After Schrems II: A Proposal to Meet the Individual Redress Challenge

6 Pages Posted: 11 Sep 2020

See all articles by Kenneth Propp

Kenneth Propp

Georgetown University Law Center

Peter Swire

Georgia Institute of Technology - Scheller College of Business; Georgia Tech Institute for Information Security & Privacy; Cross-Border Data Forum

Date Written: August 13, 2020

Abstract

In its Schrems II decision, the Court of Justice of the European Union (CJEU) invalidated the EU/US Privacy Shield, and cast doubt on the validity of standard contractual clauses, the principal alternative for transferring personal data from EU territory to the United States and other third countries. This article outlines a proposal for how to amend US law to meet the Court’s stated legal requirementthat an EU individual have a right to individual redress for violations of rights by US intelligence agencies.

In Schrems II, the CJEU stated that privacy protections in nations receiving data from the EU must be “essentially equivalent” to those afforded within the EU, including with respect “to any access by the public authorities to the personal data transferred [and] the relevant aspects of the legal system of that third country.” The CJEU identified two ways in which U.S. surveillance law lacks essential equivalence to EU safeguards. The first, and the focus of this article, is that the US lacks an “effective and enforceable” right of individual redress.

The article explains the history of the Schrems litigation and of previous EU/US negotiations on trans-Atlantic flows of personal data. Specifically, it discusses the CJEU’s finding that the Ombudsperson mechanism in the Privacy Shield for individual redress provided inadequate protections. Based on the CJEU’s decision, any future attempt by the United States to successfully address this perceived deficiency in judicial redress thus must have two dimensions: a credible fact-finding inquiry into classified surveillance activities in order to ensure protection of the individual’s rights, and the possibility of appeal to an independent judicial body that can remedy any violation of rights should it occur. For fact-finding, the authors propose that individual complaints be investigated by existing Privacy Civil Liberties Officers within the US intelligence community, or alternatively by the Privacy and Civil Liberties Oversight Board. Neither approach constitutes complete independence from the executive branch, and the possibility of such independence was narrowed by the US Supreme Court in its 2020 Seila Law opinion.

The independent review required by EU law would occur upon appeal to the US Foreign Intelligence Surveillance Court, composed of fully independent federal judges. Our proposal meets the US constitutional requirement of standing by imposing a legal duty on the agencies to examine complaints similar to the duty imposed under the Freedom of Information Act. If the agency does not meet the required standard of investigation and protection of rights, the judge can order the agency to correct any violation of individual rights. Creation of this judicial review function would require new federal legislation.

The article also discusses the legal standard for judicial review and suggests extending the new statutory protections to both US and EU persons. By meeting the individual redress requirements of EU law and the standing requirements of US law, the proposal complies with both EU and US law, and would be workable in practice.

Keywords: Schrems; privacy; GDPR; cross-border data; redress; Privacy Shield; jurisdiction

Suggested Citation

Propp, Kenneth and Swire, Peter, After Schrems II: A Proposal to Meet the Individual Redress Challenge (August 13, 2020). Georgia Tech Scheller College of Business Research Paper No. 3680148, Available at SSRN: https://ssrn.com/abstract=3680148 or http://dx.doi.org/10.2139/ssrn.3680148

Kenneth Propp

Georgetown University Law Center ( email )

Washington, DC
United States

Peter Swire (Contact Author)

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States
(404) 894-2000 (Phone)

Georgia Tech Institute for Information Security & Privacy ( email )

Atlanta, GA 30332
United States

Cross-Border Data Forum

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
105
Abstract Views
344
rank
304,897
PlumX Metrics