In the aftermath of the July 16 Schrems II judgment by the Court of Justice of the European Union (CJEU) invalidating a principal legal method for transferring personal data from EU territory to the United States, the future of data flows for transatlantic commerce is dangerously uncertain. The more than 5,300 companies that relied on the U.S.-EU Privacy Shield are scrambling to find another basis under EU law for transferring personal data to the United States, and their principal alternative—standard privacy protection clauses in international data transfer contracts—also appears unlikely to survive ensuing European litigation. In these circumstances, the United States government should look closely at whether the perceived defects in U.S. surveillance law identified by the EU’s judicial branch can be fixed.
Establishing a lasting foundation for data transfers in transatlantic commerce means addressing the core fundamental rights concerns expressed by the CJEU. In particular, this would require making some provision for meaningful individual redress when the government obtains personal data by means of surveillance. Redress entails, at a minimum, constructing a system of administrative fact-finding and judicial review to respond to individual complaints. Fortunately, there’s no need to start from scratch. As we propose here, existing institutional mechanisms within U.S. surveillance law can be adapted to this task, albeit with certain modest statutory adjustments.