Redress: What is the problem?
In the wake of the Schrems II ruling last July by the Court of Justice of the European Union (CJEU) invalidating the EU-US Privacy Shield, redress became a major sticking point in efforts to preserve transatlantic data flows. In that ruling, the CJEU found fault with how the United States affords individuals with ‘redress’ when they believe they have been the targets of illegal surveillance. The CJEU reiterated Article 47 of the European Union Charter of Fundamental Rights (Charter), which provides that ‘[e]veryone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal.’ Under Privacy Shield, the U.S. designated a senior State Department official to serve as an ‘ombudsperson’ for reviewing and addressing individual complaints. The CJEU ruled that the ombudsperson mechanism failed to meet Article 47 requirements because it lacked independence and could not issue binding decisions.
For a country with 1.3 million lawyers that is no stranger to litigation, it may seem surprising that the topic of obtaining a remedy would be such a challenging one. And yet, it undeniably is, not only for the U.S. but also for any democracy seeking to protect the nation from external threats.
The reason? Secrecy. Protecting national security requires secrecy. Once foreign terrorists, cyber hackers, or spies realise that their identities, aliases, and online activities have been compromised, they will change their behaviour to avoid detection. A fully transparent intelligence service is a fully ineffective one.
On the other hand, open democracies require transparency to make sure governments remain accountable to the will of the people. As former U.S. Supreme Court Justice Louis Brandeis famously said in an early article about the importance of transparency, ‘[s]unlight is said to be the best of disinfectants.’
For 14 years, I served as the Civil Liberties Protection Officer for the Office of the Director of National Intelligence (ODNI). For the latter part of my tenure, I led the efforts of the Intelligence Community (IC) to enhance transparency, which gave me a unique vantage point on the inherent tension between necessary secrecy and public accountability. The IC has made dramatic progress in enhancing transparency, which continues to this day—you can see evidence of that progress on sites such as IC on the Record and intel.gov. Nonetheless, the IC must remain watchful to prevent the unauthorised disclosure of information that would harm national security.
Here lies the crux of the redress problem. How can claimants show they have suffered a loss that requires compensation, or a wrong that must be made right, if they do not know whether the government collected their data?
On the theory that one must first understand the problem to identify the solution, in this article, we will explore the redress challenge. In our next article, we will compare the U.S. approach with that of Europe. And in our third article, we will examine potential solutions to the redress problem.
Secrecy and judicial redress in the U.S.
Judicial redress in the U.S. is a problem with Constitutional dimensions. Article III of the U.S. Constitution provides that ‘the judicial Power shall extend to all Cases’ as well as to ‘Controversies.’ The U.S. Supreme Court put it this way: ‘No principle is more fundamental to the judiciary’s proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies’ (p. 18).
The ‘cases or controversies’ clause requires plaintiffs to have ‘standing’ to bring a suit in court. This requirement applies equally to citizens and non-citizens alike. As the Supreme Court held in Clapper v. Amnesty International, ‘[t]o establish Article III standing, an injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”’ Speculation is not enough; the injury (actual or imminent) must exist ‘in fact’ (p. 10).
This disapproval of ‘speculation’ sets a high bar for surveillance claims, but not an insurmountable one. Once surveillance targets know they have been subjected to surveillance, no such speculation is necessary. One of the legal authorities featured prominently in the Schrems II decision is the Foreign Intelligence Surveillance Act (FISA). Under FISA, if the government intends to introduce evidence against an ‘aggrieved person’ in a legal proceeding—that is, a person whose communications or activities were the subject of electronic surveillance—the government must notify that person in advance to enable them to challenge the surveillance. An aggrieved person, having been notified, may also sue the government in a separate legal action. Thus, notifying a person that they have been the target of surveillance will ‘fix’ the redress problem under FISA—the surveillance is no longer speculative, and a legal avenue exists to pursue a remedy. Note that an individual’s ability to sue the U.S. government for violating FISA is not contingent upon nationality; rather, it depends on the individual’s ability to satisfy the constitutional standing requirement.
In addition, as the recent case of Wikimedia Foundation v. National Security Agency illustrates, it may be possible for plaintiffs to show ‘actual injury’ by arguing that the government must have collected their communications given how a particular technique (known as ‘upstream surveillance’) is believed to operate. Finally, it may be possible for Congress to help plaintiffs establish standing by enacting new legislation; indeed, a group of senators has introduced a bill to do exactly that. However, just last month, in TransUnion LLC v. Ramirez, the Supreme Court cautioned that while Congress may ‘“elevate” harms that “exist” in the real world […] it may not simply enact an injury into existence’ (p. 10). Thus, notwithstanding new legislation, the question of ‘actual harm’ will remain.
Secrecy and redress in Europe
Secrecy is not unique to U.S. intelligence agencies; it is a fundamental requirement shared by all intelligence services and creates redress issues within Europe as well. After conducting an extensive study of EU member states’ surveillance laws, in 2017 the EU’s Fundamental Rights Agency (FRA) reported that ‘all Member States limit either individuals’ right to be notified or their right to access their own data based on the confidentiality of intelligence data and protection of national security or of on-going surveillance operations’ (p. 14).
In its landmark ruling on surveillance in 1978 — Case of Klass and Others v. Germany — the European Court of Human Rights (ECtHR) quoted the German government’s explanation of the need for secrecy: ‘The surveillance of the post and telecommunications of a certain person can serve a useful purpose only if the person concerned does not become aware of it’ (para. 22). The Court found this persuasive and declared that
[c]onsequently, since the individual will necessarily be prevented from seeking an effective remedy of his own accord or from taking a direct part in any review proceedings, it is essential that the procedures established should themselves provide adequate and equivalent guarantees safeguarding the individual’s rights (para. 55).
And lest that be viewed as an artefact of a pre-Snowden world, just this past May, in the Case of Big Brother Watch and Others v. The United Kingdom, the ECtHR reaffirmed the above pronouncement, noting that:
There is in principle little scope for recourse to the courts by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their legality retrospectively . . . . In view of the risk that a system of secret surveillance set up to protect national security (and other essential national interests) may undermine or even destroy the proper functioning of democratic processes under the cloak of defending them, the Court must be satisfied that there are adequate and effective guarantees against abuse. (paras. 337, 339).
The CJEU also acknowledged that the need for secrecy limits the ability of governments to notify individuals. In its ruling on La Quadrature du Net and Others published last October, the CJEU stated that notification must take place ‘to the extent that and as soon as that notification is no longer liable to jeopardise the tasks for which those authorities are responsible’ (para. 190).
If secrecy properly prevents (or significantly delays) the government from notifying individuals that they have been surveilled, what must governments nonetheless do to provide for redress? Different countries find different ways to tackle this problem, including making use of ‘nonjudicial measures.’ Indeed, the concept of redress does not necessarily rely on courts alone, though they are, naturally, preferred. As the European Data Protection Board (EDPB) has pointed out,
Article 47 of the Charter refers to a tribunal, even though in language versions other than English the preference is given to the word “court”, while the ECHR only obliges Members States to ensure that “everyone whose rights and freedoms are violated shall have an effective remedy before a national authority”, which does not necessarily need to be a judicial authority. . . . [T]he CJEU considers that an effective judicial protection . . . can be ensured not only by a court, but also by a body which offers guarantees essentially equivalent to those required by Article 47 of the Charter’ (para. 46-47).
An FRA study published in 2015 found that EU member states use a complex mix of judicial and nonjudicial mechanisms to provide redress, but found that the ‘different remedial avenues are often fragmented and compartmentalised, and the powers of remedial bodies curtailed when safeguarding national security is involved’ (p. 59). Therefore, nonjudicial measures may play an important role in providing redress, but care must be taken to ensure such measures work together in an effective manner to provide ‘adequate and effective guarantees against abuse.’
Schrems II and the Ombudsperson Mechanism
It should go without saying that the path forward must improve on the measures identified in Privacy Shield. The CJEU was unimpressed with Privacy Shield’s Ombudsperson mechanism (which I had a hand in creating and implementing while I was at the ODNI). Under that mechanism, the Ombudsperson was a senior State Department official who would, among other things, coordinate the work of officials such as civil liberties and privacy officers to ensure that EU complaints were investigated and addressed.
In finding this mechanism inadequate, the Schrems II ruling highlighted two areas in particular: (a) independence and (b) authority to bind the intelligence agencies. Regarding independence, the CJEU pointed out that the ‘the Ombudsperson is appointed by the Secretary of State and is an integral part of the U.S. State Department.’ In addition, it noted that the European Commission had included nothing in its decision ‘to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees, which is such as to undermine the Ombudsman’s independence from the executive’ (pp. 59-60).
Regarding authority, the court was not satisfied with ‘a commitment from the U.S. Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson,’ noting that there was nothing to indicate that the Ombudsperson ‘has the power to adopt decisions that are binding on those intelligence services’ (p. 60).
With the guideposts of independence and authority to issue binding rulings, let us return to the U.S. legal framework, which, while providing substantial flexibility and opportunity for crafting solutions, places outer limits on the art of the possible.
Independence and binding authority
The U.S. Constitution establishes a government composed of three co-equal branches – the legislative, executive, and judiciary. We have already discussed the challenge posed by relying on the judiciary for redress in the national security context. Congress has the power to authorize, restrict, or prohibit activities; conduct investigations, carry out oversight; and fund or refuse to fund government programs. We will further explore the role Congress can play in a later article.
For now, let us focus on the parameters for establishing a redress body in the Executive Branch. Can such a body be accompanied by guarantees that the President will not, absent just cause, fire the officials involved? And can that official be vested with the authority to issue binding rulings?
Independence and authority are related in a way that complicates the way forward. In essence, an official with the authority to make binding determinations must usually be removable by the President. The Supreme Court recently issued two rulings that bear on this question. In Seila Law v. Consumer Financial Protection Bureau, the Court explained that
[t]he entire “executive Power” belongs to the President alone. But because it would be “impossib[le]” for “one man” to “perform the great business of the State,” the Constitution assumes that lesser executive officers will “assist the [President] in discharging the duties of his trust.”
These lesser officers must remain accountable to the President, whose authority they wield. As Madison explained, “[i]f any power whatsoever is in its nature Executive, it is the power of appointing, overseeing, and controlling those who execute the laws.” That power, in turn, generally includes the ability to remove executive officials…. (p. 12-13, internal citations omitted).
The Court recognised two exceptions where Congress could enact laws restraining the President’s removal power: ‘one for multimember expert agencies that do not wield substantial executive power, and one for inferior officers with limited duties and no policymaking or administrative authority’ (p. 16). We will explore these exceptions in greater depth in a subsequent article. But for now, we can already see in this language the seeds of the next aspect of the redress challenge.
One way to insulate a redress official from arbitrary dismissal by the President might be to ensure that he or she is an ‘inferior officer.’ After all, career civil servants have well-established job protections under the law, and protections are routinely applied to Executive Branch officials who report government wrongdoing to safeguard them from retaliation. As is apparent from the Supreme Court’s reference to ‘inferior officers with . . . no policymaking or administrative authority’, the question becomes can such officer issue binding rulings?
Once again, the Supreme Court has helpfully provided recent guidance on this question. In United States v. Arthrex, the Court overturned a statutory regime under which so-called ‘administrative patent judges’ adjudicated challenges to previously issued patents. It stated that under the Constitution, ‘principal officers’ – i.e., those nominated by the President and confirmed by the Senate – must either make executive decisions themselves (subject to supervision by the President) or direct the decisions of ‘inferior officers’ on matters of law as well as policy. According to the Court, ‘the unchecked exercise of executive power by an officer buried many layers beneath the President poses more, not less, of a constitutional problem’ (p. 14).
The way forward
The U.S. Constitution establishes boundaries that complicate the ability of the U.S. government to put in place a solution to the redress challenge raised by the Schrems II court. Relying on the judiciary is difficult; individuals must generally have ‘standing’ to bring a case to court, and showing the requisite ‘actual injury’ is problematic if they do not actually know whether they have been surveilled. Establishing a redress function within the Executive Branch that has both independence from the President and the ability to issue binding rulings is also a challenge.
That said, the U.S. has a robust national security legal framework that has developed over many decades, and that provides flexibility to identify solutions for difficult problems.
Given the importance of transparency to open democracies, I find it ironic that the CJEU lacks it. No one can see the pleadings and submissions to the CJEU. We must all rely on the opinion itself to learn about what others presented to the court. And the supposed unanimity of 27 independent judges strains credulity. On this point, the CJEU should take its lead from the ECtHR.
Great paper that provides much needed, timely research for policy makers in the EU-US data privacy arena as well as for those wishing to understand the dynamics of the trans-Atlantic debate. Look forward to the second paper examining the EU redress process in the surveillance context for both EU citizens and non-EU citizens. I wonder, however, if the criteria of “independence” is more form over substance that gets in the way–what about “effective” being the critical criteria? Sharing a paper from Bloomberg (formerly BNA) on this topic from 2009 as well as an excellent report by EU-US “Essentially Equivalent” that discusses redress
Independence Day: How to Move the Global Privacy Dialogue Forward:
I can’t think of a single court where all proceedings and productions in the file are public. Like other courts, however, public hearings and proceedings public. Furthermore an opinion of the court is nothing more than a judgement about the compatibility or other questions of law with regard to an international treaty c.s the EU is about to sign. The underlying documents as well as the positions of the key players are public or can be obtained. What is more is that there is no such thing as unanimity but the court delivers its judgment after a majority vote and no dissent opinions are published. one can discuss the benefits of disclosure of dissent opinions, as in the ECtHR, but one can’t doubt the credulity of the individual members or the court’s judgement on this point.