The Supreme Court just made a US-EU Privacy Shield agreement even harder
The U.S. Supreme Court’s decision this month in FBI v. Fazaga, a case challenging FBI surveillance, will make it significantly harder for people to pursue surveillance cases, and for U.S. and European Union (EU) negotiators to secure a lasting agreement for transatlantic transfers of private data.
The justices gave the U.S. government more latitude to invoke “state secrets” in spying cases. But ironically, that victory undercuts the Biden administration’s efforts to show that the United States has sufficiently strong privacy protections to sustain a new Privacy Shield agreement — unless Congress steps in now.
In July 2020, the EU Court of Justice (CJEU) struck down the EU-U.S. Privacy Shield, a legal framework used by thousands of U.S. companies to facilitate data transfers, because the U.S. failed to provide adequate protection for data belonging to people from the EU. Specifically, the court found that U.S. surveillance authorities, including Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, permit unjustifiably broad government surveillance. The court also found that the Privacy Shield failed to provide adequate redress mechanisms for Europeans whose data is transferred to the U.S. — namely, the ability to be heard by an independent court that can order binding remedies.
In striking down Privacy Shield, the CJEU was clear: no EU-U.S. data-transfer agreement will survive the court’s scrutiny until the U.S. narrows the scope of its surveillance and ensures that individuals subject to potentially illegal surveillance have a real, meaningful way to pursue accountability.
Although U.S. federal courts have the power and independence to provide remedies for illegal government spying, the Fazaga decision means that Americans and Europeans alike will face more arduous odds if they try to challenge secret U.S. government surveillance in U.S. courts. It also makes it less likely that the U.S. will meet these minimum privacy safeguards going forward.
FBI v. Fazaga stems from an FBI operation in 2006 and 2007, in which agents sent a paid informant into some of the largest mosques in Orange County, Calif., and instructed him to pose as a convert to Islam. The FBI informant indiscriminately gathered names, telephone numbers and email addresses, as well as information on the religious and political beliefs of hundreds of Muslim Americans who were exercising their constitutional right to religious freedom.
After the plaintiffs — an imam and two congregants — filed suit, the government argued that the “state secrets privilege” required the court to dismiss claims the FBI had unlawfully targeted Muslim community members for surveillance because of their religion. The court of appeals rejected that argument, holding that the plaintiffs’ claims should go forward using special procedures mandated by Congress decades ago, which require courts to review sensitive evidence behind closed doors in spying cases.
Unfortunately, the Supreme Court disagreed, ruling that Congress did not eliminate the state secrets privilege for spying cases when it enacted watershed surveillance reforms in FISA, after an earlier era of abuses. Though the opinion left open the possibility that people such as the Fazaga plaintiffs nonetheless could pursue claims based on public information about the government’s surveillance, most people need sensitive information from the government to help prove that its surveillance was illegal. The decision could make it easier for the government to shield such information from judges, and therefore harder for most people challenging surveillance to prove their claims and obtain justice in court.
Thus, Fazaga adds to the evidence that safeguards in the U.S. are inadequate — and showcases why they fail to satisfy the EU’s privacy rules. Only Congress can put in place the privacy reforms needed to deliver a durable EU-U.S. agreement.
The Biden administration has been attempting to negotiate a new data-transfer deal with the European Commission. But the issues the CJEU identified — especially the inability to pursue remedies for unlawful surveillance — can’t be fixed by executive branch action alone. That’s because, as we noted, EU law requires that people must be able to seek redress before an independent decision-maker; the remedies must be binding; and people must be able to raise fundamental legal challenges to the surveillance, not just question whether the government followed its surveillance procedures.
If the Biden administration and the European Commission reach an agreement without legislative reforms, that agreement almost certainly will be struck down again — and thousands of U.S. companies once again could face enormous costs and legal risks associated with data transfers. The companies most affected likely will be the small- and medium-sized businesses that depend heavily on data they transfer from Europe but often lack the financial resources to hire lawyers to fashion a stopgap solution.
Congress can ensure this doesn’t happen. By establishing clear procedures for judges to examine secret evidence in lawsuits that challenge illegal spying, Congress would prevent the executive branch from using the state secrets privilege to frustrate court review in cases going forward. Reforms such as this will benefit U.S. companies by helping to put the next Privacy Shield on a stronger legal footing, and also help ensure that ordinary Americans harmed by unlawful surveillance can have their day in court.
Patrick Toomey and Ashley Gorski are senior staff attorneys with the ACLU’s National Security Project. They were co-counsel for the plaintiffs in FBI v. Fazaga.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.