‘Data Protection Review Court’ an idea worth expanding

In March 2022, the U.S. and EU announced an agreement “in principle” to replace the Trans-Atlantic data sharing agreement known as “Privacy Shield,” which was invalidated by the Court of Justice of the European Union (CJEU) in July 2020 due, in part, to the lack of an adequate remedy under U.S. law for privacy harms suffered by EU citizens. 

Notably, the proposal for addressing this lack of redress is the creation of a “Data Protection Review Court,” through Executive Order (EO) of the president.  

It remains to be seen whether this agreement will stand up to the U.S. government’s interagency process and CJEU scrutiny — not to mention an inevitable challenge by Max Schrems; in a May 23 open letter, Schrems specifically argued that an Executive Branch-created Data Protection Review Court is inadequate to constitute true judicial redress.

Putting aside his concerns about the court — some of which are fair — the fact that we’re considering creation of such a mechanism in the first place highlights an issue that goes beyond just redress for non-U.S. citizens. Given the absence of a federal privacy law, coupled with the patchwork of state privacy laws, even U.S. citizens wrestle with redress for privacy harms incurred at the hands of the U.S. government or the private sector. Indeed, one of the recurring sticking points in state and federal debates about a privacy law has been whether to grant a private right of action to consumers.

According to a recent analysis of federal privacy bills by the International Association of Privacy Professionals, one of “the two most contentious issues” in such debates remains creating a private right of action. Of course, there’s good reason for concern about a private right of action, given the litigious nature of our society, the high cost of litigation and overly congested court dockets. But if there were an alternative to the massive, time-consuming discovery, voluminous motion practice, and years-long docket delays in traditional litigation, perhaps there’d be more openness.

Coincidentally, the answer to the Privacy Shield redress dilemma — a privacy-focused Data Protection Review Court — may also hold the answer to this problem. 

Admittedly, as Schrems pointed out, there are some significant shortcomings in the proposed Data Protection Review Court, not the least of which is that the Executive Branch cannot offer the redress of a judicial court, whether that be access to evidence, the option to appeal a decision, or having your case heard by an impartial judge (given the inherent conflict-of-interest of an Executive Branch-created court adjudicating challenges relating to Executive Branch agency actions).

But a Data Protection Review Court is an out-of-the-box solution meriting serious consideration, just in a slightly different form.

We already have precedent for creating specialized federal courts in the U.S. pursuant to Congress’s power under Article 3, Section 1 of the Constitution, which authorizes the creation of “inferior Courts as the Congress may from time to time ordain and establish.” Examples of such courts include the U.S. Court of International Trade and the Foreign Intelligence Surveillance Court (FISC).

If properly designed, such a court could address many of the concerns raised in opposition to a private right of action, permitting only limited discovery and motion practice, requiring aggressive timelines and expedited hearing schedules, and allowing only bench trials (i.e., a judge, not a jury).

To address oft-cited concerns about class action lawsuits — where plaintiffs end up with little and law firms rake in millions — this court could also limit fees recoverable, or even prohibit class actions altogether, ensuring narrowly tailored solutions for individual harms.

Interestingly, the creation of this court could also address another area of privacy harm wanting for a solution — namely, the privacy issues implicated by the U.S. Government’s use of the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act (FAA).

As highlighted by the Privacy & Civil Liberties Oversight Board (PCLOB) in its review of the U.S. Government’s Section 215 surveillance program in January 2014, the FISC — a secretive court providing review and oversight of national security matters — regularly issues orders allowing the government to surveil individuals and access their personal information, without their knowledge or an opportunity to refute the government’s case, raising the potential for undiscoverable/undiscovered privacy harms.

Notably, one of the PCLOB’s recommendations was for the FISC to hear “independent views, in addition to the government’s views, on novel and significant applications,” providing a counterpoint to the government’s one-sided arguments. But to date, this recommendation hasn’t been implemented.

Considering that the primary purpose of the Data Protection Review Court would be to address concerns about the government’s use of its intelligence authorities under EO 12333 and FISA/FAA — the very authorities of concern to the CJEU when invalidating Privacy Shield — individuals practicing before the Data Protection Review Court would have the precise credentials to also serve as third party advocates before the FISC.

Of course, there are still questions about information access in a Data Protection Review Court, with Schrems alleging that “EU data subjects would not be able to access information about potential surveillance operations concerning them during proceedings.” But even if data subjects themselves cannot access information, advocates before the FISC would be able to do so.

At the end of the day, the U.S.-EU proposal will likely evolve over the coming months, and whether or not one agrees with Schrems’s concerns about a Data Protection Review Court, this idea is precisely the type of bold thinking we need in today’s privacy-centric world.

But not just as part of a Privacy Shield replacement.

If we focus solely on EU citizen redress — admittedly, the current political imperative — foreigners end up with more robust redress options than U.S. citizens, creating further privacy inequities in the U.S.

As the age-old adage goes, a rising tide lifts all ships. To that point, we need a holistic approach to redress, establishing both a federal privacy law and the infrastructure to expeditiously hear cases under that law, for both U.S. citizens and foreigners alike.

Joel Schwarz is a consultant and attorney specializing in privacy, cybersecurity, cyber-intelligence and compliance oversight. He’s currently a director and privacy and data protection lead for MBL Technologies and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Dept. and N.Y. State Attorney General’s Office. He also previously served as counsel on e-commerce and privacy for MetLife.