Chapter 5: Discussion and Recommendations

From overbroad government collection, insufficient purpose limitations, and vague data processing requirements, to ill-equipped oversight and redress mechanisms and easy access from the private sector and other parts of government, our data is often at risk even in democratic nations with oft-debated intelligence laws and practices. Many open or unresolved challenges in the governance of intelligence collection have led to accountability deficits that betray the trust of citizens as well as of other nations; democracies across the world are grappling with similar challenges on this front. More can and should be done to square national practice with the common international principles of democracy, rule of law, and human rights that mature democracies proudly share. While the CJEU's Schrems II decision highlighted how current U.S. law inadequately protects the right of non-nationals to judicial redress in the United States, further surveillance and intelligence reform is urgently needed in both the EU and the United States.

Our respective democracies took centuries to establish their unique forms of government, and our legislatures and legal systems operate quite differently from country to country. This makes it difficult to build a successor to the Privacy Shield: it needs to contain adequate protections and regard for fundamental rights in a way that respects national sovereignty and allows parliaments to legislate according to their established norms. A one-size-fits-all global gold standard for intelligence and surveillance governance is therefore not realistic.

At the same time, we caution strongly against adopting standards in international cross-border data agreements that merely amount to the lowest common denominator. Some U.S. experts have questioned the need for the United States to take drastic action in response to Schrems II, arguing that surveillance practices in some EU member states are comparable to those in the United States and therefore similarly fail to live up to the CJEU's standards. Along these lines, legal expert Peter Swire suggested that it is "unrealistic for the EU to demand changes to U.S. national security legislation when European countries themselves are not averse to similar practices."1 Further, some argue that U.S. oversight mechanisms are more robust than what exists in many EU member states. However, one of the main entities these critics point to is the PCLOB, which has recently struggled to conduct effective oversight, likely due to lack of capacity, resources, and vacancies.2 Rather than debating whose practices are worse, democracies should race to the top when it comes to protecting civil liberties and other fundamental rights, adopting stronger safeguards and oversight mechanisms that can serve as models.3

While we do not yet know the outcome of the recent negotiations surrounding the Privacy Shield follow-up agreement, we are hopeful that the new agreement will go beyond a quick fix and address some of the major questions regarding proportionate government access to personal data. Generally, however, closed-door conversations between the U.S. government and the European Commission do not provide the robust dialogue needed to achieve a balanced and comprehensive result that will protect civil liberties and satisfy all the relevant courts for years to come. Instead, we need a more inclusive dialogue that brings together government and oversight body representatives with academics, civil society, and the private sector. This will inevitably broaden the scope of these conversations to consider topics such as government purchases of data and other modes of government access to personal data.

Of course, there are strong economic pressures to find a quick resolution to the cross-border data impasse. Restricting data flows can sharply reduce trade volume, reduce productivity, and drive up prices for industries that increasingly rely on data.4 As long as data flows between the United States and the EU remain in question, large companies may consider storing personal data locally within the EU (data localization), as this may seem easier than dealing with messy and unclear legal questions. However, data localization not only presents risks to the economy and internet freedom, it also may not resolve the concerns outlined in Schrems II. First, data localization may not be affordable or realistic for many small- and medium-sized companies that rely on cross-border data transfers. Second, localizing data in the EU might not fully address concerns regarding government access, since the data may still be accessible to the company from the other countries in which it operates, and therefore to those governments.

It remains very unclear whether U.S. administrative actions would satisfy the CJEU, so legislative action will likely be necessary to limit U.S. intelligence community access to EU citizens' personal data at the outset, and especially to create a right for EU citizens to seek redress in U.S. courts. However, because legislation moving through the U.S. Congress is rather unlikely in the near term, administrative action may suffice in the short term and show good faith on the U.S. government's part while attempts at more permanent legislative change are underway.

As they draft new legislation, our democracies can write more clearly defined exceptions to the standard procedures into their legal frameworks, allowing governments to respond to imminent dangers without undermining the rule. By and large, much more can be done to reconcile the valid needs of security agencies (to access personal data in pursuit of their important mandate) with the protection of privacy and other rights and freedoms.

As these transatlantic dialogues continue, some analysts have suggested that another alternative would be for the United States and the EU to abandon the idea of a quick Privacy Shield replacement and instead begin negotiations for a broader digital trade agreement.5 Such an agreement could consider cross-border data flows alongside other issues, such as how to handle customs duties on electronic transmissions, ensuring online consumer protection, legal frameworks for data subject rights, prohibiting forced technology transfer, promoting open government data, and cybersecurity cooperation.6 This could prove difficult, however, as the EU has been reluctant to include requirements to ensure cross-border data flows or to prohibit localization in its trade agreements, maintaining that data protection is a fundamental right and therefore not negotiable within trade agreements; the EU prefers using adequacy decisions instead.7 The ongoing legal uncertainties surrounding the CLOUD Act and cross-border law enforcement access to data also need to be addressed, so it may make sense to consider these closely related issues alongside the surveillance questions raised by Schrems II.8

Regardless of whether the U.S. and EU governments take up such a comprehensive approach in the current moment, they must immediately address intelligence collection practices, government access to private sector data, and flows of data through other areas of government into the intelligence community.

Throughout Chapter Two, we discussed how opaque legal frameworks for surveillance and intelligence, and oversight mechanisms that are not fit for purpose, are incompatible with the rule of law and core principles of democratic governance. They are often also a hindrance for individuals trying to understand and enforce their rights in the EU and the United States. Recently, the Court of Justice of the European Union and the European Court of Human Rights, as well as the German Federal Constitutional Court, reprimanded lawmakers for adopting overly permissive legal frameworks on data collection and retention. Lawmakers on both sides of the Atlantic should seize the opportunity to write robust safeguards into their laws, and to enact provisions that deter and sanction disproportionate government access to personal data across the various intelligence collection practices. More concretely, EU and U.S. lawmakers should:

  • Enable standing in court that is not hindered by secrecy rules, where possible (e.g., make it independent of notice), and professionalize the national complaint mechanisms for citizens and non-nationals.
  • Establish a clear and consolidated legal framework for investigatory powers across the intelligence and security sector.
  • Regulate all types of bulk data access transparently, including commercial data purchases, suitability tests, and interception of machine-to-machine communications.
  • Apply the same standards and safeguards that pertain to personal content data to the collection and processing of metadata.
  • Enact effective purpose limitations for data collection to limit uncontrolled data transfers and re-use of data outside or within governments.
  • Establish a consolidated judicial authorization mechanism for all foreign intelligence collection warrants in order to eliminate duplication and inefficiencies.
  • Expand the independent approval powers of oversight bodies to cover bulk data analysis (examination warrants), suitability tests (testing and training warrants), and commercial data buying (data acquisition warrants).
  • Provide oversight bodies with sufficient resources and expertise to perform end-to-end oversight. This requires adjustments to oversight remits as well as capacity building and training, so that the entire surveillance process, from collection through analysis to sharing and deletion, is subject to robust and data-driven oversight.
  • Establish higher standards for effective review, notably by creating and improving an adversarial process within the authorization procedure to defend the interests of groups particularly affected by surveillance (i.e., non-nationals and certain protected professional groups), and by endowing oversight bodies with binding enforcement powers, including the power to prohibit certain data collection and to require data destruction. In addition, oversight bodies should possess genuine sanctioning powers in the context of foreign intelligence collection.
  • Codify comprehensive public reporting obligations for the oversight body.

In Chapter Three of the report, we confronted a somewhat novel issue for the EU and the United States: how governments circumvent current legal standards by accessing commercially available data, namely through purchases of data from the private sector. This particular type of "voluntary access," which exploits legal loopholes, appears to be on the rise in the United States, where numerous reports over the past two years have exposed government agencies buying data on citizens and non-citizens from data brokers, especially location data.

To better safeguard individual rights when it comes to government access to commercial data, governments and parliaments should:

  • Consider and enact legislation, in both the United States and Europe, that would close these loopholes, such as Sen. Wyden's Fourth Amendment Is Not For Sale Act; governments should not be able to evade accountability mechanisms by purchasing data.
  • Pass comprehensive privacy legislation in the United States that codifies the eight basic principles of the OECD Privacy Guidelines. While the EU is considerably better positioned in this regard thanks to the GDPR, it should continue to work on coherent enforcement of the GDPR.
  • Ensure more comprehensive oversight within existing bodies, and provide those bodies the resources required to conduct such oversight, or establish new oversight bodies where necessary.

In Chapter Four of this report, we examined different modes of cooperation between military and civilian intelligence, and discussed the risks associated with automated data transfers, joint databases, and the use of common software such as cross-system information analysis platforms. Lawmakers interested in addressing and reducing the obfuscation, accountability gaps, and transparency deficits tied to the automated cooperation of different actors in the security sector should:

  • Adjust and consolidate their legal frameworks for governments' use of investigatory powers, so that there is no duplication and no important government practice falls through the cracks. Lawmakers are advised to adopt a functional approach to the regulation of investigatory powers, one that focuses on the general nature of the power rather than on the agency that deploys it.
  • Avoid having entirely different accountability mechanisms for reviewing the use of similar investigatory powers by different actors in the security sector who cooperate intensively with one another. Instead, European and U.S. lawmakers should follow the examples of the United Kingdom and Canada, and ensure "that the entire national security domain falls under the responsibility of the oversight body or bodies to be appointed."9

Ultimately, through Schrems II, the CJEU has forced the U.S. government to reconsider its surveillance laws and practices in order to ensure future transatlantic data flows. But, as demonstrated throughout the report, both the United States and the EU member states should rethink and redesign their surveillance standards and safeguards more holistically. There is ample room for progress on both sides of the Atlantic to ensure that privacy rights are preserved regardless of a person's nationality or location, or of where their data is transferred. The United States and the EU member states must also do much more to render their oversight and redress mechanisms fit for purpose.

Citations
  1. Mark Scott, "POLITICO Digital Bridge: Privacy Shield is Stuck – COVID Changed Everything — What Next on Digital Tax?," POLITICO, July 15, 2021, source
  2. Matthew Guariglia and Cindy Cohn, "PCLOB 'Book Report' Fails to Investigate or Tell the Public the Truth About Domestic Mass Surveillance," Electronic Frontier Foundation, June 30, 2021, source; Civil Society Letter to President Biden Regarding PCLOB Vacancies, September 7, 2021, source
  3. For a recent compendium of good legal standards and oversight practice on the many governance challenges tied to bulk collection of personal data by intelligence services, see: source
  4. Nigel Cory and Luke Dascoli, "How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How To Address Them," Information Technology & Innovation Foundation, July 19, 2021, source
  5. Congressional Research Service, "U.S.-EU Privacy Shield and Transatlantic Data Flows," September 22, 2021, source
  6. "As a possible template, negotiators could look to the U.S.-Japan Digital Trade Agreement, concluded in October 2019. The USTR has called it the 'most comprehensive and high-standard trade agreement' negotiated on digital trade barriers and said it could set precedents for other talks." source
  7. European Union, Agreement Between the European Union and Japan for an Economic Partnership, Chapter 8, Trade in Services, Investment Liberalization, and Electronic Commerce, Article 8.3, entered into force February 1, 2019, source; Cathleen D. Cimino-Isaacs and Brock R. Williams, "U.S.-Japan Trade Agreement Negotiations," CRS In Focus IF11120
  8. For instance, as one legal expert has pointed out, U.S. jurisprudence is currently unsettled as courts work to apply the law to new surveillance techniques such as smartphone tracking and computer hacking, so foreign governments may rightfully be hesitant to enter into CLOUD Act agreements permitting the U.S. to engage in such activities on their soil. Relatedly, "several EU countries have already recognized the special dangers posed by government hacking–to privacy, internet security, and foreign relations–and have developed a panoply of protections to mitigate those risks. By contrast, the U.S. has failed to enact any special substantive and procedural protections against the risks posed by such intrusive surveillance." Stephen W. Smith, "Clouds on the Horizon: Cross-Border Surveillance Under the U.S. CLOUD Act" (March 10, 2021), in Data Protection Beyond Borders: Transatlantic Perspectives on Extraterritoriality and Sovereignty, chapter 8, edited by Federico Fabbrini, Edoardo Celeste, and John Quinn (2021), available at SSRN: source. In both CLOUD Act agreement negotiations and negotiations surrounding the Schrems II decision, these surveillance methods and the outstanding legal questions surrounding them should come into play and must be addressed.
  9. CTIVD and TIB, "Memo CTIVD and TIB on Convention 108+," February 17, 2021, source. For a more detailed discussion of the relevance of Article 11 of this modernised Convention for democratic intelligence in Europe, see: Thorsten Wetzling and Charlotte Dietrich, "Report on the need for a guidance note on Article 11 of the modernised Convention," June 11, 2021, source