EU/U.S. Data Privacy Framework Redress Challenges and Constitutional Constraints

Redress and the EU/U.S. Data Privacy Framework Peter Swire JZ Liang Chair, College of Computing, Georgia Tech Debating the Critical Issues in the Data Privacy Framework CPDP Conference May 22, 2024

Overview U.S. constitutional constraints, with recent U.S. Supreme Court cases Standing and federal courts Independence More detail at KU Leuven with Prof. Drechsler online Neither confirm nor deny

Difficult Difficult to Draft a Redress Proposal: Must Be Lawful in EU and U.S. Schrems II (July 2020) Propp & Swire, After Schrems II: A Proposal to Meet the Individual Redress Challenge (August 2020) But, Docksey Swire, Statutory and Non-Statutory Ways to Create Individual Redress for U.S. Surveillance Activities US Senate Commerce testimony (December 2020) But, EO 12333 (international collection)issues do not go to the Foreign Intelligence Surveillance Court A year to respond to public and private comments Christakis, Propp & Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statuteis Necessary to Produce an Essentially Equivalent Solution (January 2022) C/P/S, EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers (February 2022) After Biden EO, C/P/S The redress mechanism in the Privacy Shield successor: On the independence and effective powers of the Data Protection Review Court EU Commission and EDPB responses

Are U.S. Constitutional Constraints Relevant to the Data Privacy Framework? Should it matter to the CJEU if it requires something under the Charter that violates the U.S. constitution? I suggest yes Unprecedented no previous CJEU ruling Comity/respect for a long-standing democracy and ally If the answer is no, then what happens? U.S. constitution only 15 new amendments since 1789 Then, no legislation in EU or U.S. can make transfers lawful A reason for essential equivalence, such as to protect the essence of the right

Standing and Access to U.S. Federal Courts Art. 47 Charter: individual right to an effective remedy before an independent and impartial tribunal Critique of DPF: redress claims should be decided by U.S. federal courts U.S. constitutional constraint: standing and Article III Must show injury in fact Ramirez vs. Trans-Union (2021) Mistake in processing of PII not itself injury in fact - need additional showing of harm Even a violation of the statute not enough to create injury in fact for all EU persons. DPF solution: independent adjudication, but not in Article III courts

Independence of Tribunal (1 of 2) Art. 47 of the Charter requires an effective remedy by an independent and impartial tribunal Critique of DPF: new Data Protection Review Court is not independent Limits on Congress power to create independent tribunals U.S. v. Arthrex (2021) Statute created patent judges, independent of the Patent Office or the Secretary of Commerce Held unconstitutional Executive branch decision must have recourse to a politically accountable official An example of the unified executive approach taken by this Supreme Court The puzzle how to create an independent tribunal with recourse to a politically accountable official The DPF answer the officials (President, Attorney General) voluntarily yield some of their discretion/power, in a legally binding way

Independence of Tribunal (2 of 2) The DPF answer the officials (President, Attorney General) voluntarily yield some of their discretion/power Attorney general issues regulation, yielding his discretionary power to the Data Protection Review Court President issues EO, yielding his power to the binding decisions of the DPRC Note they can take back their power, but EU would have notice and cancel an adequacy decision Supreme Court precedent for this discretionary-yet-binding yielding of power U.S. v. Nixon DOJ regulation by AG, giving powers to independent prosecutor AG and President objected to a subpoena Supreme Court upheld the subpoena independence existed so long as the regulation was in effect U.S. v. Accardi DOJ regulation by AG, giving powers to immigration court AG tried to overturn a deportation decision Supreme Court upheld the regulation and decision of the immigration court DPF answer: Independence and no executive branch official can overrule

Neither Confirm nor Deny DPF critique: each redress complaint receives the same answer, that either no violation or violation has been remedied Two reasons for prudence (caution) by judges, before striking down the DPF The member states also use neither confirm nor deny Say vital to protect sources and methods Provide safeguards to data subject rights through overall process Prudence perhaps this is a wise approach Almost zero complaints to date One under Privacy Shield, none yet for DPF U.S. officials asking for complaints, to demonstrate independent oversight by PCLOB Prudence Perhaps the redress right is not a wise basis for blocking all transfers to the U.S. Especially given good faith of U.S. redress procedures

NCND: Right to Remedy & Classified Information DPF critique: data subject should get access, even to classified information European law for data protection and classified information EU courts very cautious to order declassification Discussion with Joe Cannataci Test the necessity and proportionality of regime for (de) classification Must be established by law DPF answers: U.S. redress procedures: investigation and advocates access classified data U.S. (de) classification established by law Data subject gets (limited) access Automatic declassification (after 50 years) Duty of officials (including DPRC) to get declassification if was unlawful to classify, e.g., to cover up wrongdoing

Conclusion DPF has thoughtful responses to: Why no claim in U.S. federal courts Why DPRC/overall procedures are independent Why NCND here is lawful