| From | xxxxxx <[email protected]> |
| Subject | Inside Biden’s Secret Surveillance Court |
| Date | January 22, 2024 5:01 AM |
Links have been removed from this email. Learn more in the FAQ.
Links have been removed from this email. Learn more in the FAQ.
[In a deal to let companies keep trading transatlantic data, the
White House built an opaque new forum that could affect national
security and privacy rights — without any public paper trail.]
[[link removed]]
INSIDE BIDEN’S SECRET SURVEILLANCE COURT
[[link removed]]
Alfred Ng, John Sakellariadis
January 17, 2024
Politico
[[link removed]]
*
[[link removed]]
*
[[link removed]]
*
*
[[link removed]]
_ In a deal to let companies keep trading transatlantic data, the
White House built an opaque new forum that could affect national
security and privacy rights — without any public paper trail. _
The global importance of data is large and growing: It facilitates up
to $1 trillion in trade between the U.S. and the EU alone, but is
governed by legal regimes that differ sharply across borders., Oli
Scarff/AFP via Getty Images
At an undetermined date, in an undisclosed location, the Biden
administration began operating a secretive new court to protect
Europeans’ privacy rights under U.S. law.
Officially known as the Data Protection Review Court, it was
authorized in an October 2022 executive order to fix a collision of
European and American law that had been blocking the lucrative flow of
consumer data between American and European companies for three years.
The court’s eight judges were named last November
[[link removed]],
including former U.S. Attorney General Eric Holder. Its existence has
allowed companies to resume the lucrative transatlantic data trade
with the blessing of EU officials.
The details get blurry after that.
The court’s location is a secret, and the Department of Justice will
not say if it has taken a case yet, or when it will. Though the court
has a clear mandate — ensuring Europeans their privacy rights under
U.S. law — its decisions will also be kept a secret, from both the
EU residents petitioning the court and the federal agencies tasked
with following the law. Plaintiffs are not allowed to appear in person
and are represented by a special advocate, appointed by the U.S.
attorney general.
And critics worry it will tie the hands of U.S. intelligence agencies
with an unusual power: It can make binding decisions on surveillance
practices with federal agencies, which won’t be able to challenge
those decisions.
“Until there’s some clarity on how that’s going to operate, I
think you could expect the intelligence community to be nervous about
what it might mean, especially since it’s not even clear what its
caseload is going to look like,” said Matthew Waxman, a State
Department and National Security Council veteran and chair of the
national security law program at Columbia University.
For the European citizens it is supposed to help, the picture is just
as murky. Privacy advocates argue it will be nearly impossible for
European residents to bring cases, given they will have to suspect
they are being surveilled to file a complaint.
“I don’t think anybody sitting around in Spain that is unhappy
about his visa being denied is going to think that it could be based
on data transfers to the U.S. and go through this process,” said Max
Schrems, an Austrian privacy advocate whose lawsuits ended a previous
transatlantic data deal.
For the business community, however, the court has already done its
first job: Its very existence allowed EU regulators to finally bless
the resumption of cross-border data flows last summer.
What happens next — or, perhaps, is already happening — is far
less clear.
An expensive blockage
The Data Protection Review Court is a solution to a transatlantic
problem that had bedeviled much of corporate America, and Big Tech
companies in particular.
The global importance of data is large and growing: It facilitates up
to $1 trillion in trade between the U.S. and the EU alone, but is
governed by legal regimes that differ sharply across borders.
The private data of European citizens can legally be surveilled by
U.S. intelligence agencies, but unlike Americans, Europeans have no
recourse under American law if agencies overreach. As Europe began to
implement its stringent 2018 data-privacy law, that imbalance sat
badly with EU authorities — and in both a 2015 and a 2020 ruling, a
European court barred companies outright from transferring or
processing EU citizens’ data in the U.S., at least until their
citizens had a way to pursue their rights.
The 2020 ruling officially halted the flow of personal data between
the EU and the United States, and created the risks of large fines for
companies that continued to put European data on U.S. servers. Meta,
most prominently, was hit with a $1.2 billion fine in May
[[link removed]] for
continuing to transfer European user data to its U.S. servers.
Biden’s proposal for a new data court created a path for Europeans
to access American surveillance protections, and in July, European
officials declared it adequate to the task, reopening a smoother
transatlantic data trade.
The court never officially opened for business, at least not publicly.
The closest thing to an announcement was Merrick Garland’s press
conference last November, naming the eight judges who would hear
cases.
Of those, four have deep-rooted experience with classified information
from their previous careers in the NSA, the National Security Council
and the Department of Justice.
Experts called for this story say the judges are considered
independent decision-makers without bias toward the government’s
surveillance programs.
Former Attorney General Eric Holder, for example, called Edward
Snowden’s 2013 NSA leaks a “public service,” while also calling
his actions illegal
[[link removed]].
Virginia Seitz, another appointed judge, formerly led a Justice
Department office that offered legal advice on surveillance issues
[[link removed]].
Rajesh De, an appointed judge who previously served as the NSA’s top
lawyer, told The Boston Globe in 2015
[[link removed]] that
he sought to ensure that the agency’s actions are within what a
reasonable person would expect from their government.
“These are people who will call them like they see them,” said
Alex Joel, a former civil liberties protection officer for the Office
of the Director of National Intelligence. “And that’s also a risk
for the intelligence community if these judges disagree with some of
their views on how some of these provisions are done.”
Experts believe the intelligence community is cautiously waiting for
the court’s decisions, with the hope there won’t be new
restrictions imposed on its operations. The judges’ final authority,
however, creates a degree of concern.
That finality could create unanticipated problems for the
administration, according to some intelligence experts. They believe
the court could not just constrain the government’s spying activity
in specific cases but set precedents that cut against administration
policy.
The executive order’s language specifies that the court’s rulings
should apply to only the individual cases they are hearing — though
experts believe the decisions could still create an unofficial
precedent for other surveillance operations.
Americans left out
The court’s creation is also raising fears within U.S. circles that
Europeans could get certain privacy protections that American citizens
lack.
U.S. residents who suspect they are under improper surveillance cannot
go to the Data Protection Review Court. Under U.S. law, they can go to
a federal court — but only if they can show a concrete wrong or harm
that gives them legal standing, which presents a Catch-22, since they
can’t prove what they don’t know.
Adam Klein, former chair of the Privacy and Civil Liberties Oversight
Board, an independent agency within the Executive Branch, pointed to
former Trump campaign adviser Carter Page as the type of individual
who could have benefited from a mechanism like the DPRC. Page was
surveilled by the FBI during the 2016 presidential election as part of
a probe into Russian influence in U.S. politics — and Justice
Department inspector general investigation later found a swath of
errors and material omissions in the documents used to seek the
surveillance warrant. An FBI lawyer ultimately pleaded guilty to
altering a document used for that warrant.
But Page himself had little recourse. He filed a lawsuit in 2020
seeking $75 million from the government and several current and former
FBI and DOJ officials for violating his constitutional rights.
A federal judge called
[[link removed]] the
FBI’s conduct “troubling,” but ultimately found the law bars
Page from pursuing a civil lawsuit. An appeal is pending.
Now, with the DPRC in place, “We’re in an odd place when
non-residents have easier access to a place to raise their concerns
about U.S. government surveillance than Americans do,” said Klein.
For Europeans, an unclear path
EU privacy advocates say the court is perhaps most confusing for the
people it is supposed to serve.
According to the executive order, getting before the DPRC starts with
a long preliminary process: a citizen complaint first has to shuttle
between an EU data protection official and the U.S.’ Office of the
Director of National Intelligence, which decides whether there was a
civil rights violation from the data collection.
Regardless of the results, the response to the initial complaint will
neither confirm or deny that the EU resident was under U.S.
surveillance. The response will say there either was no violation
found, or that there was a violation found and that the U.S.
government took appropriate steps to resolve it. It won’t specify
which one.
The EU resident can then appeal directly to the DPRC in America, —
with the assistance of a court-appointed special advocate. That
advocate will have the details from the underlying ODNI decision —
although that decision remains off-limits to the person making the
appeal.
“What are you going to write in the appeal? Nothing, because you
don’t know what the answer is,” Schrems said. “As a lawyer,
it’s really hard that you’ll ever win a case by saying ‘I
appeal’ without saying what your problem is with the decision.”
Critics argue that it’s nearly impossible to tell if the process
works: Europeans in the DPRC can’t represent themselves, aren’t
shown the underlying decision, and can’t look at the results. And
whatever the decision is, it can’t be appealed.
A Justice Department official acknowledged the court was opaque, but
argued it was necessary to address the kinds of issues that will come
before the judges.
“There’s actual honest-to-goodness, something going on behind
that, which is the investigation the ODNI does and the decision of the
court,” that official said.
A previous version of the U.S.-EU data deal, the 2016 Privacy Shield
agreement, created a similar mechanism run through the Department of
State, which almost no Europeans actually used In four years of
existence. (It fielded an “extremely low, single digits” amount of
complaints, a Justice Department official said.)
Schrems, who successfully challenged that agreement in court, said it
was because many EU citizens aren’t aware they’re subjects of U.S.
surveillance — and expects the same under the newly established
court.
“90 percent of the cases will never even see that court,” Schrems
said of the DPRC. “If [intelligence agencies] do their jobs well, no
one is even going to bring a case because they wouldn’t know
they’re under surveillance.”
“If [intelligence agencies] do their jobs well, no one is even going
to bring a case because they wouldn’t know they’re under
surveillance.”
Max Schrems, Austrian privacy advocate
A challenge in the works
For all its opacity, the court does include an oversight plan:
According to the executive order, an annual review will be conducted
by the PCLOB.
The report, officials said, would provide transparency on how many
cases the court hears, how many decisions it makes and whether or not
the intelligence agencies are complying with the orders. If the court
isn’t hearing any cases at all, or rejecting all European
complaints, this report would show that, the official said.
A classified version of the report would go to the president, the
attorney general, congressional intelligence committees and heads of
the intelligence community. An unclassified version would be released
to the public.
“We’re going to try to make as much information public as
possible, because the whole point is to inspire confidence that
we’re conducting activities appropriately,” the official said.
The court may also face a new legal challenge from the European side.
Schrems, whose 2020 case against the transatlantic agreement
dismantled the EU-U.S. Privacy Shield, says he has been preparing a
new legal challenge ever since Biden signed the executive order in
October 2022. He believes the executive order doesn’t resolve
European requirements for an adequate redress method for surveillance,
and joked that the new framework is so similar he could just copy and
paste the 2020 lawsuit.
If his suit prevails, and invalidates EU-US data transfers for a third
time, Schrems says he expects both governments to build up another
legal framework to keep data moving between companies on both sides of
the Atlantic.
On the surface, industry groups and companies have shown confidence
that the framework will hold up to scrutiny from a third challenge.
The Information Technology Industry Council, an industry group
representing companies such as Apple, Amazon, Meta and Google,
welcomed the framework, calling it a “clear and reliable system”
that provides legal certainty for businesses. A few companies, like
Microsoft and TikTok, have backup plans with servers based in the EU
in the event Schrems is able to invalidate the agreement for a third
time.
For the privacy advocates, many of whom see government surveillance as
incompatible with serious privacy laws, fighting these agreements is
getting tiring.
“I think everyone is sick of the topic. I am too,” said Schrems.
“I don’t think we can solve this issue by passing a law over and
over again.”
_Josh Gerstein contributed to this report._
_ALFRED NG is a privacy reporter at POLITICO. His beat includes
coverage of government surveillance, consumer privacy and tech policy.
He previously worked at The Markup, CNET and the New York Daily News._
_JOHN SAKELLARIADIS is a reporter at POLITICO._
_POLITICO is the global authority on the intersection of politics,
policy, and power. It is the most robust news operation and
information service in the world specializing in politics and policy,
which informs the most influential audience in the world with insight,
edge, and authority. Founded in 2007, POLITICO has grown to a team of
700 working across North America, more than half of whom are editorial
staff._
* US Justice System
[[link removed]]
* privacy
[[link removed]]
* U.S. Intelligence
[[link removed]]
* Private Data
[[link removed]]
*
[[link removed]]
*
[[link removed]]
*
*
[[link removed]]
INTERPRET THE WORLD AND CHANGE IT
Submit via web
[[link removed]]
Submit via email
Frequently asked questions
[[link removed]]
Manage subscription
[[link removed]]
Visit xxxxxx.org
[[link removed]]
Twitter [[link removed]]
Facebook [[link removed]]
[link removed]
To unsubscribe, click the following link:
[link removed]
White House built an opaque new forum that could affect national
security and privacy rights — without any public paper trail.]
[[link removed]]
INSIDE BIDEN’S SECRET SURVEILLANCE COURT
[[link removed]]
Alfred Ng, John Sakellariadis
January 17, 2024
Politico
[[link removed]]
*
[[link removed]]
*
[[link removed]]
*
*
[[link removed]]
_ In a deal to let companies keep trading transatlantic data, the
White House built an opaque new forum that could affect national
security and privacy rights — without any public paper trail. _
The global importance of data is large and growing: It facilitates up
to $1 trillion in trade between the U.S. and the EU alone, but is
governed by legal regimes that differ sharply across borders., Oli
Scarff/AFP via Getty Images
At an undetermined date, in an undisclosed location, the Biden
administration began operating a secretive new court to protect
Europeans’ privacy rights under U.S. law.
Officially known as the Data Protection Review Court, it was
authorized in an October 2022 executive order to fix a collision of
European and American law that had been blocking the lucrative flow of
consumer data between American and European companies for three years.
The court’s eight judges were named last November
[[link removed]],
including former U.S. Attorney General Eric Holder. Its existence has
allowed companies to resume the lucrative transatlantic data trade
with the blessing of EU officials.
The details get blurry after that.
The court’s location is a secret, and the Department of Justice will
not say if it has taken a case yet, or when it will. Though the court
has a clear mandate — ensuring Europeans their privacy rights under
U.S. law — its decisions will also be kept a secret, from both the
EU residents petitioning the court and the federal agencies tasked
with following the law. Plaintiffs are not allowed to appear in person
and are represented by a special advocate, appointed by the U.S.
attorney general.
And critics worry it will tie the hands of U.S. intelligence agencies
with an unusual power: It can make binding decisions on surveillance
practices with federal agencies, which won’t be able to challenge
those decisions.
“Until there’s some clarity on how that’s going to operate, I
think you could expect the intelligence community to be nervous about
what it might mean, especially since it’s not even clear what its
caseload is going to look like,” said Matthew Waxman, a State
Department and National Security Council veteran and chair of the
national security law program at Columbia University.
For the European citizens it is supposed to help, the picture is just
as murky. Privacy advocates argue it will be nearly impossible for
European residents to bring cases, given they will have to suspect
they are being surveilled to file a complaint.
“I don’t think anybody sitting around in Spain that is unhappy
about his visa being denied is going to think that it could be based
on data transfers to the U.S. and go through this process,” said Max
Schrems, an Austrian privacy advocate whose lawsuits ended a previous
transatlantic data deal.
For the business community, however, the court has already done its
first job: Its very existence allowed EU regulators to finally bless
the resumption of cross-border data flows last summer.
What happens next — or, perhaps, is already happening — is far
less clear.
An expensive blockage
The Data Protection Review Court is a solution to a transatlantic
problem that had bedeviled much of corporate America, and Big Tech
companies in particular.
The global importance of data is large and growing: It facilitates up
to $1 trillion in trade between the U.S. and the EU alone, but is
governed by legal regimes that differ sharply across borders.
The private data of European citizens can legally be surveilled by
U.S. intelligence agencies, but unlike Americans, Europeans have no
recourse under American law if agencies overreach. As Europe began to
implement its stringent 2018 data-privacy law, that imbalance sat
badly with EU authorities — and in both a 2015 and a 2020 ruling, a
European court barred companies outright from transferring or
processing EU citizens’ data in the U.S., at least until their
citizens had a way to pursue their rights.
The 2020 ruling officially halted the flow of personal data between
the EU and the United States, and created the risks of large fines for
companies that continued to put European data on U.S. servers. Meta,
most prominently, was hit with a $1.2 billion fine in May
[[link removed]] for
continuing to transfer European user data to its U.S. servers.
Biden’s proposal for a new data court created a path for Europeans
to access American surveillance protections, and in July, European
officials declared it adequate to the task, reopening a smoother
transatlantic data trade.
The court never officially opened for business, at least not publicly.
The closest thing to an announcement was Merrick Garland’s press
conference last November, naming the eight judges who would hear
cases.
Of those, four have deep-rooted experience with classified information
from their previous careers in the NSA, the National Security Council
and the Department of Justice.
Experts called for this story say the judges are considered
independent decision-makers without bias toward the government’s
surveillance programs.
Former Attorney General Eric Holder, for example, called Edward
Snowden’s 2013 NSA leaks a “public service,” while also calling
his actions illegal
[[link removed]].
Virginia Seitz, another appointed judge, formerly led a Justice
Department office that offered legal advice on surveillance issues
[[link removed]].
Rajesh De, an appointed judge who previously served as the NSA’s top
lawyer, told The Boston Globe in 2015
[[link removed]] that
he sought to ensure that the agency’s actions are within what a
reasonable person would expect from their government.
“These are people who will call them like they see them,” said
Alex Joel, a former civil liberties protection officer for the Office
of the Director of National Intelligence. “And that’s also a risk
for the intelligence community if these judges disagree with some of
their views on how some of these provisions are done.”
Experts believe the intelligence community is cautiously waiting for
the court’s decisions, with the hope there won’t be new
restrictions imposed on its operations. The judges’ final authority,
however, creates a degree of concern.
That finality could create unanticipated problems for the
administration, according to some intelligence experts. They believe
the court could not just constrain the government’s spying activity
in specific cases but set precedents that cut against administration
policy.
The executive order’s language specifies that the court’s rulings
should apply to only the individual cases they are hearing — though
experts believe the decisions could still create an unofficial
precedent for other surveillance operations.
Americans left out
The court’s creation is also raising fears within U.S. circles that
Europeans could get certain privacy protections that American citizens
lack.
U.S. residents who suspect they are under improper surveillance cannot
go to the Data Protection Review Court. Under U.S. law, they can go to
a federal court — but only if they can show a concrete wrong or harm
that gives them legal standing, which presents a Catch-22, since they
can’t prove what they don’t know.
Adam Klein, former chair of the Privacy and Civil Liberties Oversight
Board, an independent agency within the Executive Branch, pointed to
former Trump campaign adviser Carter Page as the type of individual
who could have benefited from a mechanism like the DPRC. Page was
surveilled by the FBI during the 2016 presidential election as part of
a probe into Russian influence in U.S. politics — and Justice
Department inspector general investigation later found a swath of
errors and material omissions in the documents used to seek the
surveillance warrant. An FBI lawyer ultimately pleaded guilty to
altering a document used for that warrant.
But Page himself had little recourse. He filed a lawsuit in 2020
seeking $75 million from the government and several current and former
FBI and DOJ officials for violating his constitutional rights.
A federal judge called
[[link removed]] the
FBI’s conduct “troubling,” but ultimately found the law bars
Page from pursuing a civil lawsuit. An appeal is pending.
Now, with the DPRC in place, “We’re in an odd place when
non-residents have easier access to a place to raise their concerns
about U.S. government surveillance than Americans do,” said Klein.
For Europeans, an unclear path
EU privacy advocates say the court is perhaps most confusing for the
people it is supposed to serve.
According to the executive order, getting before the DPRC starts with
a long preliminary process: a citizen complaint first has to shuttle
between an EU data protection official and the U.S.’ Office of the
Director of National Intelligence, which decides whether there was a
civil rights violation from the data collection.
Regardless of the results, the response to the initial complaint will
neither confirm or deny that the EU resident was under U.S.
surveillance. The response will say there either was no violation
found, or that there was a violation found and that the U.S.
government took appropriate steps to resolve it. It won’t specify
which one.
The EU resident can then appeal directly to the DPRC in America, —
with the assistance of a court-appointed special advocate. That
advocate will have the details from the underlying ODNI decision —
although that decision remains off-limits to the person making the
appeal.
“What are you going to write in the appeal? Nothing, because you
don’t know what the answer is,” Schrems said. “As a lawyer,
it’s really hard that you’ll ever win a case by saying ‘I
appeal’ without saying what your problem is with the decision.”
Critics argue that it’s nearly impossible to tell if the process
works: Europeans in the DPRC can’t represent themselves, aren’t
shown the underlying decision, and can’t look at the results. And
whatever the decision is, it can’t be appealed.
A Justice Department official acknowledged the court was opaque, but
argued it was necessary to address the kinds of issues that will come
before the judges.
“There’s actual honest-to-goodness, something going on behind
that, which is the investigation the ODNI does and the decision of the
court,” that official said.
A previous version of the U.S.-EU data deal, the 2016 Privacy Shield
agreement, created a similar mechanism run through the Department of
State, which almost no Europeans actually used In four years of
existence. (It fielded an “extremely low, single digits” amount of
complaints, a Justice Department official said.)
Schrems, who successfully challenged that agreement in court, said it
was because many EU citizens aren’t aware they’re subjects of U.S.
surveillance — and expects the same under the newly established
court.
“90 percent of the cases will never even see that court,” Schrems
said of the DPRC. “If [intelligence agencies] do their jobs well, no
one is even going to bring a case because they wouldn’t know
they’re under surveillance.”
“If [intelligence agencies] do their jobs well, no one is even going
to bring a case because they wouldn’t know they’re under
surveillance.”
Max Schrems, Austrian privacy advocate
A challenge in the works
For all its opacity, the court does include an oversight plan:
According to the executive order, an annual review will be conducted
by the PCLOB.
The report, officials said, would provide transparency on how many
cases the court hears, how many decisions it makes and whether or not
the intelligence agencies are complying with the orders. If the court
isn’t hearing any cases at all, or rejecting all European
complaints, this report would show that, the official said.
A classified version of the report would go to the president, the
attorney general, congressional intelligence committees and heads of
the intelligence community. An unclassified version would be released
to the public.
“We’re going to try to make as much information public as
possible, because the whole point is to inspire confidence that
we’re conducting activities appropriately,” the official said.
The court may also face a new legal challenge from the European side.
Schrems, whose 2020 case against the transatlantic agreement
dismantled the EU-U.S. Privacy Shield, says he has been preparing a
new legal challenge ever since Biden signed the executive order in
October 2022. He believes the executive order doesn’t resolve
European requirements for an adequate redress method for surveillance,
and joked that the new framework is so similar he could just copy and
paste the 2020 lawsuit.
If his suit prevails, and invalidates EU-US data transfers for a third
time, Schrems says he expects both governments to build up another
legal framework to keep data moving between companies on both sides of
the Atlantic.
On the surface, industry groups and companies have shown confidence
that the framework will hold up to scrutiny from a third challenge.
The Information Technology Industry Council, an industry group
representing companies such as Apple, Amazon, Meta and Google,
welcomed the framework, calling it a “clear and reliable system”
that provides legal certainty for businesses. A few companies, like
Microsoft and TikTok, have backup plans with servers based in the EU
in the event Schrems is able to invalidate the agreement for a third
time.
For the privacy advocates, many of whom see government surveillance as
incompatible with serious privacy laws, fighting these agreements is
getting tiring.
“I think everyone is sick of the topic. I am too,” said Schrems.
“I don’t think we can solve this issue by passing a law over and
over again.”
_Josh Gerstein contributed to this report._
_ALFRED NG is a privacy reporter at POLITICO. His beat includes
coverage of government surveillance, consumer privacy and tech policy.
He previously worked at The Markup, CNET and the New York Daily News._
_JOHN SAKELLARIADIS is a reporter at POLITICO._
_POLITICO is the global authority on the intersection of politics,
policy, and power. It is the most robust news operation and
information service in the world specializing in politics and policy,
which informs the most influential audience in the world with insight,
edge, and authority. Founded in 2007, POLITICO has grown to a team of
700 working across North America, more than half of whom are editorial
staff._
* US Justice System
[[link removed]]
* privacy
[[link removed]]
* U.S. Intelligence
[[link removed]]
* Private Data
[[link removed]]
*
[[link removed]]
*
[[link removed]]
*
*
[[link removed]]
INTERPRET THE WORLD AND CHANGE IT
Submit via web
[[link removed]]
Submit via email
Frequently asked questions
[[link removed]]
Manage subscription
[[link removed]]
Visit xxxxxx.org
[[link removed]]
Twitter [[link removed]]
Facebook [[link removed]]
[link removed]
To unsubscribe, click the following link:
[link removed]
Message Analysis
- Sender: Portside
- Political Party: n/a
- Country: United States
- State/Locality: n/a
- Office: n/a
-
Email Providers:
- L-Soft LISTSERV