Caveat 10.14.20
Ep 50 | 10.14.20

EU-US Privacy Shield invalidated.

Transcript

Travis Leblanc: The PCLOB is unique in the federal government in that it is the only federal agency that works on privacy full time. And it is also an agency that is focused on, really, the activities of the United States government, not so much the commercial sector.

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at California's Prop 24 fight over the future of privacy. I take a look at the conclusions of a House report that many of tech's biggest firms are enjoying unfair monopoly power. And later in the show, my conversation with Travis LeBlanc from Cooley. We're going to be discussing how the European Court recently invalidated the EU-U.S. Privacy Shield. So be sure to stick around for that. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. Let's dig in here. But before we start in with our stories, time to, I guess, mark a little milestone for our own little show here. 

Ben Yelin: Absolutely. This is our 50th episode. So I guess that's the silver anniversary. 

Dave Bittner: (Laughter) That's right. Yes. 

Ben Yelin: But just an important time to stop and pause. I think we've done - despite everything that's gone on in the world, we just skipped two weeks for the holidays, so this is also the one-year anniversary of our podcast. 

Dave Bittner: Yeah. 

Ben Yelin: It's been a pleasure. I hope everybody has enjoyed listening. Make sure you get your friends to subscribe and be part of the "Caveat" community. But thanks everybody who's contributed questions, comments. We really appreciate you listening and your support. 

Dave Bittner: Yeah, it's been a heck of a year to start a podcast, hasn't it? (Laughter). 

Ben Yelin: It really has. But if we can make it through this year - I should not jinx it. 

Dave Bittner: That's right. That's right. 

Ben Yelin: I'm not going to jinx it. It could always get worse. 

Dave Bittner: Yeah. And I echo what Ben says - thanks to all of you for listening and, you know, providing us with the audience that you do. And help spread the word. If you know anybody who you think might be interested in our show, please reach out and let them know about it. That's the best way for us to get more ears on the show. And, of course, that makes our advertisers happy, and that's how we're able to keep this coming to you every week. 

Dave Bittner: All right. Well, let's jump in here with our stories. Ben, why don't you start things off for us? 

Ben Yelin: One of the things that's really torturous, to be frank, about being a California voter... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Is you get a giant handbook - it's basically the size of, like, a high school textbook - that describes all of the ballot propositions that you have to vote on in a general election. And one of the ballot propositions this year, Proposition 24, is about the California Consumer Protection Act. And this proposition would make a series of technical changes that, depending on who you talk to, either strengthens the law or weakens it. 

Dave Bittner: (Laughter). 

Ben Yelin: I'm going to try and go into at least a little detail as to what the proposition will do, although myself and several experts who I have heard from and spoken to aren't exactly sure what's in this proposition, which tells you something. But I also want to talk, generally, about the whole process of governing by ballot proposition and giving this responsibility to the voters. So the proposition itself is a 52-page legal document, which I'm sure all voters have time to read thoroughly and, you know, cross-reference... 

Dave Bittner: (Laughter). 

Ben Yelin: ...With their favorite legal database. And it would make certain strengthening amendments to the existing California Consumer Privacy Act. So a couple of things it would do that critics have raised as potential red flags is it would increase the use of what's called pay-for-privacy schemes, where individuals, if they pay for a premium service on a website, will not receive advertising, will not have their information sold to third parties. But if you don't buy into that system, then you will still have your information sold to third parties. You will lose those privacy protections. And so privacy advocates disfavor this position because, you know, I think, it creates a further separation between the haves and the have-nots, where only people who have certain means would be able to obtain the privacy protections in this law. 

Ben Yelin: Other things that Proposition 24 does - it takes what they call sort of a half-step on minimization. So according to the proposition, businesses must be prohibited from collecting a consumer's personal information beyond what is necessary to provide the consumer the good or service that they requested. So that's good. But what several privacy advocates have said is, instead of looking at the consumer's own expectations, it's up to the business itself to determine what a business purpose is. So that takes that out of the hands of the consumer. 

Ben Yelin: Another change that this proposition does not make, which I think is a missed opportunity for privacy advocates, is - currently, the way the CCPA works is you have to affirmatively opt out of your information being sold to third parties or collected when you go on to a website. I think California legislators and advocates thought, we could put this proposition together to improve the CCPA. This would be a perfect opportunity to make it opt in, where the default was privacy and you would have to affirmatively opt in to allow companies to sell your information or distribute it to third parties. 

Ben Yelin: The rest of this 52-page document, this 52-page proposition, is confusing. It's subject to a bunch of different interpretations, and it's confusing to the extent that groups like the Electronic Frontier Foundation have not been able to either endorse or not endorse this program. 

Dave Bittner: Wow. 

Ben Yelin: They basically say it makes some positive changes, some negative changes. So much of it is up to interpretation. We don't have enough information to make an educated decision. 

Dave Bittner: Wow (laughter). 

Ben Yelin: And I saw some of the newspaper editorials saying the same thing. So if these so-called experts at both, you know, these privacy organizations, the ACLU, some of the legislators who designed the CCPA in the first place and some of the major news publications in California, don't know exactly what to make of Proposition 24. And I think it's not exactly fair to put that responsibility on the voters. 

Dave Bittner: Is it possible to shelve it, or has that horse left the barn? 

Ben Yelin: Well, the horse has left the barn. Ballots have already gone out, and these ballot handbooks have gone out. So people do get basic information about what Proposition 24 does. It's hard to distill a 52-page amendment to a major law into a few sentences. And saying things the way organizations try and simplify the language so that average voters understand will say things like, it strengthens some of the privacy protections in the CCPA. I mean, that's just wholly inadequate for a voter to be informed as to whether these changes are beneficial, whether they're negative, whether it gives more power to the consumer or whether it gives more power to the tech companies. 

Ben Yelin: And, you know, frankly, I think a lot of privacy advocates are nervous that the tech companies haven't, you know, thrown all their money behind opposition to this proposition because what that indicates to them is that the tech companies aren't that worried that this is going to significantly strengthen the CCPA and cut into the bottom line. 

Dave Bittner: (Laughter) Right. Right. Don't throw us into the briar patch. 

Ben Yelin: Exactly. Exactly. So I think the broader point here is we should not trust - I love voters. I'm very pro-democracy. But when we're talking about largely technical changes to an issue that, I think, frankly requires a lot of very specific expertise, that's not something that should be handed to the voters in a ballot proposition. And, you know, I think that was a mistake by the advocates of this policy. I think they should have tried to work through the Legislature. I think they had tried to do a ballot initiative on this, you know, back in 2016, before the CCPA passed. For a bunch of reasons, that effort was not successful. They were able to succeed in the Legislature, although that law has had its own flaws. 

Ben Yelin: So they thought they'd have another bite at the apple going to the voters, but I think that's just an unfair expectation to put on the voters, that they'd be able to understand and make educated decisions about such a complicated policy. So that's my little rant on the California proposition process. 

Dave Bittner: Can you give us a little insight as to why California does things this way? I mean, why do so many things end up on propositions in California when that doesn't happen, you know, in other states? 

Ben Yelin: You know, a couple of basic things. Getting something on the ballot for a proposition is relatively easy in California. It doesn't require a significant number of signatures, especially since it's such a large state with a large population. If you're determined enough and if you have an interest group money behind you, you should be able to get enough signatures to get your ballot initiative on the ballot for that general election. So that's part of it. 

Ben Yelin: There are a lot of complicated historical reasons. A lot of times, the California state Legislature has not been responsive to the general political mood of the California electorate. And activists have taken matters into their own hands and tried to bypass the Legislature by using this proposition process. And it's worked many times - most famously, Proposition 13 in 1978, which capped property taxes in the state of California and had a really detrimental effect on public schools, but also was supported by a large majority of the population because it had that cut on property taxes - is something where that went against the desires of the Legislature, but some anti-tax advocates were able to get it on the ballot and enact this provision into law via the proposition process. 

Ben Yelin: You know, there are other complications. A lot of things in California law require supermajority passage in the state Legislature, you know, just based on past decisions that either the voters or the Legislatures have made. So if it's something where the Legislature can't secure a two-thirds vote majority to enact something into law, then the next best option might be to take that directly to the voters. To a certain extent, I think the idea behind it is admirable. You want to give the people a direct say in making policies. But from my perspective, the reason you elect legislators is they're supposed to represent the interests of their constituents. 

Dave Bittner: Right. 

Ben Yelin: And they're supposed to be the ones whose full-time job is to understand these issues and make well-reasoned, educated decisions on them. So, you know, I think from my perspective, that's where the California proposition process really fails. 

Dave Bittner: Yeah. 

Ben Yelin: And I will say, for those of you listening to this who are California residents who vote in California elections, it's hard for me to even talk about whether you should or should not support this initiative. It's almost besides the point. And I think it's not just me who's saying that; it's a lot of advocacy groups who see how complicated this is, who see that a lot of these technical changes are canceled out by other technical changes in this 52-page proposition. It's hard for a voter to know exactly what to do. And I think that speaks to the problems inherent in this process. 

Dave Bittner: Yeah. This is a law of unintended consequences, right? 

Ben Yelin: Absolutely. Yeah. 

Dave Bittner: (Laughter) All right. Well, we'll see how that one plays out, for sure. My story this week is - this is a big one that dropped. The House of Representatives have released their report, 449-page report - which I'm sure you've read every page of, Ben. It's a real page-turner, right? This is... 

Ben Yelin: Oh, yeah. Yeah. All 400-some odd pages of it. 

Dave Bittner: (Laughter). It's just... 

Ben Yelin: Some light bedtime reading, yeah. 

Dave Bittner: Sure. Well, you know, if you have insomnia, this is - this'll fix that in a jiffy (laughter). So the House of Representatives, in their antitrust subcommittee, they've been looking at some of the big tech companies - you know, folks like Facebook, Amazon, Google, Apple - and they've been at this for about 16 months or so. And they released their report, and what they conclude is that these companies are enjoying monopoly advantages and there needs to be some changes. In fact, they compare these companies to the era of the oil barons and railroad tycoons, which I suppose is effective rhetoric if you're going to be talking about monopolies. 

Ben Yelin: Absolutely. 

Dave Bittner: So I think it's interesting that this report came out. I think, certainly, it's no surprise that these companies have been under scrutiny for the size of their - the size of influence that they have, the control over markets that they have. Look at a company like Google and how they control search. You look at YouTube and video. You look at Facebook. Yes, there are competitors. Are they meaningful competitors? And I suppose that's part of what... 

Ben Yelin: Yeah. Is Bing really a competitor? I mean, can we even call it that? I don't know. 

Dave Bittner: Yeah. Right. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah, yeah. Absolutely. And that is part of what this report looks into. I'm really interested in your take on this, Ben. What's your initial reaction to the report? 

Ben Yelin: I'll start with a very, very general statement that monopolization is bad. 

(LAUGHTER) 

Ben Yelin: We started to address this problem in this country during the Progressive Era more than a hundred years ago, and there's still a major problem of anti-competitive practices in all different types of industries. And that's really bad for consumers. And it's not just monopolies; it's the phenomena we've been seeing since the 1980s, where big companies start merging with one another, there are fewer options on the market, prices get raised, and, you know, these anti-competitive practices make a consumer's life more difficult. I mean, I always think about the airline industry. There are only, you know, four or five legitimate domestic carriers now. When one of them decides to charge a fee for airline baggage, all of the others know that they can do that without losing customers because there's just such a relatively small market and there are so many significant barriers to entry. 

Ben Yelin: And so I think that's exactly what's happening on a much larger scale with these tech companies. They are valued - the ones that they analyzed in this report, the Googles and Facebooks of the world - at $5 trillion. You know, so that's more than the United States government spends on average in a given year on all of its policies combined. So it's a lot of money. They've been able to maintain their power through anti-competitive business practices. 

Ben Yelin: And they - you know, we now have one or two companies that dominate a general field, what we consider online communications. Amazon dominates the retail market. Google dominates the search engine market. Facebook dominates the social networking market. And, you know, that gives them agency to engage in practices that really hurt the consumers because what's the consumer going to do? You know, if Google does something that the consumer objects to - we're so used to Googling things, it's very unlikely that we're going to migrate over to a different search engine. If Facebook suffers things like the Cambridge Analytica incident or its propagation of fake news, that certainly makes consumers very unhappy, but that's the one venue that's established itself in the market as the place where we can see what our, you know, high school friends have been up to for the past several years and see the political rantings of our extended relatives. 

Ben Yelin: So, you know, it ends up being very bad for the consumer, and I think this report highlights that. And it's important for the public to know about it. It's important for the public to understand the detrimental power of monopolization. And, you know, I think we kind of have to have a general awareness of the problem before we can do anything to address it. 

Dave Bittner: So what happens next? This report has come out. You know, people have a chance to look at it, analyze it. Obviously, you know, the big companies, they disagree with it. Where does it go from here? 

Ben Yelin: The report issues a bunch of policy recommendations to restore competition in the digital economy - and so, you know, strengthen some of our antitrust laws. So things like reducing conflicts of interest through structural separations, promoting innovation through interoperability and open access, reducing market power through merger presumptions - mergers is one of the things we had just talked about. In terms of antitrust laws, you know, try and rehabilitate some of the monopolization laws that we passed in the Progressive Era that have laid sort of dormant over the past 30 years. And, you know, things like augmented antitrust enforcement, greater congressional oversight, greater oversight on the part of federal agencies. 

Ben Yelin: These are, of course, simply recommendations. Congress does not have to act on them. If the House of Representatives decided to enact these recommendations into law, the current - or to pass a bill enacting these recommendations, it's very unlikely that that would be signed into law based on the current political circumstances we find ourselves in. I don't think Mitch McConnell's Senate would ever take up a bill that contained these recommendations. But, you know, you get into a situation in the future where you have unified, democratic control of all of the branches of government and there's really a political groundswell against monopolization, then, you know, I think these recommendations could form the basis of new legislation. 

Ben Yelin: And I'll also mention, there are a lot of people on the political right who have somewhat similar objections to the big tech platforms. And, you know, that might make for strange bedfellows when it comes to this type of legislation. So, you know, I don't think we can definitively say that this is just going to devolve into a partisan and polarizing issue. I think there are critiques of the monopolizing power of these platforms on both the left and the right, and perhaps these recommendations in this report could start a groundswell of a movement on these issues. 

Dave Bittner: Yeah. I mean, is my perception correct, that it just seems like - I don't know - over the past few decades, going after monopolies is just something that we don't do anymore? 

Ben Yelin: No, I mean, we really don't. You know, I don't want to get too conspiratorial here... 

Dave Bittner: (Laughter). 

Ben Yelin: ...But building up monopoly power also builds political power. You make a lot of money. You hire the best lobbyists. You can contribute to a lot of political campaigns and political action committees. And you gain a sphere of influence. And what the tech companies would say - and I think this is perfectly reasonable - is they need space to innovate. They need space to earn their market share. And, you know, having overly strict monopolization restrictions from the federal government, from federal agencies, would inhibit their ability to create platforms or services that are more beneficial to their users, that would please the consumers. I think, abstractly, consumers largely support the effort to cut down on monopolies. 

Ben Yelin: This report cites some public opinion polling to that effect. But, you know, I'm not sure how that would survive a campaign from the tech companies saying, you know the service you really enjoy, Amazon, where we can deliver packages to your door the same day that you order them? That's going to be put in jeopardy if Congress or the executive branch starts targeting us and starts, you know, enforcing antitrust laws. So I think public opinion on this could potentially be malleable for that reason. I know that's a long-winded answer to your question. But... 

Dave Bittner: No, no, no. It's a good - good insights, for sure. 

Dave Bittner: All right. Well, those are our stories for this week. Of course, if you have a question for us, we would love to hear it. You can call in and leave us a message. It's at 410-618-3720. You can also send us email at caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Travis LeBlanc from Cooley. And we spoke about how the European Court recently invalidated the EU-U.S. Privacy Shield. Lots of interesting implications there. Here's my conversation with Travis LeBlanc. 

Dave Bittner: Can you give us kind of a brief overview of the history here and what led us to where we find ourselves today? 

Travis Leblanc: I will do my best... 

Dave Bittner: How much time do I have? 

(LAUGHTER) 

Travis Leblanc: ...In a relatively short period because it is a rather extenuated history. Suffice it to say, I won't start at the beginning of time. 

Dave Bittner: Yeah. 

Travis Leblanc: But I will start with the original Schrems I decision that invalidated the Safe Harbor. So there was, prior to 2015 or so, a bilateral agreement between the United States and Europe that permitted the transfer of personal data about Europeans across the Atlantic to the United States. So if you were a company that operated in Europe, whether a United States company or a European company, and you wanted to - or any other nationality - and wanted to transfer data outside of Europe, you have to ensure that any country that you transfer it to has adequate protections for the privacy rights of European data subjects. 

Travis Leblanc: Safe Harbor was the framework that the United States had negotiated with Europe for a determination of adequacy. In 2015 or so, there was a decision out of the European Court of Justice, Schrems - now known as Schrems I. The case was brought by Max Schrems, who's an Austrian privacy activist. It was brought against Facebook and was challenging Facebook's transfer of data about Europeans to the United States and argued, largely in part, that the Safe Harbor framework was not an adequate protection under European law because the national security programs and activities of the United States government would require Facebook and any other company in the United States to permit access - to either permit it or to not have the ability to prevent access to - access by the United States government to the personal data of Europeans. 

Travis Leblanc: In 2015, the ECJ says that the protections, due to the national security activities of the United States government, were not adequate. Many of these activities had been exposed by Edward Snowden, and that is what became the basis of the lawsuit and much of the decision. Shortly after that decision came down, the United States and the European Commission went back to the table to negotiate a new agreement that would permit the transfer of personal data about Europeans to the United States. That new agreement was called Privacy Shield. 

Travis Leblanc: It was announced in approximately 2016 and was largely based off of Safe Harbor, although there were several new components to the agreement around national security. One, for example, was the creation of an ombudsman position or ombudsperson position at the State Department. Another was an enhanced role for the Privacy and Civil Liberties Oversight Board, the agency on which I sit, that would also have a role in ensuring oversight of the intelligence community in the United States. And there were - you know, there was also a letter submitted by then the general counsel of the Office of the Director of National Intelligence, ODNI, - the general counsel at that time was Bob Litt - to give some assurances on the oversight that - of the intelligence community that takes place in the United States. 

Travis Leblanc: A few years later, Schrems again litigates the issue up to the European Court of Justice - Europe's highest court, considered their Supreme Court - which in July of this year concluded in the Schrems II decision that the Privacy Shield framework, nevertheless, was not an adequate framework for the protection of the rights of European data subjects, largely for many of the same reasons that the ECJ had identified in the Schrems I decision. But, again, it goes back to the intelligence community, the national security activities of the United States government, and the lack, for example, of a European to challenge the exercise of those authorities in the United States, the relative lack of authority for the ombudsperson. 

Travis Leblanc: And now we find ourselves in the position of having Europe and the United States go back to the table again to attempt to identify another framework that could be used in place of Privacy Shield. 

Dave Bittner: And so what are the main sticking points here? What's keeping us from coming up with something that everyone can agree on? 

Travis Leblanc: Well, you know, by and large, the main sticking points are not the activities of the, you know, 5,000-plus companies that relied upon Privacy Shield. By and large, the concerns of the European Commission - I mean, of the European Court of Justice are that there isn't a, you know, due process right for Europeans to challenge the exercise of the national security authorities of the United States government, that there isn't a way to - that some of the authorities exceed the privacy right, you know, the privacy rights as they see it, of Europeans in particular. It really does go to national security. And, you know, the challenge after Safe Harbor was that the Privacy Shield framework did not come into existence along with substantial modifications to the intelligence authorities of the United States government. 

Travis Leblanc: And so, you know, part of the negotiation will certainly be around, you know, what additional insurances the U.S. government can give as to the, you know, transparency and the limits of the authorities of the United States intelligence community. But I do suspect that without changes to those authorities, meaning changes by law, it's going to be quite difficult to get the ECJ on board. What we've seen now is that the European Commission has been able to get assurances that the United States is satisfactorily, in their view, protecting the rights of European data subjects. 

Travis Leblanc: Every year after Privacy Shield was implemented was an annual review, where either the Americans go to Europe or the Europeans come to America for two days of meetings, where the representatives of the Europeans are largely, you know, getting briefings and also asking a lot of questions about what the United States has done in the last year to ensure that it's able to meet its obligations under Privacy Shield. After each of those, the European Commission puts out a report on how the annual review went, and each time the Europeans have concluded that the United States is satisfactorily meeting its commitments and, therefore, that the United States remain adequate. 

Travis Leblanc: Here, however, the ECJ is disagreeing and, really, is disagreeing not only with, you know, what the United States government does, but it's disagreeing with the judgment of the European Commission. And in many ways, the decision was - you know, out of Schrems II was not just a criticism or a rebuke of the United States, but in many ways also the commission itself. You know, I think the challenge that they will face going forward as well is that much of the criticism around the United States intelligence community practices have resulted from the fact that the United States is more transparent than many other countries in the world, in part as a result of the Snowden disclosures, but - and that the United States has a lot of oversight and is willing to talk about the oversight that it has, whereas many other countries in the world don't. 

Travis Leblanc: And so it's going to be really interesting to see whether, for example, the United Kingdom, which is no longer part of the European Union, will be deemed adequate by the commission and also, frankly, by the ECJ. Many of the same concerns that the ECJ expressed about Europe would seem to apply equally to the United Kingdom. And so it will be interesting to see how the adequacy of the United Kingdom is assessed, you know, as well as, frankly, other members of what are known as the Five Eye countries - Australia, for example, New Zealand or Canada. 

Travis Leblanc: And then the last thing I'll note is, you know, many of the European countries engage in the same conduct that is frowned upon by the ECJ, as the United States does. But, you know, because of European law, those - and the national security authorities are not considered - the national security authorities of European Union members are not considered by the ECJ in these circumstances for purposes of adequacy. So many of the European countries that also engage in the same activities don't have to stand to answer for these activities before the ECJ. 

Dave Bittner: Well, I mean, you mentioned oversight, and you serve on the Privacy and Civil Liberties Oversight Board. Can you give us some insights there? First of all, what is that group tasked with? What's your contribution there? 

Travis Leblanc: The Privacy and Civil Liberties Oversight Board - the PCLOB, as the acronym goes - is a bipartisan independent agency within the executive branch that is charged with ensuring that the counterterrorism programs of the United States government adequately balance privacy and civil liberties. The PCLOB was created out of a recommendation of the 9/11 Commission that, you know, recognizing many of the new surveillance authorities that were being put in place to prevent another 9/11 also could impact and did impact privacy and civil liberties. 

Travis Leblanc: We are a five-member agency. There are three - because the president is currently a Republican, there are three Republican members. There are two Democratic members. I'm one of the Democratic members. We're all nominated by the president and confirmed by the US Senate. Only the chairman is full time at the agency. The other four members are part time, which allows me, for example, to continue to work at Cooley as a partner while also serving on the on the PCLOB. There is a full-time staff that works at the agency full time every day. And, largely, you know, most people see us as the agency that oversees the intelligence community's surveillance authorities. And by intelligence community, that includes the CIA, the NSA, the FBI, the Department of Homeland Security and about 12 or 13 other agencies. 

Travis Leblanc: We all have security clearances at the top-secret level. And we primarily do two types of projects. There are our oversight projects, and there are our advice projects. The oversight projects involve the board identifying and issue a program or an activity that is worthy of an independent investigation. And a - usually a report is produced at the end. Probably the most famous of the board's oversight projects was of the 702 program after the Snowden leaks. But we recently put out a report earlier this year on an NSA program in connection with the USA Freedom Act that allowed the collection, really, and bulk of the call detail records of millions and millions and millions of calls. The program has now been shuttered after spending $100 million. It's now been shuttered and everything deleted about it. 

Travis Leblanc: But we do oversight. We report to Congress as well as share our reports with the intelligence community when they are released and, to the extent possible, with the public. The other type of work that we do is advice. And in our advice capacity, components within the intelligence community will come to us and ask us to assist them with evaluating the privacy and civil liberties impacts of a program or activity of the government. Typically, we do not make those advice projects public, but we do several of them at any given time. The PCLOB is unique in the federal government in that it is the only federal agency that works on privacy full time, and it is also an agency that is focused on, really, the activities of the United States government, not so much the commercial sector. 

Travis Leblanc: And so when it comes to Privacy Shield and, in particular, to the Europeans as they consider adequacy, the PCLOB has been instrumental in producing reports on programs that were of concern to the Europeans. It has also been instrumental in participating in the annual review with the Europeans as well. And we also do reach out and interface with our colleagues abroad who also have a similar mission of overseeing the national security or the surveillance programs of their own countries. 

Dave Bittner: The PCLOB itself and your relationship to the intelligence community - is it a collaborative relationship? Is it adversarial? Does it depend on what you're working on? What's - how exactly does that interaction work? 

Travis Leblanc: I would say that it is generally collaborative. Because we all have the highest clearances, the fact that a program is classified is not a basis to prohibit us from gaining access to information. In our statute, every federal agency is directed to comply with our requests for documents and information. And, generally speaking, the agencies that we work with we are regularly in touch with - not just on one given oversight project. But, for example, you know, there are various policies and procedures that they may need to have approved by the attorney general. And, you know, they'll go through us as well in preparation of an approval by the attorney general. 

Travis Leblanc: So I would say it is generally collaborative. We do not go to court with them, you know. And, generally speaking, if there are issues with compliance with our requests, we either raise them up within the administration or, you know, if we're unable to resolve them there, we are directed and do alert Congress to this situation in case Congress would like to get involved. 

Dave Bittner: Yeah, it's interesting. Well, I mean, getting back to the Privacy Shield issue, how do you suspect this is going to play out? What do you see as some of the possible resolutions here? 

Travis Leblanc: The Europeans and the Americans are already negotiating. We know that. They've been quite transparent about the existence of the negotiations. You know, we've seen an effort by the U.S. Department of Commerce to try and keep the Privacy Shield framework at least nominally in existence. For example, you know, the Department of Commerce has announced that it's going to continue to process applications to join Privacy Shield. I personally am perplexed by that decision because, you know, the European Court of Justice and the data protection authorities over in Europe have made quite clear that they don't view the Privacy Shield as a valid framework. 

Travis Leblanc: And so, you know, it's not clear to me why the Department of Commerce would want to keep that in play. But my best guess is that, in the negotiations, the United States would seek to use the Privacy Shield framework as, essentially, a model for or a basis for whatever comes, you know, next. Since, largely, there aren't concerns with the principles that the Privacy Shield framework espouses vis-a-vis the companies that agree to it, there largely wasn't a concern also with the redress mechanisms that were built into it vis-a-vis corporations and European data subjects. 

Travis Leblanc: For example, there was the creation in Privacy Shield of an arbitration panel. I actually, in 2017, was selected by both the Department of Commerce and by the European Commission as one of the 17 or so arbitrators under the Privacy Shield framework. So if a European person had a concern about a corporate practice of a company that had access to their personal data, they had the option as - one of many options - to bring an arbitration against the company. 

Travis Leblanc: Largely, I would anticipate that this arbitration mechanism would be kept going forward into the framework. I think the challenges that we really face right now, at least on the American side - what we have to do is give the Europeans the comfort that there is sufficient transparency and oversight of the intelligence community in the United States, that they do not have to be concerned, you know, about the NSA, for example, you know, breaking into Facebook to obtain access to European data or that, otherwise, there would be a, you know, redress mechanism available. That's going to be a challenge. 

Travis Leblanc: The United States did a lot in the negotiations around Privacy Shield to try to assuage Europe of these concerns. It was apparent from the ECJ decision that a lot of the information from the Snowden disclosures have continued to impact at least the justices there and many of the data protection authorities, to be honest. And so I think the challenge we're going to face is, you know, identifying who in the intelligence community in the United States is going to go to the table with the Europeans and whether we will need to, you know, make any changes to the, you know, authorities of the ombudsperson, the authorities of the Privacy and Civil Liberties Oversight Board, the rights of, you know, Europeans or Americans to challenge exercise of certain intelligence authorities and, you know, probably also whether there's going to be any FISA-related reform. I think a lot - Foreign Intelligence Surveillance Act is FISA... 

Dave Bittner: Yeah. 

Travis Leblanc: ...Which, you know, some of those authorities expired earlier this year. So there's a lot on the table. And it is apparent that the Department of Commerce alone won't be able to make all the assurances that are necessary, but that the intelligence community or at least some component of it will have to be at the table as well, as it was in the negotiations after Safe Harbor and that put in place Privacy Shield. 

Dave Bittner: All right, Ben. What do you think? 

Ben Yelin: First of all, I'm nerding out here (laughter) 'cause I've read a lot of reports from the Privacy and Civil Liberties Oversight Board. I use their reports as material in a lot of my law school courses. 

Dave Bittner: Yeah. 

Ben Yelin: And so to hear from one of the members of that board, you know, I'm like a teenage girl going to a Jonas Brothers concert. So... 

Dave Bittner: (Laughter) He's a pretty cool guy, isn't he? 

Ben Yelin: He is a pretty cool guy. I hope he likes me. 

Dave Bittner: (Laughter). 

Ben Yelin: So that was just fascinating to hear. The Privacy and Civil Liberties Oversight Board is just an excellent institution. It was, as he mentioned, passed in the aftermath of 9/11, where we started to have some of these more questionable and controversial surveillance tactics. And they've written very detailed public reports on how these programs work, what the privacy and civil liberties concerns are. And it's so interesting to me that they've worked closely with their European counterparts to try and make things like Privacy Shield work, to make sure that not only are these programs protecting the civil rights and civil liberties of U.S. persons, but they would allow the European Union to feel comfortable engaging in data sharing agreements with the United States. 

Ben Yelin: And despite, I think, the best efforts of the Privacy and Civil Liberties Oversight Board, Schrems II - this summer - indicates that we're not there yet. And, you know, I think that's reflected in, you know, some of the surveillance practices we've talked about many times on this podcast - Section 702 of the FISA Amendments Act, Executive Order 12333. These are practices where the U.S. government really does have extensive power to collect communications, both metadata and content. So it was just really interesting to hear his perspective on that, and I'm just really interested to see what happens now that we have to go back to the drawing board and, you know, create a new data sharing agreement in the aftermath of this judicial decision. 

Dave Bittner: Yeah, I have to say, I really, you know, truly enjoyed the conversation. And it was - it lifted my spirits to know that someone with his thoughtfulness and intellect is part of that organization, is on that board, is helping, you know, guide our movements and privacies in that area. I think, you know, it's easy to get down on this stuff. But when you actually speak to someone who clearly has Travis' capabilities, that was reassuring to me. 

Ben Yelin: It was. I think they're an extremely valuable agency. They issued some really critical reports on our surveillance practices back in 2014 that uncovered a lot of things that the public didn't know about. Now, I will say this - I know I've defended Edward Snowden, probably much to the chagrin of many of our listeners, several times on this podcast. Privacy and Civil Liberties Oversight Board was created in 2004, and I believe they did not hold their first meeting until 2013, after the Snowden disclosures. So that could also be one of the lingering effects of the decision he made to leak these documents, for better or worse. 

Dave Bittner: Interesting. All right. Well, again, our thanks to Travis LeBlanc from Cooley for joining us. Really interesting conversation there. We do appreciate him taking the time. 

Dave Bittner: That is our show, we want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.