Inside Biden’s secret surveillance court
In a deal to let companies keep trading transatlantic data, the White House built an opaque new forum that could affect national security and privacy rights — without any public paper trail.
At an undetermined date, in an undisclosed location, the Biden administration began operating a secretive new court to protect Europeans’ privacy rights under U.S. law.
Officially known as the Data Protection Review Court, it was authorized in an October 2022 executive order to fix a collision of European and American law that had been blocking the lucrative flow of consumer data between American and European companies for three years.
The court’s eight judges were named last November, including former U.S. Attorney General Eric Holder. Its existence has allowed companies to resume the lucrative transatlantic data trade with the blessing of EU officials.
The details get blurry after that.
The court’s location is a secret, and the Department of Justice will not say if it has taken a case yet, or when it will. Though the court has a clear mandate — ensuring Europeans their privacy rights under U.S. law — its decisions will also be kept a secret, from both the EU residents petitioning the court and the federal agencies tasked with following the law. Plaintiffs are not allowed to appear in person and are represented by a special advocate, appointed by the U.S. attorney general.
And critics worry it will tie the hands of U.S. intelligence agencies with an unusual power: It can make binding decisions on surveillance practices with federal agencies, which won’t be able to challenge those decisions.
"Until there's some clarity on how that's going to operate, I think you could expect the intelligence community to be nervous about what it might mean, especially since it's not even clear what its caseload is going to look like," said Matthew Waxman, a State Department and National Security Council veteran and chair of the national security law program at Columbia University.
For the European citizens it is supposed to help, the picture is just as murky. Privacy advocates argue it will be nearly impossible for European residents to bring cases, given they will have to know they are being surveilled to file a complaint.
“I don’t think anybody sitting around in Spain that is unhappy about his visa being denied is going to think that it could be based on data transfers to the U.S. and go through this process,” said Max Schrems, an Austrian privacy advocate whose lawsuits ended a previous transatlantic data deal.
For the business community, however, the court has already done its first job: Its very existence allowed EU regulators to finally bless the resumption of cross-border data flows last summer.
What happens next — or, perhaps, is already happening — is far less clear.
An expensive blockage
The Data Protection Review Court is a solution to a transatlantic problem that had bedeviled much of corporate America, and Big Tech companies in particular.
The global trade in personal data is a large and growing business, up to $7.1 trillion between the U.S. and the EU alone, but governed by legal regimes that differ sharply across borders.
The private data of European citizens can legally be surveilled by U.S. intelligence agencies, but unlike Americans, Europeans have no recourse under American law if agencies overreach. As Europe began to implement its stringent 2018 data-privacy law, that imbalance sat badly with EU authorities — and in both a 2015 and a 2020 ruling, a European court barred companies outright from transferring or processing EU citizens' data in the U.S., at least until their citizens had a way to pursue their rights.
The 2020 ruling officially halted the flow of personal data between the EU and the United States, and created the risks of large fines for companies that continued to put European data on U.S. servers. Meta, most prominently, was hit with a $1.2 billion fine in May for continuing to transfer European user data to its U.S. servers.
Biden’s proposal for a new data court created a path for Europeans to access American surveillance protections, and in July, European officials declared it adequate to the task, reopening a smoother transatlantic data trade.
The court never officially opened for business, at least not publicly. The closest thing to an announcement was Merrick Garland’s press conference last November, naming the eight judges who would hear cases.
Of those, four have deep-rooted experience with classified information from their previous careers in the NSA, the National Security Council and the Department of Justice.
Experts called for this story say the judges are considered independent decision-makers without bias toward the government’s surveillance programs.
Former Attorney General Eric Holder, for example, called Edward Snowden’s 2013 NSA leaks a “public service,” while also calling his actions illegal. Virginia Seitz, another appointed judge, formerly led a Justice Department office that offered legal advice on surveillance issues. Rajesh De, an appointed judge who previously served as the NSA’s top lawyer, told The Boston Globe in 2015 that he sought to ensure that the agency’s actions are within what a reasonable person would expect from their government.
“These are people who will call them like they see them,” said Alex Joel, a former civil liberties protection officer for the Office of the Director of National Intelligence. “And that’s also a risk for the intelligence community if these judges disagree with some of their views on how some of these provisions are done.”
Experts believe the intelligence community is cautiously waiting for the court’s decisions, with the hope there won’t be new restrictions imposed on its operations. The judges’ final authority, however, creates a degree of concern.
That finality could create unanticipated problems for the administration, according to some intelligence experts. They believe the court could not just constrain the government’s spying activity in specific cases but set precedents that cut against administration policy.
The executive order’s language specifies that the court’s rulings should apply to only the individual cases they are hearing — though experts believe the decisions could still create an unofficial precedent for other surveillance operations.
Americans left out
The court’s creation is also raising fears within U.S. circles that Europeans could get certain privacy protections that American citizens lack.
U.S. residents who suspect they are under improper surveillance cannot go to the Data Protection Review Court. Under U.S. law, they can go to a federal court — but only if they can show a concrete wrong or harm that gives them legal standing, which presents a Catch-22, since they can’t prove what they don’t know.
Adam Klein, former chair of the Privacy and Civil Liberties Oversight Board, an independent agency within the Executive Branch, pointed to former Trump campaign adviser Carter Page as the type of individual who could have benefited from a mechanism like the DPRC. Page was surveilled by the FBI during the 2016 presidential election as part of a probe into Russian influence in U.S. politics — and Justice Department inspector general investigation later found a swath of errors and material omissions in the documents used to seek the surveillance warrant. An FBI agent ultimately pleaded guilty to altering a document used for that warrant.
But Page himself had little recourse. He filed a lawsuit in 2020 seeking $75 million from the government and several current and former FBI and DOJ officials for violating his constitutional rights. A federal judge called the FBI’s conduct “troubling,” but ultimately found the law bars Page from pursuing a civil lawsuit. An appeal is pending.
Now, with the DPRC in place, “We’re in an odd place when non-residents have easier access to a place to raise their concerns about U.S. government surveillance than Americans do,” said Klein.
For Europeans, an unclear path
EU privacy advocates say the court is perhaps most confusing for the people it is supposed to serve.
According to the executive order, getting before the DPRC starts with a long preliminary process: a citizen complaint first has to shuttle between an EU data protection official and the U.S.’ Office of the Director of National Intelligence, which decides whether there was a civil rights violation from the data collection.
Regardless of the results, the response to the initial complaint will neither confirm or deny that the EU resident was under U.S. surveillance. The response will say there either was no violation found, or that there was a violation found and that the U.S. government took appropriate steps to resolve it. It won’t specify which one.
The EU resident can then appeal directly to the DPRC in America, — with the assistance of a court-appointed special advocate. That advocate will have the details from the underlying ODNI decision — although that decision remains off-limits to the person making the appeal.
“What are you going to write in the appeal? Nothing, because you don’t know what the answer is,” Schrems said. “As a lawyer, it’s really hard that you’ll ever win a case by saying ‘I appeal’ without saying what your problem is with the decision.”
Critics argue that it’s nearly impossible to tell if the process works: Europeans in the DPRC can’t represent themselves, aren’t shown the underlying decision, and can’t look at the results. And whatever the decision is, it can’t be appealed.
A Justice Department official acknowledged the court was opaque, but argued it was necessary to address the kinds of issues that will come before the judges.
“There’s actual honest-to-goodness, something going on behind that, which is the investigation the ODNI does and the decision of the court,” that official said.
A previous version of the U.S.-EU data deal, the 2016 Privacy Shield agreement, created a similar mechanism run through the Department of State, which almost no Europeans actually used In four years of existence. (It fielded an “extremely low, single digits” amount of complaints, a Justice Department official said.)
Schrems, who successfully challenged that agreement in court, said it was because many EU citizens aren’t aware they’re subjects of U.S. surveillance — and expects the same under the newly established court.
“90 percent of the cases will never even see that court,” Schrems said of the DPRC. “If [intelligence agencies] do their jobs well, no one is even going to bring a case because they wouldn’t know they’re under surveillance.”
A challenge in the works
For all its opacity, the court does include an oversight plan: According to the executive order, an annual review will be conducted by the PCLOB.
The report, officials said, would provide transparency on how many cases the court hears, how many decisions it makes and whether or not the intelligence agencies are complying with the orders. If the court isn’t hearing any cases at all, or rejecting all European complaints, this report would show that, the official said.
A classified version of the report would go to the president, the attorney general, congressional intelligence committees and heads of the intelligence community. An unclassified version would be released to the public.
“We’re going to try to make as much information public as possible, because the whole point is to inspire confidence that we’re conducting activities appropriately,” the official said.
The court may also face a new legal challenge from the European side.
Schrems, whose 2020 case against the transatlantic agreement dismantled the EU-U.S. Privacy Shield, says he has been preparing a new legal challenge ever since Biden signed the executive order in October 2022. He believes the executive order doesn’t resolve European requirements for an adequate redress method for surveillance, and joked that the new framework is so similar he could just copy and paste the 2020 lawsuit.
If his suit prevails, and invalidates EU-US data transfers for a third time, Schrems says he expects both governments to build up another legal framework to keep data moving between companies on both sides of the Atlantic.
On the surface, industry groups and companies have shown confidence that the framework will hold up to scrutiny from a third challenge. The Information Technology Industry Council, an industry group representing companies such as Apple, Amazon, Meta and Google, welcomed the framework, calling it a “clear and reliable system” that provides legal certainty for businesses. A few companies, like Microsoft and TikTok, have backup plans with servers based in the EU in the event Schrems is able to invalidate the agreement for a third time.
For the privacy advocates, many of whom see government surveillance as incompatible with serious privacy laws, fighting these agreements is getting tiring.
“I think everyone is sick of the topic. I am too,” said Schrems. “I don’t think we can solve this issue by passing a law over and over again.”
Josh Gerstein contributed to this report.