Creating Meaningful Redress

In the Schrems II decision, the CJEU specifically pointed to the fact that “EU citizens do not have the same remedies in respect of the processing of personal data by the US authorities” due to the Fourth Amendment not applying to them, and made clear that individuals must have access to judicial remedies to challenge interference with their rights. Targets of U.S. surveillance under Section 702 and EO 12333, including EU citizens, lack a mechanism through which they can seek redress in U.S. courts. In particular, the CJEU noted that FISA Section 702 and EO 12333 do not grant surveilled persons “actionable” rights of redress before “an independent and impartial court.” EO 12333 is particularly problematic for both U.S. and non-U.S. persons, because, as the court noted, “the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable.”

The CJEU explained that an effective method of judicial redress is particularly significant to protecting EU citizens’ rights, and it laid out a number of key requirements. First, to offer essential equivalence to Article 47 of the EU Charter of Fundamental Rights, effective judicial redress requires that individuals are entitled to hearings before an independent and impartial tribunal.¹ Further, the CJEU wrote that legal remedies must offer individuals access to their obtained personal data, and the ability to obtain the rectification or erasure of such data.² The CJEU specified that the appointment of a Privacy Shield ombudsperson (an individual within the U.S. State Department to whom individuals could raise concerns, which was a U.S. solution following Schrems I) did not solve the problem because that ombudsperson could not be considered an independent tribunal and lacked the ability to make decisions that would be binding upon intelligence agencies.³

Accordingly, in order to reinstate data flows between the United States and the EU, one crucial fix will be to provide EU citizens with a mechanism for independent judicial redress. To fully meet the redress standard set forth by the CJEU, legislation will be needed. Proposals for administrative solutions may be worth considering and could be a helpful first step to show good faith in negotiations, but ultimately Congress will need to provide a judicial redress mechanism through legislation in order to meet the robust standards the CJEU has set. Providing an independent tribunal with fact-finding ability will require jurisdiction in U.S. courts, which must be established by statute. Similarly, legislation will be required to implement any approach that involves enabling complainants to establish standing—the constitutional requirement that litigants show they have been harmed by a law or practice in order to challenge it in court—to bring challenges to surveillance practices in U.S. courts.

Academics have developed a creative proposal that attempts to meet the CJEU’s robust requirements through reforms that would only require administrative action, without any legislation.⁴ That proposal involves establishing a fact-finding process that can examine classified information, whose findings could then be appealed to an independent judicial body. Under the first step of the proposal, agencies that conduct or assess surveillance would be required to carry out fact-finding investigations regarding that surveillance—either through intelligence agency privacy and civil liberties officers,⁵ the PCLOB, or potentially through agency inspectors general.⁶ The authors of this proposal suggest that complainants who were not satisfied with the fact-finding could then obtain review in the FISA Court without need for legislation, at least for challenges related to Section 702 surveillance. They contend that the FISA Court would have jurisdiction as part of its authority to review compliance incidents. The authors further suggest that Congress could enact legislation to grant complainants standing to file appeals in the same way as under the Freedom of Information Act (FOIA), where individuals who are not satisfied with an agency’s response to a FOIA request always have standing to seek judicial review of the agency’s investigation. The authors see this review as analogous to judicial review of other agency actions under the Administrative Procedures Act (APA).

… but ultimately Congress will need to provide a judicial redress mechanism through legislation in order to meet the robust standards the CJEU has set.

While the purely administrative version of this proposal could help serve as an interim solution, it is highly unlikely that it would suffice as a longer-term redress fix. One issue is that the potential fact finders considered do not have the power to require the intelligence agencies to act and, as noted above, the CJEU found that the redress mechanism must be binding on the intelligence agencies to “remedy the deficiencies” in the law.⁷ If the PCLOB were tasked with the initial fact-finding investigations under this type of proposal, this would offer more independence than either an intelligence agency’s privacy and civil liberties officer or a State Department official (as with the Privacy Shield ombudsperson). But the PCLOB would then need additional authority, which would ultimately require congressional action to require compliance with their decisions. Further, it is far from clear that, without legislation, the FISA Court would agree that it had jurisdiction to review appeals from the proposed fact-finding investigations as part of its review of compliance matters. By definition, a complainant would only seek to appeal an agency fact-finding where the fact-finding process had concluded that there was not a compliance violation, so such determinations may not fit within the scope of reviewing compliance violations that the FISA Court recognizes to be under its jurisdiction. Moreover, the FISA Court does not review decisions of the PCLOB or inspectors general. Therefore, if either of those actors handled the proposed fact-finding process, the FISA Court would likely be unable to assert jurisdiction without legislative authorization. In addition, even if the FISA Court accepted review as part of the compliance process, this could only provide redress related to Section 702; the FISA Court does not have jurisdiction to review any activities under EO 12333, and therefore legislation would still be required to create a mechanism for redress under EO 12333.

Under current law, there are a variety of barriers not only for Europeans but also for Americans who seek to challenge U.S. surveillance practices in U.S. courts. In particular, such challenges have been blocked by the inability of plaintiffs to establish standing—because without access to classified information, they cannot show that they have been subject to surveillance. However, the U.S. Supreme Court has held that Congress can play a role in determining what qualifies as an “injury” that can establish standing,⁸ and Congress can and should pass legislation that would more clearly define what constitutes an injury in cases challenging government surveillance. Under one proposal, Congress could provide that where a person takes objectively reasonable protective measures in response to a belief that they are subject to surveillance, those protective measures would count as the injury, and they would therefore be able to establish standing to pursue a case against the U.S. government for illegal surveillance.⁹

It seems unavoidable that legislation will ultimately be needed to provide Europeans with individual, independent redress as the CJEU laid out. Nonetheless, it is worth exploring administrative solutions in the near term to improve upon existing mechanisms, including the Privacy Shield ombudsperson, that the CJEU has rejected for failure to provide the requisite independent tribunal to ensure protections of Europeans’ rights.