blockage are uncertain, and depend
significantly on how European actors interpret the Schrems II decision.
With Kenneth Propp, I have written previously on the background of the
Schrems II case, its holdings, and its geopolitical implications. In
Part I of this testimony, I address legal and policy issues
specifically about the EU.
A. The European Data Protection Board in November issued draft guidance
with an extremely strict interpretation of how to implement the
Schrems II case.
An apparently very strict interpretation of Schrems II appears in
two documents issued, subject to public comment, by the European Data
Protection Board on November 11, 2020. My discussion here draws on the
clear and expert three-part commentary of Professor Theodore Christakis
in the European Law Blog. As the body of national data protection
regulators, the EDPB's views are important due to its official role in
interpreting the GDPR as well as language in the Schrems II decision
about its role in defining what supplementary safeguards are sufficient
for transfers outside of the EU.
The EDPB issued its draft of the ``European Essential Guarantees
for Surveillance Measures'' (``EEG Requirements''). This document
summarized the fundamental rights jurisprudence of the European Court
of Human Rights (housed in Strasbourg, and interpreting the European
Convention on Human Rights) and the Court of Justice of the European
Union (housed in Luxembourg, and interpreting European Union law
including the EU Charter of Fundamental Rights). A key task of the EEG
Requirements was to state the EDPB's understanding of what legal
requirements a third country must have in order to ``offer a level of
protection essentially equivalent to that guaranteed within the EU.''
To simplify the EDPB's main point--if a third country (such as the
U.S.) meets the EEG Requirements, then the country can be seen as
providing ``essentially equivalent'' protections; if not, then the
country does not provide ``essentially equivalent'' protections, and
transfers of personal data would require additional safeguards.
Where ``essentially equivalent'' protections exist, then transfers
to that country may be found ``adequate'' under EU law. This sort of
``adequacy'' determination was made by the EU Commission in 2016 for
the Privacy Shield. Eleven countries currently have this sort of
adequacy determination by the EU Commission. A new EU/U.S. agreement
would presumably be based on a similar adequacy finding.
If an adequacy determination is not in place, then the Schrems II
court stated that transfers from the EU to a third country can exist
where ``supplementary measures'' or ``additional safeguards'' are in
place. Along with the EEG Requirements, the EDPB released its
``Recommendations on Supplementary Measures'' on November 11. Prior to
the EDPB guidance, the U.S. government issued its ``White Paper'' on
``Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU
Legal Bases for EU-U.S. Data Transfers after Schrems II.'' Other expert
commentators published detailed studies of how additional safeguards,
well implemented, could create a lawful basis for continuing to use
Standard Contractual Clauses or other mechanisms for transferring
personal data from the EU to third countries including the U.S.
As Professor Christakis has explained, the EDPB interpreted the
Schrems II decision to be far stricter than had the White Paper or
other commentators. The EDPB's EEG Requirements are so strict, as
Christakis wrote, that ``third countries might rarely if ever meet the
EEG requirements.'' Data exporters, under the EDPB approach, would then
have to rely on its Recommendations on Supplementary Measures.
Christakis, however, found these are also exceptionally strict: ``To
sum up, the EDPB's guidance clearly indicates that no data transfer
should take place to non-adequate/non-essentially equivalent countries
unless the data is so thoroughly encrypted or pseudonymised that it
cannot be read by anyone in the recipient country, not even the
intended recipient.''
B. The decision in Schrems II is based on EU constitutional law. There
are varying current interpretations in Europe of what is
required by Schrems II, but constitutional requirements may
restrict the range of options available to EU and U.S.
policymakers.
There are important and as-yet unresolved disagreements among EU
experts about how to interpret the Schrems II decision. Disagreements
about constitutional law are certainly familiar to the Senators and
American lawyers. That sort of disagreement is what exists in Europe in
the aftermath of Schrems II.
Much of the Schrems II decision relied on specific provisions in
the EU Charter of Fundamental Rights, which came into force in 2009
along with the Treaty of Lisbon:
1. Article 47 of the Charter addresses the right to an effective
remedy: ``Everyone whose rights and freedoms guaranteed by the
law of the Union are violated has the right to an effective
remedy before a tribunal.'' Appendix 1 to this testimony
examines issues arising under Article 47, notably what sorts of
individual redress the U.S. might provide for EU persons with
respect to U.S. surveillance practices.
2. Article 7 of the Charter addresses respect for privacy and family
life: ``Everyone has the right to respect for his or her
private and family life, home and communications.'' This right
to privacy is similar to the ``right to respect for private and
family life'' in Article 8 of the European Convention of Human
Rights, first signed in 1950.
3. Article 8 of the Charter is a data protection right. It states:
``(1) Everyone has the right to the protection of personal data
concerning him or her; (2) Such data must be processed fairly
for specified purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid down by
law. Everyone has the right of access to data which has been
collected concerning him or her, and the right to have it
rectified. (3) Compliance with these rules shall be subject to
control by an independent authority.''
The EDPB guidance can illustrate the importance of how these
fundamental rights protections will be interpreted after the Schrems II
decision. To illustrate, suppose that each aspect of the draft EDPB
guidance were required by the Charter of Fundamental Rights. In that
instance, the European Union would have no legal authority to weaken
constitutional protections, and the strict prohibitions on data
transfers under the EDPB draft guidance would be required as a matter
of EU constitutional law. Based on the review of that guidance by
Professor Christakis, an enormous range of flows of personal data would
be prohibited to the U.S., China, India and most or all other third
countries in the world (except the small number with a current adequacy
decision in place).
The draft EDPB guidance, in fact, would appear to be clearly
stricter than constitutionally required by the Schrems II decision.
After all, the CJEU went to considerable lengths to say that transfers
using Standard Contractual Clauses remained lawful where ``additional
safeguards'' were in place; however, the EDPB guidance found no
``additional safeguards'' that would enable access to the personal data
in a third country. It appears that the EDPB draft guidance would
render the CJEU's discussion of additional safeguards to be a nullity.
Based on my discussions with other EU legal experts, many EU legal
experts would find greater flexibility under EU constitutional law than
provided by the EDPB draft guidance. Going forward, EU experts on
fundamental rights will engage on what restrictions on data transfers
are required by the Charter of Fundamental Rights, as contrasted with
decisions of non-judicial officials.
In conclusion on EU constitutional requirements, a very strict
interpretation of the decision may leave limited options open for
policymakers. Going forward, EU experts on fundamental rights will
engage on what restrictions on data transfers are required by the
Charter of Fundamental Rights, as contrasted with decisions of non-
judicial officials. Although the precise legal issues are different,
the importance of constitutional doctrine is well known to U.S.
lawmakers for free speech and other First Amendment issues. Members of
this Committee will therefore understand that legal, constitutional
limits may affect what the EU Commission, the European Parliament, and
other EU institutions can do in the wake of the Schrems II decision.
C. Strict EU rules about data transfers, such as the draft EDPB
guidance, would appear to result in strict data localization,
creating numerous major issues for EU- and U.S.-based
businesses, as well as affecting many online activities of EU
individuals.
The European Union will continue its own deliberations about how
strict are the limits on data flows, as a matter of either EU policy
choices or fundamental rights jurisprudence. I will briefly discuss
some practical effects of a strict approach, which appear considerable.
I will first address what one might call the ``boy who cried wolf''
theory. After all, concerns about EU cut-off of data have arisen
repeatedly since the Data Protection Directive went into effect in
1998. At that time, the EU/U.S. Safe Harbor, and other practical
measures, enabled commerce to proceed without great hindrance. Later,
in 2015, the CJEU issued the first Schrems decision, and privacy
experts advised companies that data flows from the EU might be cut.
Then, the EU and U.S. negotiated the Privacy Shield, and commerce
continued. More recently, the General Data Protection Regulation (GDPR)
went into effect in 2018, along with warnings that it could shut down
numerous business models. In practice, after often-considerable
compliance efforts, most business has been able to continue under GDPR.
After these three rounds of warnings of disaster that didn't
materialize, it would be easy for people to assume that the aftermath
of Schrems II will once again be less impactful on data transfers than
doomsayers cry out.
My view, however, is that the possibility of major disruptions of
data flows is far greater this time. The CJEU--the supreme court of
Europe, whose decisions are binding on the member states--has
reiterated its strong concerns about transferring data to countries
whose surveillance systems fail to meet European standards. That same
court would have the final word about any new EU-U.S. agreement, or any
other legal mechanism that seeks to enable transfers to third
countries. Depending on how one interprets the constitutional
dimensions of Schrems II and the many other high court decisions
examined by the EDPB, the apparent room for policymaker discretion now
seems more limited. In addition, based on my discussions with
knowledgeable persons, there is a significant possibility that one or
more of the largest companies in the world may come under court order
to stop transfers, before the January 20 U.S. presidential
inauguration. In short, this time may fit the old story, where the boy
cried wolf once again, but this time the wolf was really there.
If many data transfers are cut off, then the effect would be data
localization. The term ``local'' here would apply to the EU member
states, the other countries in the European Economic Area, and the
currently eleven countries that now have an adequacy determination.
Transfers to the United Kingdom after the January 1, 2021 Brexit would
appear to depend on the UK receiving an adequacy determination, which
is currently being considered but has not been finalized.
As the possibility of data localization increases, it becomes
increasingly important for organizations to determine what it would
mean to implement localization, and for policymakers to understand the
effects of localization. The most detailed examination of such data
flows, of which I am aware, remains the book that I wrote with Robert
Litan in 1998, called ``None of Your Business: World Data Flows,
Electronic Commerce, and the European Privacy Directive.'' Thanks to
permission from its publisher, the Brookings Institution, that book is
now downloadable from the Brookings website. Chapter 5 of the book
addresses ``privacy issues affecting many organizations,'' such as
human resources, auditing, business consulting, and customer support
such as call centers. Chapter 6 examines financial services in detail,
and the effects on that large sector deserve careful attention. Chapter
7 looks at ``other sectors with large trans-border flows'', including
business and leisure travel and e-commerce generally; it also looks at
possible interruptions of pharmaceuticals research, which would be
especially important to consider during the COVID pandemic, when
sharing of personal data might be so important concerning the safety
and efficacy of vaccines as well as other medical information.
Looking ahead, I plan to work with the Cross-Border Data Forum as
soon as possible to update and extend the data localization analysis. I
hope to publish initial pieces of that analysis in time to offer
comments on the EDPB Guidelines, due December 21. Many types of data
flows are the same as in 1998, but there are important new categories
of data flows, perhaps most notably for cloud computing, where the
personal data of individuals is often stored in a different country.
Several current reports are also available that provide useful
discussion of the impacts of cutting off data, including here and here.
I welcome any information or suggestions about how to accurately
describe the effects of data localization, such as under a strict
interpretation of EU law.
Pending such additional study, I offer the following observations
about the effects of a strict requirement of data localization:
1. Companies may find it difficult or impossible to ``fix'' the
problem themselves--the legal problem concerns the rules for
government access to personal data.
2. Data localization would have enormous impacts on third countries
other than the U.S. Schrems II clarified that its rules apply
the U.S. in particular but also to all third countries that
lack essentially equivalent protections.
a. Some countries, such as China, have woefully weaker
safeguards against government surveillance than the U.S.
does. It is therefore difficult for me to understand what
additional safeguards might be taken to enable transfers to
such countries. China is Germany's largest trading partner,
illustrating the large effect on the EU (rather than the
U.S.) of strict limits on transfers.
b. Other countries, such as Canada, are democracies with strong
privacy regimes, but have not thus far received an adequacy
determination. Even if the EU and U.S. reach an agreement,
there will be legal uncertainty about whether and how
transfers can continue to these other democracies.
3. Particular study should focus on the effects on EU individuals,
who may lose access to services and face reduced choice about
how to live their online life. Similarly, EU-based businesses
may face serious obstacles, beginning but not limited to how
they operate with their non-EU affiliates, suppliers, and
partners. Detailed study of the effect on the EU will help EU
decisionmakers weigh how to protect privacy while also meeting
other goals, as stated by the CJEU in Schrems II, that are
``necessary in a democratic society.''
4. During the coronavirus pandemic, individuals and businesses rely
more than ever before on online services, many of which are
operated or managed across borders. Disruptions from data
localization thus would appear to be especially great until we
reach a post-pandemic time.
5. In conclusion on the effects of a strict EU approach, it is vital
to consider carefully what measures can satisfy all the
relevant legal constraints. New solutions quite possibly are
necessary to enable continued data flows along with the
legally-required improvements in privacy protection.
D. Appendix 1 to this testimony provides detailed proposals for one of
the requirements of the EU Charter--individual redress for
violation of rights in the U.S. surveillance system.
This testimony will briefly summarize key points from Appendix 1,
which provides details on how the U.S. might craft a new system of
individual redress to address the CJEU's concerns. The Appendix has
three parts:
1. Discussion of the August 13 proposal by Kenneth Propp and myself,
entitled ``After Schrems II: A Proposal to Meet the Individual
Redress Problem.'' In order to provide an effective fact-
finding phase, a statute could create a mandate for
intelligence agencies to conduct an effective investigation
when an individual (or a Data Protection Authority on behalf of
the individual) makes a complaint. This mandate is similar to
the Freedom of Information Act--an individual does not have to
show specific injury in order to make a FOIA request, and an
individual similarly would not need to show injury to request
the investigation. Once the fact-finding is concluded, the
statute could provide for appeal to the Foreign Intelligence
Surveillance Court (FISC).
2. Discussion of the article by European legal expert Christopher
Docksey on ``Schrems II and Individual Redress--Where There's a
Will, There's a Way.'' This article found the Propp/Swire
approach promising, while pointing out important aspects of EU
law to be considered in any U.S. system for individual redress.
3. New material about how the individual redress system could be
created, even without a new statute. In the fact-finding phase,
Executive Branch agencies could be required to perform an
investigation pursuant to a new Executive Order or other
presidential action. An independent agency, such as the Privacy
and Civil Liberties Oversight Board, could sign a memorandum of
understanding that would bind the agency to participate in the
process. Once the fact-finding is complete, complaints that
concern surveillance under Section 702 FISA could then go to
the FISC. The FISC has continuing oversight of actions pursuant
to its annual court order concerning Section 702. It appears
that the government could promise to report the outcome of an
investigation to the FISC, and the FISC could then review the
fact-finding investigation to determine whether it complied
with its court order.
As discussed in Appendix 1, ``non-statutory approaches are worth
considering even if a somewhat better system might be created by a
statute. A non-statutory approach quite possibly is the best way to
ensure that data flows and privacy protections exist during an interim
period while legislation is being considered.''
Based on my experience, the fundamental rights orientation of EU
data protection law has often emphasized the importance of a mechanism
for an individual to make a complaint or access request. Then, there
must be a mechanism with sufficient independence and authority to
review the facts and issue an order to correct any violations. As the
CJEU re-emphasized in Schrems II, Article 47 of the Charter requires
``an effective remedy before a tribunal.'' After working extensively on
this subject, and speaking with both European and American experts, I
believe it is vital and apparently feasible to construct a new system
of individual redress with respect to actions by U.S. surveillance
agencies. Creating such a system would directly respond to a repeated
and important criticism to date of the ``essential equivalence'' of
U.S. protections.
E. Along with concerns about lack of individual redress, the CJEU found
that the EU Commission had not established that U.S.
surveillance was ``proportionate'' in its scope and operation.
Appendix 2 to this testimony seeks to contribute to an informed
judgment on proportionality, by cataloguing developments in
U.S. surveillance safeguards since the Commission's issuance of
its Privacy Shield decision in 2016.
Along with lack of individual redress, the Schrems II court found
that the principle of proportionality requires that a legal basis which
permits interference with fundamental rights must ``itself define the
scope of the limitation on the exercise of the right concerned and lay
down clear and precise rules governing the scope and application of the
measure in question and imposing minimum safeguards.'' (¶ 180). The
court held that the 2016 Privacy Shield adequacy decision by the EU
Commission did not show proportionality for Section 702 and EO 12,333.
(¶ 184).
Concerning the issue of proportionality, I offer six observations:
1. Appendix 2 to this testimony provides ``Updates to U.S. Foreign
Intelligence Law since 2016 Testimony.'' Appendix 2 presents
updates on the U.S. legal and regulatory regime for foreign
intelligence surveillance that have occurred since testimony of
over 300 pages that I provided to the Irish High Court in 2016
on the same subject (the ``2016 Testimony''). Taken together,
the 2016 Testimony and Appendix 2 seek to present an integrated
set of references that may inform ongoing assessments, under
European Union law, of the proportionality and overall adequacy
of protection of personal data related to U.S. foreign
intelligence law.
2. A proportionality assessment is quite different than the issue of
individual redress. Redress is a specific assessment--a
sufficient redress provision exists or it doesn't. By contrast,
``proportionality'' can be a more wide-ranging and fact-based
assessment, similar to defining a term such as ``reasonable.''
3. As a related point, the Schrems II decision cites European law
that privacy and data protection rights ``are not absolute
rights,'' but instead ``must be considered in relation to their
function in society.'' (¶ 172) In addition, standard data
protection clauses are lawful ``where do not go beyond what is
necessary in a democratic society to safeguard, inter alia,
national security, defence and public security.'' (¶ 144). More
documentation may thus be relevant as evidence of what is
``necessary in a democratic society.''
4. Appendix 1, concerning individual redress, discusses the
possibility of incorporating concepts such as proportionality
and necessity, or related terms used in U.S. law, into the
targeting procedures for Section 702 approved annually by the
FISC. I make this proposal for the first time in this
testimony, and so there may be classified or other persuasive
reasons why such an approach is inadvisable or unlawful.
5. In considering whether and how to issue an updated adequacy
opinion about the United States, the EU Commission will thus
have available a considerable record that evidences the large
number and high quality of safeguards within the U.S.
surveillance system. Chapter 6 of my 2016 Testimony cited a
study led by Ian Brown, then of Oxford University, that
concluded that the U.S. legal system of foreign intelligence
law contains ``much clearer rules on the authorization and
limits on the collection, use, sharing, and oversight of data
relating to foreign nationals than the equivalent laws of
almost all EU Member States.'' The U.S. government's White
Paper this fall adds particulars about current safeguards.
6. With that said, European law to date has indicated that
``essential equivalence'' of a third country is judged against
the standards set forth by the CJEU, rather than a comparison
of U.S. practices to the practices of the EU member states.
Professor Kristina Irion this year has explained the relevant
EU doctrine. Supporters of U.S. or other third country adequacy
might therefore complain about hypocrisy or an unfair standard,
but such arguments to date have not prevailed in European
courts.
In conclusion on proportionality, it is important for the United
States and the EU Commission to develop a strong record for why Section
702 and other surveillance programs currently are ``proportionate,'' or
else consider reforms that do establish proportionality.
F. Negotiating an EU/U.S. adequacy agreement is important in the short
term.
There are strong reasons for the EU and the U.S. to seek agreement
in the short term, so that the EU Commission can issue an adequacy
decision. I highlight five points:
1. Especially in the wake of the very strict EDPB draft guidance,
there is now considerable uncertainty about the lawful basis
for many transfers from the EU to third countries, including
the U.S. As mentioned above, there may well be court orders
issued, even before January 20, that prohibit transfers of
personal data by one or more major companies based in the U.S.
2. My understanding is that the current administration has a process
in place to engage immediately with the EU. Even though a Biden
administration would have available experts on these EU/U.S.
data issues, there could be a disruptive delay after January 20
if discussions are not completed by then. The immediate
discussions should take account of the legal and political
realities facing the EU Commission--it will only wish to enter
into an agreement with a strong case that it is acting
consistent with the CJEU decision in Schrems II. The U.S. thus
has a stronger-than-usual incentive to make its ``best and
final offer'' quickly, because of the limited time to
renegotiate before January 20.
3. To avoid potentially large disruptions, it makes sense to achieve
a short-term package even if additional reforms and agreements
may be possible in the longer-run. For instance, an adequacy
decision might be for a limited time, such as one year. That
would provide a new administration and the EU time to develop
longer-term agreements across both data protection and other
issue areas, as the EU has indicated it would like to do. A
deadline, such as one year, would provide a useful incentive
for all concerned to continue to work intensively toward a
longer-term solution.
4. Any short-term approach should include, if possible, clear
attention to key sectors, including medical research and
financial services. During the pandemic, it would be foolhardy
to interrupt the ability of medical researchers and
manufacturers to develop and test for the safety and efficacy
of COVID-19 treatments and vaccines. In addition, the financial
services sector has historically relied primarily on Standard
Contractual Clauses for transfers, rather than Privacy Shield.
My understanding is that to date there has been low risk within
the EU of enforcement against the financial services sector,
which I believe transfers large amounts of personal data daily
for business and regulatory reasons. With strict approaches
such as the EDPB draft guidance, there is now increased risk of
disruption of the global financial system due to possible
limits on transfers of personal data from the EU to third
countries.
5. There is an important reason, from the EU perspective, to issue
an adequacy decision for the U.S. in the short term, even
though Schrems II applies to third countries generally. The
specific judicial findings in Europe have been about essential
equivalence and the U.S., even though the U.S. has stronger
safeguards than most or all other countries for foreign
intelligence surveillance and privacy. An adequacy decision
initially concerning the U.S. thus provides the EU time to
clarify its overall approach for transfers to third countries.
Enforcement actions can meanwhile proceed with respect to other
third countries, such as China, to enable the EU judicial
process to make findings relevant to multiple third countries,
and avoid a discriminatory impact on an allied nation--the
U.S.--that has many safeguards already in place.
G. A short-run agreement would assist in creating a better overall
long-run agreement or agreements.
As discussed through this testimony, there are urgent short-term
difficulties concerning the lawful basis for transfers of personal data
from the EU to third countries. I next explain four reasons why an
adequacy agreement in the near future would assist in creating a better
overall set of reforms and agreements in the longer-run:
1. In this testimony, I am suggesting the desirability of seeking an
adequacy agreement in the short run, such as for one year. This
sort of breathing period would enable a new administration to
engage systematically to create durable approaches for
agreements with the EU on data protection and other issues.
2. A short-term agreement would provide the Congress with time to
consider any legislation that may assist in creating a durable
approach to enabling trans-Atlantic transfers while also
protecting privacy, meeting EU and U.S. legal requirements, and
achieving other goals including national security. As one
example, non-statutory approaches for individual redress may be
possible, as explained in Appendix 1, but a subsequent statute
might improve on the non-statutory approach.
3. One category of legislation to consider is for the U.S. to codify
in statute safeguards that already exist in practice. One
example would be the protections for the personal data of non-
U.S. persons, as provided currently in PPD-28. More broadly,
Appendix 2 to this testimony provides examples of privacy-
protective practices that currently exist but are not
explicitly set forth by statute. This sort of codification
could address EU concerns that informal guidance or even agency
policies are not ``established in law'' as effectively as a
statute or other binding legal instrument.
4. On an even longer time scale, there are strong reasons for the
U.S., the EU, and democratic allies to engage systematically on
a realistic and protective set of guidelines for government
access to personal data held by the private sector. Such a
process should include input from a range of expert
stakeholders, including data protection/privacy experts but
also experts in areas such as national security, law
enforcement, and economic policy. I understand the OECD may
move forward with such an initiative, first proposed by Japan,
on ``free flow of data with trust'' with respect to government
access to data held by the private sector. Such guidelines,
among other goals, could help define what safeguards are
``necessary in a democratic society,'' both to protect
fundamental rights and achieve other compelling goals.
H. As the U.S. considers its own possible legal reforms in the
aftermath of Schrems II, it is prudent and a normal part of
negotiations to seek to understand where the other party--the
EU--may have flexibility to reform its own laws.
For understandable reasons, the bulk of discussion to date has
focused on what reforms the U.S. might consider in order to meet legal
requirements set forth in Schrems II and other CJEU decisions. With
that said, my testimony today discusses reasons to seek both short-term
and longer-term agreements with the EU on cross-border data issues. It
is normal and prudent, in any negotiation, to understand where each
party may have flexibility to negotiate. As one example, my view is
that the U.S. should seriously consider reforms to enable individual
redress for EU citizens related to U.S. surveillance activities. Where
might the EU also consider reforming any aspect of its regime?
Recognizing that views might vary about what is possible as a legal
or policy matter, I offer four observations:
1. For reasons discussed above, I believe there is room, consistent
with the Schrems II decision, for the EDPB to make changes to
its draft guidance--the CJEU contemplated some continuation of
transfers where additional safeguards are in place, but the
draft guidance is so strict that such transfers in practice
appear to be eliminated. The analysis by Professor Theodore
Christakis examines specific ways the EDPB guidance might be
amended consistent with EU law.
2. Chapter V of the GDPR governs ``transfers of personal data to
third countries or international organizations.'' Article 46 of
GDPR sets forth extensive measures to enable lawful transfers
to third countries that have not received an adequacy
determination under Article 45. A similar approach existed
under Article 26 of the Data Protection Directive, which
applied from 1998 until GDPR went into effect in 2018. If the
EU came to the view that Article 46 had been interpreted more
narrowly than intended, then the EU could at least contemplate
a targeted amendment to GDPR to clarify its intent to allow
transfers under Article 46 with defined, appropriate
safeguards. Any such amendment might be politically painful and
challenging within the EU; massive disruptions of global trade
would also be painful and challenging.
3. The legal basis for transfers to the U.S. might be stronger if
the U.S. and the EU negotiated a formal international
agreement, such as a treaty. I have seen draft scholarship, not
yet public, that indicates that the legal basis for transfers
from the EU to a third country such as the U.S. might be
stronger if done pursuant to a formal international agreement,
such as a treaty. The Safe Harbor and Privacy Shield were not
treaties. Such a treaty would presumably not be negotiated or
implemented in the short term, but may be a useful longer-term
approach.
4. By contrast, in discussions with EU experts, they have clearly
stated that an amendment to the Charter of Fundamental Rights
would be extremely difficult or impossible to consider.
Americans can readily understand this view--imagine if another
country insisted that the U.S. amend the First Amendment free
speech guarantees. It will thus be important, as a matter of EU
law, to understand what is required under the Charter. The
Commission, Parliament, and other EU institutions are legally
bound to follow the Charter, but have room outside those
requirements to make decisions within their competence.
To date, there has been little or no visible discussion within the
EU about reforming its own data protection laws, such as considering
any change to GDPR. In discussing possible changes, I am not seeking to
tell the EU how to write its own laws. The limited point here is that
the U.S. and other third countries, in contemplating difficult reforms
to their own laws, can reasonably at least consider how the EU might
make reforms as well. Any eventual agreements can then be built on an
understanding of what is or is not legally possible within each legal
system.
PART II: Observations on U.S. Political and Policy Landscape
A. Issues related to Schrems II have largely been bipartisan in the
U.S., with substantial continuity across the Obama and Trump
administrations, and expected as well for a Biden administration.
Issues related to the Privacy Shield, Schrems II, and trans-Atlantic
data flows have been far more bipartisan in the U.S. than for many
other policy issues. I briefly highlight six aspects of continuity:
1. Privacy Shield. The EU-U.S. Privacy Shield was signed in 2016,
under President Obama. The Trump administration has uniformly
supported the Privacy Shield, including working closely with EU
officials in its annual reviews.
2. Enforcement by the Federal Trade Commission. The FTC is an
independent agency, charged with enforcing violations of the
Privacy Shield, as part of its general authority to protect
privacy and enforce against unfair and deceptive acts. Change
in administration, in my view, has not affected and will not
affect the FTC's commitment to enforce company commitments to
protect privacy in cross-border data flows.
3. PPD-28. President Obama issued PPD-28, with its safeguards for
non-U.S. persons in signals intelligence, in 2014. PPD-28 has
remained in force under President Trump.
4. Surveillance transparency and safeguards generally. Appendix 2 to
this testimony reports on safeguards and other developments in
surveillance since the Privacy Shield was negotiated in 2016
and I provided my expert testimony in Ireland. The consistent
theme in Appendix 2 is how transparency and surveillance
safeguards have continued extremely similarly under the Obama
and Trump administrations.
5. Continued attention both to privacy and other goals such as
national security. As a member in 2013 of the Review Group on
Intelligence and Communications Technology, I observed how
seriously U.S. government officials treated both privacy and
other important goals such as national security. My opinion is
that similar attention to these goals has continued and will
continue for each U.S. administration.
6. A Biden administration can draw upon experts in these EU/U.S.
data issues. Another reason to expect policy continuity is that
the Biden administration will have available experts in Privacy
Shield and other EU/U.S. data issues. For example, key
negotiators of the Privacy Shield, as signed in 2016, were Ted
Dean, then in the U.S. Department of Commerce, and Robert Litt,
then General Counsel for the Office of the Director of National
Intelligence. Both Mr. Dean and Mr. Litt have been named as
members of the Biden-Harris transition team.
In short, even though there are many differences on other policy
matters, what is remarkable for EU/U.S. data issues is bipartisan
agreement on issues of trans-Atlantic data flows.
B. Passing comprehensive privacy legislation would help considerably in
EU/U.S. negotiations.
I believe that enactment of comprehensive commercial privacy
legislation would greatly improve the overall atmosphere in Europe for
negotiations between the EU and the U.S. about the effects of Schrems
II.
This conclusion may seem counter-intuitive. After all, the CJEU
holdings concerned only issues of U.S. intelligence access to personal
data. By contrast, a commercial privacy statute would apply exclusively
or primarily to private-sector processing of personal data. As a strict
legal matter, a comprehensive commercial privacy law in the U.S. would
not address the holdings in Schrems II.
Nonetheless, I am confident that a meaningful, protective
commercial privacy bill would make an important difference. That is not
only my own intuition, developed after a quarter-century of working on
EU/U.S. data issues. In addition, I have asked the question to multiple
European experts. Their response has been unanimous and positive, along
the lines of ``Yes, that would make a big difference.''
Here are a few reasons to think enacting a comprehensive commercial
privacy law would help:
1. We have seen the link previously between U.S. intelligence
surveillance and the EU reaction on commercial privacy. The
clearest example is what happened after the Snowden revelations
began in June, 2013. Before that, it looked like the draft of
GDPR was blocked or moving slowly through the EU Parliament.
After that, GDPR was amended in multiple ways to be
considerably stricter, including on the U.S.-led tech sector.
GDPR passed the Parliament overwhelmingly in early 2014 by a
621-10 margin. EU Vice President Viviane Reding, in her
official statement on the vote, specifically referenced ``the
U.S. data spying scandals'' as a reason for passage.
2. The U.S. may soon become the only major nation globally that
lacks a comprehensive commercial privacy law. Whatever a
person's views may be of the best approach to protecting
privacy, the global trend is unmistakably in one direction--
toward each country having a comprehensive commercial privacy
law. Professor Graham Greenleaf in Australia has carefully
documented these trends: ``The decade 2010-2019 has seen 62 new
countries enacting data privacy laws, more than in any previous
decade, giving a total of 142 countries with such laws by the
end of 2019.'' Perhaps more importantly, the four most
significant recent exceptions to such a law have been the U.S.,
Brazil, India, and China. Brazil's new privacy law went into
effect in 2020. India has nearly finished its parliamentary
process to pass its law. China is also moving forward with a
commercial privacy law (although its protections against
government surveillance remain far weaker than in the U.S.).
Simply put, unless the U.S. acts in the next Congress, the U.S.
may be the only major nation globally that lacks a
comprehensive privacy law.
3. A U.S. privacy law would strengthen the hand of U.S. allies in
the EU. Currently, there are many in Brussels and throughout
the EU who favor retaining a strong alliance generally with the
U.S. That support for remaining allies was reflected, for
instance, in the broad EU Commission draft, reported by the
Financial Times, that ``seeks a fresh alliance with U.S. in
face of China challenge.'' More specifically, as seen for
instance in a recent DigitalEurope study on the effects of
Schrems II, many in Europe understand the harsh consequences to
Europeans themselves of a major cut-off in data flows.
From the European perspective, the 2000 Safe Harbor agreement and
the 2016 Privacy Shield are examples of ``special deals'' that
make transfers to the U.S. easier than transfers to the other
countries in the world that lack a general adequacy finding. As
the U.S. becomes an increasingly glaring exception on privacy
laws, it becomes more and more difficult for those in Europe to
explain why the U.S. should be a favored partner. Put bluntly,
the U.S. as the last holdout on a privacy law can look more
like a ``privacy pariah'' than a ``favored partner.'' By
contrast, enacting a U.S. commercial privacy law sends the
message that the U.S. in general offers legal protections for
privacy. With a U.S. privacy law in place, it becomes far
easier in Brussels and the EU generally to complete a privacy
deal with the U.S. As a related point, serious progress on U.S.
privacy legislation during the next two years, such as passage
in a crucial committee such as Senate Commerce, can itself help
foster progress in EU/U.S. negotiations by showing that passage
of a U.S. privacy law is feasible.
C. This Congress may have a unique opportunity to enact comprehensive
commercial privacy legislation for the United States.
You as Senators have far greater insight than an outside observer
can have about what is possible to enact in this Committee, the Senate,
or the Congress in the next two years. With that said, my own
perspective is that the 117th Congress, convening this January, has the
best chance to enact comprehensive Federal privacy legislation that I
have ever seen.
I offer six reasons for believing that now is an unusual
opportunity to pass privacy legislation:
1. This Committee has already made a great deal of progress on
finding areas of agreement between the political parties. In
2020, there was significant convergence on draft legislation
supported, separately, by Chairman Wicker and Ranking Member
Cantwell. On the large majority of issues, the language was the
same or similar. Historically, major legislation often passes
after substantial work in a previous Congress. That previous
work settles much of the final package. Then, there are intense
and often difficult negotiations on the final issues, which for
privacy appear to be Federal preemption and private rights of
action. Nonetheless, however difficult those two issues may be,
it is far easier to come to a final deal on two issues than to
try to draft an entire bill on a blank slate.
2. Industry and all those concerned about EU/U.S. relations have a
strong interest in passing comprehensive Federal privacy
legislation. As just discussed above, there are compelling
reasons why progress on U.S. privacy legislation would increase
the possibility of a good outcome in the EU/U.S. negotiations.
For the politically savvy companies that operate in both Europe
and the United States, the benefit of supporting an overall
U.S. law quite possibly outweighs any company-specific reasons
to try to block the bill due to particular provisions in a
privacy bill.
3. Passage last month of the California privacy initiative provides
business with a new, compelling reason to support Federal
privacy legislation. In November, the voters in California
approved a ballot initiative, called the California Privacy
Rights Act (CPRA), which goes into effect on January 1, 2023.
The effective date, in my understanding, is no coincidence--it
gives the 117th Congress time to complete action on a Federal
law. CPRA, while having only mixed support from privacy and
civil liberties advocates, would add new privacy restrictions,
including in the area of online advertising. For this reason,
online advertising companies and companies that buy online
advertising have a new reason to support Federal legislation.
Taken together with business support due to the EU situation,
the U.S. business community in general is more prepared to
accept broad national privacy rules than ever before.
4. The California privacy initiative creates the possibility of
greater agreement on Federal preemption. To date, some members
of this Committee have pushed for broad Federal preemption of
state privacy laws, for reasons including preventing business
from having to comply with multiple and possibly contradictory
state laws. Other members of this Committee have pushed to have
the Federal legislation be a floor but not a ceiling, allowing
states to act first (as they have often done in the past) to
enact greater protection of individual privacy. I have written
three articles on preemption, about the history of Federal
privacy preemption, identifying key issues for preemption, and
a proposal (co-authored with Polyanna Sanderson of the Future
of Privacy Forum) for a process to narrow disagreement, based
on case-by-case examination of the numerous existing state
laws.
Building on this previous analysis, the recent passage of the CPRA
creates a two-part proposal for how the differing sides on
preemption can each achieve a substantial victory. First, as a
win for those supporting privacy innovation in the states, the
California Consumer Privacy Act, which went into effect
already, would remain in effect. After all, businesses have
already had to comply with that law, so the major costs
associated with the law have already been spent. Second, the
new Federal law could preempt the CPRA, which does not go into
effect until 2023. Industry would thus be spared the challenge
of re-engineering their data systems again, so soon after
complying with CCPA. In addition, important privacy advocates,
including the ACLU of California and the Consumer Federation of
California, actually came out in opposition to CPRA. There may
thus be an opportunity to reach agreement on a significant
example of preemption. If both sides of this fierce debate win
a significant victory, then there may be more room to address
remaining preemption issues as something of a technical
drafting matter.
5. A Biden administration will support Federal privacy legislation.
The 2020 Democratic platform calls for enacting Federal privacy
legislation, and the Obama administration supported privacy
legislation as part of the 2012 announcement of a ``Privacy
Bill of Rights.'' Joe Biden himself has long worked on these
issues. He spoke to the European Parliament in 2010, garnering
headlines such as this: ``Biden vows to work with EU parliament
on data privacy.'' In addition, a Biden administration can draw
on numerous individuals who have extensive government
experience on privacy, including those who worked on the
Privacy Bill of Rights and negotiated the Privacy Shield.
6. The narrow majorities in both the Senate and House likely help
define the scope of the possible for Federal privacy
legislation. As a resident of Georgia, I know only too well the
intensity of effort for the two Senate run-off elections on
January 5--my wife and I have basically given up answering our
home telephone for the duration. After those run-offs, one of
the parties will have a narrow working majority in the Senate,
and the margin in the House of Representatives is also
unusually narrow. With such narrow margins, bipartisan
cooperation will be at a premium--neither party can afford to
support a privacy bill alone that would lose any of its
members, so the clearest path to a majority is with bipartisan
support. Last year's proposals from the Senate Commerce
Committee are the most logical starting point for negotiations.
New proposals from the wing of either party will likely have
difficulty making it into the legislation, unless the proposals
can garner support from a range of political viewpoints.
In conclusion on the prospects for Federal privacy legislation, the
stars may finally have aligned to enact meaningful privacy protections.
A new Federal privacy law would enshrine in law a considerable list of
new privacy protections for individuals. The law would also have
support from businesses who usually oppose new government regulation.
At a time when there is risk of partisan gridlock in Congress, Federal
privacy legislation could be a significant instance of bipartisan
accomplishment.
Background of the witness:
Peter Swire is the Elizabeth and Tommy Holder Chair and Professor
of Law and Ethics in the Scheller College of Business at the Georgia
Institute of Technology. He is senior counsel with the law firm of
Alston & Bird, and Research Director of the Cross-Border Data Forum.
In 1998, the Brookings Institution published Swire & Litan, ``None
of Your Business: World Data Flows, Electronic Commerce, and the
European Privacy Directive.'' In 1999, Swire was named Chief Counselor
for Privacy in the U.S. Office of Management and Budget, the first
person to have U.S. government-wide responsibility for privacy policy.
Swire was the lead White House official during negotiation of the EU/
U.S. Safe Harbor.
After the Snowden revelations, Swire served as one of five members
of President Obama's Review Group on Intelligence and Communications
Technology, making recommendations on privacy and other reforms for the
U.S. intelligence community. In 2015, the International Association of
Privacy Professionals awarded Swire its annual Privacy Leadership
Award. In 2016 he was an expert witness in the Irish trial for Schrems
v. Facebook, and submitted testimony of over 300 pages describing the
legal safeguards for the U.S. intelligence community's use of personal
data.
In 2018, Swire was named an Andrew Carnegie Fellow for his project
on ``Protecting Human Rights and National Security in the New Age of
Data Nationalism.'' In 2019, the Future of Privacy Forum honored him
for Outstanding Academic Scholarship.
______
``Statutory and Non-Statutory Ways to Create Individual Redress
for U.S. Surveillance Activities''
Appendix 1 to U.S. Senate Commerce Committee Testimony
on ``The Invalidation of the EU-U.S. Privacy Shield
and the Future of Transatlantic Data Flows''
Peter Swire\1\
---------------------------------------------------------------------------
\1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia
Tech Scheller College of Business; Research Director, Cross-Border Data
Forum; senior counsel, Alston & Bird LLP. The opinions expressed here
are my own, and should not be attributed to the Cross-Border Data Forum
or any client. For comments on earlier versions of the research, I
thank Theodore Christakis, Dan Felz, Robert Litt, and Kenneth Propp.
Errors are my own.
---------------------------------------------------------------------------
This document addresses a legal issue that calls for solution to
enable continued lawful basis for flows of personal data from the
European Union to the United States--individual redress. In Schrems II,
the Court of Justice for the European Union held that the lack of
individual redress in the United States for persons in the EU
purportedly surveilled by U.S. intelligence was a basis for finding
that the Privacy Shield, as approved by the EU Commission, did not
provide ``adequate'' protection of personal data. In this setting,
individual redress refers to the ability of an individual, including an
individual in the European Union, to receive a determination that their
rights have not been violated by U.S. national security surveillance.
For a U.S. audience, it is important to understand that the
requirement of individual redress is a constitutional requirement,
under Article 47 of the EU Charter of Fundamental Rights. The European
Data Protection Board (EDPB) in November published the ``European
Essential Guarantees'' based on the jurisprudence of the European Court
of Justice and the European Court of Human Rights. One of the four
essential guarantees, as described by the EDPB, is that ``effective
remedies need to be available to the individual.'' This appendix to my
December 9 testimony before the U.S. Senate Commerce Committee seeks to
identify issues and suggest
possible approaches to meet the individual redress requirement. The
testimony for which this is an appendix contains a summary discussion
of the issue of individual redress. This appendix provides more
detailed analysis and legal citations, in hopes of advancing discussion
of the individual redress issue.
This appendix to my testimony to the Committee has three sections:
1. Discussion of the proposal that I published on August 13 with
Kenneth Propp, entitled ``After Schrems II: A Proposal to Meet
the Individual Redress Problem.'' This article proposed ways
that a new U.S. statute could apparently meet the EU legal
standard for individual redress.
2. On October 14, European legal expert Christopher Docksey
published ``Schrems II and Individual Redress--Where There's a
Will, There's a Way.'' This article found the Propp/Swire
approach promising, while pointing out important aspects of EU
law to be considered in any U.S. system for individual redress.
3. Discussion of non-statutory approaches for individual redress.
Since August, working with others at the Cross-Border Data
Forum, I have examined lawful ways to meet the goals of the
initial proposal, in the event that Congress does not pass a
new statute to do so.\2\ This appendix includes a number of
ideas that have not previously been published.
---------------------------------------------------------------------------
\2\ Following the publication of the August proposal, I was asked
by U.S. officials about the possibility of a non-statutory approach for
individual redress. I then developed the non-statutory ideas that are
published here for the first time, and described them to officials in
response to their request.
The discussion here necessarily addresses details of multiple areas
of law, including constitutional, statutory, and administrative
provisions of both U.S. and EU law, and including the complex legal
provisions governing U.S. national security surveillance under the
Foreign Intelligence Surveillance Act (FISA) and other laws. As
Christopher Docksey emphasizes, the U.S. need not have perfect
``equivalence'' with EU law--in our different constitutional orders,
there may not be any lawful way to provide precisely the same
procedures as apply under the General Data Protection Regulation (GDPR)
and EU fundamental rights law. Instead, the standard announced by the
CJEU is ``essential equivalence,'' a legal term that has been the
subject of extensive interpretation by the CJEU. As EU courts have
stated, the ``essence of the right'' must be protected. The effort here
is to further the discussion of how such protections might be created
under U.S. law.
I. Individual Redress Proposal Based on U.S. Statutory Change
On August 13, Kenneth Propp and I published in Lawfare ``After
Schrems II: A Proposal to Meet the Individual Redress Problem.'' \3\ In
that case, the CJEU observed that the U.S. surveillance programs
conducted under Section 702 of the Foreign Intelligence Surveillance
Act (FISA) or EO 12333 do not grant surveilled persons ``actionable''
rights of redress before ``an independent and impartial court.'' The
Court emphasized that ``the very existence of effective judicial review
designed to ensure compliance with provisions of EU law is inherent in
the existence of the rule of law.'' It added that ``legislation not
providing for any possibility for an individual to pursue legal
remedies in order to have access to personal data relating to him or
her'' fails to ``respect the essence of the fundamental right to
effective judicial protection,'' as set forth in Article 47 of the EU
Charter of Fundamental Rights.
---------------------------------------------------------------------------
\3\ Kenneth Propp & Peter Swire, ``After Schrems II: A Proposal to
Meet the Individual Redress Problem.''
---------------------------------------------------------------------------
The CJEU identified two ways in which U.S. surveillance law lacks
essential equivalence to EU safeguards. The first, and the focus of
this article, is that the U.S. lacks an ``effective and enforceable''
right of individual redress. The second, which is beyond the scope of
the proposal we offer here, is the finding that there is a lack of
``proportionality'' in the scale of U.S. intelligence activities. As
discussed in the initial proposal, the CJEU thus measures U.S.
surveillance law protections against an idealized, formal standard set
forth primarily in EU constitutional law.
A. Lessons from Schrems II About Redress
The Privacy Shield was itself an iterative response to the
criticisms of U.S. surveillance law voiced by the CJEU in striking down
its predecessor, the Safe Harbor Framework, in 2015. In that prior
ruling, the Court emphasized the importance of effective redress to
protect surveilled persons, with an independent decision-maker
providing protection for the individual's rights.
In response, the United States agreed in the Privacy Shield to
designate an Ombudsperson, an Under Secretary of State, to receive
requests from Europeans regarding possible U.S. national security
access to their personal data, and to facilitate action by the U.S.
intelligence community to remedy any violation of U.S. law. This role
was built on top of the Under Secretary's previously assigned
responsibilities under Presidential Policy Directive 28 as a point of
contact for foreign governments concerned about U.S. intelligence
activities. No change in U.S. surveillance law was needed to establish
the Ombudsperson--only the conclusion of an interagency memorandum of
understanding between the Department of State and components of the
U.S. intelligence community.
In Schrems II, the CJEU disapproved of the Privacy Shield's
Ombudsperson innovation. The Court observed that the Under Secretary of
State was part of the executive branch, not independent from it, and in
any case lacked the power to take corrective decisions that would bind
the intelligence community. An inquiry conducted by an administrative
official, with no possibility of appealing the result to a court, did
not meet the EU constitutional standard for independence and
impartiality, the CJEU held.
The implications of the CJEU's decision support the conclusion that
any future attempt by the United States to provide individual redress,
to meet EU legal requirements, must have two dimensions: (1) a credible
fact-finding inquiry into classified surveillance activities in order
to ensure protection of the individual's rights, and (2) the
possibility of appeal to an independent judicial body that can remedy
any violation of rights should it occur.
B. Possible Factfinders
In devising a system of individual redress for potential
surveillance abuses, the first question is where best to house the
fact-finding process. Our initial proposal mentioned two possible ways
to conduct such fact-finding. The first is to task fact-finding to
existing Privacy and Civil Liberties Officers (PCLOs) within the
intelligence community, as established by Section 803 of the
Implementing Recommendations of the 9/11 Commission Act of 2007. The
second is to enlist the Privacy and Civil Liberties Oversight Board,
an independent agency tasked with oversight of intelligence community
activities. Since we wrote the proposal, as discussed below, the
suggestion has also been made that fact-finding could be carried out by
the Office of the Inspector General in the relevant intelligence
agency.
Beyond the question of who in the U.S. Government is best-placed
to act as a factfinder, a new system of individual redress would need
to define the standard for that investigation. To meet the legal
standard announced by the CJEU, the system would apply at least to
individuals protected under EU law; the system might also enable
actions for individual redress for U.S. persons. Precise definition
will require the involvement of experts within the U.S. intelligence
community as well as those knowledgeable about surveillance-related
redress procedures in European countries. A legal standard for all
complaints, at a minimum, would likely test compliance with U.S. legal
requirements, such as whether collection under FISA Section 702 was
done consistent with the statute and judges' orders governing topics
such as targeting and minimization. In addition, a future agreement
between the U.S. and the EU or other third countries could add
provisions forming part of the investigative standard. For instance, as
discussed below, there may be a way to state explicitly that the
surveillance will be necessary and proportionate, which are important
legal terms under the EU Charter of Human Rights and the European
Convention on Human Rights. Our proposal noted that the U.S. might
perhaps negotiate to ensure that the EU provide reciprocal rights for
U.S. persons with respect to any surveillance conducted by EU Member
States. Similarly, the new redress system might address other issues,
including whether individuals would ever receive actual notice some
period of time after they have been surveilled. Such notice has been an
element of EU data protection law, although notice of intelligence
activities appears to have been a rarity there in actual practice.
The fact-finding process would logically have two possible
outcomes--no violation, or some violation that should be remedied.
Where there is no violation, there would be a simple report to the
individual, or perhaps to a Data Protection Authority acting in the EU
on behalf of an individual. Under the Privacy Shield, the report was
that there had been no violation of U.S. surveillance law or that any
violation has been corrected. This sort of limited reporting about
classified investigations exists for the U.K. Investigatory Powers
Tribunal, which is prohibited from disclosing to the complainant
``anything which might compromise national security or the prevention
and detection of serious crime.'' As Christopher Docksey has noted,
this type of reporting can also be found in Article 17 of the Law
Enforcement Directive (EU) 2016/680.
Broader disclosure about classified investigations risks benefiting
hostile states, terrorist groups or others. By contrast, where any
violation is found, then no report could be given until the violation
was remedied. For instance, if there was illegal surveillance about the
person seeking redress, the personal data might be deleted or any other
measure taken to remedy the violation.
C. Judicial Review in the FISC
In the initial article, we stated that the obvious and appropriate
path for an appeal from the fact-finding stage would be to the Foreign
Intelligence Surveillance Court (FISC). FISC judges, along with other
Federal judges, meet the gold standard for independence, since Article
III of the U.S. Constitution ensures that they have lifetime tenure and
are located outside of the executive branch. Making the FISC
responsible for the adjudication of individual complaints would in
some respects go beyond the FISC's current institutional
responsibilities, but the Federal judges on the FISC are experienced in
reviewing agency decisions in non-FISC cases. The FISC is better-suited
than an ordinary Article III court would be, because of its specialized
expertise in U.S. surveillance law and well-established procedures for
dealing with classified matters. As discussed in more detail below, the
FISC already provides judicial oversight for the FISA Section 702
program--and has a proven track record of effective oversight. In the
wake of the Snowden revelations, numerous FISC decisions were
declassified and made public. A detailed review of these decisions
concluded: ``The FISC monitors compliance with its orders, and has
enforced with significant sanctions in cases of noncompliance.''
A key legal issue in crafting such a system is ensuring that a
plaintiff has ``standing'' to sue, as required by Article III of the
U.S. Constitution. In the Irish High Court decision in Schrems II,
Judge Costello wrote that ``All of the evidence show that [standing] is
an extraordinarily difficult hurdle for a plaintiff to overcome'' in
government surveillance cases. In summary, the plaintiff must show: (1)
he or she has suffered injury in fact (2) that is causally connected to
the conduct complained of and (3) is likely to be redressed by a
favorable judicial opinion. Under EU law, an individual such as Max
Schrems can bring a successful case without proving that he was ever
under surveillance by the U.S. government. By contrast, as explained by
Tim Edgar in Lawfare, plaintiffs in the U.S. have had to clear a high
hurdle to establish standing and gain a legal ruling about the
lawfulness of surveillance.
To assure standing for these appeals to the FISC, a mechanism
similar to the one utilized under the U.S. Freedom of Information Act
(FOIA) appears feasible. Under FOIA, any individual can request that an
agency produce documents, without the need to first demonstrate
particular ``injury.'' The agency is then under a statutory requirement
to conduct an effective investigation, and to explain any decision not
to supply the documents. After the agency completes its investigation,
the individual can appeal to Federal court to ensure independent
judicial review. The judge then examines the quality of the agency's
investigation to ensure compliance with law, and he or she can order
changes in the event of any mistakes by the agency.
Analogously, when seeking individual redress on a matter relating
to national security, the FISC could independently assess whether the
administrative investigation met statutory requirements, and the judge
could issue an order to correct any mistakes by the agency--including
by correcting or deleting data or requiring additional fact-finding.
This sort of judicial review of agency action is extremely common under
the Administrative Procedure Act that applies broadly across Federal
agencies. Typically, the judge must ensure that the agency action is
not ``arbitrary, capricious, an abuse of discretion, or otherwise not
in accordance with law.'' There is standing on the part of the
individual--a ``case or controversy''--to assess whether the agency has
properly discharged its statutory duties. As with FOIA, there is no
need to determine whether the complaining individual has suffered
injury in fact, since the statute creates a duty on the agency to act
in a defined way.
We identify three features worth considering with this approach.
First, due to the classified nature of the fact-finding, there may not
be any workable way for the complainant to decide whether to bring an
appeal. Therefore, it may make sense to have an automatic appeal to the
FISC. Second, the 2015 USA FREEDOM Act established a role for appointed
amici curiae who have full access to classified information and can
brief the FISC on ``legal arguments that advance the protection of
individual privacy and civil liberties.'' These amici could play a role
in advocating for the rights of the complainant, so that the FISC judge
can receive briefing from both the agency and an amicus assigned to
scrutinize the agency investigation. Third, Congress could consider
whether the right to file a complaint be extended to U.S. persons in
addition to those making complaints from the EU concerning surveillance
under FISA Section 702 and EO 12333. Congress should consider how to
structure a meaningful right to redress while avoiding a flood of
complaints. The experience from Europe, and from prior agreements such
as Privacy Shield and the Terrorist Finance Tracking Program, suggests
that the actual number of complaints would likely be manageable.
II. Assessment by European Data Protection Expert Christopher Docksey
On October 14, Christopher Docksey published in Lawfare an article
that commented on the Propp/Swire proposal, ``Schrems II and Individual
Redress--Where There's a Will, There's a Way.'' Docksey is a leading
expert in EU data protection law, after a career as senior lawyer for
the EU Commission and then Director and Head of Secretariat of the
European Data Protection Supervisor.
Docksey was kind enough to state that ``Propp and Swire's proposal
provides a valuable framework for discussions by U.S. policymakers on a
durable solution to individual redress in the United States.'' His
objective was to respond to the proposal ``from a European perspective,
to underline the acceptable elements of their proposal and clarify
which questions remain.'' He said: ``The key to identifying potential
points of future compromise by the EU is understanding the nature of
three different types of institutions: data protection officers
(DPOs), independent supervisory authorities (DPAs) and courts.''
A. Fact-Finding Phase
For the fact-finding phase, we suggested either the Section 803
Privacy and Civil Liberties Officers (PCLOs) or the PCLOB. Docksey
explored having the fact-finding conducted either by the Office of
Inspector General (OIG) or else the PCLOB.
In assessing the PCLOs, Docksey compares them to DPO's, whom he
describes as ``part of the organization of the data controller but have
the right and duty to act independently in carrying out their roles.''
Because they are within the organization itself--the Federal agency--
Docksey concludes they do not meet the EU requirement of ``independent
oversight.''
Docksey examines the role of the OIG, and concludes: ``It could be
useful to explore whether the powers of the inspectors general could be
strengthened to hear complaints referred by PCLOs and adopt binding
orders for corrective action.'' As a potentially important factor for
the EU legal analysis, OIG's have a reporting relationship to
Congress--outside of the agency itself. As a legal risk of deploying
the OIG's, Docksey observes that an Inspector General ``can be easily
removed, as recent experience shows.''
Under Docksey's analysis, the PCLOB, as an independent agency, is
most similar to the European institution of the data protection
authority. As shown in a report by the EU Fundamental Rights Agency,
national law in the EU varies in the manner of supervision. Some
nations enable their usual DPA's to have oversight for national
security investigations. Others, such as the Netherlands, have
independent supervisory agencies specifically for intelligence
activities. Docksey underscores the EU legal requirement of the right
to independent supervision by a DPA, which ``is enshrined as a specific
element of the right to protection of personal data in Article 8(3) of
the EU Charter and in Article 16(2) of the EU Treaty itself.''
Assuming that the PCLOB has legal authority to conduct the
investigation, therefore, the most analogous U.S. institution to a DPA,
for conducting the fact-finding, would be the PCLOB. Concerning legal
authority, the statute creating the PCLOB specifically provides that it
shall have the power to review and analyze actions the Executive Branch
takes to protect the U.S. from terrorism. The PCLOB's actions, however,
have not been limited only to terrorism-related activities. As shown on
the agency's website, the PCLOB has taken additional actions, including
under Executive Order 13636 on Improving Critical Infrastructure
Cybersecurity, as well as a request from the President that the Board
provide an assessment of implementation of Presidential Policy
Directive 28 (PPD-28), concerning protection of privacy and civil
liberties in U.S. signals intelligence activities. By statute, Congress
could explicitly authorize a role for the PCLOB in the individual
redress process. As discussed further below, even in the absence of a
statute, there would appear to be a legal basis for the PCLOB to play a
role in a new individual redress process.\4\
---------------------------------------------------------------------------
\4\ The PCLOB has a staff that is small compared to employment by
U.S. intelligence agencies, so a problem might arise if there are many
requests for individual redress. In response, first, my understanding
is that there was only one request to the Privacy Shield Ombudsman in
the five years that the position existed, so staffing may not be a
problem. In addition, the agency may be able to assist the PCLOB in the
fact-finding, such as by ``detailing'' agency individuals to work on
behalf of the PCLOB. This sort of ``detailing'' has often been used in
the Federal government where expertise and staffing exist in one
agency, but individuals are temporarily placed under the direction of
the White House or a different agency.
---------------------------------------------------------------------------
In conclusion on the fact-finding phase, there are multiple
possible ways to create the independent fact-finding process required
under EU law. In addition, as Docksey explains in detail, the EU legal
standard is not ``absolute equivalence''; instead the U.S. must provide
``essential equivalence'' to EU legal protections. Docksey in his
article explains reasons, in his view, why some U.S. approach to
individual redress could indeed meet this ``essential equivalence''
standard.
B. Judicial Review in the FISC
Once the fact-finding phase is complete, Docksey emphasized the
constitutional requirement, under EU law, for judicial review. Article
47 of the EU Charter states the constitutional text--there must be a
right to an ``effective remedy before a tribunal.''
In the Schrems II case, as quoted by Docksey, ``the advocate
general enumerated the criteria laid down by the CJEU to assess whether
a body is a tribunal.'' The advocate general wrote that the decision
hinges on ``whether the body is established by law, whether it is
permanent, whether its jurisdiction is compulsory, whether its
procedure is inter partes, whether it applies rules of law and whether
it is independent[.]'' Docksey adds: ``Probably the most important of
these criteria is the requirement of independence. This means acting
autonomously, without being subject to decisions or pressure by any
other body that could impair the independent judgment of its members.''
The FISC is a close fit for these announced criteria for judicial
review:
1. Independence. For the most important criterion, each FISC judge
meets the gold standard for independence. Decisions are made by
a judge nominated by the President and confirmed by the Senate.
Each judge has lifetime tenure, and cannot be removed except
under the historically rare process of impeachment in the
Congress.
2. Established by law and applies rules of law. The FISC is
established by law in the Foreign Intelligence Surveillance Act
(FISA) and other statutes. It applies rules of law, including
these statutes and its published rules of procedure.
3. Permanence. The FISC is permanent, in the sense that the
authorizing statutes continue in operation unless there is a
new statute passed by the Congress.
4. Compulsory jurisdiction. The FISC is a Federal court, established
under Article III of the U.S. constitution. A Federal judge
acting in the FISC has the same judicial powers as a Federal
judge operating generally in the Federal courts. For instance,
the judge issues a binding order, punishable by contempt of
court, in cases of non-compliance. As with Federal judges
generally, the binding order can apply to a Federal agency as
well as to individuals.
5. Procedure ``inter partes.'' The FISC originally acted ex parte,
without opposing counsel, and now has procedures to act ``inter
partes,'' with counsel in addition to the government. The
Review Group on Intelligence and Communications Technology
explained in 2013 the reason for this change:
``When the FISC was created, it was assumed that it would resolve
routine and individualized questions of fact, akin to those
involved when the government seeks a search warrant. It was not
anticipated that the FISC would address the kinds of questions
that benefit from, or require, an adversary presentation. When
the government applies for a warrant, it must establish
`probable cause,' but an adversary proceeding is not involved.
As both technology and the law have evolved over time, however,
the FISC is sometimes presented with novel and complex issues
of law. The resolution of such issues would benefit from an
adversary proceeding.''
Consistent with this recommendation, Congress created a set of
amici curiae, experts in privacy and related matters, in the
USA FREEDOM Act of 2015. 50 U.S.C. Sec. 1803(1)(i). A judge in
the FISC ``may appoint an individual or organization to serve
as amicus curiae, including to provide technical expertise, in
any instance as such court deems appropriate.'' As part of any
negotiation with the EU, the U.S. government could consider
promising to request appointment of such an amicus curiae in
any case involving the rights of an EU person. With such an
appointment, the FISC would meet the EU criterion of procedure
inter partes.
In conclusion on the Docksey article, the discussion here has
indicated options, consistent with EU law, for fact-finding concerning
a complaint by an EU person about a possible violation of rights.
Appeal then could be to the FISC, which meets the EU legal criteria for
a ``tribunal.'' Docksey himself, after completing his analysis of the
proposal, concluded: ``It is time to grasp the nettle. A compromise is
worth the effort. And if there is the will, there is a way.''
III. Non-Statutory Variations on the Proposals
Since our proposal was published in August, it has become more
urgent to consider ways to establish an individual redress procedure
without necessarily awaiting a statute passed by the Congress, for at
least three reasons:
1. Drafting a statute on these novel issues is a complex task, which
even with full agreement among members of Congress could take
substantial time to complete.
2. The possibility has grown that there may soon be large cut-offs
of personal data from the EU to third countries such as the
U.S. As Professor Theodore Christakis has recently explained,
the November guidance from the European Data Protection Board
appears to conclude that it is illegal, for a very wide array
of routine business practices, to transfer personal data from
the EU to third countries.
3. Non-statutory approaches are worth considering even if a somewhat
better system might be created by a statute. A non-statutory
approach quite possibly is the best way to ensure that data
flows and privacy protections exist during an interim period
while legislation is being considered. Drafting a non-statutory
approach can benefit from commentary from experts in the U.S.
and EU legal systems, and the U.S. and EU officials working on
the issue can identify and address nuanced issues about how to
meet legal and policy goals for an agreement. In short, a non-
statutory approach may be sufficient long-term to provide
individual redress by non-statutory means, although European
law emphasizes the strength of protections memorialized in a
statute. Alternatively, a non-statutory approach might bridge
the period until Congress enacts a statute.
As with Parts I and II above, the discussion here addresses the
fact-finding phase and then the possibility of judicial review.
A. Fact-finding Phase
The discussion here of the Docksey article mentioned possible roles
in fact-finding for the Section 804 Privacy and Civil Liberties
Officers in each agency, the agency Inspectors General, and the PCLOB.
The analysis here suggests possible ways that each might play a role in
fact-finding without statutory change.
The Section 804 PCLO's are subject to an Executive Order or similar
mandates from the President. As a general matter, an Executive Order,
Presidential Policy Directive, or other executive action can take
effect under the President's power under Article II of the U.S.
constitution to ``take care'' that the laws are faithfully executed.
For national security matters, the President also can act as Commander-
in-Chief. Expertise in the possible scope of executive power resides in
the Office of Legal Counsel in the U.S. Department of Justice, working
with White House Counsel and other officials. As one example, the
PCLO's could be ordered by the President to cooperate in specified ways
with others involved in fact-finding, such as the PCLOB.
As Docksey notes, there is a strong tradition of reporting from the
Inspectors General to Congress, and IGs have a history of
independence, in order to investigate and report on the agencies within
which they reside. There may be ways by Executive Order or other
executive action to strengthen IG independence, as Docksey suggests may
be required by EU law.
As discussed above, the PCLOB plays the role of independent
supervisory agency most closely analogous to the supervisory agencies
that exist in the EU. Due to its independence, I am not sure of the
extent to which the PCLOB would be bound by an Executive Order or other
presidential action. Nonetheless, one promising approach would be if
the PCLOB entered into a legally-binding Memorandum of Understanding
(MOU) with an Executive Branch agency. This MOU would be a public
commitment by the PCLOB and the Executive Branch agency to act in
agreed-upon ways to conduct fact-finding. To the extent that the EU has
questions about the legal enforceability in court of such an MOU, any
agreement with the U.S. leading to adequacy could be conditional on the
MOU remaining in force. As with other adequacy determinations, the EU
would periodically assess how procedures are working in practice, and
the EU could therefore withdraw its adequacy finding if the MOU were
not followed.
In conclusion on the fact-finding phase, there would appear to be
considerable scope for executive action and/or agreements between
agencies to put in place effective fact-finding mechanisms for
individual redress. Drafting of such measures can be informed by the
insights offered by Christopher Docksey in his articles, and from other
experts.
B. Judicial Review by the FISC
As described in the Propp/Swire proposal, Congress can provide by
statute for an appeal to go to the FISC. The discussion here suggests a
legal approach, without the need for a statute, that may also enable
appeal to the judges in the FISC. The basic idea is that the U.S.
Government could request review by the FISC, as part of the court's
inherent authority to review implementation of its Section 702 orders.
The U.S. Government could promise, such as in an agreement with the EU,
that it will petition the FISC to review each complaint under the
redress system in this manner. As a result, independent Federal judges
would provide judicial review of the complaints, and have authority to
issue binding orders in the event of violations.
The approach discussed here has not been published previously, so I
offer it as an initial public draft, with relatively detailed citations
to relevant authorities.
1. FISC Oversight of Section 702 Orders
The proposed approach would build on existing FISC supervision of
national security surveillance. Judges in the FISC issue binding legal
orders about how requirements apply for any surveillance under Section
702. FISC authorizes Section 702 surveillance each year by entering an
order that evaluates the conduct of the 702 program over the past year,
imposes new restrictions or requirements as appropriate, and approves
targeting, querying, and minimization procedures for U.S. intelligence
agencies. 50 U.S.C. Sec. 1881a(j)(3) (requiring FISC to ``enter an
order'' authorizing 702 program if government's annual certification
meets statutory and constitutional requirements); see also, e.g., In re
Government's Ex Parte Submission of Reauthorization Certifications and
Related Procedures, Case caption redacted (Foreign Int. Surv. Ct. Dec.
6, 2019), available here (order authorizing 2019 Section 702
intelligence programs).
In the U.S. legal system, Federal judges have ``inherent
authority'' under Article III of the Constitution to take judicial
action in order to ensure compliance with judicial orders. FISC has
Article III authority. See, e.g., In re: Certification of Questions of
Law to the Foreign Intelligence Court of Review, No. FISCR 18-01, at 8
(FISA Ct. Rev. Mar. 16, 2018), available here (``FISC's authority . . .
is cabined by--and consistent with--Article III of the Constitution'').
Further, FISA expressly ensures FISC can exercise this authority in
regards to FISC's own orders, stating that ``[n]othing in [FISA] shall
be construed to reduce or contravene the inherent authority of [FISC]
to determine or enforce compliance with an order or . . . a procedure
approved by [FISC].''
Under the proposed approach, the U.S. Government would essentially
ask the FISC to do no more than exercise its inherent authority as an
Article III court, to review that 702 intelligence activities conducted
in regards to a specific individual complied with the FISC's own 702
authorization order and applicable law.
This approach would fit with FISC's general monitoring of the
intelligence community's compliance with its orders and U.S.
surveillance laws. The FISC Rules of Procedure already require the
government to report any noncompliance with a FISC order. See FISC Rule
of Procedure 13(b) (requiring the government to report all cases where
``any authority or approval granted by [FISC] has been implemented in a
manner that did not comply with [FISC's] authorization or applicable
law''). The FISC itself has not hesitated to monitor and, if warranted,
aggressively enforce compliance with its orders. Examples include the
FISC's questioning the NSA's compliance with FISC orders governing the
post-9/11 Internet metadata program, ultimately leading to the
program's termination, or the FISC's more recent orders requiring the
government to respond to the DOJ Inspector General's findings relating
to the Carter Page and other FISA warrant cases, both of which are
discussed in Appendix 2 to today's testimony.
Put another way, this approach fits well within the joint, ongoing
system of oversight for 702 surveillance that the FISC and the U.S.
Government already work together to provide. The Government subjects
702 surveillance to a range of oversight mechanisms, including day-to-
day supervision within intelligence agencies, supervision by the
Oversight Section in DOJ's National Security Division (NSD), and
regular joint on-site audits of 702 surveillance by NSD and ODNI. See,
e.g., Joint Unclassified Statement to the H. Comm. on the Judiciary,
114th Cong. 4 (2016), available here. Existing FISC orders also require
the government to report violations of 702 authorization orders. See
PCLOB 702 Report at 29-30 (referencing a still-classified 2009 FISC
opinion imposing reporting requirements). All compliance incidents
identified through these processes are reported to the FISC. The FISC
reviews these compliance incidents as part of its annual 702
reauthorization. This review can give rise to FISC requiring
remediation or imposing new restrictions on intelligence activities in
its 702 authorization orders.
The approach also seems to fit within procedural, jurisdictional,
and national-security constraints under which the FISC operates:
The U.S. Government is entitled to ask FISC for relief. The
FISC Rules of Procedure generally require ``the government'' or
``a party'' to file pleadings requesting relief from FISC. See,
e.g., FISC Rules of Procedure 6(a)-(b) (permitting ``the
government'' to request certain relief); 6(c)-(d) (permitting
``a party'' to request certain relief); 19(a) (permitting ``the
government'' to file show-cause motions); 62(a) (permitting ``a
party'' to move for publication of FISC decisions). If an
individual were to file a petition with the FISC, this could
give rise to questions about whether she is ``a party''
entitled to request relief. But it would seem clear that a
motion from the U.S. Government would be from ``the
government'' as contemplated under FISC rules.
The U.S. Government should not face standing hurdles. When
non-governmental parties have requested relief from FISC in the
past, FISC has required them to plead Article III standing.
See, e.g., In re Opinions & Orders of this Court Addressing
Bulk Collection of Data under [FISA], Misc. 13-08 (Foreign Int.
Surv. Ct. Nov. 9, 2017), available here (chronicling litigation
over whether ACLU had Art. III standing to request that FISC
publish orders relating to Section 215 programs). In contrast,
the U.S. Government is already entitled to obtain 702
authorization orders from FISC in ex parte proceedings, without
needing to show standing. The Government should thus also be
able to ask FISC to review and enforce compliance in connection
with those same 702 orders.
National security interests remain protected. In recent
decisions, the FISA Court of Review has reasserted the FISC's
``unique'' national-security need to maintain secrecy. See,
e.g., In re: Certification of Questions of Law to the Foreign
Intelligence Court of Review, No. FISCR 18-01, at 3 (FISA Ct.
Rev. Mar. 16, 2018), available here (emphasizing that ``[t]he
very nature of [FISC's] work . . . requires that it be
conducted in secret,'' and that FISC orders ``often contain
highly sensitive information'' whose release ``could be
damaging to national security''). The proposed approach would
not require FISC to disclose classified information, or
otherwise impair the secrecy under which FISC normally
operates.
2. What would the FISC Review?
A non-statutory proposal would need to define the scope of
oversight the FISC can and would review. The statutory text of Section
702 states that the FISC oversees the targeting, querying, and
minimization procedures of intelligence agencies. Based on that text,
the FISC would have oversight at least over those procedures, but
perhaps not more broadly. The EU potentially could seek very broad
oversight, along the lines of ``full compliance with all the rights of
a data subject'' under EU law. Defining the scope of oversight would
quite possibly be an important subject of negotiation between the U.S.
and EU.
Scope of FISC's subject-matter jurisdiction. The FISC can only
operate within its subject-matter jurisdiction. Recent decisions of the
FISA Court of Review have discussed the FISC's defined subject-matter
jurisdiction, which may prevent non-parties from requesting relief that
merely ``relates to the FISC or the FISA,'' as opposed to relief
expressly authorized by FISA. See, e.g., In re Opinions & Orders by the
FISC Addressing Bulk Collection of Data under [FISA], FISCR 20-01 at
18-19 (FISA Ct. Rev. Apr. 24, 2020), available here (holding FISCR did
not have subject-matter jurisdiction to adjudicate ACLU request to
declassify portions of Section 215 orders). The proposed approach,
however, would merely ask FISC to confirm compliance with its own
orders, which FISA expressly authorizes FISC to do.
Possibly build agreement with the EU into the scope of the
targeting, querying, and minimization procedures. One potentially
fruitful path is to include EU-relevant provisions in the annual
authorizations by the FISC of Section 702. For instance, the targeting
procedures might adopt language responsive to EU legal concerns, such
as stating that targeting shall be done only as necessary and
proportionate. If the FISC order concerning 702 required necessity and
proportionality--key terms within EU law--then the FISC presumably
could oversee implementation of those necessity and proportionality
requirements. The U.S. Government would have the ability to request
such language, or other language negotiated with the EU, in the
targeting procedures, as part of its regular legal submissions to the
FISC. The FISC could issue binding requirements on U.S. agencies to
ensure compliance with its Section 702 orders.
Due to the defined subject matter jurisdiction of the FISC, the
court quite possibly would not have judicial authority to rule on the
legality of surveillance under EO 12,333. The FISC review above is
predicated on the FISC's authority to oversee implementation of Section
702 orders, but the FISC has no similar statutory authority over an
executive order, such as EO 12333.
I offer five observations about EO 12,333:
First, the fact-finding phase, potentially including
intelligence agencies and the PCLOB, could apply to both
Section 702 and EO 12,333. Perhaps legal theories could be
developed about how the FISC could review, as an ancillary
matter, the portion of the record pertaining to EO 12,333. My
tentative conclusion, however, is that review of EO 12,333
surveillance would be outside of the scope of the FISC's
authority, absent statutory change.
Second, EO 12,333 surveillance may be sufficiently protected
by the procedural steps before the complaint gets to the FISC.
The PCLOB or an agency procedure, for instance, could be the
final arbiter on EO 12,333 issues. Docksey specifically
presents arguments about why a PCLOB decision might meet EU
legal requirements.
Third, the Commerce Department White Paper contains multiple
arguments about why no further legal protections should be
required for companies using standard contractual clauses.
Importantly, for instance, the White Paper states that it is
unclear how companies can ``consider any U.S. national security
data access other than targeted government requirements for
disclosure such as under FISA 702.'' Under these approaches,
the U.S. government has thus articulated reasons why the scope
of individual redress should match Section 702, rather than
including EO 12,333.
Fourth, in practice, many companies are addressing EO 12,333
by taking additional safeguards with respect to secure
communications when personal data leaves the EU, such as to
come to the U.S. There is ongoing discussion among European
actors about the extent to which use of strong encryption
answers EU legal concerns about EO 12,333 surveillance. If such
use of encryption turns out to meet EU legal requirements, then
individual redress can apply to the cases where it is relevant,
under Section 702.
Fifth, and if the previous observations do not apply, I
present as another possible approach the following analysis of
why an effective regime of individual redress may meet the EU
legal standard of ``essential equivalence,'' even if EO 12,333
is outside of that regime. In recent cases concerning data
retention, the CJEU highlighted its jurisdiction where a
government achieves surveillance via private actors, such as
companies subject to a judicial order. By contrast, the CJEU
did not say that it had jurisdiction, in the face of the
national security exception to its jurisdiction, where a
government performs surveillance directly (not through a
private company). Judicial orders to private companies apply to
Section 702, but not to government activities under EO 12,333.
With the disclaimer that I am a U.S. lawyer, perhaps it is
worth considering whether the EU ``essentially equivalent''
regime of individual redress, to that offered by the EU Member
States, might apply only to judicially ordered actions by
companies, that is, to Section 702. With the same disclaimer,
the same limit on ``national security'' jurisdiction does not
apply to the European Court of Human Rights, and potentially
its jurisprudence would apply to the direct government actions
under EO 12,333.
Conclusion
This document has attempted to set before this Committee and the
public research to date about how to create a system of individual
redress under U.S. law. Standing doctrine, under Article III of the
U.S. Constitution, can block many proposed ideas for offering
individual redress to an individual. The Propp/Swire proposal explained
how the analogy to FOIA can require an agency to act, with a court then
empowered to review the agency action. Christopher Docksey has
supplemented the initial proposal with his expert insights about EU
legal requirements. The new discussion here then presents ways that
valid individual redress might be created by the U.S. government, even
before Congress is able to enact a statute.
Members of this Committee and other U.S. policymakers may doubt
whether it is desirable as a policy matter to create such systems of
individual redress for EU citizens. In response, there is this simple
point--the highest court of the European Union has stated, apparently
as a matter of its constitutional law, that such individual redress is
required. Absent a valid system of individual redress, any future
agreement between the U.S. and EU will be subject to great risk of
invalidation. Faced with that reality, the proposals here seek to
present possible solutions. Creative alternative proposals are most
welcome, and the task is important.
______
``Updates to U.S. Foreign Intelligence Law Since 2016 Testimony''
Appendix 2 to U.S. Senate Commerce Committee Testimony
on ``The Invalidation of the EU-U.S. Privacy Shield
and the Future of Transatlantic Data Flows''
Peter Swire\1\
---------------------------------------------------------------------------
\1\ Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia
Tech Scheller College of Business; Research Director, Cross-Border Data
Forum; senior counsel, Alston & Bird LLP. The opinions expressed here
are my own, and should not be attributed to the Cross-Border Data Forum
or any client. For research assistance on this appendix I thank Daniel
Felz and Sara Guercio. This Appendix is based on publicly available
information; I have not had access to any relevant classified
information since 2016. The views expressed here are my own.
---------------------------------------------------------------------------
This Appendix supplements written testimony I am submitting to the
Senate Committee on Commerce, Science, and Transportation for the
December 9, 2020 hearing on ``The Invalidation of the EU-U.S. Privacy
Shield and the Future of Transatlantic Data Flows.'' This Appendix
presents updates on the U.S. legal and regulatory regime for foreign
intelligence surveillance that have occurred since testimony I provided
to the Irish High Court in 2016 on the same subject (the ``2016
Testimony'').\2\ Taken together, the 2016 Testimony and this Appendix
seek to present an integrated set of references that may inform ongoing
assessments, under European Union law, of the adequacy of protection of
personal data related to U.S. foreign intelligence law.
---------------------------------------------------------------------------
\2\ Peter Swire, Testimony of Peter Swire (submitted to High Court
of Ireland Nov. 3, 2016), available at https://www.alston.com/en/
resources/peter-swire-irish-high-court-case-testimony/.
---------------------------------------------------------------------------
My 2016 Testimony was submitted in November 2016, several months
after the EU Commission adopted the finalized Privacy Shield in July
2016. At that time, I listed over twenty significant privacy-protective
changes that had been made to U.S. foreign intelligence laws since the
Snowden disclosures in 2013.\3\ My 2016 Testimony then discussed the
systemic safeguards present in U.S. law for foreign intelligence,
including: (a) safeguards anchored in the statutes governing foreign
intelligence surveillance by U.S. agencies,\4\ (b) interlocking
executive, legislative, and independent oversight mechanisms that are
in place for surveillance activities;\5\ (c) transparency mechanisms
implemented since the Snowden disclosures that offered a level of
transparency into U.S. surveillance practices unparalleled in other
nations;\6\ and (d) privacy safeguards implemented within the Executive
Branch to protect personal information of non-US persons.\7\ Chapter 5
of my 2016 Testimony also contained a detailed discussion of
declassified opinions of the Foreign Intelligence Surveillance Court
(FISC), including my assessment that the FISC has exercised careful and
effective oversight over foreign intelligence surveillance.\8\
---------------------------------------------------------------------------
\3\ See id. at 3-10--3-12.
\4\ See id. at 3-12--3-26.
\5\ See id. at 3-26--3-34.
\6\ See id. at 3-34--3-38.
\7\ See id. at 3-39--3-49.
\8\ See id. at 5-1--5-53.
---------------------------------------------------------------------------
This Appendix highlights updates that have occurred since the 2016
period in which Privacy Shield and my Testimony were finalized. As an
overview of what will be discussed in this Appendix, the following
summarizes intervening developments that have resulted in greater
safeguards, or in the continued effectiveness of safeguards already in
place, since that 2016 period:
1. The FISA Amendments Reauthorization Act of 2017 (FARA)
introduced new safeguards for Section 702 programs, including:
(a) mandating querying procedures for 702-acquired information,
(b) codifying the National Security Agency (NSA) and Federal
Bureau of Investigation (FBI) practice of appointing
Privacy and Civil Liberties Officers,
(c) expanding whistleblower protections to Intelligence
Community (IC) contractors,
(d) increasing disclosure and transparency requirements for
Section 702 programs, and
(e) imposing significant restrictions on the recommencement of
Abouts collection.
2. The FISC has continued to annually evaluate Section 702
surveillance as required under Section 702, and its
reauthorization orders have resulted in new protections for
Section 702 programs.
3. As a result of FISC's continued supervision of Abouts collection,
the NSA (a) voluntarily terminated Abouts collection and (b)
segregated and deleted all Internet transactions previously
acquired through its Upstream program.
4. The Office of Director of National Intelligence (ODNI) has
continued to declassify significant documents relating to
Section 702 surveillance, such as publishing the Section 702
trainings that NSA provides to its internal personnel that
conduct Section 702 programs on a day-to-day basis.
5. Due in part to compliance incidents reported to the FISC, NSA
decided to delete three years' worth of Call Detail Records
(CDRs) obtained under the USA FREEDOM Act. NSA then decided to
suspend its CDR program in early 2019.
6. The Privacy and Civil Liberties Oversight Board (PCLOB) issued
new oversight reports on (a) the NSA's Call Detail Records
program under the USA FREEDOM Act, as well as (b) the
implementation of Presidential Policy Directive 28 (PPD-28) in
U.S. intelligence agencies. PCLOB also recently announced it
concluded an oversight review of the U.S. Treasury Department's
Terrorist Finance Tracking Program.\9\
---------------------------------------------------------------------------
\9\ See generally U.S. Privacy and Civil Liberties Oversight Bd.,
Press Release: Privacy and Civil Liberties Oversight Board Concludes
Review of Treasury Department's Terrorist Finance Tracking Program,
(Nov. 19, 2019) available at https://documents.pclob.gov/prod/
Documents/EventsAndPress/de7972f6-03f1-48fd-8acd-b719a658e4a0/
TFTP%20Board%20Statement.pdf. PCLOB Chairman Adam Klein also issued a
statement describing EU decisions to rely on TFTP instead of building
its own equivalent program, and identifying privacy protective measures
in place for EU citizens within TFTP, such as storage of EU bank
customer data in the EU. See U.S. Privacy and Civil Liberties Oversight
Bd., Statement by Chairman Adam Klein on the Terrorist Finance Tracking
Program, (Nov. 19, 2020) available at: https://documents.pclob.gov/
prod/Documents/EventsAndPress/b8ce341a-71d5-4cdd-a101-219454bfa459/
TFTP%20Chairman%20Statement%2011_19_20.pdf.
---------------------------------------------------------------------------
7. The ODNI has continued to publish annual Statistical
Transparency Reports showing numerical statistics that provide
transparency on the extent to which U.S. agencies are
requesting data under FISA authorities, including Section 702
authorities.
8. The Department of Justice (DOJ) and ODNI continue to publish
Semiannual Reports on the NSA's, FBI's, and CIA's compliance
with Section 702 requirements, including statistics and
descriptions of instances of non-compliance. These Reports
continue to be created as a result of DOJ/ODNI's regular on-
site reviews of the intelligence agencies.
9. U.S. foreign intelligence law continues to permit companies to
publish transparency reports. My review of leading technology
companies' recent transparency reports shows that, as in 2016,
U.S. intelligence appears to affect a vanishingly small
percentage of their active users.
10. ODNI has continued to publish significant quantities of
declassified documents related to U.S. foreign intelligence
activities on the ``IC on the Record'' website. It also
facilitated greater access to these documents by launching a
text-searchable capability on Intel.gov.
11. FISC has continued to declassify opinions and publish statistics
on its handling of government surveillance applications. The
percentage of applications that the FISC has modified or denied
has increased since 2016.
This Appendix discusses the above developments in eight Sections
that track the structure of my 2016 Testimony: 1) updates to systemic
safeguards for U.S. foreign intelligence, 2) updates to Section 702
programs, 3) updates to the former 215 program, 4) updates to oversight
safeguards, 5) updates to transparency safeguards, 6) updates to
executive safeguards, 7) updates to Foreign Intelligence Surveillance
Court (FISC) testimony, 8) updates to surveillance-related standing
cases.
1. Updates to Systemic Safeguards for U.S. Foreign Intelligence
A significant portion of my 2016 Testimony discussed the systemic
safeguards built into the structure of foreign intelligence in the
United States.\10\ The core and structure of these safeguards has
remained unchanged since I testified in 2016. The U.S. remains a
constitutional democracy committed to the rule of law in conducting
foreign-intelligence surveillance.\11\ Further, U.S. surveillance
remains subject to an interconnected system of statutory
safeguards,\12\ oversight mechanisms,\13\ transparency mechanisms,\14\
and Executive Branch safeguards.\15\ My detailed discussion of these
safeguards can be read in my 2016 Testimony, as outlined in the
introduction above.
---------------------------------------------------------------------------
\10\ See generally Swire, supra note 2 at 3-2--3-49.
\11\ See id. at 3-2--3-6.
\12\ See id. at 3-12--3-26.
\13\ See id. at 3-26--3-34.
\14\ See id. at 3-34--3-38.
\15\ See id. at 3-39--3-49.
---------------------------------------------------------------------------
2. Updates to Section 702 Programs
Section 702 of FISA is the basis for significant foreign
intelligence collection by U.S. intelligence agencies, and was
discussed at length in my 2016 Testimony.\16\ Since 2016, the legal
structure of Section 702 has remained largely unchanged. Section 702
requires the Attorney General and DNI to annually apply to the Foreign
Intelligence Surveillance Court (FISC) to authorize Section 702
surveillance programs.\17\ In doing so, the FISC reviews and authorizes
the targeting, minimization, and (since 2018) querying procedures under
which the intelligence agencies conduct Section 702 surveillance.\18\
Throughout the ensuing year, the agencies' conduct of Section 702
programs is monitored by internal procedures, external audits, and
regular reporting to the FISC and Congress.\19\ The primary programs
that exist under Section 702 remain (a) the Prism program, in which
agencies such as the NSA serve directives on communications providers
compelling the disclosure of communications to or from a tasked
selector; and (b) the Upstream program, in which Internet backbone
providers acquire communications to or from a tasked selector as they
traverse the Internet.\20\ My 2016 Testimony discusses the structure of
Section 702 as well as its primary programs in detail.\21\
---------------------------------------------------------------------------
\16\ See id. at 3-18--3-24.
\17\ See id. at 3-18--3-21.
\18\ See id.
\19\ See generally id. at 3-2--3-49.
\20\ See generally id. at 3-18--3-24.
\21\ See id.
---------------------------------------------------------------------------
Despite broad continuity in Section 702 practice since my 2016
Testimony, a number of significant updates have occurred. This Section
briefly summarizes a selection of these changes: (a) the FISA
Amendments Reauthorization Act of 2017 and its privacy-protective
aspects; (b) the FISC continues to reauthorize the Section 702 programs
annually; (c) NSA terminated Upstream's Abouts collection in connection
with 2017 FISC Reauthorization; (d) statistics on 702 programs continue
to be released by the U.S. government; (e) the U.S. government
continues to publish the Semiannual Assessment of compliance for 702
programs; and, (f) NSA declassified its internal guidance and training
manuals for 702 programs.
a. FISA Amendments Reauthorization Act of 2017 (FARA)
In 2018, the FISA Amendments Reauthorization Act of 2017 (FARA) was
passed, reauthorizing FISA for a five-year term and providing
additional oversight and privacy protections.\22\ Specifically, FARA i)
mandated that intelligence agencies adopt querying procedures governing
how they may access and use Section 702 intelligence; ii) codified the
appointment of Privacy and Civil Liberties Officers in the NSA and FBI;
iii) expanded whistleblower protections; iv) increased agency
disclosure requirements; and v) required an approval process if the NSA
wishes to restart Abouts collections.\23\
---------------------------------------------------------------------------
\22\ See FISA Amendments Reauthorization Act of 2017, Pub. L. 115-
118, (2018) [hereinafter ``FARA''].
\23\ See generally id.
---------------------------------------------------------------------------
i. Mandatory Querying Procedures
Before FARA, Section 702 mandated that intelligence agencies adopt
``targeting'' and ``minimization'' procedures, which collectively
provided the standards by which individuals are targeted for foreign
intelligence surveillance and how subsequently acquired communications
may be retained and used. FARA added a requirement that the NSA, FBI,
CIA, and NCTC adopt ``querying'' procedures governing how these
agencies are permitted to access and search 702-acquired
communications.\24\ Like targeting and minimization procedures, Section
702 querying procedures must be annually submitted to the FISC for
approval, and FISC must evaluate them for consistency with FISA and
``the requirements of the Fourth Amendment.'' \25\ While FARA set forth
specific requirements for U.S. person queries,\26\ the querying
procedures adopted by U.S. intelligence agencies contain safeguards for
all individuals regardless of nationality. For example, the NSA's 2019
Querying Procedures state that ``[e]ach query of NSA systems containing
unminimized content or noncontent information acquired pursuant to
section 702 . . . must be reasonably likely to retrieve foreign
intelligence information.'' \27\ These requirements, and FISC's annual
review of how they are followed by U.S. intelligence agencies, help
support proportional use of communications acquired under Section 702.
---------------------------------------------------------------------------
\24\ Id. Sec. 101.
\25\ Id. Sec. 101(a)(1)(B)(f)(1) (2018).
\26\ Id. Sec. 109 (2018).
\27\ Nat'l Sec. Agency, Querying Procedures Used by the National
Security Agency in Connection with Acquisitions of Foreign Intelligence
Information Pursuant to Section 702 of the Foreign Intelligence
Surveillance Act of 1978, As Amended, 3 (Sept. 16, 2019), available at:
https://www.intelligence.gov/assets/documents/702%20Documents/
declassified/2019_702_Cert_NSA_Querying_17Sep19_OCR.pdf.
---------------------------------------------------------------------------
ii. Ratification of Appointment of PCLOs within Agencies
Under its Section 109, FARA expressly required the NSA and FBI to
appoint Privacy and Civil Liberties Officers (PCLOs).\28\ This change
represented more of a change in law than in practice, since both NSA
and FBI already had active PCLOs in place as a matter of internal
policy before FARA was enacted.\29\ Nonetheless, FARA's express
codification of NSA's and FBI's prior practice represents Congress's
approval of the IC practice of installing oversight and privacy
protection offices directly within the agencies that conduct foreign
intelligence surveillance.
---------------------------------------------------------------------------
\28\ FARA Sec. 106.
\29\ Office of the Dir. of Nat'l Intelligence, The FISA Amendments
Reauthorization Act of 2017: Enhanced Privacy Safeguards for Personal
Data Transfers Under Privacy Shield, 3 (Oct. 15, 2018) available at:
https://www.dni.gov/files/documents/icotr/Summary-FISA-Reauthorization-
of-2017--10.15.18.pdf [hereinafter ``DNI FARA Summary''].
---------------------------------------------------------------------------
iii. Expansion of Whistleblower Protections
FARA extended available whistleblower protections to contract
employees working within U.S. intelligence agencies.\30\ Prior to FARA,
``contractors were protected from agency management retaliation,'' but
not from retaliation from the contractor's direct employer.\31\ FARA
thus extended whistleblower protections to prohibit retaliation against
a whistleblowing IC contractor by the contractor's employer.\32\ As a
result, IC contractors can report deficiencies or violations to the
inspectors general of U.S. intelligence agencies and, as permitted by
law, to the Senate and House intelligence committees.\33\
---------------------------------------------------------------------------
\30\ FARA Sec. 110.
\31\ DNI FARA Summary, supra note 29.
\32\ See id.
\33\ See Swire, supra note 2 at 3-28--3-29.
---------------------------------------------------------------------------
iv. Increased Disclosure Requirements
FARA introduced a number of new disclosure requirements for
intelligence agencies. First, FARA requires future ODNI Statistical
Transparency Reports agencies to separately state the number of U.S.
persons and non-US persons that were targets of electronic
surveillance.\34\ Second, FARA formally mandates that agencies' Section
702 minimization procedures be published.\35\ Third, FARA requires the
Attorney General to provide new reporting to Congress on the number of
surveillance applications and emergency authorizations,\36\ and to make
each report publicly available and unclassified ``to the extent
consistent with national security.'' \37\
---------------------------------------------------------------------------
\34\ FARA Sec. 102(b).
\35\ Id. Sec. 104 (2018). Although agencies' minimization
procedures have already been declassified and published for each year
in which the corresponding Section 702 reauthorization was published,
this change may result in minimization procedures being published even
when the underlying reauthorization is not.
\36\ Id. Sec. 107.
\37\ Id.
---------------------------------------------------------------------------
v. Requirements for Resuming Abouts Collections
Abouts collection was an aspect of the NSA's Upstream program. As
discussed more fully in Section 2(d) below, following significant
interaction with the FISC on the lawfulness of Abouts communication,
the NSA voluntarily discontinued Abouts collections in March 2017. FARA
now ensures that both the FISC and Congress must be informed before
Abouts collection can be revived. If the NSA wishes to resume
``intentional acquisition of [A]bouts communication,'' several
requirements must be met.\38\ First, FISC must issue a certification
approving the program and ``a summary of the protections in place to
detect any material breach.'' \39\ Second, the NSA must notify Congress
in writing 30 days before resuming Abouts collection, and cannot begin
Abouts collection within that thirty-day window.\40\ The FISC's order
approving the recommencement of Abouts collection must be attached to
the notice provided to Congress.\41\ Third, if Abouts collection
resumes after having satisfied the prior two requirements, the NSA must
report all material breaches to Congress.\42\ Finally, any FISC opinion
certifying the recommencement of Section 702 Abouts collection will be
designated as a ``novel or significant interpretation of the law,''
thus requiring appointment of an amicus curiae during authorization
proceedings, as well as public release of the opinion.\43\ The presence
of these requirements within the amended Section 702 adds another level
of oversight to the NSA's collection of Section 702 data.
---------------------------------------------------------------------------
\38\ Id. Sec. 103.
\39\ Id. Sec. 103(b)(3).
\40\ Id. Sec. 103(b)(2).
\41\ Id. Sec. 103(b)(3).
\42\ Id. Sec. 103(b)(5). Material breaches include ``significant
noncompliance with applicable law or an order of the FISC concerning
any acquisition of Abouts communication,'' see id. Sec. 103(b)(1)(B).
It can be presumed that other compliance incidents, whether material or
not, would be reported to the FISC, as this is the FISC's current
requirement for Section 702 programs.
\43\ Id. Sec. 103(b)(6); see also USA FREEDOM Act, Pub. L. 114-23,
Sec. 602(a) (2017).
---------------------------------------------------------------------------
b. FISC Continued to Evaluate 702 Compliance During Annual
Reauthorizations
As stated above, FISC must annually review and reauthorize Section
702 programs. Since my prior testimony, FISC has reauthorized Section
702 programs on at least three occasions: in April 2017,\44\ October
2018,\45\ and December 2019.\46\ For each of these reauthorizations,
the U.S. government declassified and published (a) the FISC order
evaluating and reauthorizing Section 702 programs; and (b) the
targeting, minimization, and (starting in 2018) querying procedures
approved by the FISC to govern the conduct of Section 702
surveillance.\47\ For the 2016 reauthorization, the government also
declassified the ODNI/Attorney General certification and the NSA
Director's affidavit submitted to FISC.\48\
---------------------------------------------------------------------------
\44\ See generally Mem. Op. & Order [Redacted], Case Caption
[Redacted] (F.I.S.C. Apr. 26, 2017) available at: https://www.dni.gov/
files/documents/icotr/51117/2016_Cert_FISC_Memo_
Opin_Order_Apr_2017.pdf [hereinafter ``FISC 2016/2017
Reauthorization''].
\45\ See generally Order [Redacted], Case Caption [Redacted]
(F.I.S.C. Oct. 18, 2018) available at: https://www.intelligence.gov/
assets/documents/702%20Documents/declassified/2018_Cert_
FISC_Opin_18Oct18.pdf [hereinafter ``FISC 2018 Reauthorization''].
\46\ See generally Mem. Op. & Order [Redacted], Case Caption
[Redacted] (F.I.S.C. Dec. 6, 2019) available at: https://
www.intelligence.gov/assets/documents/702%20Documents/declassified/
2019_702_Cert_FISC_Opinion_06Dec19_OCR.pdf [hereinafter ``FISC 2019
Reauthorization''].
\47\ See generally FISC 2016/2017 Reauthorization, supra note 44;
FISC 2018 Reauthorization, supra note 45; FISC 2019 Reauthorization,
supra note 46.
\48\ See generally FISC 2016/2017 Reauthorization, supra note 44.
---------------------------------------------------------------------------
The FISC reauthorization opinions show the FISC conducting the
careful and detailed oversight over Section 702 surveillance I
discussed in my 2016 Testimony.\49\ FISC continued to examine how
Section 702 programs ``have been and will be implemented'' in
practice.\50\ It also crafted new requirements for compliance with
Section 702. As brief examples of FISC's review:
---------------------------------------------------------------------------
\49\ See generally Swire, supra note 2 at 5-1--5-53.
\50\ Mem. Op. & Order [Redacted], Case Caption [Redacted], 3
(F.I.S.C. Aug. 26, 2014), available at https://www.dni.gov/files/
documents/0928/FISC%20Memorandum%20Opinion%20and%20
Order%2026%20August%202014.pdf; See also Swire, supra note 2 at 5-12--
5-14.
---------------------------------------------------------------------------
The 2016 reauthorization opinion is 99 pages long.\51\ The
FISC evaluated the NSA's reports of compliance incidents
relating to Abouts collection, and the NSA's decision to
terminate Abouts collection in response (discussed immediately
below). Further, the FISC evaluated the NCTC receiving access
to Section 702 information, NSA data deletion questions, and
potential issues relating to NSA's Upstream program that had
occurred in the past year. The FISC also evaluated the NSA's
use of automated tools for tasking decisions; determined that
reliance on these tools was not sufficient to task a selector;
and required the NSA to begin reporting incidents where the NSA
did not conduct post-tasking review of acquired communications
to determine whether a tasking decision has been proper.
---------------------------------------------------------------------------
\51\ See FISC 2016/2017 Reauthorization, supra note 44; Due to
extensions granted to review Abouts collection which extended
reauthorization proceedings, the 2016 reauthorization appears to have
covered Section 702 surveillance in both the years 2016 and 2017. The
Attorney General and ODNI filed certifications to reauthorize Section
702 surveillance on September 26, 2016. See also Government's Ex Parte
Submission of Reauthorization Certifications and Related Procedures, Ex
Parte Submission of Amended Certifications, and Request for an Order
Approving Such Certifications and Amended Certifications [Redacted],
(F.I.S.C. Sept. 26, 2016) available at: https://www.dni.gov/files/
documents/icotr/51117/2016_Certification_Cover_Filing_Sep_26_
2016_part_1_and_2_-merged.pdf. In evaluating Abouts collection issues,
FISC granted extensions into March 2017, at which point NSA announced
it was terminating Abouts collection. FISC then issued its
reauthorization order on April 26, 2017. This reauthorization thus
appears to have authorized Section 702 programs for 2016 and 2017.
---------------------------------------------------------------------------
The 2018 reauthorization opinion is 138 pages long.\52\ In
its most lengthy discussion, the FISC found FBI querying
practices involving U.S. person identities were inconsistent
with the Fourth Amendment; this finding was appealed to the
FISA Court of Review, which affirmed the FISC,\53\ resulting in
the FBI modifying its minimization and querying procedures.\54\
Additionally, in a novel and significant decision, the FISC
held that FARA restrictions on Abouts collection also applied
to certain non-Abouts collection. Although the precise
collection technique at issue remained redacted, FISC ordered
the NSA to report each time it tasked a selector using this
technique within 10 days to FISC, presumably to monitor on an
ongoing basis that NSA's acquisitions complied with the
restrictions of FARA.\55\ For this decision, the FISC invited
and received amicus briefing.
---------------------------------------------------------------------------
\52\ See FISC 2018 Reauthorization, supra note 45.
\53\ See In Re: DNI/AG 702(h) Certifications 2018 [Redacted], Dkt.
No. [Redacted] (F.I.S.A. Ct. Rev. July 12, 2019) available at: https://
www.intelligence.gov/assets/documents/702%20Docu
ments/declassified/2018_Cert_FISCR_Opinion_12Jul19.pdf.
\54\ See Mem. Op. & Order [Redacted], Case No. [Redacted] (F.I.S.C.
Sept. 4, 2019) available at: https://www.intelligence.gov/assets/
documents/702%20Documents/declassified/2018_Cert_
FISC_Opinion_04Sep19.pdf.
\55\ See FISC 2018 Reauthorization, supra note 45 at 136-138.
---------------------------------------------------------------------------
The 2019 reauthorization opinion is 83 pages long.\56\ It
addressed questions about whether the NSA may share information
with FBI for targeting purposes, as well as the retention
period for Upstream collection after termination of Abouts
collection. Additionally, FISC addressed whether 702-acquired
information could be captured by intelligence agencies' ``user-
activity monitoring'' (AUM) activities, such as insider threat
protection. The FISC preliminarily approved AUM activities, but
required all agencies to provide further reporting on the
extent of their AUM activities and the amount of 702-acquired
information affected by it.
---------------------------------------------------------------------------
\56\ See FISC 2019 Reauthorization, supra note 46.
---------------------------------------------------------------------------
c. NSA Terminated Upstream's Abouts Collection in Connection with
FISC's 2017 Section 702 Reauthorization
The NSA's termination of Abouts collection represents a significant
development that has occurred since my 2016 Testimony and illustrates
the effectiveness of the U.S. system of safeguards for foreign
intelligence surveillance. Abouts collection referred to an aspect of
the NSA's Section 702 Upstream program. It acquired communications that
were not to or from a tasked selector, but which instead mentioned the
selector (and were thus described as being ``about'' that selector). An
example would be the NSA receiving an e-mail where the selector e-mail
address of the target is included in the body or text of the e-mail,
but neither sent nor received that e-mail.\57\
---------------------------------------------------------------------------
\57\ Nat'l Sec. Agency, NSA Stops Certain 702 ``Upstream''
Activities, PA-014-18, (Apr. 28, 2017), available at: https://
www.nsa.gov/news-features/press-room/Article/1618699/nsa-stops-certain-
section-702-upstream-activities/.
---------------------------------------------------------------------------
Abouts collection first came to FISC's attention in 2011, when it
raised concerns due to acquisition of Multi-Communication Transactions
(MCTs).\58\ E-mails and similar communications are often not
transmitted through the Internet as discrete communications, but
instead as part of MCT clusters,\59\ what is often called a ``thread''
of e-mails. This resulted in Upstream acquiring not just communications
containing a tasked selector, but also a further cluster of attached
communications in which the selector did not appear.\60\ For Abouts
communication, FISC found this raised heightened privacy concerns,
since it resulted in the NSA acquiring communications that did not
contain selectors.\61\ FISC thus imposed a number of restrictions on
Abouts collection, such as requiring the NSA to segregate Abouts
collection from other 702-acquired data, to restrict other agencies'
access to Upstream collection, to restrict NSA analysts' use of
Upstream-collected data, and to purge Upstream collection on a more
expedited basis than other 702-acquired information.\62\ These
restrictions were memorialized in NSA's Section 702 minimization
procedures beginning in 2011.\63\
---------------------------------------------------------------------------
\58\ See generally Swire, supra note 2 at 5-31--5-34.
\59\ See Id.
\60\ See Id.
\61\ See Id.
\62\ See Mem. Op. [Redacted], Case No. [Redacted] (F.I.S.C. Oct. 3,
2011) available at: https://www.dni.gov/files/documents/0716/October-
2011-Bates-Opinion-and%20Order-20140716.pdf.
\63\ See Mem. Op. [Redacted], Case No. [Redacted] (F.I.S.C. Nov.
30, 2011) available at: http://www.fas.org/irp/agency/doj/fisa/
fisc1111.pdf.
---------------------------------------------------------------------------
It appears that in 2016, NSA's Inspector General reviewed NSA's
querying of Upstream collections and identified ``significant
noncompliance'' with the FISC's restrictions.\64\ This was reported to
FISC, which held a hearing and required the government to submit a
report on the full extent of querying practices affecting Upstream data
as well as a remediation plan.\65\ The government provided several
rounds of updates to the FISC; however, the FISC on several occasions
expressed dissatisfaction with the state of the government's
investigation into how querying practices were not complying with
existing FISC orders.\66\
---------------------------------------------------------------------------
\64\ FISC 2016/2017 Reauthorization, supra note 44 at 4.
\65\ See id.
\66\ See id. at 4-6.
---------------------------------------------------------------------------
Ultimately, on March 30, 2017, the NSA reported to FISC that it
would ``eliminate `Abouts' collection altogether.'' \67\ In addition,
NSA stated it would ``sequester and destroy raw Upstream Internet data
previously collected,'' and ``destroy such sequestered Internet
transactions as soon as practicable through an accelerated age-off
process.'' \68\ Going forward, NSA stated that any communications
obtained by Upstream ``that are not to or from a person targeted in
accordance with NSA's section 702 targeting procedures . . . will be
destroyed upon recognition,'' and that NSA ``will report any
acquisition of such communications to [FISC] as an incident of non-
compliance.'' \69\ The NSA proffered updated minimization procedures to
the FISC that memorialized these changes to Upstream.\70\
---------------------------------------------------------------------------
\67\ Id. at 6.
\68\ Id. at 23-24.
\69\ Id.
\70\ Id. at 26.
---------------------------------------------------------------------------
The FISC accepted the NSA's updated minimization procedures that
prohibited Abouts collection.\71\ Further, as described above, FARA now
requires the NSA to obtain FISC authorization, and provide notification
to Congress, prior to recommencing Abouts communication.\72\ The NSA
also publicly announced its termination of Abouts collection.\73\
---------------------------------------------------------------------------
\71\ See id.
\72\ FARA Sec. 103.
\73\ Nat'l Sec. Agency, NSA Stops Certain 702 ``Upstream''
Activities, PA-014-18 (Apr. 28, 2017), available at: https://
www.nsa.gov/news-features/press-room/Article/1618699/nsa-stops-certain-
section-702-upstream-activities/.
---------------------------------------------------------------------------
The termination of Abouts communication underscores the
effectiveness of the U.S. system of safeguards for foreign
intelligence. The FISC recognized privacy risks in Abouts collection
and imposed heightened requirements on the NSA. Those requirements
could not be met, in part due to technical challenges. Internal reviews
identified the noncompliance; and it was reported to FISC. FISC
insisted on compliance with its privacy restrictions, and the NSA
determined this required Abouts collection to end.
d. Statistics on 702 Programs Continue to be Released by the U.S.
Government
ODNI publishes annual Statistical Transparency Reports that
identify the number of non-U.S. persons who are the targets of tasked
selectors under Section 702.\74\ My 2016 Testimony referenced that in
2015, there had been 94,368 targets of Section 702 programs.\75\ Since
then, the Statistical Transparency Reports have provided targeting
statistics for subsequent years.\76\ The following table provides
statistics for targeting of non-US persons under Section 702 since
2016:\77\
---------------------------------------------------------------------------
\74\ See 50 U.S.C. Sec. 1873(b)(2)(A); Swire, supra note 2 at 3-
36--3-37.
\75\ See Swire, supra note 2 at 3-21--3-24.
\76\ See generally Office of the Dir. of Nat'l Intelligence,
Statistical Transparency Report: Regarding the use of National Security
Authorities for Calendar Year 2016 (Apr. 2017) available at: https://
www.dni.gov/files/icotr/ic_transparecy_report_cy2016_5_2_17.pdf; See
generally Office of the Dir. of Nat'l Intelligence, Statistical
Transparency Report: Regarding the use of National Security Authorities
for Calendar Year 2017 (Apr. 2018) available at: https://www.dni.gov/
files/documents/icotr/2018-ASTR-CY2017-FINAL-for-Release-5.4.18.pdf;
See generally Office of the Dir. of Nat'l Intelligence, Statistical
Transparency Report: Regarding the use of National Security Authorities
for Calendar Year 2018, (Apr. 2019) available at: https://www.dni.gov/
files/CLPT/documents/2019_ASTR_for_CY2018.pdf; See generally Office of
the Dir. of Nat'l Intelligence, Statistical Transparency Report:
Regarding the use of National Security Authorities for Calendar Year
2019 (Apr. 2020) available at: https://www.dni.gov/files/CLPT/
documents/2020_ASTR_for_CY2019_FINAL.pdf.
\77\ Office of the Dir. of Nat'l Intelligence, Statistical
Transparency Report: Regarding the use of National Security Authorities
for Calendar Year 2019, 14 (Apr. 2020) available at: https://
www.dni.gov/files/CLPT/documents/2020_ASTR_for_CY2019_FINAL.pdf
[hereinafter ``2019 Statistical Transparency Report''].
------------------------------------------------------------------------
Calendar Year                           2016      2017      2018      2019
------------------------------------------------------------------------
Estimated Number of Section 702      106,469   129,080   164,770   204,968
Targets for Non-US Persons
------------------------------------------------------------------------
I add one comment relevant to current discussions about possible
changes in U.S. surveillance practices after Schrems II. One proposal I
have heard would be to end the Section 702 program and have each
selector be subject to the one-at-a-time prior approval by a judge
under Title I of FISA, the sort of approval that applies to individuals
in the U.S. where there is probable cause that they are ``agents of a
foreign power.'' \78\ There are currently 11 Federal district judges on
the FISC; processing over 100,000 individual orders per year would
simply not be possible with anything like current staffing with the
care and attention to each application that DOJ documents and a judge
assesses. As discussed in my 2016 Testimony, Section 702 was created in
2008 as an increase in legal process compared to prior collection done
outside of the US.\79\ Adding one-at-a-time prior approval by a judge
for each selector would thus appear to be a greater change to current
practice than some may have realized. That is not a conclusion about
what changes the U.S. might contemplate in discussions with the EU, but
instead an observation about the nature of the current 702 program.
---------------------------------------------------------------------------
\78\ 50 U.S.C. Sec. 1801(b).
\79\ See Swire, supra note 2 at 3-18--3-19.
---------------------------------------------------------------------------
e. The U.S. Government Continued to Publish Semiannual Assessments of
Compliance for 702 Programs
Section 702 requires the AG and ODNI to jointly assess intelligence
agencies' compliance with FISA Section 702 and publish their assessment
semiannually in a declassified report (the ``Semiannual
Assessments'').\80\ The AG (through its National Security Division) and
ODNI conduct regular on-site reviews of NSA, FBI, and CIA on at least a
bimonthly basis, and they review agencies' targeting and minimization
decisions.\81\ Using the results of these reviews, the Semiannual
Assessments describe types, percentages, and trends of 702 non-
compliance issues. The table below summarizes the overall compliance
rates, as well as compliance rates for each category of non-compliance,
from December 2014 to November 2017. Note that Semiannual Assessments
are published on a lag, meaning that although the statistics below date
back to 2014, all of the below statistics have been published since the
2016 period in which my prior Testimony and Privacy Shield were
finalized.
---------------------------------------------------------------------------
\80\ 50 U.S.C. Sec. 1881(a)(l)(1).
\81\ See Swire, supra note 2 at 5-20--5-23.
\82\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 26-30
(Feb. 2016), available at: https://www.dni.gov/files/documents/
icotr/14th-Joint-Assessment-Feb2016-FINAL-REDACTED.pdf.
\83\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 27-31
(Nov. 2016), found here: https://www.dni.gov/files/documents/icotr/
15th-702Joint-Assessment-Nov2016-FINAL-REDACTED1517.pdf
\84\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 27-31
(Aug. 2017), found here: https://www.dni.gov/files/icotr/
16th_Joint_Assessment
_Aug_2017_10.16.18.pdf
\85\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 26-30
(Dec. 2017), found here: https://www.dni.gov/files/icotr/
17th_Joint_Assessment
_Dec_2017_10.16.18.pdf
\86\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 28-32
(Oct. 2018); found here: https://www.dni.gov/files/icotr/
18th_Joint_Assessment.pdf [hereinafter ``Semiannual Report 18''].
\87\ Dir. of Nat'l Intelligence & U.S. Att'y Gen., Semiannual
Assessment of Compliance with Procedures and Guidelines Issued Pursuant
to Section 702 of the Foreign Intelligence Surveillance Act, 30-36
(Dec. 2019), found here: https://www.intelligence.gov/assets/
documents/702%20
Documents/declassified/
19th%20Joint%20Assessment%20for%20702%20Dec%202019%20-%20Fi
nal%20for%20release%20(002)OCR.pdf [hereinafter ``Semiannual Report
19''].
----------------------------------------------------------------------------------------------------------------------------------
Intelligence Agencies                   Report 14      Report 15      Report 16      Report 17      Report 18      Report 19
Compliance Statistics                   (Dec. 2014-    (June 2015-    (Dec. 2015-    (June 2016-    (Dec. 2016-    (June 2017-
                                        May 2015)\82\  Nov. 2015)\83\ May 2016)\84\  Nov. 2016)\85\ May 2017)\86\  Nov. 2017)\87\
----------------------------------------------------------------------------------------------------------------------------------
Overall Non-Compliance Rate             0.35%          0.53%          0.45%          0.88%          0.37%          0.42%
Tasking Non-Compliance Rate             42.3%          58.%           50.8%          35.3%          24.9%          28.7%
Detasking Non-Compliance Rate           24.3%          21.5%          13.7%          5.9%           7.5%           7.3%
Notification Non-Compliance Rate        8.7%           5.2%           6.4%           6.8%           11.2%          22.1%
Documentation Non-Compliance Rate       4.9%           2.2%           12.9%          7.5%           14%            23.6%
Minimization Non-Compliance Rate        14.8%          9.9%           14.3%          42.5%          39.1%          17.3%
Miscellaneous/Other Non-Compliance Rate 4.9%           2.5%           2%             1.9%           0.9%           0.7%
Overcollection Non-Compliance Rate      Not reported   Not reported   Not reported   0.1%           Not reported   0.3%
----------------------------------------------------------------------------------------------------------------------------------
Overall, AG/ODNI concluded in each Semiannual Assessment that ``the
agencies have continued to implement [targeting and minimization]
procedures and follow [applicable] guidelines in a manner that reflects
a focused and concerted effort by agency personnel to comply with the
requirements of Section 702.''\88\ Only two incidents of intentional
non-compliance were identified in the six Semiannual Assessments that
have been published since my 2016 Testimony, each of which was
remedied.\89\ The Semiannual Assessments enable transparency into the
conduct of foreign intelligence surveillance that, to the best of my
knowledge, remains unique among leading nations.
---------------------------------------------------------------------------
\88\ This conclusion is from the October 2018 Semiannual
Assessment, but is representative of the conclusion of prior Semiannual
Assessments. See, e.g., Semiannual Report 18, supra note 86 at 48,
(``[T]he agencies continued to implement the procedures and follow the
guidelines in a manner that reflects a focused and concerted effort by
agency personnel to comply with the requirements of Section 702.'').
\89\ In Semiannual Report 19, there were two issues of intentional
non-compliance. The first issue involved FBI running batch queries
under proposed, but unapproved, query procedures. These query
procedures were eventually approved, but this incident still counted as
intentional non-compliance. The second issue involved traditional
intentional non-compliance where an FBI analyst queried his name and
the name of his co-worker in the FBI database. This analyst was fired,
and his security clearance was terminated. See Semiannual Report 19,
supra note 87.
---------------------------------------------------------------------------
f. NSA Declassified its Internal Training Manuals for 702 Programs
Since my 2016 Testimony, NSA has released internal guidance and
training documents related to Section 702.\90\ The documents show the
multi-level training NSA provides to personnel on Section 702
compliance. They include trainings NSA provides to analysts who task
selectors to be used in Section 702 surveillance, detailing the process
through which NSA analysts must document their rationale for targeting
a selector and submit it to an NSA ``Adjudicator'' for review.\91\ The
documents also include trainings provided to Adjudicators on reviewing
analyst requests to task specific selectors, and the checklists used in
selector evaluations.\92\ Finally, NSA published a comprehensive
Section 702 training covering aspects of NSA personnel's compliance
duties relating to collecting, processing, analysis, retention, and
dissemination of 702-acquired information, as well as obligations to
immediately report compliance incidents.\93\
---------------------------------------------------------------------------
\90\ See Office of the Dir. of Nat'l Intelligence, IC on the
Record: IC on the Record Guide to Posted Documents,
IContheRecord.tumblr.com, (Oct. 2020), available at: https://
www.intel.gov/ic-on-the-record/guide-to-posted-documents.
\91\ See Nat'l Sec. Agency, Updated FAA 702 Targeting Review
Guidance [Redacted], (May 15, 2017), available at: https://www.dni.gov/
files/icotr/ACLU%2016-CV-8936%20(RMB)%20000911
-001000%20-
%20Doc%2010.%20NSA%E2%80%99s%20702%20Targeting%20Review%20Guidance
.pdf; NSA's Practical Applications Training. See also Nat'l Sec.
Agency, CRSK1304: FAA Section 702 Practical Applications [Redacted];
https://www.dni.gov/files/icotr/ACLU%2016-CV-8936
%20(RMB)%20000911-001000%20-
%20Doc%2011.%20NSA%E2%80%99s%20702%20Practical%2
0Applications%20Training.pdf.
\92\ See Nat'l Sec. Agency, FAA702 Adjudicator Training [Redacted],
available at: https://www
.dni.gov/files/icotr/ACLU%2016-CV-8936%20(RMB)%20000911-001000%20-
%20Doc%2012.%20
NSA%E2%80%99s%20702%20Training%20for%20NSA%20Adjudicators.pdf; Nat'l
Sec. Agency, FAA 702 Adjudication Checklist [Redacted], available at:
https://www.dni.gov/files/icotr/
ACLU%2016-CV-8936%20(RMB)%20001001-001049%20-
%20Doc%2013.%20NSA%E2%80%99s%
20702%20Adjudication%20Checklist.pdf
\93\ See Nat'l Sec. Agency, OVSC1203: FISA Amendments Act Section
702 [Redacted], available at: https://www.dni.gov/files/icotr/
ACLU%2016-CV-8936%20(RMB)%20001001-001049%20-%2
0Doc%2017.%20NSA%E2%80%99s%20Training%20on%20FISA%20Amendments20Act%20Se
c
tion%20702.pdf
---------------------------------------------------------------------------
As one comment on possible reforms that may address EU legal
concerns, the U.S. government might consider codifying training
requirements and other aspects of compliance. Such codification might
be done through either statutory or non-statutory means, to address
European legal concerns that Section 702 and other safeguards be
``required by law.''
3. Updates to the Former 215 Program.
In my 2016 Testimony, I discussed ``[p]erhaps the most dramatic
change in U.S. surveillance law'' since the Snowden disclosures: The
termination of a bulk telephone record collection program that had been
operated under Section 215 of the USA PATRIOT Act, and its replacement
with a targeted call records program.\94\ This change began when
President Obama's Review Group, in which I participated, reviewed the
215 program and found it ``not essential to preventing attacks.'' \95\
The USA FREEDOM Act was passed soon thereafter, and prohibited bulk
collection under Section 215, as well as under pen register, trap-and-
trace, and national security letter authorities. NSA terminated the
bulk phone records program on November 29, 2015.\96\
---------------------------------------------------------------------------
\94\ Swire, supra note 2 at 3-16--3-18.
\95\ See id.
\96\ See Office of the Dir. of Nat'l Int., ODNI Announces
Transition to a New Telephone Metadata Program, (Nov. 27, 2015),
available at: https://www.dni.gov/index.php/newsroom/press-releases/
press-releases-2015/item/1292-odni-announces-transition-to-new-telephone-metadata-program.
---------------------------------------------------------------------------
The USA FREEDOM Act thus introduced a targeted telephone call
detail records program (the ``CDR Program'') that operated as I
described in my 2016 Testimony.\97\ The government had to identify a
specific selector that is reasonably suspected of being associated with
terrorism (such as a phone number), and obtain a FISC order requiring a
communications provider to produce records associated with that
selector. The government could only obtain records that were no more
than two ``hops'' from the identified selector.
---------------------------------------------------------------------------
\97\ See Swire, supra note 2 at 3-16--3-18.
---------------------------------------------------------------------------
Since my 2016 Testimony, the NSA voluntarily terminated the CDR
Program due to compliance and data-integrity issues it did not believe
could be resolved. This section briefly describes the significant
events relating to the CDR Program: (a) the NSA's deletion of years'
worth of CDRs, followed by its decision to terminate the CDR Program,
and (b) the PCLOB's ensuing report on the CDR Program. These NSA
actions are another example of the oversight and correction mechanisms
built into the U.S. legal system governing foreign intelligence.
a. NSA Voluntarily Deleted 3 Years' Worth of USA FREEDOM Act CDRs, then
Discontinued the CDR Program Altogether
The CDR Program was affected by a number of compliance issues that
resulted in the NSA deciding to delete years' worth of CDR Program
data, then to discontinue the program. Between 2016 and 2019, the NSA
provided a number of notices to FISC detailing issues of non-compliance
and data-integrity issues.\98\ Generally, the non-compliance issues
included information omitted from FISA applications, providers
transmitting CDRs on expired orders, and training and access incidents
involving NSA personnel.\99\ The data-integrity issues generally
involved the NSA receiving erroneous data from certain telecom
providers.\100\ NSA notified FISC of these incidents, and deleted CDRs
associated with these incidents.
---------------------------------------------------------------------------
\98\ See Privacy and Civil Liberties Oversight Bd., Report on the
Government's Use of the Call Detail Records Program Under the USA
Freedom Act, 20 (Feb. 2020), available at: https://documents.pclob.gov/
prod/Documents/OversightReport/87c7e900-6162-4274-8f3a-d15e3ab9c2e4/PC
LOB%20USA%20Freedom%20Act%20Report%20(Unclassified).pdf [hereinafter
``PCLOB CDR Report''].
\99\ See id. at 21.
\100\ First, a telecom provider pushed ``inaccurate first-hop
numbers to the NSA,'' which the NSA's system could not detect.
``Instead, [the system] requested second-hop records using the
erroneous first-hop response.'' Subsequently, the provider fixed the
issue and the NSA purged the CDRs containing inaccurate numbers.
Second, a telecom provider produced a number of CDRs with
inaccurate data to the NSA. The NSA took immediate action to stop
receipt of CDRs from the provider. The NSA also found there were four
FISA applications that relied on the inaccurate information, which it
quickly reported to the FISC. The NSA then deleted associated CDRs and
``recalled one disseminated intelligence report generated based on
inaccurate CDRs.'' Id. at 22.
---------------------------------------------------------------------------
In a further incident, when a provider produced inaccurate data,
NSA searched for ``anomalous data from the other providers,'' and found
data-accuracy issues distributed across providers.\101\ Further
discussions by the NSA with another provider confirmed it also provided
inaccurate data.\102\ Ultimately, NSA determined ``the providers could
not identify for NSA all the affected records, and NSA had no way to
independently determine which records contained inaccurate
information.'' \103\
---------------------------------------------------------------------------
\101\ Id. at 23.
\102\ See id.
\103\ Id. at 24.
---------------------------------------------------------------------------
In response, starting on May 23, 2018, the NSA began deleting all
CDRs obtained since 2015.\104\ As required under FISA, the NSA also
notified the PCLOB, Department of Justice (DOJ), and Congressional
Oversight committees of its decision.\105\ In June 2018, NSA released a
statement notifying the public that it had deleted all of its call
records under the CDR program due to ``technical irregularities in some
data received from telecommunications service providers'' that had
resulted in the NSA having access to some CDRs that NSA was not
authorized to receive.\106\
---------------------------------------------------------------------------
\104\ See Nat'l Sec. Agency, NSA Reports Data Deletion, Release No:
PA-010-18, (June 18, 2018), available at: https://www.nsa.gov/news-
features/press-room/Article/1618691/nsa-reports-data-deletion/
\105\ The DOJ subsequently notified FISC. See id.
\106\ PCLOB CDR Report, supra note 98 at 24.
---------------------------------------------------------------------------
Shortly after, in early 2019, the NSA allowed its last FISC order
authorizing CDR collection to expire, thus discontinuing the CDR
Program under the USA FREEDOM Act.\107\ This decision was based on a
balancing of ``the program's relative intelligence value, associated
costs, and compliance and data-integrity concerns.'' \108\ Accordingly,
the number of CDRs collected by the NSA fell from over 434 million in
2018 to approximately 4.2 million in 2019.\109\
---------------------------------------------------------------------------
\107\ As a part of the discontinuation, the NSA deleted remaining
data collected under the CDR Program, but not data ``that had been used
in disseminated intelligence reporting or data that was considered
`mission management related information.' '' PCLOB CDR Report, supra
note 98 at 24.
\108\ PCLOB CDR Report, supra note 98 at 24.
\109\ Semiannual Report 19 supra note 87 at 32.
---------------------------------------------------------------------------
b. PCLOB Assessed the USA FREEDOM Act CDR Program
In February 2020, the PCLOB issued a report reviewing the CDR
program under the USA Freedom Act (the ``CDR Program Report'').\110\
Since the CDR program had been discontinued by the time the PCLOB's
Report was issued, the PCLOB made no recommendations regarding the Act,
but did issue five key findings. First, the Board found that the CDR
program had been constitutional, and second, that the NSA's collection
of two hops of CDR data on an ongoing basis was statutorily
authorized.\111\ Third, PCLOB found no agency abuse of the CDR Program
prior to the NSA's decision to stop CDR collection, and, fourth, no
evidence that the NSA received statutorily prohibited categories of
information such as name, address, or financial information related to
a selector.\112\ Finally, the Board found the NSA did not use its
authority granted under the USA Freedom Act to attempt to gather
certain kinds of metadata (the specifics of which remain
redacted).\113\ More broadly, the PCLOB agreed with the NSA's decision
to stop CDR collection.\114\
---------------------------------------------------------------------------
\110\ See generally PCLOB CDR Report, supra note 98.
\111\ Some of the members of the Board did not join on the
constitutional analysis provided in the report. See id. at 70-77.
\112\ See PCLOB CDR Report, supra note 98 at 2.
\113\ See id.
\114\ See Privacy and Civil Liberties Bd., Fact Sheet: Report on
the NSA's Call Detail Records Program Under the USA Freedom Act, 2,
available at: https://documents.pclob.gov/prod/Documents/
OversightReport/e37f0efb-c85d-4053-b4c1-4159ccbf100f/
CDR%20Fact%20sheet%20FINAL.pdf
---------------------------------------------------------------------------
In March 2020, Congress reauthorized the USA FREEDOM Act, extending
it through December 2023.\115\ Thus, there is the possibility that NSA
could revive the CDR Program in the future. However, to do so, the NSA
would have to obtain FISC orders authorizing the collection of CDRs,
and the FISC--as it does in other contexts--could impose safeguards on
CDR collection based on the past experience of the now-discontinued CDR
Program.
---------------------------------------------------------------------------
\115\ See USA FREEDOM Reauthorization Act of 2020, H.R. 6172, 116th
Congress (May 14, 2020), available at: https://www.congress.gov/bill/
116th-congress/house-bill/6172/text
---------------------------------------------------------------------------
4. Updates to Oversight Safeguards.
My 2016 Testimony describes a comprehensive oversight system for
foreign intelligence, including Senate and House intelligence
committees, agency Inspectors General, Privacy and Civil Liberties
offices in the agencies, and ongoing review by the independent Privacy
and Civil Liberties Oversight Board.\116\ The structure of these
oversight safeguards remains unchanged since 2016. This section briefly
discusses updates occurring within the existing oversight framework:
(a) PCLOB issuing its PPD-28 report, and (b) activities by Inspectors
General.
---------------------------------------------------------------------------
\116\ See Swire, supra note 2 at 3-26--3-34.
---------------------------------------------------------------------------
a. PCLOB Issued its PPD-28 Report
On October 16, 2018, PCLOB published its report on Presidential
Policy Directive 28 (PPD-28) (the ``PPD-28 Report'').\117\ To produce
the Report, PCLOB reviewed the PPD-28 targeting procedures of the CIA,
NSA, and FBI, reviewed ODNI reports on changes to signals intelligence
under PPD-28,\118\ took comments from the public and NGOs, and held
classified briefings and discussions with IC elements. PCLOB found PPD-
28 resulted in greater memorialization and/or formalization of privacy
protections that had inhered in existing practices.\119\ For example,
prior to PPD-28, NSA had limited its uses of signals intelligence
collected in bulk to the six permissible purposes listed in PPD-28
(such as espionage and threats to U.S. armed forces); PPD-28 resulted
in these limitations being memorialized and codified.\120\
Additionally, PPD-28 resulted in extending protections previously
reserved for U.S. persons to all individuals regardless of nationality.
For example, NSA and CIA used PPD-28 procedures to refocus on
protecting ``personal information of all individuals regardless of
nationality.'' \121\ Similarly, NSA, CIA, and FBI minimization
procedures now require that ``personal information of non-US persons
shall only be retained if comparable information of U.S. persons may be
retained pursuant to'' EO 12333.\122\
---------------------------------------------------------------------------
\117\ This report was issued on the basis of Section 5 PPD-28,
which encouraged PCLOB to provide a report on any matters within
PCLOB's mandate, such as the implementation of Executive Branch
regulations or policies like PPD-28. See Privacy and Civil Liberties
Bd., Report to the President on the Implementation of Presidential
Policy Directive 28: Signals Intelligence Activities, (Oct. 16, 2018),
available at: https://documents.pclob.gov/prod/Documents/Oversight
Report/16f31ea4-3536-43d6-ba51-b19f99c86589/PPD-28%20Report%20
(for%20FOIA%20Release).pdf [hereinafter ``PCLOB PPD-28 Report''].
\118\ See Office of the Dir. of Nat'l Intelligence, A Status Report
on the Development and Implementation of Procedures Under Presidential
Policy Directive 28, (July 2014), available at: https://www.dni.gov/
files/documents/1017/PPD-28_Status_ Report_Oct_2014.pdf; See also
Office of the Dir. of Nat'l Intelligence, 2016 Progress Report on
Changes to Signals Intelligence Activities (Jan. 22, 2016), available
at: https://www.intelligence.gov/index.php/ic-on-the-record-database/
results/12-odni-releases-2016-signals-intelligence-reform-progress-
report.
\119\ See generally PCLOB PPD-28 Report, supra note 117.
\120\ See id. at 6.
\121\ Id. at 6-7.
\122\ Id. at 7-8.
---------------------------------------------------------------------------
Based on its review, PCLOB issued four recommendations for PPD-28's
implementation:
1) The National Security Council (NSC) and ODNI should issue
criteria for determining which activities or types of data will
be subject to PPD-28 requirements;
2) IC elements should consider both the mission and privacy
implications of applying PPD-28 to multi-sourced systems;
3) NSC and ODNI should ensure that any IC elements obtaining first-
time access to unevaluated signals intelligence update their
PPD-28 use, retention and dissemination practices, procedures,
and trainings before receiving such data; and
4) To the extent consistent with the protection of classified
information, IC elements should promptly update their public
PPD-28 procedures to reflect any pertinent future changes in
practices and policy.\123\
---------------------------------------------------------------------------
\123\ See id. at 12-18.
---------------------------------------------------------------------------
These recommendations were later reviewed by ODNI's Office of Civil
Liberties, Privacy, and Transparency (CLPT) in an October 2018 report
on the status of implementation of the PCLOB's PPD-28 Report.\124\ The
CLPT found that the agencies had already implemented all four of these
recommendations to the extent possible to maintain national
security.\125\
---------------------------------------------------------------------------
\124\ See Office of the Dir. of Nat'l Intelligence, Status of
Implementation of PPD-28: Response to the PCLOB's Report, (Oct. 2018),
available at: https://www.dni.gov/files/icotr/
Status_of_PPD_28_Implementation_Response_to_PCLOB_Report_10_16_18.pdf
[hereinafter ``CLPT PPD-28 Implementation Report''].
\125\ See id.
---------------------------------------------------------------------------
b. Inspectors General
My 2016 Testimony described Federal inspectors general (IGs) as an
oversight component that provides a well-staffed and significant
safeguard to ensure that Federal agencies comply with internal
administrative privacy mandates, including exercising privacy watchdog
responsibilities.\126\ Since my 2016 Testimony, as is widely known, the
Department of Justice Inspector General issued a report on traditional
FISA warrants issued in connection with an FBI investigation into a
U.S. citizen associated with the Trump campaign;\127\ however, this
report was not related to Section 702 or surveillance targeting non-US
persons. The IG for the ODNI has continued to issue semiannual reports
relating to the IC as a whole.\128\ The IGs for surveillance agencies
have also issued semiannual reports to Congress,\129\ and have
published on an ongoing basis reports on various investigations
relating to intelligence agency activities.\130\
---------------------------------------------------------------------------
\126\ See Swire, supra note 2 at 3-26--3-28.
\127\ See Office of the Inspector Gen., Review of Four FISA
Applications and Other Aspects of the FBI's Crossfire Hurricane
Investigation, US Dept. of Justice, (Dec. 2019), available at https://
www.justice.gov/storage/120919-examination.pdf
\128\ See Office of the Dir. of Nat'l Intelligence, ICIG Semiannual
Report, available at: https://www.dni.gov/index.php/who-we-are/
organizations/icig/icig-publications/icig-all-reports
\129\ See, e.g., Office of the Inspector Gen., Semiannual Report to
Congress, National Security Agency, (Oct. 1, 2019 to Mar. 31, 2020),
available at: https://oig.nsa.gov/Portals/71/Reports/SAR/OCT-
MAR%202020%20OIG%20SAR.pdf?ver=2020-09-02-094002-550
\130\ For a sample of reports from the NSA's Office of Inspector
General, see, e.g., Office of the Inspector Gen. of the Nat'l Sec.
Agency, OFFICE OF INSPECTOR GENERAL: REPORTS, available at: https://
oig.nsa.gov/reports/.
---------------------------------------------------------------------------
5. Updates to Transparency Safeguards.
My 2016 Testimony discussed how, in the wake of the Snowden
disclosures, the U.S. government focused on increasing transparency
measures relating to U.S. surveillance, both for companies subject to
orders and for government agencies that have requested orders.\131\ The
transparency safeguards I identified in 2016 have remained in place,
and continue to provide valuable information about how foreign
intelligence surveillance is conducted by U.S. agencies. This section
discusses transparency efforts since 2016: (a) additional releases of
Statistical Transparency Reports, (b) continued corporate transparency
reporting, (c) the creation of a second, text-searchable IC on the
Record database, and (d) continued public release of declassified IC
documents.
---------------------------------------------------------------------------
\131\ See Swire, supra note 2 at 3-34--3-38.
---------------------------------------------------------------------------
a. Additional Releases of Statistical Transparency Reports.
As discussed in Section 2(e) above, ODNI produces annual
Statistical Transparency Reports that cover the IC's use of multiple
types of intelligence.\132\ Above, I discussed the numbers of Section
702 targets discussed in Statistical Transparency Reports. I note here
that Statistical Transparency Reports go well beyond Section 702 and
disclose statistics on the number of governmental requests made under
other FISA foreign-intelligence authorities, including traditional
individual FISA warrant authorities for electronic surveillance or
physical searches, pen-register and trap-and-trace authorities, the
``business records'' authorities used to obtain Call Detail Records,
and national security letter authorities. These reports also disclose
the number of criminal proceedings in which a notice was provided that
the government intended to use or disclose FISA-acquired information.
The Statistical Transparency Report is also unique in that it explains
the development of U.S. surveillance programs, limitations placed on
programs by FISC, and even instances of the NSA discontinuing
programs--such as the 2020 Statistical Transparency Report describing
the NSA's decision to suspend the CDR Program.\133\
---------------------------------------------------------------------------
\132\ See generally Office of the Dir. of Nat'l Intelligence,
Statistical Transparency Report: Regarding the use of National Security
Authorities for Calendar Year 2016, (Apr. 2017) available at: https://
www.dni.gov/files/icotr/ic_transparecy_report_cy2016_5_2_17.pdf; Office
of the Dir. of Nat'l Intelligence, Statistical Transparency Report:
Regarding the use of National Security Authorities for Calendar Year
2017, (Apr. 2018) available at: https://www.dni.gov/files/documents/
icotr/2018-ASTR-CY2017FINAL-for-Release-5.4.18.pdf; Office of the Dir.
of Nat'l Intelligence, Statistical Transparency Report: Regarding the
use of National Security Authorities for Calendar Year 2018, (Apr.
2019) available at: https://www.dni.gov/files/CLPT/documents/
2019_ASTR_for_CY2018.pdf; Office of the Dir. of Nat'l Intelligence,
Statistical Transparency Report: Regarding the use of National Security
Authorities for Calendar Year 2019, (Apr. 2020) available at: https://
www.dni.gov/files/CLPT/documents/2020_ASTR_for_CY2019_FINAL.pdf.
\133\ See 2019 Statistical Transparency Report, supra note 77 at
29--30.
---------------------------------------------------------------------------
b. Continued Corporate Transparency Reporting
My 2016 Testimony highlighted corporate transparency reporting as
an important transparency safeguard that arose shortly after the
Snowden disclosures.\134\ Five leading U.S. technology companies
(Facebook, Google, LinkedIn, Microsoft, and Yahoo!) filed suit with the
FISC to gain rights to provide transparency reporting, resulting in a
DOJ policy change permitting reporting on ranges of governmental
foreign intelligence requests. The USA FREEDOM Act codified the right
of companies to issue transparency reports.
---------------------------------------------------------------------------
\134\ See Swire, supra note 2 at 3-37--3-39.
---------------------------------------------------------------------------
Since my 2016 Testimony, corporate transparency reporting has
continued as permitted under the USA Freedom Act, with large companies
regularly publishing reports on government access requests.\135\ As in
my 2016 Testimony, this Appendix examines the most recent transparency
reports of Facebook and Google--the percentages of users whose records
were accessed in the most recent six-month period are smaller than in
2016. In total, the number of customer accounts accessed by the U.S.
government for national security in the most recent time period is no
more than (1) 118,997 \136\ for Facebook, out of approximately 2.5
billion\137\ active users per month; and (2) approximately 109,497
\138\ for Google, out of approximately 1.17 billion\139\ active users
per month. The charts below, similar to the ones provided in my 2016
Testimony, reflect the current data above.
---------------------------------------------------------------------------
\135\ See id.
\136\ For the time period from July 2019-December 2019, Facebook
received the following: 0-499 non-content requests (affecting the same
number of accounts); 0-499 content requests (affecting between 117,000
and 117,499 accounts); and 0-499 national security letters (affecting
the same number of accounts). See Facebook, United States Law
Enforcement Requests for Data, Government Requests Report (2020),
https://govtrequests.facebook.com/country/United%20
States/2015-H1.
\137\ See Statista, Number of Monthly Active Facebook Users
Worldwide as of 4th Quarter 2019 (2020), https://www.statista.com/
statistics/264810/number-of-monthly-active-facebook-users-worldwide/
#::text=With%20over%202.7%20billion%20monthly,the%20biggest%20social%20
net
work%20worldwide.
\138\ For the time period from January 2019-June 2019, Google
received the following: 0-499 non-content requests (affecting the same
number of accounts); 0-499 content requests (affecting between 107,000
and 107,499 accounts); and 500-999 national security letters (affecting
between 1000 and 1499 accounts). See Google, Transparency Report--
United States (2020), https://transparencyreport.google.com/user-data/
us-national-security?hl=en.
\139\ See Craig Smith, 365 Google Search Statistics and Much More
(2020), ExpandedRamblings.com (Nov. 30, 2020), http://expandedramblings.com/
index.php/by-the-numbers-a-gigantic-list-of-google-stats-and-facts.
---------------------------------------------------------------------------
I make the following observation--these percentages are very, very
small. Government surveillance requests are far from ``pervasive'' or
``unlimited,'' as some have suggested.
----------------------------------------------------------------------------------------------------------------
                                # of Users Accessed in                                Percentage based on
Facebook                        6 months                  Accounts Specified          Users Per Month
----------------------------------------------------------------------------------------------------------------
Non-Content Requests            0-499                     0-499                       .0000002%
Content Requests                0-499                     117,000-117,499             .000047%
National Security Letters       0-499                     500-999                     .0000004%
----------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------
                                # of Users Accessed in                                Percentage based on
Google                          6 months                  Accounts Specified          Users Per Month
----------------------------------------------------------------------------------------------------------------
Non-Content Requests            0-499                     0-499                       .0000004%
Content Requests                0-499                     107,000-107,499             .00009%
National Security Letters       0-499                     1000-1499                   .0000012%
----------------------------------------------------------------------------------------------------------------
c. The Government Has Launched New Transparency Websites
In 2013, the ODNI created ``IC on the Record,'' a website on which
ODNI posts declassified documents relating to United States foreign
intelligence surveillance practices. In doing so, the U.S. government
became the first government in the world to maintain a running
repository of declassified documents from its foreign intelligence
agencies and oversight organs.\140\ Since its appearance in 2013 and my
2016 Testimony, IC on the Record has accumulated a substantial amount
of NSA internal records, FISC opinions, and other documents and records
relating to foreign intelligence surveillance. The IC states that it
has disclosed hundreds of documents comprising thousands of pages,
including ``hundreds of documents relating to Section 702.'' \141\
---------------------------------------------------------------------------
\140\ See Swire, supra note 2 at 3-36--3-37.
\141\ Office of the Dir. of Nat'l Intelligence, IC on the Record
Guide to Posted Documents, Intel.Gov, (Oct. 2020), available at:
https://www.intel.gov/ic-on-the-record/guide-to-posted-documents.
---------------------------------------------------------------------------
Further, since 2016, the publicly-available online channels through
which the public has access to intelligence-related documents and court
decisions have increased. For one, the FISC maintains an online ``Public
Filings'' database containing a substantial number of its declassified
opinions and orders, which has added usefulness in being searchable by
docket number.\142\ Second, ODNI has created ``Intel.gov,'' a new
repository on an official IC website that creates the capability to
conduct full text searches on all documents posted on IC on the
Record.\143\ These resources make the transparency offered by the U.S.
government significantly more actionable for researchers, civil-rights
organizations, and civil society in monitoring how foreign intelligence
surveillance is being conducted.
---------------------------------------------------------------------------
\142\ See U.S. Foreign Intelligence Surveillance Ct., Public
Filings--US Foreign Intelligence Surveillance Court, available at:
https://www.fisc.uscourts.gov/public-filings. [hereinafter ``FISC
Public Filings Website''].
\143\ See Intel.gov, IC on the Record Database, available at:
https://www.intel.gov/ic-on-the-record/guide-to-posted-documents
[hereinafter ``Intel.gov''].
---------------------------------------------------------------------------
6. Updates to Executive Safeguards
a. Presidential Policy Directive 28 (PPD-28)
My 2016 Testimony discussed Presidential Policy Directive 28 (PPD-
28) as a significant new safeguard that creates an extensive system of
privacy protection for signals intelligence activities involving non-US
persons.\144\ Since my prior testimony, PPD-28 has remained unchanged
in substance. As discussed above, PPD-28 has resulted in intelligence
agencies codifying PPD-28 protections into targeting and minimization
procedures governing their conduct of signals intelligence. More
significantly, PPD-28 remained in place during the transition between
the Obama and Trump administrations.\145\ The Biden administration is
reportedly expected to continue or increase current protections under
PPD-28.\146\ This demonstrates significant continuity among U.S.
presidential administrations to maintain the United States' commitment
to PPD-28 and the protections it offers to non-US persons.
---------------------------------------------------------------------------
\144\ See Swire, supra note 2 at 3-41--3-46.
\145\ See CLPT PPD-28 Implementation Report, supra note 124 at 4.
\146\ See Kristen Bryan et al., Election 2020: Looking Forward to
What a Biden Presidency May Mean for Data Privacy and Data Privacy
Litigation, National Law Review, (Nov. 12, 2020), available at:
https://www.natlawreview.com/article/election-2020-looking-forward-to-what-
biden-presidency-may-mean-data-privacy-and
---------------------------------------------------------------------------
b. Privacy Shield
My 2016 Testimony discussed Privacy Shield as a significant
safeguard for the protection of data relating to EU citizens, since it
introduced commitments from the U.S. government to provide remedies to
EU citizens, to act promptly and effectively to address EU data
protection concerns, and to subject compliance to an ongoing review
process.\147\ After the Schrems II judgment, Secretary of Commerce Ross
stated that the Department of Commerce would ``continue to administer
the Privacy Shield program,'' and that the ECJ decision ``does not
relieve participating organizations of their Privacy Shield
obligations.'' \148\ This indicated the U.S. government continues to
require Privacy Shield organizations to apply Privacy Shield
protections to data received under the Shield until the data is
deleted.
---------------------------------------------------------------------------
\147\ See Swire, supra note 2 at 3-49.
\148\ U.S. Dept. of Commerce, US Secretary of Commerce Wilbur Ross
Statement on Schrems II Ruling and the Importance of EU-US Data Flows
(July 16, 2020), available at https://www.commerce.gov/news/press-
releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-
ii-ruling-and.
---------------------------------------------------------------------------
7. Updates to Foreign Intelligence Surveillance Court (FISC) Testimony.
Chapter 5 of my 2016 Testimony contained an evaluation of the
significant number of FISC opinions that had been declassified
following the Snowden disclosures, in a number of cases at the FISC's
own order. My assessment reached four primary conclusions:
1. The newly declassified FISC materials support the conclusion that
the FISC today provides independent and effective oversight
over U.S. government surveillance.
2. The FISC monitors compliance with its orders and has enforced
with significant sanctions in cases of noncompliance.
3. In recent years, both the FISC on its own initiative and new
legislation have greatly increased transparency.
4. The FISC now receives and will continue to benefit from briefing
by parties other than the Department of Justice in important
cases.
Since my prior testimony, additional FISC opinions have been
published, but I am not aware of any reason to alter these conclusions.
This section briefly describes updates that have occurred since 2016
and support the above conclusions: (a) FISC decisions continue to be
declassified and published; (b) the FISC and FISA Court of Review have
issued further decisions in ACLU litigation discussed in my prior
Testimony; and (c) FISC transparency statistics continue to show FISC
exercising considerable oversight over government surveillance
applications.
a. New and Significant FISC Opinions Continue to be Declassified and
Published
The transparency in regard to FISC opinions that I discussed in my
2016 Testimony has continued to the present. Opinions have been
published under the USA FREEDOM Act's requirement to publish every FISC
``decision, order, or opinion'' that contains ``a significant
construction or interpretation of any provision of law'' to the
greatest practicable extent.\149\ Others have been published in
connection with litigation pursued by civil-rights organizations.\150\
On the whole, a considerable quantity of FISC opinions have been
published and can be accessed through IC on the Record,\151\ the FISC's
own ``Public Filings'' website,\152\ and in text-searchable form on the
Intel.gov repository.\153\
---------------------------------------------------------------------------
\149\ 50 U.S.C. Sec. 1872.
\150\ See, e.g., IC on the Record, Release of the FISC Opinion
Approving the 2016 Section 702 Certifications and Other Related
Documents (May 11, 2017), available at: https://icontherecord.tumblr.com/post/160561655023/release-of-the-fisc-opinion-approving-the-2016 (listing ``Other FISA Section 702 and Related Documents''
produced in response to Freedom of Information Act litigation).
\151\ See IC on the Record, available at: https://icontherecord.tumblr.com/.
\152\ See FISC Public Filings Website, supra note 142.
\153\ See Intel.gov, supra note 143.
---------------------------------------------------------------------------
b. Updates to ACLU Litigation Discussed in Prior Testimony
My 2016 Testimony discussed litigation brought by the ACLU
following the Snowden disclosures in which the ACLU requested that FISC
publish its opinions authorizing the bulk telephone records program
under Section 215.\154\ The FISC found that the ACLU had Article III
standing to seek publication of FISC opinions, and ordered the
publication of certain Section 215 program authorizations. Since my
2016 Testimony, the FISA Court of Review confirmed that the ACLU and
similar public-interest organizations have Article III standing to
bring petitions for publication of FISC opinions.\155\ However, in a
subsequent decision, FISCR held that the FISC does not have subject-
matter jurisdiction to hear challenges by public-interest organizations
to the withholding of redacted, nonpublic materials in those
opinions.\156\
---------------------------------------------------------------------------
\154\ See Swire, supra note 2 at 5-39--5-41.
\155\ See In re Certification of Questions of Law to the Foreign
Intelligence Surveillance Court of Review, No. 18-01 (F.I.S.C. Mar. 16,
2018), https://www.fisc.uscourts.gov/sites/default/files/FISCR%2018-01%20Opinion%20March%2016%202018.pdf.
\156\ See In re Opinions & Orders by the FISC Addressing Bulk
Collection of Data Under the Foreign Intelligence Surveillance Act, No.
18-02 (F.I.S.A. Ct. Rev. Mar. 24, 2020), available at: https://www.fisc.uscourts.gov/sites/default/files/FISCR%2020%2001%20Opinion%20200424.pdf.
---------------------------------------------------------------------------
c. FISC Transparency Statistics
My 2016 Testimony assessed a description of the FISC, advanced in the
wake of the Snowden disclosures, as a ``rubber stamp'' for
government surveillance requests.\157\ The FISC itself had disputed
this characterization, stating in a letter to the Senate that ``24.4
percent of matters submitted ultimately involved substantive changes to
the information provided by the government or to the authorities
granted as a result of Court inquiry or action.'' \158\ The USA FREEDOM
Act permitted the Administrative Office of U.S. Courts to issue new
statistics on FISC practice that--unlike prior DOJ reporting--did not
merely state the number of applications that FISC had denied in full,
but rather accounted for all applications that FISC procedures
significantly modified, denied in part, or denied in full.\159\ This
reporting enabled a more complete view of the extent to which FISC
subjects government surveillance requests to scrutiny resulting in
changes or denial. My 2016 Testimony evaluated the first of these new
FISC reports and found that ``the FISC either rejected or modified just
over 17 percent of all surveillance applications it received in the
latter half of 2015.'' \160\
---------------------------------------------------------------------------
\157\ Swire, supra note 2 at 5-9--5-18.
\158\ Letter dated July 29, 2013 from Reggie B. Walton, FISC Chief
Judge, to Patrick J. Leahy, Chairman of the U.S. Senate Judiciary
Committee 2, http://www.fisc.uscourts.gov/sites/default/files/Correspondence%20Grassley-1.pdf.
\159\ See Swire, supra note 2 at 5-43--5-48.
\160\ Id. at 5-14--5-17.
---------------------------------------------------------------------------
Since 2016, the FISC has continued to publish its statistics on the
number of applications and certifications for surveillance it modifies
or denies.\161\ These reports show the FISC modifying or denying a
greater percentage of governmental surveillance requests than it did
during my prior review. The following table summarizes the FISC
statistics for each year since my 2016 Testimony:
---------------------------------------------------------------------------
\161\ See U.S. Courts, Director's Report on Foreign Intelligence
Surveillance Courts' Activities, available at https://www.uscourts.gov/statistics-reports/analysis-reports/directors-report-foreign-intelligence-surveillance-courts.
\162\ Admin. Office of U.S. Cts., Report of the Director of the
Administrative Office of the U.S. Courts on Activities of the Foreign
Intelligence Surveillance Courts for 2017, 4, (Apr. 25, 2018),
available at https://www.uscourts.gov/sites/default/files/ao_foreign_int_surveillance_court_annual_report_2017.pdf.
\163\ Admin. Office of U.S. Cts., Report of the Director of the
Administrative Office of the U.S. Courts on Activities of the Foreign
Intelligence Surveillance Courts for 2018, 4, (Apr. 25, 2019),
available at https://www.uscourts.gov/sites/default/files/fisc_annual_report_2018_0.pdf.
\164\ Admin. Office of U.S. Cts., Report of the Director of the
Administrative Office of the U.S. Courts on Activities of the Foreign
Intelligence Surveillance Courts for 2019, 4, (Apr. 27, 2020),
available at https://www.uscourts.gov/sites/default/files/fisc_annual_report_2019_0.pdf.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                 Total Number of   Total Number of   Total Number of   Sum of Applications    Total Number of      Percentage of
Year             Applications      Applications      Applications      Modified, Denied in    Applications and     Applications Modified
                 Modified          Denied in Part    Denied            Part, and Denied       Certifications       or Denied by FISC
--------------------------------------------------------------------------------------------------------------------------------------------------------
2017\162\        391               50                26                467                    1,614                29%
2018\163\        261               42                30                333                    1,318                25%
2019\164\        234               38                20                292                    1,010                29%
--------------------------------------------------------------------------------------------------------------------------------------------------------
8. Updates to Surveillance-Related Standing Cases
My 2016 Testimony briefly discussed the role that Article III
standing may play in attempts to challenge surveillance programs before
U.S. courts.\165\ This section briefly describes the state of select
U.S. cases seeking court review of surveillance programs.
---------------------------------------------------------------------------
\165\ See Swire, supra note 2 at 5-9--5-10.
a. Civil Challenges--The two primary attempts to file a civil
challenge to Section 702 programs are both actively appealing
dismissals on standing grounds.\166\ In each case, the
plaintiffs were granted discovery to prove they had standing
and proffered either documents or experts as evidence. However,
both suits were ultimately dismissed on standing grounds because
plaintiffs could not show a significant probability, or show
evidence the government would authenticate, that the
plaintiffs' communications had been affected by 702 programs or
their predecessors. My understanding is that both proceedings
are currently on appeal to a Federal circuit court.
---------------------------------------------------------------------------
\166\ See Jewel v. NSA, No. C 08-04373, 2019 U.S. Dist. LEXIS
217140 (N.D. Cal. 2019); Wikimedia Found. v. NSA/Central Sec. Serv.,
427 F. Supp. 3d 582 (D. Md. 2019).
b. Challenges in Criminal Cases--In at least two criminal cases,
defendants have asserted challenges to the constitutionality
and lawfulness of Section 702 programs when 702-obtained
evidence was proffered against them.\167\ The challenges have
been heard and adjudicated, in each instance with Section 702
programs being found lawful. In each instance, the defendant
was a U.S. person whose communications had been incidentally
collected via 702 programs. In both cases, the lawfulness of
incidentally acquiring communications of U.S. persons via
Section 702 programs was affirmed at the appellate
level.\168\ In one case, following this appellate finding, the
case was remanded to the district court to evaluate whether any
querying of databases containing such incidentally-acquired
Section 702 information by the government was
constitutional.\169\
---------------------------------------------------------------------------
\167\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018); U.S. v.
Mohamud, 843 F.3d 420 (9th Cir. 2016).
\168\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018); U.S. v.
Mohamud, 843 F.3d 420 (9th Cir. 2016).
\169\ See U.S. v. Hasbajrami, 945 F.3d 641 (2d Cir. 2018) (finding
that incidental acquisition of U.S. person communications through
Section 702 is lawful, but remanding to district court to determine if
querying of databases containing 702-acquired information by the
government occurred and if so, whether it violated the defendant's
constitutional rights).
---------------------------------------------------------------------------
______
Annex to Swire Testimony: Acronyms used in this Appendix
ACLU American Civil Liberties Union
AG Attorney General
DNI U.S. Director of National Intelligence
DOD U.S. Department of Defense
DOJ U.S. Department of Justice
DOJ NSD U.S. Department of Justice, National Security Division
EU European Union
FBI U.S. Federal Bureau of Investigation
FISA Foreign Intelligence Surveillance Act
FISC U.S. Foreign Intelligence Surveillance
Court
FISCR U.S. Foreign Intelligence Surveillance
Court of Review
FTC U.S. Federal Trade Commission
IC U.S. Intelligence Community
IG Inspector General
ISP Internet Service Provider
MCT Multiple Communication Transactions
NSA U.S. National Security Agency
NSD National Security Division
NSL National Security Letters
OCR U.S. Department of Health and Human
Services Office for Civil Rights
ODNI U.S. Office of the Director of National
Intelligence
OIG U.S. Office of the Inspector General
PCLOB Privacy and Civil Liberties Oversight
Board
PPD Presidential Policy Directive
SIGINT Signals Intelligence
US United States of America
USA FREEDOM Uniting and Strengthening America by
Fulfilling Rights and Ending
Eavesdropping, Dragnet-collection and
Online Monitoring
USA PATRIOT Uniting and Strengthening America by
Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism
The Chairman. Well, thank you very much. And yes, indeed,
if there was ever a bipartisan committee, it is this Senate
committee. So now we turn to Neil Richards. And Professor
Richards is appearing remotely. Do we have a good connection?
Alright, good, can you hear us?
Mr. Richards. I can. Can you hear me, sir?
The Chairman. You bet. You are recognized for 5 minutes to
summarize your testimony, more or less----
STATEMENT OF PROF. NEIL M. RICHARDS,
KOCH DISTINGUISHED PROFESSOR IN LAW; DIRECTOR,
CORDELL INSTITUTE FOR POLICY IN MEDICINE AND LAW,
WASHINGTON UNIVERSITY IN ST. LOUIS
Mr. Richards. Thank you, Mr. Chairman. Chairman Wicker,
Ranking Member--hopefully less, sir. Chairman Wicker, Ranking
Member Cantwell and other distinguished members of this
committee, thank you for the opportunity to testify at this
important hearing. My name is Neil Richards and I am the Koch
Distinguished Professor of Law at Washington University in St.
Louis where I also co-direct the Cordell Institute for Policy,
Medicine and Law. I am here as an expert on privacy, like my
friend Professor Swire. I was also an independent expert
witness in Schrems II, in my case for the Data Protection
Commissioner of Ireland.
The opinions I offer today, however, are my own, and I
would like to make three points in my opening remarks. First,
the Schrems litigation is a creature of distrust. This distrust
comes from the inadequacy of existing Federal privacy
safeguards, rights, and remedies, and also, as other panelists
have mentioned, from Edward Snowden's 2013 surveillance
revelations that led Mr. Schrems to sue in the first place. Two
dimensions of the Schrems II holding are of paramount importance
to Congress as it confronts privacy reform.
One is that any successor to the Privacy Shield will
require Congress to enact surveillance reform that limits the
scope of surveillance and provides meaningful and binding
individual remedies to challenge illegality. The other
consequence of Schrems II is of particular relevance to this
committee. U.S. privacy laws are not yet sufficient to meet EU
law's cross-border requirements of adequacy, which is to say
that U.S. privacy laws do not yet offer protections of personal
data held by companies that are essentially equivalent to those
in the EU.
This matters because adequacy will let EU data flow from
Ireland to the U.S. as easily as it can currently flow from
Germany to France. Adequacy would make second best mechanisms
like the model contractual clauses and the Privacy Shield
arrangements unnecessary. This leads us to my second main point
regarding this committee's bipartisan work on consumer privacy
reform, which I believe can solve some of the challenges for
data flows and privacy law raised by Schrems II.
Comprehensive consumer privacy reform from this committee,
coupled with Federal surveillance reform, could result not just
in another second best international data transfer agreement,
but in an adequacy determination by the European Commission.
Under the GDPR, adequacy requires essential equivalence to EU
protections, including the rule of law and respect for privacy
as a fundamental right in commercial and surveillance contexts.
The ECJ in Schrems II specified three factors as most important
here. First, appropriate safeguards. Second, enforceable
rights. And third, effective legal remedies. These principles
are necessary for cross-border transfers and for adequacy. They
would also, I believe, be a good roadmap for American consumer
privacy reform. This committee has already generated draft
bills in a good way toward meeting some of these requirements.
For example, the draft bill introduced by Senator Cantwell
would provide a variety of rights similar to and potentially
essentially equivalent to those in the GDPR.
Critically, the Cantwell bill also includes a private right
of action for consumers who are injured by unlawful data
processing, something that the challenge of Schrems II seems to
require. I am also a fan of Senator Schatz's Data Care Act, and
the approach of Title II of Chairman Wicker's SAFE DATA Act,
which has provisions for algorithmic bias detection, data
broker registration, filter bubble transparency, and, critically,
abusive trade practices stemming from manipulated interface
design. Third, and finally, there is a better way forward than
our status quo of distrust.
In a series of published papers, Professor Woodrow Hartzog
and I have sought to identify the factors that could get us
beyond the dangerous fictions of notice and choice, or even of
control-based privacy regulation, and use privacy law to create
value for companies as well as protecting consumers. Our trust
research indicates that companies who seek trust must be
honest, they must be discreet, they must be protective, and
they must be loyal. And that where the market provides
insufficient incentives, the law can help. In a draft article,
we have also articulated a duty of loyalty to privacy law, a
duty that actually bears some similarities to Title II of the
Wicker bill.
In sum, the Schrems litigation is a creature of distrust.
It has created problems for American law and commerce, but it
has also created a great opportunity. That opportunity lies
before this committee, the chance to regain American leadership
in global privacy and data protection by passing a
comprehensive law that provides appropriate safeguards,
enforceable rights, and effective legal remedies for consumers.
Passing such a law would not just safeguard the ability to
share personal data across the Atlantic. If done right, it will
build trust between the United States and our European trading
partners and between American companies and the European and
American customers.
The way forward requires us to recognize that strong,
clear, trust building rules aren't hostile to business
interests. That we need to preserve effective consumer remedies
and State level regulatory innovation. And that we should
seriously consider some kind of duty of loyalty.
In that direction, I believe, lies not just consumer
protection, but international cooperation and economic
prosperity. Thank you.
[The prepared statement of Mr. Richards follows:]
Prepared Statement of Prof. Neil M. Richards, Koch Distinguished
Professor in Law, Director, Cordell Institute for Policy in Medicine &
Law, Washington University in St. Louis
Chairman Wicker, Ranking Member Cantwell, and other distinguished
Members of this Committee, thank you for the opportunity to testify at
this important hearing examining the future of trans-Atlantic data
flows and of American privacy law in light of the European Court of
Justice's invalidation of the Privacy Shield arrangement in the Schrems
2 case.\1\ My name is Neil Richards, and I am the Koch
Distinguished Professor in Law at Washington University in St. Louis,
where I also co-Direct the Cordell Institute for Policy in Medicine and
Law. I am here as an expert in privacy law, which I have studied,
taught, written about, and practiced for the past two decades. I was
also asked by the Data Protection Commissioner of Ireland to serve as
one of her independent experts in U.S. law in Schrems 2, alongside Mr.
Andrew Serwin, a distinguished privacy lawyer now with the firm of DLA
Piper. The opinions I offer today are my own. They are not necessarily
those of either the Irish Data Protection Commissioner or Washington
University in St. Louis.
---------------------------------------------------------------------------
\1\ C-311/18, Data Protection Commissioner v. Facebook Ireland
Ltd., http://curia.europa.eu/juris/document/document.jsf?docid=228677&mode=req&pageIndex=1&dir=&occ=rst&part=1&text=&doclang=EN&cid=10716034 (hereinafter ``Schrems 2'').
---------------------------------------------------------------------------
As someone who has followed technology and privacy policy closely
since the 1990s, I am deeply encouraged that Congress--and particularly
this Committee under Senator Wicker's and Senator Cantwell's
leadership--is taking seriously the urgent need for comprehensive,
reasonable, but consumer protective information privacy legislation.
This is something that in my opinion is long overdue--Congress came
close to passing such a law in 1974, but failed to reach an agreement
on private sector data because of concerns about its effect on
industry.\2\ As we know all too well, this is a pattern that has
repeated itself all too often over the past fifty years. It is my
fervent hope that this time will be different, and that Congress will
not just pass a comprehensive privacy bill, but one that gets it right,
that provides clear but substantive rules for companies, and which
provides adequate protections and effective remedies for consumers. A
law that meets these features will not just protect consumers--it will
be good for business as well, by helping enable transatlantic data
flows and building the consumer trust that is essential for long-term
sustainable economic prosperity for all.
---------------------------------------------------------------------------
\2\ E.g., Sarah E. Igo, The Known Citizen: A History of Privacy in
Modern America 257-61 (2018); Lawrence Cappello, None of Your Damn
Business: Privacy in the United States from the Gilded Age to the
Digital Age 200-03 (2019).
---------------------------------------------------------------------------
In awareness of the limited time I have for these opening remarks,
I would like to offer three observations. First, I will explain what I
understand the judgment in Schrems 2 to require, with particular
emphasis on factors within the jurisdiction of this Committee. Second,
I will illustrate some ways in which this Committee's work can solve
some of the challenges for data flows and privacy law that the Schrems
2 judgment raises or illustrates. Third, I will argue that this
Committee should pass a strong privacy law that builds the consumer
trust that is so essential to sustainable and profitable commerce.
I. The Schrems 2 Case
Privacy is a human right recognized around the world and here in
the United States. Protections for privacy run throughout our
Constitution, and the ``reasonable expectation of privacy'' test is at
the core of our Fourth Amendment protections against unreasonable
searches and seizures.\3\ As the Supreme Court recognized in the
Carpenter decision two years ago, these constitutional privacy
protections extend to significant categories of human information that
are held on our behalf by private companies.\4\ In 1974, when it passed
the Privacy Act, Congress recognized that ``privacy is a personal and
fundamental right.'' \5\ Nevertheless, to date, both Congress and the
state legislatures have insufficiently protected information privacy
against private actors, particularly in the digital context.
---------------------------------------------------------------------------
\3\ E.g., Griswold v. Connecticut, 381 U.S. 479 (1965); Katz v.
United States, 389 U.S. 347 (1967); Riley v. California, 573 U.S. 373
(2014).
\4\ Carpenter v. United States, 585 U.S. ___; 138 S. Ct. 2206
(2018).
\5\ Privacy Act of 1974, Sec. 2(a)(4), P.L. 95-579.
---------------------------------------------------------------------------
Under European law, both privacy and data protection are
fundamental rights expressly protected by the European Charter of
Fundamental Rights and Freedoms.\6\ In the European Union (EU), the
government is required to protect fundamental rights (including privacy
rights) against both public and private actors. Consequently, privacy
and data protection are specifically protected in the EU by its General
Data Protection Regulation or ``GDPR.'' \7\ As relevant to this
hearing, the GDPR does two things. First, it regularizes and limits the
collection and processing of personal data by private actors, including
companies.\8\ Second, it places limitations on the ability of EU
personal data to leave the EU, such as when U.S. tech companies use EU
data to fulfill search or GPS requests, store it in the cloud, or use
it for HR purposes.\9\ In an ideal case, the GDPR allows the personal
data of Europeans to flow to a country whose privacy law has been
deemed ``adequate.'' \10\ But American privacy law has never been
deemed ``adequate,'' in large part because America lacks a
comprehensive, protective privacy law that allows people to enforce
their privacy rights against companies as well as the government.\11\
As a result, the legality of the trans-Atlantic data trade has been
based upon a set of mechanisms that are second-best--including the
model contracts and international executive agreements like the Safe
Harbor and Privacy Shield at issue in the Schrems litigation.
---------------------------------------------------------------------------
\6\ Charter of Fundamental Rights of the European Union: 2010 O.J.
(C83) 389. Proclaimed by the Commission, 7 December 2000. Proclamation
and text at 2000 O.J. (C364) 1.
\7\ See Commission Regulation 2016/679, 2016 O.J. (L 119) 1 (EU)
(providing the new GDPR).
\8\ Chris Jay Hoofnagle, Bart van der Sloot & Frederik Zuiderveen
Borgesius, The European Union general data protection regulation: what
it is and what it means, 28:1 Info. & Comms. Tech. L. 65 (2019).
\9\ See Paul M. Schwartz & Karl-Niklaus Peifer, Transatlantic Data
Privacy, 106 Geo. L. J. 115, 130-31 (2017).
\10\ GDPR Art. 45.
\11\ Paul M. Schwartz & Karl-Niklaus Peifer, Transatlantic Data
Privacy, 106 Geo. L. J. 115, 158-61 (2017).
---------------------------------------------------------------------------
The Schrems litigation is a creature of the costly distrust
produced by inadequate Federal privacy laws, protections, and remedies
against both government and corporate surveillance. The first Schrems
decision of 2015 invalidated the Safe Harbor Agreement based upon the
revelations about U.S. surveillance practices by Edward Snowden.\12\
This was replaced by the Privacy Shield Agreement, the legality of
which was a key issue in the Schrems 2 litigation. This past July, the
European Court of Justice ruled in Schrems 2, striking down the Privacy
Shield and casting doubt on the mechanism of the standard contractual
clauses as a means of transfer to the US.\13\ Because the United States
has not been deemed to have an ``adequate'' level of privacy
protections, EU Data Protection regulators are now able to suspend
transfers of EU personal data to the United States. Indeed, the Irish
Data Protection Commissioner has already initiated such proceedings
against Facebook, the American company at issue in the Schrems
litigation.\14\
---------------------------------------------------------------------------
\12\ Case C-362/14, Schrems v. Data Prot. Comm'r, 2015 E.C.R.
650,191 (Oct. 6, 2015).
\13\ See Schrems 2 at pp. 61-62.
\14\ See Shane Phelan & Adrian Weckler, Facebook in legal battle
over order from regulator to halt data transfer to United States, The
Irish Independent, Sept. 12, 2020, https://www.independent.ie/business/technology/facebook-in-legal-battle-over-order-from-regulator-to-halt-data-transfer-to-united-states-39524581.html.
---------------------------------------------------------------------------
Two dimensions of the Schrems 2 holding are of paramount importance
to Congress as it confronts privacy reform. The first is that any
successor to the Privacy Shield would seem to require Congress to enact
surveillance reform. The European Courts are particularly concerned
that EU citizens whose data is exported to the United States lack
meaningful remedies to challenge the legality of the ways that their
data may be processed, and the ways in which it may be accessed
(particularly in bulk) by the U.S. Intelligence Community.\15\ In
particular, the European Court of Justice found in Schrems 2 that the
principal defect of the Privacy Shield mechanism was that it failed to
offer a binding legal remedy for violations of EU fundamental data
protection rights. The Privacy Shield did not allow EU citizens to sue
the U.S. government for violations of their rights, but it did create
an ``Ombudsperson'' mechanism within the U.S. State Department, who
could act as a kind of complaints desk and investigator. As the
European Court of Justice put it, however, ``there is nothing [ ] to
indicate that [the Privacy Shield] ombudsperson has the power to adopt
decisions that are binding on those intelligence services and does not
mention any legal safeguards that would accompany that political
commitment on which data subjects could rely. . . . Therefore, the
ombudsperson mechanism to which the Privacy Shield Decision refers does
not provide any cause of action before a body which offers the persons
whose data is transferred to the United States guarantees essentially
equivalent to those required by Article 47 of the Charter.'' \16\
---------------------------------------------------------------------------
\15\ Schrems 2, 65, 187, 194.
\16\ Schrems 2 196-97.
---------------------------------------------------------------------------
The second dimension of the Schrems 2 decision of relevance to
Congress--and of particular relevance to this Committee--is that U.S.
privacy laws are not yet ``adequate,'' which is to say that they do not
yet offer protections for personal data held by companies that are
``essentially equivalent'' to those in the EU. This matters because
``adequacy'' would let the U.S. be treated essentially as a part of
Europe for purposes of EU data flow restrictions. If the U.S. were to
be deemed to have an ``adequate'' level of data protection, then
``second-best'' mechanisms like the model contractual clauses and
Privacy Shield arrangements would become unnecessary. While I
understand the kinds of surveillance reforms necessitated by the first
dimension of the Schrems 2 judgment to be more appropriately part of
the Senate Judiciary Committee's and Senate Intelligence Committee's
jurisdictions, the consumer privacy reforms suggested by the second
dimension of the judgment are not merely part of this Committee's
jurisdiction, but would seem to me to fall squarely within the
bipartisan comprehensive consumer privacy reform project that the
Committee has already embarked upon. It is to that issue that I will
now turn.
II. Surveillance and Consumer Privacy Reform After Schrems 2
As Congress considers comprehensive consumer privacy reform, that
reform effort will inevitably intersect with the cross-border data
transfer issue raised by the Schrems litigation and the invalidation of
both the Safe Harbor and Privacy Shield arrangements. To solve the
problem of trans-Atlantic data transfers and the GDPR, there are
essentially three options. First, the United States could do nothing.
This would devastate the lucrative and commerce-enhancing trans-
Atlantic data trade and result in so-called ``data localization,''
which would require U.S. companies to build expensive data centers in
Europe, and process EU citizens' data there at a significant
competitive disadvantage to their international competitors. The second
option would be for the Executive Branch to negotiate a third, more-
protective version of Safe Harbor/Privacy Shield, which would
undoubtedly result in uncertainty as an inevitable ``Schrems 3''
challenge rumbled slowly through the Irish and European Courts once
again. While it is impossible to perfectly anticipate the results of
such a lawsuit, I can say with confidence that without substantial
surveillance and consumer privacy reform, the litigation would be
likely to end up being invalidated on similar grounds to the Safe
Harbor Agreement struck down in Schrems 1 and the Privacy Shield
Agreement struck down in Schrems 2.
But there is a third way. Comprehensive consumer privacy reform
from this Committee, coupled with Federal surveillance reform could
result not just in another second-best international data transfer
agreement, but in an adequacy determination by the European Commission.
In fact, the Schrems 2 judgment points the way towards such an outcome.
As the European Court of Justice explained in that case, Article 45(1)
of the GDPR permits the European Commission to determine that the U.S.
could have an ``adequate level of protection.'' The European Court of
Justice explains further that ``the term `adequate level of protection'
must, as confirmed by recital 104 of [the GDPR], be understood as
requiring the third country in fact to ensure, by reason of its
domestic law or its international commitments, a level of protection of
fundamental rights and freedoms that is essentially equivalent to that
guaranteed within the European Union by virtue of the regulation, read
in the light of the Charter.'' \17\ Article 45 of the GDPR explains
this requirement in further detail by explaining that adequacy requires
an inquiry into
---------------------------------------------------------------------------
\17\ Schrems 2 94 (citing GDPR Art. 45, GDPR Recital 104).
(a) the rule of law, respect for human rights and fundamental
freedoms, relevant legislation, both general and sectoral,
including concerning public security, defence, national
security and criminal law and the access of public authorities
to personal data, as well as the implementation of such
legislation, data protection rules, professional rules and
security measures, including rules for the onward transfer of
personal data to another third country or international
organisation which are complied with in that country or
international organisation, case-law, as well as effective and
enforceable data subject rights and effective administrative
and judicial redress for the data subjects whose personal data
are being transferred;
(b) the existence and effective functioning of one or more
independent supervisory authorities in the third country or to
which an international organisation is subject, with
responsibility for ensuring and enforcing compliance with the
data protection rules, including adequate enforcement powers,
for assisting and advising the data subjects in exercising
their rights and for cooperation with the supervisory
authorities of the Member States; and
(c) the international commitments the third country or
international organisation concerned has entered into, or other
obligations arising from legally binding conventions or
instruments as well as from its participation in multilateral
or regional systems, in particular in relation to the
protection of personal data.\18\
---------------------------------------------------------------------------
\18\ GDPR Art. 45(2).
It is a tremendous (and to my mind disappointing) irony that, even
though the Privacy Shield was struck down as insufficient, the privacy
protections against commercial processing offered to EU citizens whose
data was protected by Privacy Shield were substantially greater than
those extended to American citizens under U.S. law.
Yet even if the United States does not seek or achieve an adequacy
determination from the European Commission, the level of privacy
protection given to personal data in the United States is still
relevant to the sustainability of both the model contract mechanism for
data transfers and any future, hypothetical ``Privacy Shield 2.'' This
is because, as the Schrems 2 judgment explains, transfers under the
second-best option of model contracts or Privacy Shield-type agreements
will still require an inquiry into something very much like the
adequacy of data protection rights available in the United States.\19\
The European Court of Justice specified these requirements clearly as
being (1) appropriate safeguards, (2) enforceable rights, and (3)
effective legal remedies.\20\ A few additional observations about what
these requirements would mean in practice are warranted, because I think
they offer not just a guide to compliance with the GDPR, but also a
good road map for U.S. privacy reform. As I understand these concepts,
``appropriate safeguards'' means that personal information will be
processed in ways that are lawful, appropriate, accurate, secure, and
not in ways that harm, expose, mislead, misinform, or manipulate
American consumers.\21\ ``Enforceable rights'' means that consumers can
make claims against companies regarding how their data is collected,
used, and disclosed, whether we are talking about rights of access and
correction, rights to prevent the sale or transfer of data for purposes
unrelated to the reasons the data was collected in the first place, the
placement of duties of care, loyalty, and confidentiality on companies,
or independent oversight of commercial uses of data by the FTC or a new
independent data protection agency. Finally, ``effective legal
remedies'' means that where consumers have legal rights, they can
actually vindicate those rights in court, which means private rights of
action (whether for damages or injunctive relief) that are not bogged
down by excessive administrative exhaustion requirements, corporate
mens rea requirements, broad statutory defenses and safe harbors, or
the difficulties of navigating standing doctrine.
---------------------------------------------------------------------------
\19\ Schrems 2 104 (``The assessment required for that purpose in
the context of such a transfer must, in particular, take into
consideration both the contractual clauses agreed between the
controller or processor established in the European Union and the
recipient of the transfer established in the third country concerned
and, as regards any access by the public authorities of that third
country to the personal data transferred, the relevant aspects of the
legal system of that third country. As regards the latter, the factors
to be taken into consideration in the context of Article 46 of that
regulation correspond to those set out, in a non-exhaustive manner, in
Article 45(2) of that regulation.''); GDPR Art. 46(1) (``In the absence
of [an adequacy] a decision pursuant to Article 45(3), a controller or
processor may transfer personal data to a third country or an
international organisation only if the controller or processor has
provided appropriate safeguards, and on condition that enforceable data
subject rights and effective legal remedies for data subjects are
available.'').
\20\ Schrems 2 103.
\21\ See Woodrow Hartzog & Neil Richards, Privacy's Constitutional
Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687 (2020)
(suggesting a range of safeguards for American privacy law).
---------------------------------------------------------------------------
This Committee has already generated draft bills that go a good way
towards meeting some of these requirements. For example, Senate Bill
2968, The Consumer Online Privacy Rights Act introduced by Sen.
Cantwell, would provide a variety of rights similar (and potentially
``essentially equivalent'') to those in the GDPR, like rights of
access, deletion, and correction, data minimization, data security
requirements to avoid harming consumers, and algorithmic impact
assessments.\22\ The bill would also provide a private right of action
for consumers injured by unlawful data processing, something that the
challenge of Schrems 2 seems to require.\23\ Senate Bill 2961, The Data
Care Act introduced by Sen. Schatz, is a bold and farsighted statute
that would place duties of care, confidentiality and loyalty on
companies that collect personal data as part of interstate commerce,
along with an expansion of FTC and state enforcement authority.\24\ I
am also a fan of some of the provisions of Title II of Senate Bill
4626, The Safe Data Act introduced by Chairman Wicker, which has
provisions for algorithmic bias detection, data broker registration,
filter bubble transparency, and, critically, abusive trade practices
stemming from manipulative interface design.\25\
---------------------------------------------------------------------------
\22\ S. 2968, 116th Cong. 1st Sess. (Dec. 3, 2019).
\23\ See id. tit. III.
\24\ S. 2961, 116th Cong. 1st Sess (Dec. 2, 2019).
\25\ S. 4626, 116th Cong. 2d Sess. (Sept. 17, 2020).
---------------------------------------------------------------------------
These three factors--appropriate safeguards, enforceable rights,
and effective legal remedies--are helpful guidelines as this Committee
goes about its work. They will be important regardless of whether this
Committee seeks an adequacy determination from the European Commission
to permit American companies to participate in the trans-Atlantic data
trade, whether this Committee wants to avoid another Schrems 1 or
Schrems 2, whether this Committee wants to give American consumers
equivalent protection under American law to that which EU consumers
received under the Privacy Shield, or whether this Committee merely
wants to pass a meaningful consumer privacy protection bill that
protects American consumers and provides clear but meaningful
protective guard rails for companies to stay within as part of the
digital economy.
With respect to this process going forward, however, let me be
clear about three essential features that I believe consumer privacy
reform in the United States must recognize. First, the model of
``notice and choice'' under which the United States has regulated
privacy for the past twenty-five years has been an unmitigated
disaster. Constructive ``notice'' through privacy policies and
fictitious ``choice'' through limited opt-outs have created both an
illusion of consumer control and enabled largely unrestricted data
aggregation.\26\ Our law has not given consumers control; it has
instead left them largely defenseless and able to be tracked, sorted,
harmed, discriminated against, marketed to, ideologically polarized,
and manipulated by private companies. Any meaningful privacy reform
that is ``consumer protective'' in anything more than name, must place
substantive limits on the ability of companies to collect, use, and
sell personal data without meaningful constraint.\27\
---------------------------------------------------------------------------
\26\ See, e.g., Neil Richards & Woodrow Hartzog, Taking Trust
Seriously in Privacy Law 19 Stan. Tech. L. Rev. 431 (2016); Neil
Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96
WASH. U. L. REV. 1461, 1463 (2019); Woodrow Hartzog & Neil Richards,
Privacy's Constitutional Moment and the Limits of Data Protection, 61
B.C. L. Rev. 1687 (2020).
\27\ See, e.g., Neil Richards & Woodrow Hartzog, Taking Trust
Seriously in Privacy Law 19 Stan. Tech. L. Rev. 431 (2016); Neil
Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96
WASH. U. L. REV. 1461, 1463 (2019); Woodrow Hartzog & Neil Richards,
Privacy's Constitutional Moment and the Limits of Data Protection, 61
B.C. L. Rev. 1687 (2020).
---------------------------------------------------------------------------
Second, as the European Court of Justice recognized, private rights
of action are an essential tool for vindicating legal rights. America's
next-generation privacy law should not authorize ``gotcha'' private
claims, or massively aggregated class action suits that risk ruinous
liability for technical violations. But it should provide what the
European Court of Justice calls both enforceable rights and effective
legal remedies, even if such remedies offer in some cases ``merely''
effective injunctive relief to prevent violations.
Third, and finally, I have concerns about bills that are broadly
pre-emptive of state causes of action. State legislatures and state
attorneys general have often valiantly protected consumer privacy
rights in the digital age in the absence of a general Federal privacy
law.\28\ They have invented new and needed legal protections like data
breach notification laws, which have spread throughout the country and
around the world.\29\ The great American jurist Louis Brandeis famously
referred to state regulatory experimentation as our ``laboratories of
democracy,'' \30\ and in this time of uncertainty and rapid
technological change, we should be reluctant to deprive ourselves of
this opportunity for regulatory innovation. Moreover, where state
private causes of action like negligence or the privacy torts are
sometimes the only form of relief available to plaintiffs, I believe
that it would be unwise for a Federal law to pre-empt state causes of
action, at least without providing equivalent Federal protections.
---------------------------------------------------------------------------
\28\ See Danielle K. Citron, The Privacy Policymaking of State
Attorneys General, 92 Notre Dame L. Rev. 747 (2017).
\29\ California passed the first data breach notification law in
2012. See Cal. Civ. Code Sec. Sec. 1798.29, .82, .84 (2012). Today, not
only do state data breach laws apply across the United States, but
Federal laws like the Gramm-Leach-Bliley Act (GLBA), the Health
Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-
Oxley Act also contain notification requirements, and even the GDPR has
incorporated this American legal invention into its comprehensive
regulatory scheme. See 16 C.F.R. Sec. 682.3(a); 45 C.F.R.
Sec. Sec. 164.308-.314; 16 C.F.R. Sec. Sec. 314.3-314.4; Alaska Stat.
Sec. 45.48.010 et seq. (2007); Ariz. Rev. Stat. Sec. 44-7501 (2013);
Ark. Code Sec. 4-110-101 et seq. (2004); Cal Civ. Code
Sec. Sec. 1798.29, .82, .84 (2012); Colo. Rev. Stat. Sec. 6-1-716
(2002); Conn. Gen. Stat. Sec. 36a-701b (2011); Del. Code Tit. 6,
Sec. 12b-101 et seq. (2011); Fla. Stat. Sec. Sec. 501.171, 282.0041,
282.318(2)(I) (2010); Ga. Code Sec. Sec. 10-1-910, -911, -912 Sec. 46-
5-214 (West); Haw. Rev. Stat. Sec. 487n-1 et seq.(2008); Idaho Stat.
Sec. Sec. 28-51-104 To -107 (2008) ; 815 Ill. Comp. Stat. Ann.
Sec. Sec. 530/1 to 530/25 (2008); Ind. Code Sec. Sec. 4-1-11 et seq.,
24-4.9 et seq.(2014); Iowa Code Sec. Sec. 715c.1, 715c.2 (2015); KAN.
STAT. Sec. 50-7a01 et. seq. (2008); Ky. Rev. Stat. Ann.
Sec. Sec. 365.732, 61.931 To 61.934 (West); La. Rev. Stat
Sec. Sec. 51:3071 et seq. 40:1300.111 To .116 (West); Me. Rev. Stat.
tit. 10 Sec. 1347 et seq. (2009); Md. Code Com. Law Sec. Sec. 14-3501
et seq. (2013), Md. State Govt. Code Sec. Sec. 10-1301 To -1308 (2007);
Mass. Gen. L. Sec. 93h-1 et seq. (2006); Mich. Comp. Law
Sec. Sec. 445.63,445.72 (2014); Minn. Stat. Sec. Sec. 325e.61, 325e.64
(2011); Miss. Code Sec. 75-24-29 (2014); Mo. Rev. Stat. Sec. 407.1500
(2014); Mont. Code Sec. Sec. 2-6-504, 30-14-1701 et seq. (2014); Neb.
Rev. Stat. Sec. Sec. 87-801, -802, -803, -804, -805, -806, -807 (2014);
Nev. Rev. Stat. Sec. Sec. 603.A.010 et seq., 242.183 (2013); N.H. Rev.
Stat. Sec. Sec. 359-C:19, -C:20, -C:21 (2009); N.J. Stat. Ann.
Sec. 56:8-163 (2012); N.Y. Gen. Bus. L. Sec. 899-Aa, N.Y. State Tech.
L. 208 (McKinney 2014); N.C. Gen. Stat. Sec. Sec. 75-61, 75-65 (2012);
N.D. Cent. Code Sec. 51-30-01 et seq (2008).; Ohio Rev. Code
Sec. Sec. 1347.12, 1349.19, 1349.191, 1349.192 (2004); Okla. Stat.
Sec. Sec. 74-3113.1, 24-161 to -166 (2014); Or. Rev. Stat.
Sec. 646a.600 to .628 (2011); 73 Pa. Stat. Sec. 2301 et seq. (2013);
R.I. Gen. Laws Sec. 11-49.2-1 et seq. (West); S.C. Code Sec. 39-1-90
(West); Tenn. Code Sec. 47-18-2107 (2014); Tex. Bus. & Com. Code
Sec. Sec. 521.002, 521.053 (2014), Tex. Ed. Code Sec. 37.007(B)(5)
(2013); Utah Code Sec. Sec. 13-44-101 et seq. (2010); Vt. Stat. Tit. 9
Sec. 2430, 2435 (2007); Va. Code Sec. 18.2-186.6, Sec. 32.1-127.1:05
(2012); Wash. Rev. Code Sec. 19.255.010, 42.56.590 (2013); W.V. Code
Sec. Sec. 46a-2a-101 et seq. (West); Wis. Stat. Sec. 134.98 (2009);
Wyo. Stat. Sec. 40-12-501 et. seq. (2007); D.C. Code Sec. 28-3851 et
seq. (2013); 10 Laws Of Puerto Rico Sec. 4051 et seq.; V.I. Code Tit.
14, Sec. 2208.
\30\ New State Ice Co. v. Liebmann, 285 U.S. 262 (1932).
---------------------------------------------------------------------------
III. Strong Privacy Safeguards Build Consumer Trust
The Schrems 2 litigation has certainly created problems for
American privacy law, but it has also created a pathway towards the
resolution of those problems, whether through an adequacy
determination, comprehensive privacy and surveillance reform, or both.
In the time that I have left, however, I would like to make one final
point, which is that as this Committee considers privacy reform, it
should give serious consideration to imposing some kind of duty of
loyalty on data processors. In my work with Professor Woodrow Hartzog of Northeastern
University, I have argued that the solution to the problems of American
privacy lies in building trust. Today we face a crisis of distrust. The
Snowden revelations created justifiable distrust when Americans and
Europeans across the political spectrum realized the scope of largely
unconstrained surveillance by the Intelligence Community. The Schrems
litigation is a further offshoot of this distrust by European
consumers, regulators, and judges. Distrust harms everyone--consumers,
businesses, and government. It most certainly is bad for business in
our modern data-driven economy.
There is a better way than our status quo of distrust. In a series
of articles, Professor Hartzog and I have sought to identify the
factors that could get us beyond the dangerous fiction of ``notice and
choice'' privacy regulation, and use privacy law to create value for
companies as well as protecting consumers. Our trust theory suggests
that companies who seek trust must be discreet, honest, protective, and
loyal.\31\ In a forthcoming article, we give greater detail to a duty
of loyalty for privacy law based on the risks of opportunism that arise
when people trust others with their personal information and online
experiences. Data collectors bound by a duty of loyalty would be
obligated to act in the best interests of the people exposing their
data and engaging in online experiences, but only to the extent of
their exposure. Loyalty would manifest itself primarily as a
prohibition on designing digital tools and processing data in a way
that conflicts with a trusting party's best interests. Our basic claim
is simple: a duty of loyalty framed in terms of the best interests of
digital consumers should become a basic element of U.S. data privacy
law. A duty of loyalty would compel loyal acts and also constrain
conflicted, self-dealing behavior by companies. It would shift the
default legal presumptions surrounding a number of common design and
data processing practices, and it would act as an interpretive guide
for government actors and data collectors to resolve ambiguities
inherent in other privacy rules. A duty of loyalty, in effect, would
enliven almost the entire patchwork of U.S. data privacy laws. And it
would do it in a way that is consistent with American law and
traditions, including its commitments to free expression goals and
other civil liberties. A duty of loyalty along the lines we suggest
would be a big step for American privacy law, but we think it would be
a necessary and important one if our digital transformation is to live
up to its great promises of human wellbeing and flourishing. It would
also be good for business over the long term. The relationship between
privacy and trust has been the subject of a lively and creative
academic literature.\32\ We also note with optimism that the duty of
loyalty is a topic of debate on this Committee, and we hope that this
Committee will take the duty of loyalty seriously as an opportunity to
protect consumers, safeguard responsible, sustainable commerce, and
allow the United States to once again become a leader in global privacy
norms.\33\
---------------------------------------------------------------------------
\31\ Neil Richards & Woodrow Hartzog, Privacy's Trust Gap, 126 Yale
L.J. 1180, 1183 (2017).
\32\ Neil Richards & Woodrow Hartzog, Taking Trust Seriously in
Privacy Law, 19 Stan. Tech. L. Rev. 431 (2016); Neil Richards & Woodrow
Hartzog, A Duty of Loyalty in Privacy Law, (Sept. 5, 2020) (unpublished
manuscript), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3642217;
Neil Richards & Woodrow Hartzog, The Pathologies of
Digital Consent, Wash. U. L. Rev. (forthcoming 2019),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3370433; Neil Richards &
Woodrow Hartzog, Privacy's Trust Gap, 126 Yale L.J. 1180, 1183 (2017);
Neil Richards & Woodrow Hartzog, Trusting Big Data Research, 66 DePaul
L. Rev. 579 (2017); Jack M. Balkin, Information Fiduciaries and the
First Amendment, 49 U.C. Davis L. Rev. 1183, 1185 (2016); Jack Balkin &
Jonathan Zittrain, A Grand Bargain to Make Tech Companies Trustworthy,
The Atl. (Oct. 3, 2016),
https://www.theatlantic.com/technology/archive/2016/10/information-fiduciary/502346/; Jonathan Zittrain,
Engineering an Election, 127 Harv. L. Rev. F. 335, 340 (2014); Lindsey
Barrett, Confiding in Con Men: U.S. Privacy Law, the GDPR, and
Information Fiduciaries, 42 Seattle U. L. Rev. 1057 (2019); Ariel
Dobkin, Information Fiduciaries in Practice: Data Privacy and User
Expectations, 33 Berkeley Tech. L.J. 1, 1 (2018); Cameron F. Kerry, Why
Protecting Privacy Is a Losing Game Today--and How to Change the Game,
Brookings (July 12, 2018),
https://www.brookings.edu/research/why-protecting-privacy-is-a-losing-game-today-and-how-to-change-the-game/;
Ian Kerr, The Legal Relationship Between Online Service Providers and
Users, 35 Can. Bus. L.J. 419 (2001); Daniel Solove, The Digital Person
(2006); Richard S. Whitt, Old School Goes Online: Exploring Fiduciary
Obligations of Loyalty and Care in the Digital Platforms Era, 36 Santa
Clara Computer & High Tech. L.J. 75 (2019); Kiel Brennan-Marquez,
Fourth Amendment Fiduciaries, 84 Fordham L. Rev. 611, 612 (2015);
Lauren Scholz, Fiduciary Boilerplate, J. Corp. L. (forthcoming 2020);
Ari Waldman, Privacy as Trust (2018); Ari Ezra Waldman, Privacy As
Trust: Sharing Personal Information in A Networked World, 69 U. Miami
L. Rev. 559, 560 (2015); Ari Ezra Waldman, Privacy, Sharing, and Trust:
The Facebook Study, 67 Case W. Res. L. Rev. 193 (2016); Christopher W.
Savage, Managing the Ambient Trust Commons: The Economics of Online
Consumer Information Privacy, 22 Stan. Tech. L. Rev. 95 (2019).
\33\ See Neil Richards & Woodrow Hartzog, A Duty of Loyalty for
Privacy Law, forthcoming 2021, available at
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3642217.
---------------------------------------------------------------------------
Conclusion
Thank you for giving me the opportunity to share my views on the
consequences of the Schrems 2 decision for privacy reform in the United
States. In sum, the Schrems litigation is a creature of distrust, and
while it has created problems for American law and commerce, it has
also created a great opportunity. That opportunity lies before this
Committee--the chance to regain American leadership in global privacy
and data protection by passing a comprehensive law that provides
appropriate safeguards, enforceable rights, and effective legal
remedies for consumers. I believe that the way forward can not only
safeguard the ability to share personal data across the Atlantic, but
it can do so in a way that builds trust between the United States and
our European trading partners and between American companies and their
American and European customers. I believe that there is a way forward,
but it requires us to recognize that strong, clear, trust-building
rules are not hostile to business interest, that we need to push past
the failed system of ``notice and choice,'' that we need to preserve
effective consumer remedies and state-level regulatory innovation, and
seriously consider a duty of loyalty. In that direction, I believe,
lies not just consumer protection, but international cooperation and
economic prosperity. Thank you.
Biography
Neil Richards is one of the world's leading experts in privacy law,
information law, and freedom of expression. He writes, teaches, and
lectures about the regulation of the technologies powered by human
information that are revolutionizing our society. Professor Richards
holds the Koch Distinguished Professorship at Washington University
School of Law, where he co-directs the Cordell Institute for Policy in
Medicine & Law. He is also an affiliate scholar with the Stanford
Center for Internet and Society and the Yale Information Society
Project, a Fellow at the Center for Democracy and Technology, and a
consultant and expert in privacy cases. Professor Richards serves on
the board of the Future of Privacy Forum and is a member of the
American Law Institute. Professor Richards graduated in 1997 with
graduate degrees in law and history from the University of Virginia,
and served as a law clerk to both William H. Rehnquist, Chief Justice
of the United States and Paul V. Niemeyer, United States Court of
Appeals for the Fourth Circuit.
Professor Richards is the author of Intellectual Privacy (Oxford
Press 2015). His many scholarly and popular writings on privacy and
civil liberties have appeared in a wide variety of media, from the
Harvard Law Review and the Yale Law Journal to The Guardian, WIRED, and
Slate. His next book, Why Privacy Matters, will be published by Oxford
Press in 2021.
The Chairman. Well, thank you all for excellent testimony.
I wish the testimony had made me more optimistic about a
solution, but I think it just confuses me a little more and
points out the complexity of what is before us. Ms. Espinel,
your organization submitted an amicus, but in a few words or
less, were you--whose part were you taking and were you
disappointed or delighted at the decision?
Ms. Espinel. We were taking the part of cross-border data
transfers. So, yes, we were invited to be an amicus along with
the U.S. Government and the European Commission in the case,
and we felt it was important to do so for two reasons. The
first is because our members believe so strongly in privacy
protection, but the second is because cross-border data
transfers are not just a software issue or a tech issue, they
are an issue for every company, no matter the size, no matter
the sector.
The Chairman. Were you advocating for the arrangement to be
upheld?
Ms. Espinel. Yes, we were advocating for it to be upheld.
But I do emphasize this point, not so much on behalf of our
companies, but on the behalf of the customers of our companies,
because they are--it is companies across the United States that
rely on cross-border data transfers, and so one of our main
points to the court was that this would have far reaching
ramifications for the U.S. and the European economy if it were
invalidated.
The Chairman. OK. And that certainly turns out to be the
case. Mr. Swire, what is significant about January 20 other
than it is inauguration day? There is no enforcement that kicks
in beyond that?
Mr. Swire. Well, there is no enforcement that kicks in. In
speaking to at least one litigator, I have heard an ominous
prediction that there may be court orders in Europe on one or
more major U.S. tech companies by that time, which would be--
that would grab some headlines and attention to the issue if
court orders like that came out. And there is an opportunity,
it seems, for Mr. Sullivan and the hard working people who are
working on those issues currently, in my dream world, to
imagine trying to get some kind of at least short term interim
way to have something happen.
When brand new people come in, it takes a little while to
get up to speed. I am assuming there are new people coming in.
And so the very up-to-speed people who are there now have a
particular opportunity to do something that would then lead to
easier chances for better some things after that date.
The Chairman. OK. There is no grace period. There is a
decision that went into effect immediately.
Mr. Swire. Right. Correct. Yes.
The Chairman. Are companies being hauled into court right
now?
Mr. Swire. There are numerous--I don't know--I am sorry.
There are multiple lawsuits in different countries that are
happening right now, yes.
The Chairman. OK, but do I take it that your position
before the decision is that the Privacy Shield agreement should
be upheld and left in place? Is that your position?
Mr. Swire. I believe the U.S. had essentially equivalent
protections and should have been found that way, but the court
disagreed with that.
The Chairman. It sure did. And then, Professor Richards,
you assisted the Irish government in this case, is that right?
Mr. Richards. That is correct, sir.
The Chairman. Good. And, what was their position with
regard to whether this should be upheld or not?
Mr. Richards. So the position of the Irish Data Protection
Commissioner--I was an independent expert, as was Professor
Swire. Under Irish procedure, experts tend not to be, to use
the colloquial term, hired guns the way they tend to be in
American litigation. So we took an oath to give the evidence
that we would give, say if Facebook or Ireland had retained us.
But the Irish Data Protection Commissioner took the position
that there were sufficient doubts about the legitimacy of the
Privacy Shield, of standard contractual clauses and by
extension Privacy Shield under European law, that she chose
after an investigation to seek a referral to the European Court
of Justice, which made the ultimate determination.
The Chairman. OK, now Mr. Phillips, was it you that--this
is all good testimony, by the way. Excellent job on a complex
issue. Who was talking about the comparative surveillance done
in Europe? That was you, was it not?
Mr. Phillips. Senator, I did refer to that.
The Chairman. OK, and are you saying that basically when it
comes right down to it, there is not really that much
difference in the way our intelligence services surveil as
compared to Europe?
Mr. Phillips. Senator, there have been a number of studies
by authoritative lawyers and academics here and in Europe, and
the bottom line has been that the practices that we engage in
from a National Security perspective afford just as many, if
not more, rights to U.S. citizens as rights afforded by
domestic law in member states of the EU.
The Chairman. And it seems to me that in resolving this
matter, that is going to be quite the sticking point.
Mr. Phillips. I think that is an important consideration,
absolutely.
The Chairman. Well, thank you all. And there will be other
rounds of questions, but this has been a great panel. Senator
Cantwell.
Senator Cantwell. Thank you, Mr. Chairman. Senator Peters,
do you need--do you have a time constraint? OK, thank you.
Well, this has been very helpful, I think. And again,
appreciate the opportunity for the hearing, Mr. Chairman, and
the witnesses. Mr. Richards, I am struck by this issue of trust
and distrust because I think there is so much of that in
practically every issue. But clearly, this one is a thorny one.
And so we do have to figure out a way to build trust again
because we are in the digital age and this won't be the last
issue or the last time we have to address this.
This is going to continue far into the future. This is the
era that we live in. And so I appreciate you mentioning our
efforts here in the Senate and our colleague, Senator Schatz's
effort on duty of loyalty too because I think that plays into
trust and the environment. On those factors that you mentioned,
appropriate safeguards, rights, and enforcement, Mr. Richards,
I am interested in this larger--so that is a good framework,
very important framework, and I believe in that framework. I
think that is the essential aspect of the framework, but over
here, somewhat out of control of Senator Wicker and I, is
Government surveillance.
And I want to hear what Mr. Richards, you say and other
people say about how we build trust on tackling our most
important National Security issues. So it is almost like
industry now is going to be hamstrung. We could fix these
issues, appropriate safeguards, rights, and enforcement, but
over here is going to be this large issue about data gathering
by the Government. And I want us to figure out how we are going
to move forward. So two examples, Senator Collins and I worked
with the former Secretary of Homeland Security, Jay Johnson, to
implement overseas borders. That was hard because you are
basically doing border security at overseas airports, but no
one wanted to turn over--you know, the United States was not
going to get access to European or whatever country we were in
data, but yet we had to figure out a system where we were both
going through potential security risks on our own data.
We figured that out. I know, for example, on some of the
National Security issues, there is alliance on software. So I
am pretty sure both in Europe and the United States, there are
foreign countries working together where on software security.
So we figured it out. So, Mr. Richards, what do you think those
security surveillance issues are that really aren't even within
our Committee jurisdiction, but that we have to figure out how
to build trust on so that we can resolve this issue so that we
don't have business in the digital era hung up on digital trade
because basically our two governments can't figure out how to
work together.
And if we can't figure out how to work with the Europeans,
I got news for you, we got problems. Like, we have got to
figure out how to work with the Europeans and to figure this
out. So, Mr. Richards, do you have a thought on that?
Mr. Richards. I do, Senator. I mean, obviously, this is a
very difficult problem. The question you have asked me, to
solve international surveillance cooperation in less than 2
minutes. But I will give it my best shot. I think some of the
other speakers, some of my co-panelists mentioned the
importance of privacy protections flowing with the data, and
also the importance, I think Commissioner Phillips mentioned
this, the importance of countries with shared values having
shared protections.
And I think it absolutely should be possible, I realize in
Washington should is often a very dangerous word, but I think
that it should be possible for countries, for the EU, the
United States, the country of my birth, the United Kingdom,
with shared commitment to the rule of law, shared commitments
to freedom of expression and privacy and democracy, shared
strategic and economic interests to cooperate, to extend rights
of redress to each other's citizens the way that the U.S.
Government did with the passage of the General Redress Act,
amending the Privacy Act in 1974 in order to try and save
Privacy Shield in the spring of 2017. I think extension of
rights and also cooperation, a coalescing on those privacy
protections that should travel with the data is.
Unfortunately, the United States used to be the leader on
commercial privacy in the early 1970s. It sort of abdicated
that to Europe. And now that the GDPR, fair information
practices model that the Europeans have, is the emerging global
market norm. But if the U.S. cooperated on that as well, I
think it could go a great deal toward solving the broader
problems of international cooperation on surveillance.
Senator Cantwell. I just want to follow up, so--I actually
think we might be able to achieve that. But then what are we
going to do about the fact that we don't control--well, Senator
Wicker and I do have votes on this in the larger body, but we
don't control these agencies and we certainly don't control
executive orders and the Presidential Executive Order. All we
can do is fight it and say that we think it is too broad. So
how--I am in agreement, we can solve our commercial issues.
I just don't know if we are still, if the commercial
industry is still going to get tethered to a national policy by
an Executive Branch that thinks that we need to go further.
Personally, I think we need way more transparency on the FISA
court. Look, these are--we blurred the line in the Patriot Act
and we just, we have got to do more due diligence here. So,
thank you, Mr. Chairman.
The Chairman. Yes. You have outlined a serious stumbling
block, Senator. I believe Senator Blackburn is next. Are you
there, Senator?
STATEMENT OF HON. MARSHA BLACKBURN,
U.S. SENATOR FROM TENNESSEE
Senator Blackburn. Yes, I am.
The Chairman. You are recognized for 5 minutes.
Senator Blackburn. Thank you, Mr. Chairman. And thank you
to our witnesses for being here and for the opportunity to have
this hearing today. Privacy Shield, as everyone is fully aware,
is something that continues to come up. We have got dozens of
companies in Tennessee that would be impacted. I had pulled a
list and it is interesting that the wide range of the companies
that would be impacted, adversely impacted without an
agreement.
And everything from a vitamin company to a software
company, to the Dollywood Foundation, to the Country Music
Association. So as we talk about trade, as we talk about
commerce, this is something that is important. I do appreciate
that Senator Cantwell brought up the issue of trust and
distrust as we look at this issue. But resolving it and getting
something in place is vitally important. So, Mr. Sullivan, let
me come to you first.
Let's say we are not able to negotiate an agreement. If we
do not get an agreement, then it seems like that data
localization may become the new norm. So I want you to speak to
what would be an adverse outcome?
Mr. Sullivan. Thank you, Senator, for the question. I guess
at the outset, let me make clear, you know, I alluded to the
three successful annual reviews that we have had since 2017,
where we sat down with the European Commission, the European
Data Protection authorities, and those are three very
successful internal reviews. And during that period, since that
period, before, during, and after those reviews, we have developed
very constructive, excuse me, and positive working
relationships with our partners in Europe.
I do want to note a couple of points. You know, we have
been talking about the Schrems II litigation since well before
the third annual review, which took place last October. There
has been a long-running argument about contingency planning. We
have been in constant regular contact with the Commission since
the ruling on July 16. Secretary Ross has reached out to a
number of high ranking EU officials.
And, you know, we are working urgently to resolve this
crisis because Privacy Shield, as you alluded to, is the most
cost effective and straightforward mechanism for SMEs. And as I
think I said, nearly 70 percent of the participants in Privacy
Shield are SMEs. And that is--again, that is across all sorts
of industries. We are not, again, talking just about digital
companies or big multinational tech companies. So, you know,
obviously our first priority is privacy----
Senator Blackburn. We are not talking about just digital
companies. I just went through the list. You know, you have got
Dollywood Foundation and the Country Music Association, CISAC,
a vitamin company, all of these different Tennessee companies.
But talk about data localization. And if we don't get
something, what does that mean and the impact? And then I would
like to have Ms. Espinel and others weigh in when you finish
your comment.
Mr. Sullivan. Of course. So, again, Privacy Shield, I just
want to be clear, 70 percent are SMEs with fewer than 500
employees. So we are extremely sensitive to that. And we do
recognize to your point, you know, in the hopefully unlikely
situation where we do not arrive at a new arrangement or an
enhanced Privacy Shield, you know, there are other mechanisms.
Obviously, the court upheld SCCs. We have worked with our
inter-agency partners to put out a White Paper to hopefully
help companies make these case by case assessments.
On your question, with respect to data localization. That
is a very significant concern for us. My team has been engaged
with Europe, but also in countries around the world on this
issue. And quite frankly, it is not a perfect solve. It is
exceedingly expensive, even for our large companies that will
effectively freeze out SMEs in many of the companies that you
are talking about from access in the EU market.
And quite frankly, it doesn't work at the end of the day.
It is simply--beyond the expense factor, trying to keep EU
personal data in Europe effectively undermines the business
models of the vast majority of companies that operate this way
internationally. And so that is not, at the end of the day, a
viable solution. And if I could----
Senator Blackburn. Ms. Espinel--I don't want to run out of
time. Do you have anything to add on that?
Ms. Espinel. I would say that the organizations that he
talked about music, country music--the organizations that you
mentioned, the Country Music Association, the vitamin company,
they are on that list they were certified under the Privacy
Shield because they have employees or customers or suppliers in
Europe. And if they--if data localization goes into place and
they are not able to access that, that means that they are not
going to be able to operate effectively either.
They will be operating at greatly increased cost or they
won't be able to operate in Europe at all. So the implications
of data localization are very significant for those
organizations, but for organizations including many small and
medium sized businesses across the United States.
Senator Blackburn. Right. You are changing their business
model through no fault of their own. Alright, Mr. Phillips,
anything to add?
Mr. Phillips. I agree with what both of my co-panelists
said. I also just want to add, data localization isn't good for
privacy. It isn't good for data security. It doesn't serve all
of these other functions in addition to all the cost that it
imposes on businesses and nonprofit organizations.
Senator Blackburn. Alright. Mr. Richards?
Mr. Richards. Sorry, Senator, I was struggling with my mute
button. Data localization absolutely would be bad, and I think
the key, as a number of the other witnesses have pointed out,
is to find some way to harmonize the law. The Europeans, as
Professor Swire pointed out quite correctly, treat this as a
matter of constitutional law.
They believe that just as when they come to the United
States, they may go to Dollywood on vacation, that they expect
that their constitutional rights travel with them just the same
as you or I would expect that our constitutional rights would
follow us if we went to Europe. And I think because the U.S. is
in a sense importing the data like a tourist, the Europeans
expect that their rights are guaranteed.
And I think this is not--this is a hard problem, but this
is not an irresolvable problem because of our shared traditions
and commitments to the rule of law, democracy, and fundamental
rights.
Senator Blackburn. Mr. Chairman, thank you. Yield back.
Senator Thune [presiding]. Senator Blumenthal is up.
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thanks, thanks very much, Senator
Thune. As you probably know, all of you, this committee has
spent a good deal of time and effort over the last two years on
consumer privacy, and I appreciate the leadership of the
Chairman and Ranking Member. And I am grateful for the
collaboration of Senator Moran.
We have worked together on this issue, given California's
passage of Proposition 24 and the change of Administration.
This is an area where I think we can make significant
bipartisan progress in the next Congress, obviously not this
one. I have been fighting for consumer privacy for many, many
years as Attorney General before I assumed this office and I
want to see a strong Federal law enacted. And I believe it is
possible. This absence of consumer protections is part of the
reason we have this dispute with the European Union.
The United States and the EU need and have needed a Privacy
Shield in the first place because the EU determined that our
consumer privacy protections in this country are inadequate, as
a safeguard to personal data. So our lack of consumer
protection in this country for Americans' private data, also
harms American businesses that want to operate in Europe.
All five of you are respected privacy experts and all of
you called for a Federal consumer privacy law. I thank you for
your advocacy. And I would like to know more definitely from
each of you, what role does the United States' lack of consumer
privacy law play in our negotiations with Europe on cross-
border data transfers? Would having a consumer privacy law for
the United States help end the cycle of Europe striking down
data transfer agreements? Maybe begin with you, Mr. Sullivan.
Mr. Sullivan. Thank you for that question, Senator. Just a
couple of points, if I could. The adequacy model that has been
adopted by the EU since about 1995 has to date yielded about 12
adequacy determinations. There are only 12 jurisdictions in 30
years that have been acknowledged as adequate by the EU. At the
same time, there is today no globally accepted standard or
definition of data privacy and no multilateral agreement on
these issues. And so I think that is going to continue
regardless of whether or not there is an omnibus Federal
privacy law that will remain to be seen.
But specifically with regard to the situation we are in
after Schrems II, that ruling focused exclusively on Government
access to data. And the court did not in any way question
Privacy Shield's protections with regard to commercial
collection or uses of data. And while I think that potential
Federal data privacy legislation would likely be very well
received by the EU, it will not address the immediate concerns
that we are dealing with around the National Security issues
cited by the court in Schrems II. Again, I think, you know, I
will speak in my position with the International Trade
Administration.
We are seeing a proliferation of different national laws
around the world. Some are taking their inspiration from GDPR.
That is not a guarantee of adequacy. You have a law in India,
for example, that sought to emulate GDPR in many ways. Each
Nation has different cultural traditions, legal traditions,
backgrounds, priorities. Brazil, similarly. So while I think it
could help atmospherically and it would probably be very well
received by our friends in Europe, it is not a guarantee. Thank
you.
Senator Blumenthal. Thank you. Mr. Phillips.
Mr. Phillips. Thank you, Senator, for the question. Let me
just begin by agreeing, of course, the Schrems II decision is
about National Security. There is no guarantee that would come
from a privacy law. And as I said in my written statement and in my
oral testimony, while we don't have a law, I think that our
privacy enforcement is better than any in the world and more
impactful than any in the world. That said, I do think a law
will help.
I think first, if we are going to do the interoperability
between countries of data flows, having one law is a better way
to handle that on an international basis rather than having to
deal with different jurisdictions. The second, as we have heard
from all the panelists atmospherically, I think it does help.
Third, I think there are aspects of a privacy law that you and
your colleagues, and I thank you for your leadership on this,
have contemplated that would help a lot of entities.
For instance, removing limitations on the FTC's
jurisdiction with respect to common carriers and nonprofits
will allow those entities to participate in whatever new
Privacy Shield resolution that we might have because all of a
sudden their obligations would flow through us. So I do think
it would be a helpful thing.
Senator Blumenthal. Thank you. Ms. Espinel.
Ms. Espinel. Senator Blumenthal, thank you for the
question. I just want to thank you for your years of leadership
and dedication on privacy legislation. So I agree. I believe
that privacy legislation would be a very positive signal to the
Europeans. I want to emphasize that I think we need Federal
privacy legislation regardless of the situation that we are in,
even if the Privacy Shield had not been invalidated.
We need it for U.S. citizens so that you have strong,
enforceable privacy protections across the United States, and
strong obligations on companies. But I also believe that it
would be a positive signal and would be a benefit to the
negotiations.
Last, I just want to say I also believe strongly and would
encourage this committee to think about the long term issue of
whether or not we can reach some sort of consensus with at
least like-minded countries that share our values on
intelligence gathering practices, because I believe that is
really critical to finding a long term sustainable solution.
Senator Blumenthal. Thank you very much.
Senator Thune. Thank you, Senator Blumenthal.
Senator Blumenthal. Thank you.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Commissioner Phillips, after the passage of
the EU's GDPR, the flow of data between the U.S. and the EU has
become less stable and subject to much debate. Would a single
national data privacy law in the United States be beneficial to
help resolve some of the policy differences between the EU and
the United States?
Mr. Phillips. Yes, Senator.
Senator Thune. And Mr. Sullivan, do you agree with that?
Mr. Sullivan. Yes, short answer.
Senator Thune. Short answer----
Mr. Sullivan. The short answer is yes.
Senator Thune. OK, good. Mr. Sullivan, what kinds of
businesses and industries rely upon the Privacy Shield
framework? And can you talk about the importance of the need to
transfer data across borders?
Mr. Sullivan. Of course. So at the time of the ruling on
July 16, there were nearly 5,400 companies. As I think I have
said before, nearly 70 percent of those companies participating
in the Privacy Shield program were small and medium sized
enterprises with fewer than 500 employees.
The reason for that was because it was a cost effective
mechanism, far less administratively burdensome and costly than
some of the other options, such as standard contractual clauses
or binding corporate rules, which are largely used by large
multinationals. The participants in Privacy Shield were again
from across industry.
We are talking about small manufacturers, we were talking
about agricultural producers, other small businesses in a
variety of industries. So, again, just I know I am a bit
repetitive, I want to underscore we are not simply talking
about large multinational tech companies or digital firms.
Everyone has to transfer data these days across the Internet,
HR records, for maintaining their international networks,
etc. So it is a broad swath of U.S. industry.
Senator Thune. Thanks. Commissioner Phillips, at a hearing
earlier this year Chairman Simons stated that the FTC intends
to make companies fulfill the promises made under Privacy
Shield. Has the Commission brought enforcement actions with
regard to Privacy Shield since the time the European Court of
Justice invalidated the EU-U.S. Privacy Shield?
Mr. Phillips. Senator, I am a little bit lost on the
timing, but I believe the answer is yes in the RagingWire case.
The enforcement that we do on Privacy Shield is under our
Section 5 deception authority. And what it means in the main is
if you are making material statements to consumers and you
violate those statements or, right, you are deceiving those
consumers, we can go after you. So representations that they
are making with respect to participation in, or following the
guidelines of the Privacy Shield, come under that rubric. And
we are going to continue to enforce against companies that
don't live up to their commitments.
Senator Thune. Good. Ms. Espinel, the cross-border transfer
of data is, as has been pointed out, vital to our economy. As
the U.S. and the EU work to develop a successor, I should say,
to the Privacy Shield, are there safeguards the U.S. should be
giving consideration to?
Ms. Espinel. Thank you. So I think in terms of the
negotiation on the enhanced Privacy Shield, I don't believe we
need a total overhaul of the Privacy Shield. I think there are
some targeted reforms that could address some of the issues
that were raised specifically by the court. And we are very
supportive of the work that the Department of Commerce and the
U.S. Government and the European Commission have been doing
together. I will say, as I have said before, I think longer
term, having the United States work with a group of democracies
that share our values to try to come to a consensus on
intelligence gathering practices is critical to long-term
sustainability.
But in terms of the immediate, urgent, short-term need for
an enhanced U.S. Privacy Shield, I think there are targeted
reforms that I believe, obviously Mr. Sullivan could speak
better to this, but I believe could be addressed in the
negotiations between the United States and the European Union.
Senator Thune. Mr. Swire, what effect would the emergence
of data localization requirements in the EU have on Americans'
National Security?
Mr. Swire. On National Security--well, in my testimony I
refer to previous work that I have done with others on data
localization, and we hope to have more information about that
by the end of the month published. For National Security, one
of the problems would be cybersecurity in the following way.
When currently, if you are trying to figure out where the bad
guys are coming from, you have global flows among the defenders
to make sure that we are getting a good view of where the bad
guys are coming from.
And if the data cannot come from Europe to the rest of the
world, then the bad guys know they just have to route it
through Europe. So we are going to have a discussion at the
National Academy of Sciences on December 11 specifically about
the effects on cybersecurity, which affects U.S. National
Security, affects corporate security. And this is something
that has not been brought up but is really deserving a lot more
attention, the effects on cybersecurity.
Senator Thune. Mr. Chairman, thank you.
The Chairman. Thank you, Senator Thune. Senator Peters.
STATEMENT OF HON. GARY PETERS,
U.S. SENATOR FROM MICHIGAN
Senator Peters. Thank you, Mr. Chairman. Mr. Swire, I want
to follow up on the question that Senator Thune asked you,
because it seems like if eliminating the Privacy Shield, that
that could possibly result in the global adoption of data
localization, and I know data localization is the hallmark of
both Russian and Chinese efforts to centralize and surveil
valuable streams of data, something we always have to be
conscious of.
And I am Ranking Member of Homeland Security Committee here
in the Senate, and I am certainly committed to protecting
National Security. And as you were saying, it is something that
we need to focus on because it has potential to undermine our
security interests. What specifically should we be doing to
address this because I am concerned about it?
Mr. Swire. Well, one thing is to have people in Europe
understand how serious and how difficult it is to even try to
build data localization. It is a much more thoroughgoing
revision of every company's IT system than most people have
seen. In a 1998 book, we have had multiple chapters about data
localization even back then with about 40 categories of serious
effects. And that is linked to in my testimony. And one of the
examples is the global financial system, which we rely on for
so many things, including, you know, ongoing secure commerce.
There are massive data flows of personal data every day
between countries for regulators to oversee banks, among other
things. And if there is really data localization, we lose the
ability to have an integrated global financial system. That all
by itself could be a hearing that really was worth a lot of
attention, perhaps in a different committee, but it illustrates
how thorough the interruption would be if really data
localization happens from Europe.
Senator Peters. Right. Well, thank you. My next question
relates to small business. Ms. Espinel, I would like to ask
this question of you. And I think, Mr. Sullivan, you were
dealing with small business. I am going to follow up with a
question for you related to this too. Because I was walking in
so I wasn't sure of the question, but your answer is probably
related to what I want to talk about. But in our increasingly
connected world, certainly small businesses like
manufacturers or retailers, as was mentioned, rely on the free
flow of information.
In fact, 70 percent of the companies that have certified
under Privacy Shield are small or medium sized businesses, and
they simply can't afford to store data overseas, especially
those small businesses. Of those companies we have identified,
993 companies in Michigan alone fall into this category. So if
you could tell me the lack of certainty on international data
transfers, how is this going to impact small businesses
immediately? And are there steps that we can take here in
Congress to address it? How do we mitigate that?
Ms. Espinel. So I think it is an immediate concern. I mean,
I think it is worth noting that there are other transfer
mechanisms that are still in place. So the standard contractual
clauses were left in place by the court and we are very pleased
that that is the case. So there are still other transfer
mechanisms between the United States and Europe. That said, the
Privacy Shield was the simplest and the least costly of all the
transfer mechanisms.
So for small businesses in particular, having the Privacy
Shield invalidated is a real concern. Standard contractual
clauses are positive in the sense that they can offer very
strong privacy commitments to consumers, but they are more
complicated, they are more resource intensive, so they are more
difficult by definition and therefore more difficult for small
businesses. And as you pointed out, small businesses are 70
percent of the companies that are certified under the Privacy
Shield.
And so, we believe that having an enhanced EU-U.S. Privacy
Shield, having a Privacy Shield agreement back in place that
small businesses can take advantage of, is of critical
importance.
Senator Peters. Thank you for that answer. And Mr.
Sullivan, I know you are concerned about this as well. And my
focus--you know, U.S. small businesses are U.S. innovation and
our innovators that really rely on these data flows,
particularly when you think of technologies like artificial
intelligence and the need for data sets to deal with that.
Talk to me about some of the legal uncertainty for
international data transfers that are going to impact tech
startups, particularly in the innovation sectors. If so, how?
And any other ideas of how we need to deal with that?
Mr. Sullivan. Certainly, Senator, and thank you for the
question. We have all talked about how important Privacy Shield
is for SMEs. We have just heard again about how difficult some
of the other options are, SCCs and BCRs, binding corporate rules,
which can take up to a year and cost upwards of $1 million,
which is just not an option for small startups, tech or
otherwise. Which is why, you know, we are working so urgently
to develop an enhanced Privacy Shield to address the enormous
uncertainties that now exist and do so quickly because of these
uncertainties.
You know, some can avail themselves of SCCs. And although
there are now some significant questions about their viability,
we have put out a White Paper to help companies so that they
can help or they can make these case-by-case assessments that
have since been required by the Schrems II decision, before
they send data to the United States. But I think, you know, one
thing I do want to touch on that others have spoken to, you
know, we have heard a lot today about the need for perhaps a
broader discussion among like-minded democracies. I do want to
emphasize that we have, my team at the International Trade
Administration in concert with others across the interagency,
have been engaged with the European Union and other democratic
countries in a number of different multilateral discussions
about developing principles and common practices.
There is an effort underway right now in the OECD to do just
that around, can we arrive at common principles when it comes to
Government access to data? And in our view, it is
critical that democracies come together to articulate shared
principles, primarily not exclusively, to help make clear the
distinction between what democratic societies do and how we
respect civil liberties and the rule of law versus what we see
authoritarian countries do with their growing surveillance
ambitions to surveil, manipulate, and control their own
citizens and others around the world with zero regard to
privacy or civil liberties.
And so we are really approaching this situation, and again
SMEs are a priority for us. Many big companies can avail
themselves of all the different mechanisms that are step one
with Privacy Shield. The other thing I do want to note with
Privacy Shield, you know, if we get it back up and running
soon, what Privacy Shield did was it took the protections and
redress mechanisms in the context of Government access to data
and said these apply not only to companies that participate in
Privacy Shield but to data transfers pursuant to any EU
approved data transfer mechanism.
Now, since the ruling, what you have is a situation where
companies are now stuck with this incredibly onerous burden of
having to do case-by-case assessments. If we get a Privacy
Shield framework back in place, that will alleviate all
companies of all sizes of this onerous burden of having to do
these case-by-case assessments of countries' National Security
regimes. 1
And so I just want to emphasize we have a number of
different work streams on this beyond just the discrete issue
of trying to come up with enhancements on Privacy Shield. Thank
you.
Senator Peters. Thank you so much. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Peters. Ms. Espinel,
lawsuits are being pursued even as we speak against your member
companies. Is that correct?
Ms. Espinel. I am not aware of any lawsuits that are being
prepared against my member companies, against the enterprise
software industry that I represent, and it is helpful and we
were pleased that other transfer mechanisms like the standard
contractual clauses were left in place by the European Court of
Justice. And our companies use the standard contractual clauses
to transfer data. However, as we have discussed, standard
contractual clauses are much more difficult, much more costly,
more complicated, resource intensive way of transferring data.
And therefore, we believe it is urgent that a new Privacy
Shield be put back in place, both for the benefit of the small
and medium sized businesses which we have discussed quite a bit
because of the difficulty and resource intensive nature of the
standard contractual clauses, but also because even for the
standard contractual clauses, they will be more stable and more
solid if there is an enhanced U.S.-EU Privacy Shield agreement.
The Chairman. Sure. Well, who can enlighten the Committee
on the degree to which lawsuits are being filed now since there
is no grace period? Mr. Swire?
Mr. Swire. I could try a little bit. There has been public
reports in Ireland of ongoing court proceedings, specifically
about Facebook. There have been suits filed------
The Chairman. In Irish courts?
Mr. Swire. Yes, sir.
The Chairman. OK.
Mr. Swire. They are national courts that--currently they
are not being appealed up to the European wide court system
yet. There have been public reports about a suit in Germany
against Amazon. And in talking to one litigator who works
specifically in that area, I was told there are other suits,
but I don't know exactly what the details are.
The Chairman. In those cases, do insurance carriers step
forward and represent the companies? Defend?
Mr. Swire. I am not aware of that--is not--a lot of it has
to do with company conduct and whether the conduct is lawful or
not. And so large companies would probably defend themselves.
The Chairman. So well, OK.
Mr. Swire. But they are facing fines----
The Chairman. Is it possible for companies to purchase
insurance coverage to mitigate against these types of actions?
Mr. Swire. I am aware of many kinds of cybersecurity
protection that are in place for data breaches. I have not
heard, and I work a lot in the sector, of any significant
insurance for fines for privacy violations.
The Chairman. OK. Senator Schatz, are you there? I think
Senator Schatz----
STATEMENT OF HON. BRIAN SCHATZ,
U.S. SENATOR FROM HAWAII
Senator Schatz. Sorry, Chairman, I am here.
The Chairman. Yes, sir. You are recognized, sir.
Senator Schatz. Thank you, Chairman. And thanks to all the
panelists for a really constructive hearing. I want to start
with Mr. Richards. You know, the Schrems decision highlights
why the United States needs a strong data privacy Federal
statute. And I, of course, believe that we need a duty of
loyalty and care in Federal law. And I would like you to
comment on how duties of loyalty and care could complement the
privacy principles in the Privacy Shield and European privacy
law without doing violence to our conception of freedom on the
Internet and the United States?
Mr. Richards. That is a great question, Senator. If I could
just respond to the last question the Chairman asked about
lawsuits. In my written testimony, I did cite an Irish
newspaper which is reporting on the Facebook proceeding where
the data protection commissioner has proceeded to try and
pursue the Schrems II ruling to stop data flows from
Facebook Ireland to Facebook U.S., which it is not the kind of
risk you can really insure for if the data flows are the
business itself.
With respect to your--Senator Schatz, and thank you very
much for asking, one of the problems with the European
approach, which incidentally was invented, as I am sure the
Senator knows, by the U.S. Government in a Department of
Health, Education and Welfare in 1973--so these GDPR rules that
we are talking about, as if they are foreign law, were
actually invented by the U.S. Government. They tend to be
procedural. They tend to say basically, here is how you process
data. If you want to do it, these are the steps you have got to
go through. But by and large, they provide a pathway for doing
so.
And while data protection rules notice choice, access,
consent in appropriate circumstances, legitimate interests,
onward transfer are going to be a necessary part of any robust
transatlantic or domestic or European framework, what we need
to have are substantive rules. Senator Schatz, you said in the
September hearing I believe to Commissioner Kovacic that a duty
of loyalty isn't that big of a burden because good companies
already know how good business means being loyal to their
customers.
And actually a duty of loyalty that requires putting your
customer's interests ahead of your own in the short term is
good for sustainable long term business. And actually, the
companies that are being loyal when they are not required are
actually at a competitive disadvantage from the bad guys that
act in ways that are disloyal, that manipulate their customers
that mislead them, that send them misinformation, that expose
them to insecure and unfair data practices.
Senator Schatz. So I think you make a really important
point. And I, for the life of me, don't understand the
resistance to duty of loyalty other than Government relations
folks feel that their job is to kill everything and lawyers
feel that anything that may be unclear and needs to be
elucidated over time or even a statutory obligation that has to
be elevated to the board level is inherently a risky
proposition.
But as you are--as we see, doing nothing is riskier than
anything for your customers, for the Shield problem, and for
the prospect of 50 different states enacting 50 different
statutory frameworks. And so it seems to me that the cleanest
way to move forward is not just to enact--of course, everyone
thinks they are the cleanest way to move forward is to enact
their legislation. But it does seem to me that we have to
legislate at the conceptual rather than procedural level and
empower expert agencies to implement the statute through
rulemaking or even the adjudication of individual cases. So
talk a little bit more about how notice and choice would be
insufficient, not just from a consumer protection standpoint,
but from the standpoint of solving our Shield problem?
Mr. Richards. Notice and choice are wholly inadequate. They
basically are--the way they have been implemented in U.S. law,
with apologies to Commissioner Phillips and his agency, which
has done fine, fine work with limited tools over the years, but
the notice and choice framework has been a catastrophic
failure. The notice that consumers receive is fictitious. Do
you read privacy policies? Right. There was a study
that it would take 76 days to read all the privacy policies, just
to read them, of the websites that we encounter in a year----
Senator Schatz. I just think--I think that everything on
my--I was just setting up Apple TV and I just agreed to
everything without reading it like everybody does.
Mr. Richards. So do I, Senator, and that is precisely the
point. We have no choice and that is the other fault with
notice and choice. If we want to participate in the modern
world, we have to accept these terms and conditions as they are
given, as they are unread. And often we don't have a choice at
all. In the pandemic, we may have a choice over our streaming
service but we don't have a choice over a cable company. We
don't have a choice over the learning management system or the
video conferencing system that our children's schools are
using.
And so what has happened is that notice and choice have
been an insufficient check on bad actors in the market and they
have given consumers resignation. And it dumps the work onto
consumers, work they cannot possibly hope to achieve, and then
it performs a masterful trick of making consumers feel bad and
blame themselves for consenting to privacy policies when they
didn't actually have a meaningful choice in the first place.
Sorry, sir.
Senator Schatz. Thank you. Let me just move on to
one final question for you, Deputy Assistant Secretary
Sullivan, on the transition. Have you been meeting with the
Biden, Harris transition team? What is the frequency of those
meetings? What is the extent of your sharing information as we
move into the next phase and a transition to a new
Administration?
Mr. Sullivan. Thank you, Senator, for that question. As I
noted at the outset, I oversee the Office of the Digital
Services Industries. We have three teams. I will tell you that
each of those teams has met on multiple occasions with transit
at the agency review team at Commerce. We also prepared a
transition memo that was intended to bring everyone up to date
on the state of play with the litigation and the various lines
of work we have, again, around Privacy Shield, standard
contractual clauses, our multilateral efforts, and a variety of
different venues be it OECD, the G20, etc. So my understanding
is they are being kept fully apprised of our activities and our
engagement with the Commission, the EDPB, and others and the
member states in Europe.
Senator Schatz. Thank you very much. Thank you, Mr.
Chairman.
The Chairman. Thank you, Senator Schatz. Let me ask you,
Professor Richards, where is there a working duty of loyalty in
place in law somewhere that we can look to?
Mr. Richards. That is a great question, Senator. As an
academic, I feel obligated to plug an article that Dr. Hartzog
and I have written called ``A Duty of Loyalty for Privacy Law''
that explores this in great detail. But to answer the question
very specifically, duties of loyalty have been a part of the
Anglo-American common law for centuries. We often see them in
fiduciary relationships and in corporate law. We tend to see
that whenever there is vulnerability, whenever one party
exposes itself to another for combined interests. And frankly,
Senator, Mr. Chairman, that is precisely what we see with large
platforms in the Internet economy. We need to have use it to
expose ourselves to these companies in order to send e-mail, to
engage in transcontinental videoconferencing like we are doing
right now, to educate our children, and for so many other ways.
I think one other place we can look for duties of loyalty,
I think it is very interesting and very gratifying and
encouraging to me that all three of the pending bills that were
introduced, bills that we have talked about in today's hearing,
your SAFE DATA Act, Senator Schatz's Data Care Act, and Ranking
Member Cantwell's COPRA, all of them either talk about loyalty,
or in the case of Title II of your bill, provide loyalty like
protections against manipulation, against filter bubbles,
against algorithmic discrimination, and against the
manipulative--and against experimentation and manipulative use
of design against consumers.
The Chairman. And the point that I would make is that when
we are able to be specific in those instances, then we are
getting somewhere, but beyond that, it is hard actually to
define such a duty. I am going to let you expand your answer on
the record, if you would like. And I may submit some questions
for the record. This study that you and Dr. Hartzog did, when
was that published, sir?
Mr. Richards. It has not yet been published, but it has
been circulating on the website where academic work is.
A draft has circulated since the summer.
The Chairman. Can you circulate it to somebody on my staff?
Mr. Richards. I believe I already have, but I would be
delighted to do it again, sir.
The Chairman. I would much appreciate that. Senator Scott.
STATEMENT OF HON. RICK SCOTT,
U.S. SENATOR FROM FLORIDA
Senator Scott. First of all, I want to thank Chairman
Wicker for hosting this hearing, and I want to thank each of
you for being here today. My first priority is to ensure the
privacy and security of American families. Also making sure we
have an environment where businesses can thrive. Right now, our
Nation is facing threats from all across the world. We have
adversaries like the Communist Party of China that continue to
steal our data and technology, and force companies in China to
turn over any user data their government wants.
Chinese backed companies like Huawei will hand over any
sensitive data, including medical records, financial
information, and social media accounts if they gain access to
our markets. My colleague, Senator Cotton, introduced a bill
which I support that would permanently prohibit the U.S. from
sharing intelligence with countries that give Huawei access to
their 5G networks. We have to do everything we can to provide
Americans their information--protect Americans' information and
our National Security. Mr. Phillips, what enforcement
measures and oversight should be in place to ensure
companies operate in the United States with access to personal
and personal identifying information, disclose to the user
where the company is housing the data?
Mr. Phillips. Thank you, Senator Scott, for your question.
To my mind, it is a question about materiality, what matters to
those consumers. And I do think it is very well within
Congress's purview to consider that question and to legislate
upon it. I think increasingly, as we live in a globalized
world, these kinds of questions where the data are, are
important questions. But it is important to note that China has
data localization.
And it is very important, as we have all been discussing,
for the liberal democracies of the world that have a more open
approach to Internet governance to find a path forward
together.
Senator Scott. Thank you. When entering international
privacy agreements, how do we ensure the U.S. places Americans'
privacy interests first? Mr. Phillips.
Mr. Phillips. Thank you, Senator. We don't, at the FTC,
negotiate the privacy agreements. What we do is provide, in my
view, a very important backstop. And that is when companies
make commitments that they are participating in those
agreements, make commitments about what they do as part of
those agreements where they violate the law, where they make
statements that aren't true that matter to consumers, we can
bring enforcement actions against them. And that is what we
have done for years.
Senator Scott. So what do you think about requiring online
retailers to disclose more information like where data is
housed or where products are produced?
Mr. Phillips. I would have to give a little bit more
thought to whether and to what extent that is material to
consumers. I do think over time that is an increasing concern
and it is definitely something within Congress's purview.
Senator Scott. I can't imagine why we don't know where
Amazon and Wal-Mart don't tell us where products are made,
where services are provided, or where apps are created. So what
do you think is the biggest safeguard that should be put in
place to protect our data better?
Mr. Phillips. Well, I think we have all been talking about
for purposes of Americans and their privacy, a privacy bill.
The difficulty we are facing today is in part or in large part
to do with the European courts vis-a-vis our practices, not on the
consumer side, but on the National Security side. And I do
think as we have these discussions moving forward, as I said in
my testimony, we do want to understand and defend American
values, and we don't want our security not to be an important
part of that conversation.
Senator Scott. Thank you. Thank you, Mr. Chairman.
The Chairman. Thank you very much. This has been a very,
very informative hearing, and some very talented and
knowledgeable witnesses. I thank all five of you. And at this
point we will close the hearing. Oh, Senator Rosen.
STATEMENT OF HON. JACKY ROSEN,
U.S. SENATOR FROM NEVADA
Senator Rosen. Yes, I am here and I know I
am always the last one, but I am waiting. I am here.
The Chairman. Well, why don't we recognize you for 5
minutes then?
Senator Rosen. Well, thank you, my friend. I appreciate it.
And I appreciate this hearing. It has been really informative.
And I want to talk about the importance of small business, of
course. So Nevada is home to more than a quarter of a million
small businesses. Small businesses are the driving force that
powers my state's economic engine. But unfortunately, this
pandemic has dealt business owners unprecedented challenges and
obstacles. We need to be doing all we can to ensure that our
small and medium-sized businesses can survive this pandemic and
receive the resources and support they need to compete both
domestically and internationally. Nevada based companies that
conduct business outside the U.S. depend on agreed upon
frameworks that ensure they are adhering to their international
client's home country rules and regulations, including those
related to data protection and security.
So actually, there are over 30 companies in Nevada that
depended on the now invalidated Privacy Shield. The framework,
of course, that allows for the transferring, processing, and
storing of personal data from the EU to the U.S. Businesses
such as game development firm Play Studios, and software
company Action Verb that are headquartered right in Las Vegas.
So unfortunately, it is quite small size and medium-sized
businesses that have had the most to lose if the EU and the
U.S. aren't able to reach a new agreement.
Larger businesses with large compliance departments, they
will really have the upper hand, and it gives them a big
competitive edge over the smaller firms, not just in Nevada but
across the country. So to both Ms. Espinel and Mr. Sullivan,
before the adoption of Privacy Shield, there was a different
mechanism that enabled personal data transfers from the U.S. to
the EU until it was also invalidated by European court in 2015.
With that in mind, as we look to a new Administration and
future talks with our EU partners, what issues do we as
policymakers need to address to deal with the underlying
intelligence gathering concerns that have plagued these
frameworks so we just don't end up in the same place over and
over again?
Mr. Sullivan. Thank you, Senator, for your question. Just
to reiterate, maybe add a few more details to your point on
SMEs, I want to make sure everyone has a sense of just how cost
effective Privacy Shield is. And as you noted, its
predecessor's framework, Safe Harbor was. Right now, the fees
or the fees at least up until Schrems II for participation in
the program, are based on your annual revenue.
So if you were a company with annual revenue of up to $5
million, your certification and participation in Privacy
Shield, the fee you paid was $250. If you were $5 million to
$25 million, it was $650. I won't run you through the whole
list, but if you are over $5 billion in annual revenue, what
you paid for Privacy Shield was $3,250. It was again by far the
most cost effective approach for transatlantic data transfer
mechanisms. And that is why--it is just another element as to
why we think it is so critical, particularly for SMEs.
The other thing I want to make folks aware of, our Privacy
Shield team and our other teams, our global data policy team,
engage in regular roadshows and they meet--they have a
particular remit and focus on SMEs to make sure they
understand, you know, if they do want to go global, if they do
want to do business in Europe, how do they do that? What are
the issues? What are the options? Another thing, again, at the
risk of being redundant, because we don't have a global
standard on data protection privacy, because countries do take
different approaches, we also have another mechanism in place.
You know, we have come up, because it is going to take a while
for a global standard, we have got to bridge our differences.
And so we had Privacy Shield with Europe. We had Safe
Harbor before that, as you just noted. We also in APAC have
something called the Cross-Border Privacy Rules System. And
again, that is another way that we can bridge our differences
with some common baseline standards around privacy. And so,
again, we do a lot on the APAC's CBPR system to make sure that
companies, particularly SMEs, understand that that is an option
that is available to them.
All of this is to promote interoperability so that
companies are facing, again, increasingly fragmented and
unaligned regulatory regimes around the world on these issues,
and SMEs in particular, cannot pay the costs on this. And so we
have got to come up with these structures until we get to a
time where there is a single global standard.
Without sounding like I am criticizing GDPR, I do think it
is important to note, when it went into effect in May 2018,
what happened was you saw the big multinationals actually
expand their market share and thousands of U.S. SMEs basically
made the determination that it was either too expensive to
comply with GDPR, or that the potential fines were simply too
onerous and they withdrew from the market.
And so we spent a lot of time and effort to make sure that
we are ensuring market access for SMEs. Hopefully, I answered
your question. If not, I am happy to follow up if I missed
something. Thank you.
Senator Rosen. No, that is fine. I know my time has
expired, but----
Ms. Espinel. Chairman Wicker, would I be able to respond to
Senator Rosen's question?
The Chairman. Yes, please.
Senator Rosen. Thank you.
Ms. Espinel. Thank you. Senator Rosen, first, I want to
note that not only is Nevada home to many small businesses, but
as you know, in the jobs report, the latest jobs report we put
out, Nevada was the number one highest growth rate for software
jobs in the country. So I want to congratulate you for that and
the work that you are doing on STEM training is going to create
jobs across the country. In terms of the issue at hand, there
are three things that I think we need to do. The first is we
need to negotiate an enhanced U.S.-EU privacy agreement. We
have talked a lot about that. I commend Jim Sullivan for the
work that he and his team are doing.
Two, long term we need to reach a consensus with a group of
democracies that share our values on intelligence gathering.
And I think that will be a real challenge and an opportunity
for U.S. leadership as we move forward. And third, we need to
rebuild our foreign alliances and we need to make trust the
basis of those.
And I think that both underpins and is overarching the
first two. That those three elements, the urgent need for
enhanced U.S.-EU Privacy Shield, a long-term solution on
appropriate safeguards on intelligence norms, and then
rebuilding our foreign alliances with the trust underlying them
that they warrant, are critical to moving forward.
Senator Rosen. Thank you very much for both of those
answers. I look forward to working with you on finding the best
ways that we can support all those tech jobs that keep growing
in Nevada and, of course, all the small and medium sized
businesses that do want to expand across the Nation. Thank you,
Mr. Chairman, for indulging my time.
The Chairman. Thank you. Thank you, Senator Rosen. You and
I need to vote, and we will now close this hearing. The hearing
record will remain open for two weeks. During this time,
Senators are asked to submit any questions for the record. Upon
receipt, the witnesses are requested to submit their written
answers to the Committee as soon as possible. Thank you. We
conclude the hearing, and we very much appreciate your
participation.
[Whereupon, at 11:51 a.m., the hearing was adjourned.]
A P P E N D I X
American Civil Liberties Union
Washington, DC, December 9, 2020
Hon. Roger Wicker,
Chairman,
Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.
Hon. Maria Cantwell,
Ranking Member,
Committee on Commerce, Science, and Transportation,
U.S. Senate,
Washington, DC.
RE: The Invalidation of the EU-US Privacy Shield and the Future of
Transatlantic Data Flows
Dear Chairman Wicker, Ranking Member Cantwell, and Members of the
Committee,
On behalf of the American Civil Liberties Union (``ACLU''),\1\ we
submit this letter for the record in connection with the Senate
Commerce Committee's hearing, ``The Invalidation of the E.U.-U.S.
Privacy Shield and the Future of Transatlantic Data Flows.'' We write
to address the legal reforms that must be made to permit the free flow
of data from the E.U. to the U.S., in the wake of the Schrems II
decision by the Court of Justice of the European Union (``CJEU''), and
subsequent guidance by the European Data Protection Board. These
changes are essential to ensure that small and large businesses alike
will not continue to suffer financial consequences through no fault of
their own.
---------------------------------------------------------------------------
\1\ For nearly 100 years, the ACLU has been our nation's guardian
of liberty, working in courts, legislatures, and communities to defend
and preserve the individual rights and liberties that the Constitution
and the laws of the United States guarantee everyone in this country.
The ACLU takes up the toughest civil liberties cases and issues to
defend all people from government abuse and overreach. With
approximately two million members, activists, and supporters, the ACLU
is a nationwide organization that fights tirelessly in all 50 states,
Puerto Rico, and Washington, D.C., for the principle that every
individual's rights must be protected equally under the law, regardless
of race, religion, gender, sexual orientation, disability, or national
origin.
---------------------------------------------------------------------------
The reforms discussed below would also provide essential privacy
protections for Americans, whose communications and data are swept up
by the U.S. government's foreign intelligence surveillance in enormous
quantities.\2\ As technological advances permit ever-broader forms of
surveillance--including bulk collection--there is an urgent need for
stronger legal safeguards.
---------------------------------------------------------------------------
\2\ See, e.g., Barton Gellman et al., In NSA-Intercepted Data,
Those Not Targeted Far Outnumber the Foreigners Who Are, Wash. Post
(July 5, 2014),
https://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322--story.html;
John Napier Tye, Meet Executive Order 12333: The Reagan Rule that lets
the NSA spy on Americans, Wash. Post (July 18, 2014),
https://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2--story.html.
---------------------------------------------------------------------------
On July 16, the CJEU struck down the E.U.-U.S. Privacy Shield, used
by over 5,300 companies, for failing to provide a sufficient level of
protection for E.U. data.\3\ Specifically, the court found that U.S.
surveillance authorities, including Section 702 of the Foreign
Intelligence Surveillance Act (``FISA'') and Executive Order (``EO'')
12333, permit large-scale surveillance that is not strictly necessary
to the needs of the state. The court also found that the Privacy Shield
failed to create adequate redress mechanisms for Europeans whose data
is transferred to the U.S.--namely, the ability to be heard by an
independent and impartial court.
---------------------------------------------------------------------------
\3\ C-311/18, Data Protection Comm'r v. Facebook Ireland Ltd. &
Maximilian Schrems (``Schrems II'') (July 16, 2020),
http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=15476758.
---------------------------------------------------------------------------
In addition to invalidating Privacy Shield, the CJEU's ruling
indicated serious problems with companies' reliance on a separate
mechanism, Standard Contractual Clauses (SCCs), for data transfers from
the E.U. to the U.S., given the scope of U.S. surveillance and
obstacles to redress. Based on the CJEU's ruling, the European Data
Protection Board recently issued draft guidance concerning SCCs that
would make it virtually impossible to transfer personal data to
``electronic communication service providers,'' 50 U.S.C.
Sec. 1881(b)(4), inside the U.S. for processing.\4\ Indeed, the Irish
Data Protection Commissioner has already issued a preliminary order to
Facebook to halt its transfers to the U.S. about its E.U. users.\5\
---------------------------------------------------------------------------
\4\ See European Data Protection Board, Recommendations 01/2020 on
measures that supplement transfer tools to ensure compliance with the
EU level of protection of personal data (Nov. 10, 2020),
https://edpb.europa.eu/sites/edpb/files/consultation/edpb--recommendations--202001--supplementary measurestransferstools--en.pdf;
see also, e.g., Omer Tene, Vice President at the International
Association of Privacy Professionals, Quick Reaction to EDPB Schrems II
Guidance,
https://www.linkedin.com/pulse/quick-reaction-edpb-schrems-ii-guidance-omer-tene
(``it's hard to see a clear path for data transfers to the US'').
\5\ Sam Schechner & Emily Glazer, Ireland to Order Facebook to Stop
Sending User Data to U.S., Wall St. J. (Sept. 9, 2020),
https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980.
---------------------------------------------------------------------------
The CJEU's ruling and the European Data Protection Board's guidance
pose significant problems for U.S. companies in places as diverse as
Boca Raton, Florida, San Francisco, California, and Cleveland, Ohio,
who relied on Privacy Shield and currently rely on SCCs to transfer
data from the E.U. for processing and storage in the U.S. In many
cases, companies rely on these data-transfer mechanisms for critical
functions, such as providing services to customers overseas or human
resources to a global workforce.
Below, we describe several reforms critical to ensuring future
transatlantic data flows. Although we propose reforms to both Section
702 and EO 12333 surveillance, the Section 702 reforms are especially
urgent. That is because the Section 702 collection of data ``at rest''
inside the United States is an insurmountable obstacle to the
functioning of SCCs.
In particular, to address the CJEU's ruling, Congress must:
Narrow the scope of Section 702 and EO 12333 surveillance;
Expand the role of the Foreign Intelligence Surveillance
Court in Supervising Section 702 and EO 12333 surveillance;
Ensure that individuals affected by U.S. surveillance can
challenge improper surveillance in court; and
Limit retention and use of information under Section 702 and
EO 12333.\6\
---------------------------------------------------------------------------
\6\ These reforms would not necessarily be sufficient to satisfy
U.S. constitutional requirements.
---------------------------------------------------------------------------
Separately, Congress must also work to pass comprehensive consumer
privacy protections. That legislation must provide clear and strong
data-usage rules and ensure that discrimination cannot take on new life
in the 21st century. It must also allow states to enact stronger
protections and provide people the opportunity to sue companies that
violate their privacy. However, we note that these privacy protections,
while essential, will not address the concerns of the CJEU, which
focused on the U.S. government's overbroad surveillance authorities and
obstacles to redress for government surveillance. To address the ruling
in Schrems II, the path forward requires reforms to Section 702 and EO
12333.
Background
Under E.U. law, companies are generally forbidden from transferring
personal data to non-E.U. countries on a repeated or systematic basis,
unless the transfer is conducted pursuant to one of the following:
1. Special Transfer Mechanisms. Companies may, through
contracts such as SCCs or similar mechanisms, establish certain
rules for data transfers to safeguard privacy rights. In some
contexts, these safeguards can compensate for deficiencies in a
non-E.U. country's law--e.g., if the non-E.U. country lacks
protections for consumer privacy, companies may use an SCC to
commit to extend basic rights to consumers vis-a-vis the
companies.
In the U.S., however, no contract is capable of overcoming the
fundamental problems with U.S. law identified by the CJEU:
namely, the scope of U.S. foreign intelligence surveillance and
obstacles to redress. No contract between two companies can
narrow the sweep of government surveillance or ensure that
targeted customers receive notice of classified surveillance.
2. Adequacy Decision. The European Commission may conclude, as
a categorical matter, that a non-E.U. country provides an
``adequate'' level of protection through its domestic law and
international commitments--as it did through Safe Harbor and
then Privacy Shield--but the Commission's adequacy decisions
are subject to review by the CJEU. The CJEU has interpreted the
``adequacy'' standard to require that the non-E.U. country
provide a level of protection of fundamental rights and
freedoms that is ``essentially equivalent'' to those provided
under E.U. law.\7\
---------------------------------------------------------------------------
\7\ Schrems II 201, 203.
---------------------------------------------------------------------------
Because the CJEU has identified fundamental defects in U.S.
law, discussed in greater detail below, U.S. reforms should be
a prerequisite to the negotiation of a new E.U.-U.S. data-
transfer agreement. Indeed, European Commissioner Didier
Reynders has stated publicly that ``no quick fix'' will
adequately address the requirements of E.U. law.
But even if the European Commission were to agree to a quick
fix, U.S. companies would still face substantial economic
risks--including the risk that individual member-state Data
Protection Authorities (``DPAs'') would halt data flows. In
analyzing transfers conducted pursuant to SCCs and similar
mechanisms, DPAs are not bound by the European Commission's
conclusions about whether a non-E.U. country's laws are
adequate. Indeed, prior Commission adequacy decisions have
acknowledged DPAs' authority to arrive at their own independent
conclusions about whether to halt data transfers. And notably,
in Schrems II, the CJEU held that DPAs are required to suspend
data transfers if they conclude that such transfers are
unlawful.
To ensure that any new E.U.-U.S. data-transfer agreement
withstands CJEU scrutiny, and to ensure that U.S. companies do
not pay the price for a failed ``quick fix,'' Congress must
enact the reforms below.
Reforms to U.S. Law
1. Narrow the Scope of Section 702 and EO 12333 Surveillance
For an adequacy decision to survive CJEU scrutiny, the non-E.U.
country's laws may interfere with the protection of personal data
``only in so far as is strictly necessary.'' \8\ In Schrems I, the CJEU
explained that, in conducting surveillance, the third country must
employ an ``objective criterion'' limiting surveillance to purposes
that are ``specific, strictly restricted and capable of justifying the
interference.'' \9\ It also held that government access ``on a
generalised basis to the content of electronic communications''
violates the ``essence'' of the right to private life.\10\ In Schrems
II, the CJEU elaborated on these concerns with respect to Section 702
and EO 12333 surveillance. It explained that Section 702 ``does not
indicate any limitations on the power it confers to implement
surveillance programs,'' and it observed that the U.S. government
collects communications in ``bulk'' under EO 12333\11\--i.e., it
accesses communications on a ``generalised basis.''
---------------------------------------------------------------------------
\8\ C-362-14, Schrems v. Data Protection Comm'r (``Schrems I'')
92 (Sept. 23, 2015), http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=10588011.
\9\ Schrems I 93.
\10\ Schrems I 94.
\11\ Schrems II 183.
---------------------------------------------------------------------------
Congress should act immediately to narrow the scope of both Section
702 and EO 12333.
With respect to Section 702, Congress can begin to address this
issue by requiring an executive branch finding of reasonable suspicion
that surveillance targets are ``foreign powers'' or ``agents of a
foreign power'' outside of the United States--a clear ``objective
criterion'' to justify the interference with private
communications.\12\ In the alternative, Congress could narrow the
definition of ``foreign intelligence information'' under 50 U.S.C.
Sec. 1801(e), though this reform may not be sufficient to address the
CJEU's concerns about the breadth of Section 702 surveillance.
---------------------------------------------------------------------------
\12\ Notably, ``foreign power'' and ``agent of a foreign power''
are defined rather broadly under FISA to include international
terrorists, political factions, and entities acting under a foreign
government's effective control. See 50 U.S.C. Sec. 1801(a)-(b).
---------------------------------------------------------------------------
With respect to EO 12333, Congress should prohibit bulk collection
and require that surveillance be directed at specified targets.
Separately, Congress should narrow EO 12333's definition of ``foreign
intelligence,'' which currently allows the government to conduct
surveillance to obtain any ``information relating to the capabilities,
intentions, or activities of . . . foreign persons.''
2. Expand the Role of the Foreign Intelligence Surveillance Court in
Supervising Section 702 and EO 12333 Surveillance
In invalidating Privacy Shield, the CJEU focused largely on the
lack of independent approval of surveillance targets under Section 702
and EO 12333. Under Section 702, the role of the FISC consists mainly
of an annual review of general targeting and minimization procedures;
the FISC does not evaluate whether there is sufficient justification to
conduct surveillance on specific targets. Under EO 12333, the FISC has
no role at all.
To address these concerns, and to ensure greater protection for
Americans whose communications and data are swept up in this
surveillance, Congress must enact significant changes to the FISC's
role in supervising Section 702 and EO 12333 surveillance. At a
minimum, the FISC or other independent entity should review targeting
decisions on an individual ex post basis. Although this reform would
likely require Congress to expand the number of FISC judges, it would
enhance privacy protections for Americans swept up in this surveillance
and, given the concerns of the CJEU, it is essential to ensuring the
free flow of data between the E.U. and the U.S.
3. Ensure that Individuals Affected by U.S. Surveillance Can Challenge
Improper Surveillance in Court
In Schrems II, the CJEU affirmed that individuals whose personal
data is transferred from the E.U. must have access to judicial remedies
to challenge the treatment of their data--remedies they lack under the
current legal framework in the U.S. As a general matter, individuals do
not receive notice that their information has been collected for
foreign intelligence purposes, even in cases where notice would not
jeopardize an active investigation. The lack of notice makes it
difficult--if not impossible--for people subjected to illegal
surveillance to establish standing to challenge that surveillance in
U.S. courts.
Congress should enact two key reforms to expand access to
meaningful remedies.
First, a ``standing fix'': Congress can and should pass legislation
to more clearly define what constitutes an ``injury'' in cases
challenging government surveillance, as Senator Wyden and others
proposed in a 2017 reform bill. While standing is a constitutional
requirement, the Supreme Court has been clear that Congress has a role
to play in defining what qualifies as an ``injury'' for the purposes of
standing. Congress could, for example, explain that where a person
takes objectively reasonable protective measures in response to a good-
faith belief that she is subject to surveillance, those protective
measures constitute an injury-in-fact. This reform would allow more
individuals to begin to litigate claims of unlawful surveillance in the
public courts.
Second, Congress should require the executive branch to provide
delayed notice of foreign intelligence surveillance to targets of that
surveillance, where such notice would not result in an imminent threat
to safety or jeopardize an active investigation. In addition, FISA
should be modified to define ``derived,'' to ensure that the government
fully complies with its existing statutory notice obligations.
4. Limit Retention and Use of Information Under Section 702 and EO
12333
In Schrems II, the CJEU found that U.S. surveillance law lacked
sufficient safeguards, including with regard to the access and use of
information.\13\ Under Section 702, the government has broad authority
to retain and use the data it has collected. It can retain
communications indefinitely if they are encrypted or are found to
contain foreign intelligence information. Even for data that does not
fall into either of these categories, the default retention period is
as long as five years. The retention limitations for communications and
data collected under EO 12333 are similar.
---------------------------------------------------------------------------
\13\ Schrems II 180.
---------------------------------------------------------------------------
Congress should enact additional restrictions on the use and
retention of data collected under Section 702 and EO 12333. In
particular, Congress should require that where an agency seeks to
retain data beyond the default retention period, the agency must
establish that the data falls within a narrow subset of critical
``foreign intelligence.'' Congress should also limit the Section 702
and EO 12333 default retention period to three years.
Conclusion
For more information, please contact Senior Legislative Counsel
Kate Ruane at [email protected] or (202) 675-2336, or Senior Staff
Attorney Ashley Gorski at [email protected] or (212) 284-7305.
Sincerely,
Ronald Newman,
National Political Director,
National Political Advocacy Department.
Kathleen Ruane,
Senior Legislative Counsel,
National Political Advocacy Department.
Ashley Gorski,
Senior Staff Attorney,
National Security Project.
cc: Members of the Senate Committee on Commerce, Science, and
Transportation
______
Response to Written Questions Submitted by Hon. Amy Klobuchar to
Hon. Noah Joshua Phillips
Senator Klobuchar: Economic Impact of the Privacy Shield
Invalidation on Small Business. More than 5,300 U.S. companies--which
contribute nearly $1.1 trillion in total U.S. trade in goods and
services with the EU--were impacted by the invalidation of the Privacy
Shield. In your testimony, you highlight that more than 65 percent of
small and medium-sized businesses participated in the Privacy Shield
and that almost two-thirds of worldwide startups surveyed had customers
or users in other countries.
Question 1. Can you elaborate on your concerns regarding the impact
of the Privacy Shield's invalidation on small and medium-sized
companies?
Answer. My concern is that the invalidation of Privacy Shield will
have an outsized impact on small and medium-sized businesses. The
program allowed U.S. businesses interested in European markets a simple
and economical way to engage in necessary data transfers, for example
of payment and shipping information. That is why some 65 percent of the
thousands of companies that enrolled in Privacy Shield were small and
medium-sized businesses. Without it, these firms may be forced to shut
down or limit access to transatlantic markets. While there are other
legal bases through which to transfer the data of European customers to
the U.S., they are costly and complicated; in most cases they are not
viable options for smaller businesses. The net effect will be higher
costs for small and medium-sized businesses and an uneven playing field
that favors larger firms.
Question 2. In your view, what measures help ensure secure and
stable cross-border data protections, particularly for small and
medium-sized businesses?
Answer. Small and medium-sized businesses, like all businesses,
benefit from stable, efficient, and economical means to transfer data
across borders. The most important thing we can do is to finalize a new
agreement with our European partners that will once again permit U.S.
businesses efficiently and economically to transfer data from Europe.
U.S. and EU negotiators are already hard at work on a replacement for
Privacy Shield, and the Biden Administration should make it a priority
to complete that effort.
Congress should continue to support these efforts, as should the
Federal Trade Commission.
As we move forward, in particular in engagement with our allies in
Europe, we must ensure that an American voice and point of view is part
of the discussion about Internet governance, and be willing to defend
our approach. Liberal democracies that value free speech and privacy
should prioritize regulatory interoperability, and not let relatively
minor differences impede mutually-beneficial commerce.
______
Response to Written Questions Submitted by Hon. Amy Klobuchar to
Prof. Neil M. Richards
Consumer Access and Control/Privacy Shield Invalidation. In July,
the European Union struck down the Privacy Shield following allegations
that Facebook was providing U.S. intelligence agencies with unlimited
access to customers' data. In your testimony, you note that if the U.S.
had ``adequate'' privacy legislation, the Privacy Shield would be
unnecessary. Last December, I joined Senators Cantwell, Schatz, and
Markey in introducing comprehensive privacy legislation to establish
digital rules to protect consumers' data.
Question 1. While our bill is focused on commercial surveillance,
do you agree that legislation like ours would help the U.S. strengthen
privacy protections and rebuild trust with the EU?
Answer. Thank you for the opportunity to answer such perceptive and
important questions. Strong, baseline commercial privacy legislation is
essential to rebuilding trust with our EU trading partners and allies--
and it would also be a tremendously good thing for Americans.
First, commercial privacy protections would strengthen our
critically important relationships with the EU. At the December
hearing, Mr. Sullivan from the Commerce Department suggested that there
is not an international consensus on privacy rights. Simply put, he is
wrong. There is an international consensus, and it is one being driven
by the EU approach to privacy--including commercial privacy--as a
fundamental right. As I have explored in some of my scholarship, while
the United States used to be the global leader on privacy, it has ceded
that right by inaction. The failure of successive Congresses over the
past two decades to pass a comprehensive privacy statute has meant not
just that Americans have had insufficient privacy protection in a time
of rapid technological change, not just that this inadequacy has
affected our global reputation, not just that the EU has taken the lead
on global privacy standards, but that the EU standard has become a
global trade standard. If the United States wants to participate in
these vital markets, it now has to do so according to standards that
the EU has shaped through instruments like the Data Protection
Directive and the GDPR.\1\
---------------------------------------------------------------------------
\1\ See Woodrow Hartzog & Neil M. Richards, Privacy's
Constitutional Moment and the Limits of Data Protection, 61 Boston
College Law Review 1687 (2020).
---------------------------------------------------------------------------
It's important to stress that since the 1990s, the European data
protection regime (first the Directive, and since 2018 the GDPR) has
primarily focused on what we'd call commercial privacy. The EU
originated as the Common Market and has evolved from a trade
federation, under the sensible idea that countries that trade together
and share common economic interests become stronger allies and better
partners. Before the Snowden Revelations and the Schrems litigation
that it spawned, issues of cross-border data flows were primarily
commercial trade issues, and the issues of ``adequacy'' of U.S. law
largely revolved around whether companies like Google were processing
the data of Europeans in ways that were consistent with EU law and the
fundamental right to privacy and data protection those laws protect.
The Schrems litigation has been of course about intelligence services
accessing the data of Europeans, but if the United States wants to be
deemed ``adequate'' and participate in the international data trade as
an equal, respected, trusted partner, robust commercial privacy
protections for all personal data held by U.S. companies will be
essential. In this way, as I suggested at the December hearing,
comprehensive commercial privacy reform by this Congress is a necessary
(though not sufficient) condition for preserving and building trusted,
sustainable, and profitable commercial relationships with our key
European allies around personal data.
Second, putting the relationships with our European friends
entirely to the side, comprehensive privacy reform would be good for
America. Today, American consumers are at the mercy of powerful
corporations that collect and process their data. The current American
privacy regime relying on fictional notice and illusory choice utterly
fails to protect American consumers from manipulation and exposure to
data breaches, and I am gratified to see that a bipartisan consensus
has emerged that recognizes these facts and is keen to do something
about them. The good news is that comprehensive privacy reform can be
good for business as well as for consumers. Good businesses rest on
trust, and the kinds of trusted, sustainable relationships that can
last for decades. To use a technology example, many American consumers
have decades-long trusted relationships with companies like Apple or
Microsoft, and feel comfortable sharing sensitive information because
they believe that those companies will be discreet, honest, protective,
and loyal with their data. Unfortunately, this is not the case for many
companies in the technology sector, particularly those who offer
``free'' services in exchange for sotto voce data barter transactions,
the terms of which are almost impossible for consumers to understand,
much less agree to freely. Sensible comprehensive privacy laws that
protect consumers would reward the many companies that are already
engaging in such behavior, and would eliminate any competitive
advantage to cheat when it comes to data protection and consumer
protection.
Question 2. Our bill also includes a provision to require companies
to establish a privacy security program to regularly assess security
vulnerabilities. Do you agree that data security programs can play a
key role in ensuring secure and stable cross-border data protections?
Answer. Absolutely. Meaningful data security requirements that
ensure corporate accountability are critical for the consumer trust
that is necessary for cross-border data sharing. In addition, data
security has long been an obvious and essential part of the language of
data protection, and it is part of the requirements of the GDPR for
adequate levels (or to put it another way ``essentially equivalent''
levels) of data protection. GDPR Art. 45 & Recital 104. Comprehensive
data security programs of the sort advocated by the FTC foreground the
importance of data security, while they also regularize and
professionalize its practice in firms. The key to security programs,
however, is accountability--security program requirements must have
teeth that require substantively adequate security under the
circumstances and cannot be reduced to safe harbors that relieve
companies of liability if they maintain minimal measures or go through
a mere process of compliance.
______
Response to Written Questions Submitted by Hon. Kyrsten Sinema to
Prof. Neil M. Richards
Small Businesses. Small businesses power Arizona's growing economy.
We need to remove unnecessary burdens, and increase transparency and
accessibility to support small businesses.
Question 1. How does the European Court of Justice's invalidation
of the Privacy Shield framework harm small businesses that need to
transfer data to or from Europe?
Answer. The European Court of Justice's invalidation of the Privacy
Shield framework harms all American businesses and consumers, but many
small businesses are likely to suffer particular harms. Those
businesses that need to transfer data from Europe can no longer rely on
the Privacy Shield to protect the transfer, and as small businesses
they are unlikely to possess the resources to generate binding
corporate rules. In the absence of an adequacy determination, this
leaves only the model contracts, whose validity was called into
question by the ECJ in Schrems II. Under current post-Schrems II
guidance from the European Data Protection Board, companies seeking to
use the model contracts need to engage in a case-by-case analysis to
assess the sufficiency of data protections for such transfers outside
the European Economic Area. This analysis requires companies to assess
not just the transfer, but the risks the transfer faces in the context
of the privacy and intelligence regimes governing the transfer. In
essence, this requires companies to engage in a full Schrems II-style
ongoing analysis for each kind of transfer--something that would be
daunting for a huge company like Google or Amazon, and would be
impossible for many small businesses to engage in. Thus, the harm faced
by American small businesses is the imposition of a difficult, if not
impossible regulatory burden should they wish to make transfers of EU
personal data to the United States. This problem is caused by the
mismatch between privacy and data protection regimes in the United
States and the EU.
Question 2. While a long-term solution is crafted, how can Congress
support small businesses that need to transfer data to or from Europe?
Answer. The best thing that Congress could do is to pass a
comprehensive privacy statute with meaningful redress options for
consumers, including a private right of action. The closer our American
privacy regime gets to ``essential equivalence'' with the level of
protection on the consumer side in the GDPR, the easier it will be to
reach a durable, sustainable reconciliation with the EU. This is
particularly the case because the Schrems II judgment left the model
contractual clauses mechanism for cross-border transfer largely intact,
subject to the caveat that European data exporters have to assess the
risks of access in violation of EU data protection rights. To the
extent that small business (and certainly particular kinds of small
businesses) are less likely to have the kinds of data that the U.S.
Intelligence Community might seek to access, this will be less of a
problem for them. On the other hand, as I explained in the previous
answer, the scope, difficulty, and expense of this analysis will be beyond
the resources of many small businesses. However, a higher level of
privacy protection for all data held in the U.S. (especially the data
of Europeans) would tend to lower the temperature of the cross-border
conflict with the EU, making it easier to reach a long term solution--
ideally adequacy.
Speaking of adequacy, I note that at the December hearing, Mr.
Sullivan from the Commerce Department suggested that adequacy was
difficult, even impossible, to achieve, citing the examples of (I
believe) India and Brazil as being countries very different from the
United States. Mr. Sullivan's explanation was misleading at best and
disingenuous at worst, as he forgot to mention a country that has
adequacy which is very similar to the United States: Canada. Canada has
had adequacy since the days of the old Data Protection Directive. If
Canada can achieve adequacy with its own comprehensive privacy law,
PIPEDA, the United States can as well, and I have great optimism that
the new administration will take a more nuanced and informed approach
to privacy and data protection issues than the perspective Mr. Sullivan
espoused at the hearing.
The other thing that Congress can do is related to remedies to
challenge unlawful surveillance. Practical and legal obstacles to the
challenge of assertedly unlawful surveillance programs in the United
States are significant, and are in my opinion a significant rule of law
challenge. As I argued in a widely-cited 2013 law review article, it is
a basic element of the rule of law that a democratic, self-governing
people should have the right to know and consent to what is being done
by their intelligence services in their name, and there should be
appropriate legal means to challenge surveillance programs that are
asserted to be illegal or unconstitutional, just as with other
government programs.\2\ To the extent that there are currently
obstacles to relief, such obstacles are a major part of the problem
with U.S. law that led to the invalidation of the Safe Harbor Agreement
in Schrems I and the Privacy Shield in Schrems II. Indeed, much of my
own testimony in that case dealt with the substantial obstacles to
relief--including standing doctrine--that plaintiffs face in
surveillance challenges. Here, too, Congress can help. As the ACLU
explained in its Statement on the Record in this hearing,
---------------------------------------------------------------------------
\2\ See Neil M. Richards, The Dangers of Surveillance, 126 Harv. L.
Rev. 1934 (2013).
---------------------------------------------------------------------------
Congress should enact two key reforms to expand access to
meaningful remedies.
First, a ``standing fix'': Congress can and should pass
legislation to more clearly define what constitutes an
``injury'' in cases challenging government surveillance, as
Senator Wyden and others proposed in a 2017 reform bill. While
standing is a constitutional requirement, the Supreme Court has
been clear that Congress has a role to play in defining what
qualifies as an ``injury'' for the purposes of standing.
Congress could, for example, explain that where a person takes
objectively reasonable protective measures in response to a
good faith belief that she is subject to surveillance, those
protective measures constitute an injury-in-fact. This reform
would allow more individuals to begin to litigate claims of
unlawful surveillance in the public courts.
Second, Congress should require the Executive Branch to provide
delayed notice of foreign intelligence surveillance to targets
of that surveillance, where such notice would not result in an
imminent threat to safety or jeopardize an active
investigation. In addition, FISA should be modified to define
``derived,'' to ensure that the government fully complies with
its existing statutory notice obligations.
American Civil Liberties Union, Statement on the Record re: The
Invalidation of the EU-US Privacy Shield and the Future of
Transatlantic Data Flows, December 9, 2020, at 5, available at
https://www.aclu.org/sites/default/files/field_document/2020-12-8_aclu_statement_for_the_record_senate_commerce_committee_hearing_on_privacy_shield.pdf.
In my opinion, the reforms proposed by the ACLU (particularly the
first) would be an excellent place for Congress to start.
______
Response to Written Questions Submitted by Hon. Brian Schatz to
Prof. Neil M. Richards
In your testimony, you asserted that it would be an ``important and
necessary'' step, as well as good for business, to include a duty of
loyalty in American privacy law.
Question 1. How would including duty of loyalty in Federal privacy
law help American businesses? What other laws and regulations have
included the duties of loyalty and care?
Answer. A duty of loyalty would help American businesses by setting
clear rules of the road with respect to what constitutes fair business
practices in an economy seemingly fueled by the exploitation of
personal data. At an earlier hearing on privacy reform last fall,
Senator, I was struck by the truth and wisdom of your statement that
ethical companies already know that being loyal to their customers is
good business, and so a duty of loyalty is only a burden for companies
who want to be disloyal. In a market economy like ours, incentives for
disloyalty can be a massive problem. When there are no rules, anything
goes, and well-meaning companies staffed by ethical professionals
nonetheless feel the unyielding pressures of the market to match the
tactics of those who cheat and act in disloyal ways. A duty of loyalty
would level the playing field and create incentives for competition and
business innovation in ways that make things better for human
customers, rather than creating incentives for companies to manipulate
those consumers.
To be sure, manipulation is a real risk here. In her excellent book
The Age of Surveillance Capitalism, Harvard's Shoshana Zuboff explains
how tech companies discovered that digital services create
transactional metadata with many uses.\3\ These companies first used
the data to improve their services, making them more efficient (such as
by refining their search engines or interfaces) in ways that made
things better for everyone--the tech companies and their human
customers. The second step though, allowed companies to use
transactional and other data to anticipate or predict what consumers
could want or how they could be more effectively marketed to or
influenced through ``personalization.'' Zuboff goes on to describe a
third stage--the use of transactional data and the techniques of
behavioral science to manipulate consumers and have them behave in ways
that were optimal to the companies or their advertiser clients. The
first of these stages--product improvement through data--is a good
thing in which the incentives of consumers and companies align to want
better products. The second, prediction (sometimes called
``personalization'') is problematic when it is used in ways that are
not in the best interests of the consumers, and the third--outright
manipulation--is almost always problematic. At present, many uses of
data that fall in categories two and three are legal. What's more,
because thin, opt-out consent is easy to manufacture in a digital
environment, any mere opt-out regime would be insufficient to protect
consumers.\4\ A duty of loyalty requiring companies to act in the best
interests of their vulnerable human customers would help solve these
problems. It would ensure that category two cases use the benefits of
personalization to advance the interests of consumers, rather than
preying on their individual vulnerabilities and human cognitive
limitations. And it would also eliminate problematic cases of outright
manipulation in category three, in which a company can use information
it knows about a consumer to get them to dance to its own tune.
---------------------------------------------------------------------------
\3\ Shoshana Zuboff, The Age of Surveillance Capitalism (2019).
\4\ Neil Richards & Woodrow Hartzog, The Pathologies of Digital
Consent, 96 Wash. U.L. Rev. 1461 (2019).
---------------------------------------------------------------------------
Duties of loyalty are not a new idea. In fact, they have a long and
proud tradition in Anglo-American law. Many duties of loyalty arise in
the fiduciary context, in which there is a less sophisticated party who
must trust another who possesses more power, wealth, or expertise. As
Dr. Woodrow Hartzog and I explain in our detailed paper, ``A Duty of
Loyalty for Privacy Law,'' our law has imposed loyalty duties on a wide
variety of relationships typified by power differentials, including the
law of trustees, corporate officers, agents, guardians of wards,
lawyers, doctors, financial advisors, and others.\5\ This body of law
is extensive, and it has ancient roots in our law. Imposing a duty of
loyalty on a relationship is a significant step, but it is a time-
honored and appropriate step where there is vulnerability. As we argue
in our paper on loyalty, the current digital environment is
characterized by vulnerability, in which human consumers and citizens
trust their online experiences and well-being to powerful,
sophisticated, and highly capitalized technology companies. In so
doing, they are exposed to risks of manipulation, malware, identity
theft, misinformation, nudging, and radicalization, among others. Our
thesis is simple: ``a duty of loyalty framed in terms of the best
interests of digital consumers should become a basic element of U.S.
data privacy law. A duty of loyalty would compel loyal acts and also
constrain conflicted, self-dealing behavior by companies. It would
shift the default legal presumptions surrounding a number of common
design and data processing practices. It would also act as an
interpretive guide for government actors and data collectors to resolve
ambiguities inherent in other privacy rules. A duty of loyalty, in
effect, would enliven almost the entire patchwork of U.S. data privacy
laws. And it would do it in a way that is consistent with U.S. free
expression goals and other civil liberties.'' \6\
---------------------------------------------------------------------------
\5\ Neil Richards & Woodrow Hartzog, A Duty of Loyalty for Privacy
Law, at ms. 22-23 (draft article forthcoming 2021), available at
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3642217.
\6\ Id. at ms. 7.
---------------------------------------------------------------------------
At the hearing, we heard testimony that the European Commission
considers the privacy laws of only a couple of countries to be
``adequate'' for international data transfers.
Question 2. Would a comprehensive privacy law that includes a duty
of loyalty, help the United States achieve ``adequacy'' by the European
Commission for international data transfers?
Answer. In all, the EU has granted adequacy to twelve nations or
jurisdictions--Andorra, Argentina, Canada, the Faroe Islands, Guernsey,
Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and
Uruguay. In addition, advanced talks are in progress with both South
Korea and the post-Brexit United Kingdom.\7\ I should also note that I
followed the discussion of adequacy by Mr. Sullivan at the hearing with
great interest. It is correct that the EU made an adequacy
determination for a group of countries, but the prospects for adequacy
are hardly as bleak as Mr. Sullivan suggested. As I explained in my
response to Sen. Sinema's questions, Mr. Sullivan omitted Canada from
his examples of countries that have obtained adequacy, though I must
assume that this was merely an oversight on his part. In fact, if we
look at the countries that have achieved adequacy, many are like the
United States in important respects, and many of them are post-
industrial democracies with advanced technologies and a robust
commitment to the rule of law. Moreover, as I have already mentioned,
the fact that Canada has been deemed adequate for two decades suggests
that if the United States were to do the things that are necessary for
adequacy, the EU would be delighted to bring the United States into
that group.
---------------------------------------------------------------------------
\7\ European Commission, Adequacy Decisions, visited Feb. 9, 2021,
available at https://ec.europa.eu/info/law/law-topic/data-protection/
international-dimension-data-protection/adequacy-decisions_en.
---------------------------------------------------------------------------
I would be happy to talk more about adequacy at a future hearing,
but for now I can answer your question succinctly by saying the
following. The EU evolved from a trade federation and common market,
and its laws are largely related to those interests. Until the Schrems
litigation, adequacy was seen as almost exclusively a question of
commercial data--were the protections for personal data in a particular
country ``essentially equivalent'' to those in the EU such that an
adequacy determination was warranted? The Schrems cases raise questions
of intelligence gathering and of intelligence reform if the United
States wishes to participate fully in the trans-Atlantic data trade,
but it still remains true that adequacy determinations require
substantial commercial protections. Article 45 of the GDPR governs
adequacy determinations, and provides that, in assessing the adequacy
of a country's level of data protection, the European Commission must
look at (a) its rule of law, respect for human rights (including
privacy and data protection), and relevant laws governing government
access to personal data, as well as whether there are ``effective and
enforceable data subject rights and effective administrative and
judicial redress for the data subjects whose personal data are being
transferred''; (b) the existence of agencies that supervise compliance
with data protection rules; and (c) a country's international
commitments on data protection issues. GDPR Recital 104 helpfully
clarifies this standard as whether the country can ``offer guarantees
ensuring an adequate level of protection essentially equivalent to that
ensured within the Union.''
Thus, there are two key parts to an adequacy determination: (1) a
comprehensive privacy law imposing affirmative duties on companies that
process our data, and providing remedies for violations, and (2)
surveillance reform. With respect to (1), it is my opinion that a
robust comprehensive U.S. privacy law containing a duty of loyalty
would offer the best pathway to satisfying element (1). A duty of
loyalty would constrain companies from acting in self-interested ways
with our data (and with the data of EU citizens), it would offer
remedies for violations, and it would contribute to the overall
robustness and commitment to the rule of law for data processing in the
United States. It would go a long way to providing the key ``essential
equivalence'' with respect to commercial data that adequacy hinges on--
particularly as the EU itself is considering a variant of a duty of
loyalty as it continues to develop its own privacy laws.\8\ Moreover,
for the reasons I have given in these responses and elsewhere in my
writings, I believe that a duty of loyalty for privacy law in the
United States would also be excellent policy.
---------------------------------------------------------------------------
\8\ See, e.g., European Commission, Proposal for a Regulation on
European Data Governance (Data Governance Act), Nov. 25, 2020
(containing a duty, like a duty of loyalty, under which ``Data sharing
providers that intermediate the exchange of data between individuals as
data holders and legal persons should, in addition, bear fiduciary duty
towards the individuals, to ensure that they act in the best interest
of the data holders.''), available at
https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-european-data-governance-data-governance-act.
---------------------------------------------------------------------------