Executive Summary

Payment networks connect buyers with sellers. Success hinges on attracting sufficient participation on both sides of the market. Card issuers offer rewards, insurance, fraud prevention, and other benefits that create incentives for use. Issuers can do so, in part, because they receive an “interchange” fee from acquiring banks, who in turn charge a fee to merchants (the “merchant discount rate” or MDR).

Price controls on these fees interfere with the delicate balance of the two-sided market ecosystem. Interchange-fee caps in various jurisdictions have led banks to increase other fees (such as monthly account fees and annual card fees), reduce card benefits, and adjust product offerings. As a result, consumers—especially those with lower incomes—face higher costs and reduced access to financial services. These costs generally exceed by a wide margin any consumer savings from reduced prices. Price controls on MDR, seen recently in India and Costa Rica, have also distorted the market by impeding competition and favoring larger players (big-box merchants and internet-platform-service providers, which are able to monetize in other ways), while harming smaller entities and traditional banks.

Instead of imposing price controls, governments should reduce regulatory barriers and provide core public goods, such as courts of law and identity registers, which enable competition, market-driven innovation, and financial inclusion.

I. Introduction

Payment networks are integral to modern economies, facilitating the seamless exchange of goods and services across vast distances and among unfamiliar parties. This issue brief considers the effects of regulatory interventions on such networks, looking in particular at price controls on interchange fees and merchant discount rates (MDRs). While intended to reduce costs for merchants and consumers, the evidence shows these price controls impede competition and harm consumers.

For a payment network to be self-sustaining, there must be sufficient participation on both sides of the market—i.e., by both buyers and sellers. If too few sellers accept a particular form of payment, buyers will have little reason to adopt it. Likewise, if too few buyers hold a particular form of payment, sellers will have little reason to accept it. At the same time, payment networks must cover their costs of operation, including credit risk, monitoring costs, fraud risk, and investments in innovation. Payment networks typically address these two problems (optimizing participation and covering costs) simultaneously through various fees and incentives, thereby maximizing value to all participants.

Maximizing value often entails that one side of the market (usually, the merchants) subsidizes the other side (consumers) through an “interchange fee” received by the issuing bank from the acquiring bank. The interchange fee covers a much wider range of costs than the operational costs mentioned above. Specifically, it typically includes issuer costs associated with collection and default, as well as many of the additional benefits that cardholders typically receive, including various kinds of insurance and such rewards as cashback rewards and airline miles. The interchange fee, in turn, is typically covered by fees charged by the merchant’s acquiring bank (see Figure 1), known as the merchant discount rate (MDR) or merchant service charge (MSC).

FIGURE 1: Transactions in a Four-Party Card Model

Caps on interchange fees and/or MDR are price controls, which have the effect of reducing the incentive to supply the product subject to that control. Many countries have introduced price controls on interchange fees, and these have been much-studied. Section II presents a summary of the evidence of the effects of price controls on interchange fees.

By contrast, relatively few countries have imposed price controls on MDR and the effects of such price controls have rarely been scrutinized.[1] Section III thus offers an initial assessment of such effects. Finally, Section IV offers conclusions and policy recommendations.

II. Interchange-Fee Price Controls

This section considers the effects of price controls on interchange fees. While more than 30 jurisdictions have imposed such price controls, we focus on the jurisdictions for which we have the best evidence.^[2] While each jurisdiction and each price control is unique, the effects appear  to generalize readily. Therefore, the limited selection of jurisdictions here should be seen as typical examples.

This section begins with a brief description of the specific form price controls took in each jurisdiction. That is followed by a description of the response by (issuing) banks. Finally, the effects on consumers are evaluated.

A. How Jurisdictions Have Capped Interchange Fees

Various jurisdictions have taken a variety of approaches to the imposition of price controls on interchange fees. The following are examples of some of the better-studied interventions.[3] These examples show what happens in the period immediately following the introduction of interchange-fee price controls. While some price controls have been repealed or changed, their effects are most transparent in the immediate aftermath of their implementation, and the inclusion of these examples thus remains instructive.

1. Spain

Spain imposed caps on interchange fees for both credit and debit cards through agreements with merchant associations and card schemes in two distinct phases: the first ran from 1999 to 2003, the second from 2006 to 2010.[4] During the first phase, caps were initially set at 3.5%, falling to 2.75% in July 2002. Caps were much lower during the second phase and were lower for large banks (over €500 million), whose credit-card interchange fees were capped at 0.66% in 2006, falling to 0.45% by 2010, than for small banks (under €100 million), whose credit-card interchange fees were capped at 1.4% in 2006, falling to 0.79% in 2010.

2. Australia

The Reserve Bank of Australia (RBA) introduced caps on interchange fees for credit cards in 2003 under a “cost-based framework,” which adjusted interchange fees based on processing costs. As a result, the RBA aimed in the first instance to reduce interchange fees by 40%, from an average of 0.95% in 2002 to 0.6% in 2003.[5]

3. United States

Under a provision of the Dodd-Frank Wall Street Reform Act of 2010 known commonly as the “Durbin amendment,” the U.S. Federal Reserve imposed caps on debit-card interchange fees for large banks, as well as routing requirements for all debit-card issuers.[6] As a result, debit-card-interchange fees fell by about 50% for large banks almost immediately. Interchange fees on debit cards issued by smaller banks and credit unions initially fell by a smaller amount, and interchange fees on single-message (PIN) debit cards have now fallen to similar levels as PIN debit cards issued by larger banks.[7]

4. European Union

In 2015, the EU capped fees at 0.2% for debit cards and 0.3% for credit cards.[8] These are hard caps with few exceptions, and those rates rapidly became the norm for most transactions (with the exception of some domestic schemes that offer lower rates).[9]

B. Response by Banks

Faced with potentially large losses of revenue, banks adopted numerous strategies to limit their losses, including, most notably:

1. Increasing other fees and interest

Banks commonly increased other fees, including annual-card fees, account-maintenance fees, late fees, and interest on loans and credit cards. For example, in the United States, banks raised monthly account-maintenance fees and increased the minimum balance needed for a fee-free account.[10] In the EU, banks increased other fees and interest rates.[11]

2. Reduced card benefits

Banks reduced the rewards and benefits associated with those cards that were subject to price controls. This included reducing or eliminating cashback rewards, points, and other incentives that were previously funded, in part, by interchange fees. For example, U.S. banks subject to the Durbin amendment generally eliminated debit-card rewards. In Australia, meanwhile, the average value of rewards fell by about 30%.[12]

3. Adjusted product offerings

Some banks shifted their focus to products not affected by the caps. In the United States, where the Durbin amendment applied only to debit cards, banks shifted their promotional efforts toward credit cards. In Australia, banks issued “companion” cards on three-party networks that were initially exempt. In some EU jurisdictions, banks have promoted business credit cards, which are exempt.[13]

C. The Effects on Consumers

Interchange-fee caps make the vast majority of consumers worse off, especially those with lower incomes. This outcome primarily arises from several interconnected factors:

1. Higher costs

As noted, in response to the reduction in interchange fees, banks have increased a range of fees, including higher account-maintenance charges (and higher minimum-balance requirements to qualify for free accounts); larger overdraft fees; increased interest rates on loans and credit cards; and higher annual fees on credit cards. These increased fees have disproportionately affected lower-income consumers, who may struggle more to maintain minimum-balance requirements or avoid overdrafts.[14]

2. Loss of insurance, other services, and the financial benefits of rewards

The reductions in rewards and other benefits on cards subject to interchange-fee caps amount to a direct pecuniary loss for millions of consumers. Often, these losses far exceed the reduction in interchange fees that cause them. A case in point is insurance: credit-card-issuing banks are typically able to negotiate volume-based discounts on insurance, which means they pay less than would an individual seeking his or her own policy. But if there simply is not sufficient revenue to cover the continuation of such benefits, issuers are forced to withdraw it, as many issuers in the EU have done.

3. Lost access to financial services

Larger account fees and increased minimum-balance requirements have resulted in an increase in unbanked and underbanked households in the United States, particularly among lower-income consumers.[15] As a result, more households have become reliant on check-cashing services, payday loans, and other high-cost financial services.

4. Limited savings passed through to consumers

While larger merchants save on transaction fees, due to the lower interchange fees, these savings are not fully passed on to consumers in the form of lower prices. The degree of pass-through can vary greatly, depending on the competitive dynamics of various retail sectors. But in most cases, merchants have passed through the reduced costs associated with lower interchange fees at a lower rate than banks have passed through losses in fee revenue, in the form of higher-priced accounts, cards and services, and reductions in rewards. As such, consumers are, on net, worse off.^[16]

While the intended goal of interchange-fee caps may be to reduce merchants’ costs and generate savings for consumers, in practice, consumers see few, if any, retail-price reductions, even as they experience significantly reduced benefits from their payment cards, as well as increased banking costs.

III. MDR Caps

This section explores the effects of caps on merchant discount rates. As noted earlier, it is difficult to draw broad conclusions of the kind we were able to draw in Section II on the effects of interchange-fee caps. This is both because of the relative rarity of MDR caps, as well as the fact that they have—in the two cases examined here—coincided with other policy changes and broader economic and social phenomena that simultaneously have had significant effects on the payments system. The two case studies nonetheless offer salutary lessons about the problems inherent in imposing price controls on payment fees.

A. India

India’s MDR caps, which date back to 2012, were put in place as part of a series of interventions whose broad objective was to increase access to finance and shift transactions from paper to electronic money. These initiatives included (in order of implementation): a digital ID (launched in 2010); a domestic-card scheme and debit card (RuPay) with MDR caps (implemented in 2012); and a domestic faster-payments system (UPI, launched in 2016) with zero MDR for most transactions. This section focuses primarily on the implementation of UPI, its MDR caps, and the implications for consumers, merchants, and payment-service providers.

1.  Mobile payments in India and the role of MDR

Until 2015, the two largest companies offering mobile phone-based payment services in India were Paytm and MobiKwik, which both relied on MDR to facilitate their expansion. MDR enabled these services to offer consumers cashback rewards and other incentives. MobiKwik signed up 1.5 million merchants and 55 million registered users by 2015,[17] while Paytm had 100 million registered accounts in 2015.[18]

Payment services are the core of Paytm’s business, contributing 58% of its revenue in Q3 2023 (although it fell slightly in Q1 2024).[19] These services arise from users making payments from mobile wallets stored on Paytm’s platform, using debit cards and credit cards. The company charges merchants an MDR that ranges from 0.4% to 2.99% of the transaction amount, depending on the payment type (for small-to-medium-size businesses).[20] MobiKwik, meanwhile, generates revenue from commissions and advertisements from its Zaak payment-gateway franchise subsidiary,[21] as well as loans—including short-term credit, buy-now-pay-later, and personal loans—and investment advice.[22] Of note, Zaak is also highly reliant on MDR as a source of revenue.^[23]

2. Enter UPI

In 2016, the National Payments Corporation of India (NPCI), a public-private partnership between the Reserve Bank of India (RBI) and the Indian Banks Association (IBA), launched the Unified Payment Interface (UPI), an open-source interoperable API that facilitates real-time transfers between individuals with accounts at participating banks that have integrated the API into their smartphone apps.[24] NPCI also built its own app, BHIM UPI, that is available directly and can also be white-labelled by banks and PSPs.[25]

By any measure, UPI has been enormously successful. In April 2024, more than 80% of all retail payments by volume and about 30% by value were made using UPI.[26]

PhonePe, which launched in 2016, and Google Pay, which launched in India in 2017, have from the outset operated exclusively on UPI. PhonePe launched as a wholly owned subsidiary of Flipkart, India’s largest online marketplace. This enabled it to leverage the marketplace’s then-100 million users, as well as subsequent growth of Flipkart’s user base.[27] Although PhonePe has now separated from Flipkart, it is still owned by Walmart, which bought Flipkart in 2018, and is thus able to leverage the retail giant’s merchant ecosystem.

Google, meanwhile, was able to leverage its brand recognition and to monetize Google Pay through a combination of advertising and its local online marketplace. It is noteworthy that, in a 2023 survey, Google was ranked the top brand in India, followed by Amazon and YouTube (which is owned by Google).[28]

PhonePe is now the largest payment network in India, with approximately 200 million active users; Paytm ranks second, with approximately 100 million active users;[29] Google Pay is third, with about 67 million active users;[30] and MobiKwik is fourth, with 35 million active monthly users in 2023.[31]

In April 2024, PhonePe and Google Pay together represented 87% of UPI transactions by volume and value (Table 1). Paytm was the third-largest payment app on UPI, representing 8% of transactions and 6% of value. The fourth-largest app was CRED, which is a members-only app aimed at individuals with higher credit scores.[32] Together, these top four apps represented 96.5% of transaction volume and 95.5% of transaction value. The remaining apps combined all had less than 5% market share between them, and none had more than 1% individually.[33]

TABLE 1: UPI Transactions by App, April 2024

SOURCE: NPCI

Since UPI transactions represented about 80% of India’s retail volume, this means that the combination of Google Pay and PhonePe represented more than 70% of all non-cash retail transactions in India by volume.

3. How zero MDR distorts competition

The reason such as high proportion of UPI payments come from the top four apps is that their operators have been able to monetize transactions and encourage adoption on both sides of the market without relying on MDR. NPCI prohibits MDR for most applications (exceptions are pre-paid debit and rechargeable mobile wallets, which since April 2023 have been permitted to charge up to 1.1% in MDR).[34]

These MDR caps on UPI have, however, made it less economically viable for payment-services providers (PSPs) to offer such incentives for consumers. Indeed, Paytm has recently switched from offering cashback rewards to consumers to offering cashback rewards to merchants—presumably because it realizes it has to compete with other payments ecosystems that run on UPI and therefore charge zero MDR.[35]

Like the interchange-fee caps explored in Section II, MDR caps change the economics of payment systems by reducing the ability of card issuers and payment-app operators to balance the two sides of the market through cross-subsidies. These effects became most visible after UPI went live in 2016 with zero MDR.

As noted, both PhonePe and Google Pay were able to leverage existing networks to attract both merchants and users (Flipkart, in the case of PhonePe, and Google’s search engine and other products, in the case of Google Pay). Having built a significant base of participants on both sides of the market, the companies have been able to monetize their payment systems through product advertising, upselling of related products, and in-app transactions, thereby reinforcing the network effects.

While MDR is prohibited on UPI, PhonePe usually charges a 2% transaction fee for its online-payment gateway service. Acting as a payment gateway carries little counterparty or credit risk, and is typically offered in other jurisdictions for a small flat fee. The 2% charged by PhonePe therefore effectively goes straight to the bottom line, or can be used to cross-subsidize participation, thereby further enhancing the PSPs’ market share. Indeed, in July 2023, PhonePe began offering its payment gateway for free to new customers (an own-side subsidy: existing users subsidize new users).[36]

Google Pay, meanwhile, has offered cashback incentives for use of the service on apps within its own (Android) ecosystem.[37] This encourages the use of Google Pay in much the same way that traditional rewards offer incentives to use other payment systems. The merchant beneficiaries are, however, limited to participants in its app system, for which Google charges a 30% transaction fee.

While Paytm’s share of UPI is low compared to PhonePe and Google Pay, it can monetize such transactions both by providing add-on financial services, such as insurance and investments, as well as through the MDR it charges on non-UPI transactions.[38] Paytm has also built a rewards program for merchants that encourages participation in its marketplace.[39]

Finally, CRED has partnered with a range of high-end brands to undertake targeted advertising, the revenue from which enables CRED to offer rewards to users of various kinds, including cashback rewards.[40]

While UPI has likely contributed to increased financial inclusion, the prohibition on MDR for most types of transactions has distorted the entire market toward merchants affiliated with the large mobile-payment ecosystems (PhonePe, Google, and Paytm) and a payment network targeted at higher-income customers (CRED). Meanwhile, this has come at a huge price for the majority of banks and other PSPs that facilitate payments on UPI. The Payments Council of India estimates that its members lose 55 billion rupees (US$660 million) annually as a result of the zero MDR on UPI and RuPay transactions.[41] This is effectively a transfer from those banks to the companies whose apps monetize UPI transactions.

India’s government partly offsets this loss through a subsidy to UPI participants of between 15 and 25 billion rupees.[42] But this amounts to a subsidy to PhonePe, Google, Paytm, and CRED, which is odd. Moreover, experience with other systems that impose restrictions on payment-transaction fees suggests that banks will seek to recover these losses via other fees.[43] To the extent that such additional fees fall on lower-income account holders, the effect on financial inclusion is likely to be negative.

India’s government has also announced that it intends to cap the share of UPI transactions for any one service provider to 30% by the end of 2024, with the goal of reducing the dominance of Google Pay and PhonePe.[44] It remains unclear how such caps will be implemented, but it is almost certain that whatever mechanism is adopted would cause other harmful effects. Indeed, there is something slightly absurd about introducing a cap on participation in order to address the perverse consequences of caps on MDR.

Given that the MDR caps are the cause of Google Pay and PhonePe’s combined dominance, a far better solution would be to lift those caps. Indeed, based on the evidence adduced here, removing the MDR caps would likely unleash competition and innovation. Instead of being dominated by a few giant players, UPI would become what its visionaries intended: an inclusive platform that facilitates participation by a wide range of players. The platform could then further expand access to payments, enhance smaller merchants’ ability to compete, and improve financial inclusion.

B. Costa Rica

Costa Rica introduced price controls on payment cards in 2020. Legislative Decree No. 9831 authorized the Central Bank of Costa Rice (BCCR) to regulate fees charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”^[45] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.” BCCR was tasked with issuing regulations that would ensure the rule is “in the public interest” and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.”

Starting Nov. 24, 2020, BCCR set maximum interchange fees for domestic cards at 2.00% and maximum MDR at 2.50%. Over a four-year period, BCCR has gradually ratcheted down both MDR and interchange-fee caps, as shown in Table 2.

TABLE 2: Interchange Fee and MDR Caps in Costa Rica, 2020-2024

An unusual feature of BCCR’s regulation is the simultaneous cap on both MDR and interchange fees, which has the effect of limiting revenue to both acquiring banks and issuing banks. This has likely reduced investments by issuers and acquirers and led to lower levels of system efficiency and speed, and possibly to increased fraud.

It is also worth noting that both interchange fees and MDR vary according to merchant type and location, in large part because the risk of fraud varies among different types of merchants. There is a danger, therefore, that imposing price controls on both MDR and interchange fees could make it unprofitable for acquirers to process payments for some riskier merchants. In other words, in its attempt to reduce merchant costs, BCCR may inadvertently (but predictably) prohibit some merchants from being able to accept payment cards. This is neither efficient, nor is it in the public interest.

Looking at the trajectory of the mean and median MDRs for various merchant categories in Costa Rica before price controls were imposed (as shown in Figures 1 and 2), MDRs were, on average, quite high (a mean of about 4%) but the medians were even higher (ranging from 4% to 10% for all categories except gas stations and passenger transportation). This significant difference between the mean and median MDRs suggests either that a large proportion of merchants represented a particularly high risk (e.g., from fraud and/or chargebacks) or that there was a lack of competition among acquiring banks (and perhaps even collusion)—or perhaps both.

FIGURE 2: Mean MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

If the previously high MDRs were a function of merchant-associated risk, capping MDRs would be expected to cause acquiring banks to drop some merchants. The data, however, show that the number of merchants increased from 2020 to 2022, which suggests that lack of competition among acquirers is a more likely explanation.[46]

FIGURE 2: Median MDR for Various Merchants in Costa Rica, 2019-2022 (%)

SOURCE: Author’s calculations based on data from BCCR

To the extent that these high MDRs reflect a lack of competition among acquiring banks, the appropriate response would have been to seek to understand what was causing this lack of competition and then to remedy that directly. For example, if the lack of competition arose from regulations imposed by BCCR, it would be incumbent on BCCR to modify its regulations to reduce barriers to competition. Capping MDR does not address the underlying problem; indeed, it likely makes it worse, by inhibiting acquirers from being able to differentiate themselves on price or quality.

IV. Conclusions and Policy Implications

In competitive markets without price controls, prices evolve in ways that tend to maximize value for all participants. In payment networks, interchange fees play an important role, enabling issuers to develop appealing and competitive products with features that range from cashback rewards to travel insurance. This encourages customers to use the card or app in question, which, in turn, benefits merchants who see greater sales. The fees also facilitate associated innovations, such as AI-based fraud detection, contactless payments, and online token vaults.

When governments impose price controls on payment fees—whether in the form of caps on interchange fees or on MDR, or both—bank revenue from card transactions falls. Issuers (and acquirers, in the case of MDR caps) respond by increasing other fees, reducing card benefits, and reducing investments in improvements. The ecosystem becomes distorted, unbalanced, and fundamentally less competitive.

The beneficiaries of such interventions tend to be larger merchants and other participants in the system (including larger financial technology, or “fintech,” players). These players can leverage and reinforce their loyal customer base, and often charge fees for services (such as payment gateways) that are as high or higher than interchange fees, and even MDR.

India’s government recognizes the anticompetitive nature of its MDR caps, but appears to think that this is best-addressed by introducing new caps on participation. Costa Rica, meanwhile, appears to have suffered from a lack of competition among merchant acquirers, which drove up the cost of MDR—leading it to introduce caps on MDR.

But, in both cases, regulation is the problem, not the solution. In India’s case, various regulations—especially the caps on MDR for UPI transactions, as well as the government subsidies to UPI—have resulted in heavy concentration and impeded competition from fintech startups. Meanwhile, in Costa Rica, existing regulatory barriers likely impeded competition in the acquisition market, which enabled acquirers to charge excessive rates. This has prompted BCCR to impose MDR and interchange-fee caps that, in turn, have impeded competition in issuance.

The biggest losers from such interventions tend to be lower-income consumers, who end up paying higher bank fees and leaving—or not entering—the banking system. But there are many other losers, including the majority of consumers, and the many potential competitors that are excluded from participation because they are unable to monetize their investments via interchange and/or MDR fees.

Governments should not distort markets in these ways. Quite the opposite: they should be as neutral as possible. Rather than imposing price controls on payment systems, they might look to review and repeal existing government-created barriers to financial inclusion. These could include licensing requirements for banks that limit competition and enable acquirers to charge abnormal MDR rates.

In other words, rather than layer additional distorting regulations atop existing regulations, further harming the operation of complex private-market ecosystems, they should look for ways to reduce government-imposed barriers to competition. And, generally, they should limit themselves to the production of genuine public goods, such as courts and identity registers. Doing so will enable greater participation, competition, and innovation, which will drive financial inclusion.

[1] Other jurisdictions, such as Denmark and China, also have imposed restrictions on MDR/MSC, but this author was unable to adduce sufficient information about the nature and effects of these interventions to develop substantive analyses.

[2] We draw extensively on our earlier review: Julian Morris, Todd J. Zywicki, & Geoffrey A. Manne, The Effects of Price Controls on Payment-Card Interchange Fees: A Review and Update,  (ICLE White Paper 2022-03-04 & George Mason L. & Econ. Research Paper No. 22-07, 2022), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4063914. See also Fumiko Hayashi & Jesse Leigh Maniff, Public Authority Involvement in Payment Card Markets: Various Countries, August 2020 Update, Fed. Res. Bank of Kan. City (August 2020), available at https://www.kansascityfed.org/documents/6660/PublicAuthorityInvolvementPaymentCardMarkets_VariousCountries_August2020Update.pdf.

[3] Morris et al., supra note 2.

[4] Juan Iranzo, Pascual Fernández, Gustavo Matías, & Manuel Delgado, The Effects of the Mandatory Decrease of Interchange Fees in Spain (Munich Personal RePEc Archive, MPRA Working Paper No. 43097, 2012), available at https://mpra.ub.unimuenchen.de/43097/1/MPRA_%20paper_43097.pdf.

[5] Press Release, Reform of Credit Card Schemes in Australia, Res. Bank of Austl. (Aug. 27, 2002), https://www.rba.gov.au/media-releases/2002/mr-02-15.html.

[6] H.R.4173 – Dodd-Frank Wall Street Reform and Consumer Protection Act, s.1075(a)(3); Debit Card Interchange Fees and Routing; Final Rule, 76 Fed. Reg. 43,393-43,475, (Jul. 20, 2011).

[7] Todd J. Zywicki, Geoffrey A. Manne, & Julian Morris, Unreasonable and Disproportionate: How the Durbin Amendment Harms Poorer Americans and Small Businesses, Int’l Cntr For L. & Econ. (Apr. 25, 2017), available at https://laweconcenter.org/wp-content/uploads/2017/08/icle-durbin_update_2017_final-1.pdf.

[8] Regulation (EU) 2015/751 of the European Parliament and of the Council of 29 April 2015 on Interchange Fees for Card-Based Payment Transactions, 2015, O.J. (L 123) 1, 10-11 (hereinafter “IFR”).

[9] Ferdinand Pavel et al., Study on the Application of the Interchange Fee Regulation: Final Report 89, European Commission Directorate-General for Competition (2020), https://op.europa.eu/s/zKl2.

[10] Mark D. Manuszak & Krzysztof Wozniak, The Impact of Price Controls in Two-Sided Markets: Evidence From US Debit Card Interchange Fee Regulation (Bd. of Governors of the Fed. Res. Sys. Fin. & Econ. Discussion Series, Working Paper No. 2017-074,  2017); Vladimir Mukharlyamov & Natasha Sarin, Price Regulation in Two-Sided Markets: Empirical Evidence From Debit Cards (SSRN Working Paper, 2019), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3328579.

[11] Interchange Fee Regulation (IFR) Impact Study Report, Edgar Dunn & Co. (Jan. 21, 2020), https://www.edgardunn.com/reports/interchange-fee-regulation-ifr-impact-assessment-study-report.

[12] Iris Chan, Sophia Chong, & Stephen Mitchell, The Personal Credit Card Market in Australia: Pricing Over the Past Decade, Res. Bank Of Austl. Bull. (2012), available at https://www.rba.gov.au/publications/bulletin/2012/mar/pdf/bu-0312-7.pdf.

[13] IFR, supra note 8, Art. 1(3)(a).

[14] Mukharlyamov & Sarin, supra note 10.

[15] Id.

[16] Iranzo et al., supra note 4 at 34-37; Ian Lee, Geoffrey A. Manne, Julian Morris, & Todd J. Zywicki, Credit Where It’s Due: How Payment Cards Benefit Canadian Merchants and Consumers, and How Regulation Can Harm Them, Macdonald-Laurier Institute 1, 27 (2013); Morris, Zywicki, & Manne, supra note 7 at 23-29.

[17] Shabana Hussain, MobiKwik’s Journey and the Path Ahead, Forbes India (Apr. 6, 2015), http://forbesindia.com/article/work-in-progress/mobikwiks-journey-and-the-path-ahead/39905/1 .

[18] Paytm Reaches 100 Million Users, Business World (Aug. 11, 2015), https://businessworld.in/article/paytm-reaches-100-million-users–84698.

[19] Press Release, Paytm’s Earning’s Release for Quarter and Year Ending March 2024, Paytm (May 22, 2024), available at https://paytm.com/document/ir/financial-results/Paytm_Earnings-Release_INR_Q4_FY24.pdf.

[20] Paytm’s Pricing, Paytm, https://business.paytm.com/pricing (last visited Jun. 07, 2024).

[21] MobiKwik Consolidated Financial Statement, MobiKwik (2023), available at https://documents.mobikwik.com/files/investor-relations/statements/mobikwik/Consolidated-Financials-Sept2023.pdf; Report on the Audit of Special Purpose Interim Financial Statements, Tattvam & Co. (Dec. 31, 2023), available at https://documents.mobikwik.com/files/investor-relations/statements/zaakpay/zaakpay-financials-sept2023.pdf; Subsidiary Financials, MobiKwik, https://www.mobikwik.com/ir/subsidiary-financials (last visited Jun. 7, 2024); Status of Applications Received from Online Payment Aggregators (PAs) Under Payment and Settlement Systems Act, 2007, Res. Bank of India, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=4236 (last updated Jun. 1, 2024).

[22] Id., Res. Bank of India.

[23] Pratik Bhakta, MobiKwik to Add Muscle to Its Payment Gateway Business, The Economic Times (May 13, 2017),  https://economictimes.indiatimes.com/small-biz/startups/mobikwik-shifting-focus-to-payment-gateway-space/articleshow/58655807.cms?from=mdr.

[24] Unified Payments Interface (UPI), National Payments Corporation of India (2024), https://www.npci.org.in/what-we-do/upi/product-overview; UPI Live Members, National Payments Corporation of India (2024),  https://www.npci.org.in/what-we-do/upi/live-members.

[25] BHIM, https://www.bhimupi.org.in (last visited Jun. 7, 2024); Pratik Bhakta, BHIM to Be the Right Platform for Small Banks to Enter Payment Space, The Economic Times (Feb. 3, 2017), https://economictimes.indiatimes.com/small-biz/security-tech/technology/bhim-to-be-the-right-platform-for-small-banks-to-enter-payment-space/articleshow/56945820.cms?from=mdr.

[26] Payment System Indicators, Res. Bank of India (Apr. 2024), https://www.rbi.org.in/Scripts/PSIUserView.aspx?Id=35.

[27] Alnoor Peermohamed, Flipkart Grows User Base to 100 million, Business Standard (Jun. 6, 2024), https://www.business-standard.com/article/companies/flipkart-grows-user-base-to-100-million-116092100216_1.html.

[28] Gaurav Laghate, Google, Amazon, YouTube Top India brands, Livemint (Jun. 27, 2023), https://www.livemint.com/companies/news/google-amazon-youtube-top-india-brands-11687887362055.html.

[29] Paytm Surpasses 100 Million Monthly Transacting Users for the First Time in Q3 FY24, Livemint (Jan. 22, 2024), https://www.livemint.com/companies/news/paytm-surpasses-100-million-monthly-transacting-users-for-the-first-time-in-q3-fy24-11705932856486.html.

[30] Michael G. William, How Many People Use Google Pay in 2023?, Watcher Guru (Sep. 14, 2023), https://watcher.guru/news/how-many-people-use-google-pay-in-2023#google_vignette.

[31] MobiKwik Continues Profitable Streak for Second Quarter in a Row, The Economic Times (Oct. 05, 2023), https://economictimes.indiatimes.com/tech/technology/mobikwik-continues-profitable-streak-for-second-quarter-in-a-row/articleshow/104183594.cms?from=mdr.

[32] CRED, https://cred.club/ipl (last visited Jun. 07, 2024).

[33] Eight other apps had between 0.25% and 0.75% of transaction volume and/or value: Amazon Pay, ICICI Bank Apps, Fampay, Kotak Mahindra Bank Apps, HDFC Bank Apps, WhatsApp, BHIM, and Yes Bank Apps.

[34] Upasana Taku, NPCI’s 1.1% Interchange Fee on UPI Payments Via Wallet – The Watershed Moment for Fintech in India, The Times of India (May 15, 2023), https://timesofindia.indiatimes.com/blogs/voices/npcis-1-1-interchange-fee-on-upi-payments-via-wallet-the-watershed-moment-for-fintech-in-india.

[35] Pratik Bhakta, Inside Paytm’s Cashback Offers for Retailers, The Economic Times (Jul. 7, 2023),   https://economictimes.indiatimes.com/tech/startups/in-through-the-other-door-inside-paytms-cashback-offers-for-retailers/articleshow/101551675.cms?from=mdr.

[36] Mayur Shetty, PhonePe Cuts Fees for Payment Gateway Services, The Times of India (Jun. 14, 2023),  https://timesofindia.indiatimes.com/business/india-business/phonepe-cuts-fees-for-payment-gateway-services/articleshow/100986915.cms.

[37] Manish Singh, Google’s New Plan to Push Google Pay in India: Cashback Incentives in Android Apps, TechCrunch (May 16, 2019), https://techcrunch.com/2019/05/16/google-pay-india-android-cashback.

[38] Paytm, supra note 20.

[39] An Overview of Merchant Discount Rate Charges, AMLegals (Mar. 15, 2024), https://amlegals.com/an-overview-of-merchant-discount-rate-charges.

[40] CRED Pay, https://cred.club/cred-pay/onboarding (last visited Jun. 7, 2024).

[41] Roll Back Zero Merchant Discount Rate on UPI, Rupay Debit Card Payments, Industry Body Payments Council of India Writes to Finance Ministry, The Indian Express (Jan. 23, 2022), https://indianexpress.com/article/business/banking-and-finance/merchant-discount-rate-rollback-on-upi-rupay-debit-cards-7737229.

[42] Pratik Bhakta, Fintechs Await Government Word on MDR Subsidy Allocation, The Economic Times (Feb. 22, 2024), https://economictimes.indiatimes.com/tech/technology/fintechs-await-government-support-for-promoting-digital-payments-for-current-fiscal/articleshow/107891943.cms?from=mdr.

[43] Morris et al., supra note 2.

[44] Ajinkya Kawale,  NPCI to Review by End of Year Decision on 30% UPI Market Share Cap, Business Standard (Apr. 19, 2024), https://www.business-standard.com/markets/news/npci-to-review-30-market-share-cap-decision-by-year-end-124041901059_1.html.

[45] Author’s translations from the Spanish original are approximate.

[46] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago, Banco Centrale de Costa Rica (Oct. 2023), 12, available at https://www.bccr.fi.cr/en/payments-system/DocCards/Estudio_tecnico_2023_fijacion_ordinaria_comisiones_CP.pdf.

Come Thursday (Jan 11), students will receive their 2023 GCE O-Level examination results.

The stress over performance can take on a slightly different dimension at this juncture – on the one hand, there is a greater range of education options from the academic to the practical-oriented; on the other, teenagers will have to start thinking ahead to university and even career possibilities.

As educators, we are often asked by students for advice. In particular, those keen on pursuing the more academic A-Level route seek help deciding which subjects they should take at the Higher 2 (H2) level.

Our short answer tends to be a pragmatic question: Think ahead – what would you like to study at university? Take subjects that open those doors for you.

Read the full piece here.

Abstract

Once considered the final frontier, outer space has become the modern day Yukon territory. A burgeoning commercial economy is reshaping the balance of powers and expanding the breadth of activities beyond our atmosphere. Outer space is no longer the exclusive province of a select number of nation states engaged in geopolitical competition. A robust private sector has begun to stake its claim, ushering in a fundamentally different incentive environment that answers to shareholders and venture financers. As a consequence, the principles that persisted from the Cold War, and ultimately motivated the Outer Space Treaty[1] and its subsequent counterparts,[2] are no longer sufficient. Truth be told, they were never expected to be so. The United Nations Committee on the Peaceful Uses of Outer Space (“COPUOS”) never contemplated commercial uses when it adopted—and many nations subsequently ratified—its longstanding space treaties. While private actors have interacted with this environment for decades, the commercial space industry has only recently reached a point of maturity where entities can productively utilize orbital environments, cultivate an entirely new source of natural resources in lunar and cislunar space and further explore the translunar realm. Commercial space is having its moment, and it represents a monumental paradigm shift for space law and policy.

Considering the radical evolution of actors and activities in space, do the instruments and institutions that oversee it need to evolve as well? Traditional forms of public international lawmaking—multilateral treatymaking and institution building followed by each participant’s cooperative consent—may not meet the needs of private actors who bear little affiliation to the country they select to license their operations. Similarly, domestic regulations and policies from a government-mission minded era appear ill suited for the novel complexities of the commercial launch and communications capabilities that are rapidly eclipsing those of national governments. The diverse set of actors and activities in outer space also introduce a novel set of contexts and conflicts that impact private law. In effect, commercial space activity is spurring change that no one track can resolve independently, necessitating pluralist reform that extends the bounds of both public and private law.

A second-order problem that emerges is how to manage an ecosystem in which collective commercial interests diverge from national interests. As many nations become dependent on commercial space services and infrastructure, the balance of power is shifting toward a new calculus. Decisions by private actors now impose externalities that national actors experience immediately and directly, and vice versa, making both sides of the public-private dichotomy increasingly intertwined. Thus, if the law is intended to evolve into more efficient, wealth-maximizing rules, we must also ask who reaps the benefits of these efficiencies, and do they lead to sound policy?

These questions are vexing but timely and provide ample room for further scholarly development exploring ways to better manage the use of outer space. On February 3, 2023, the Journal of Law & Innovation hosted its symposium, “The Emerging Commercial Space Age: Legal and Policy Implications” at the University of Pennsylvania Carey School of Law.[3] The Symposium brought together leading international law scholars, economists, and telecommunications and antitrust policymakers to assess the twenty-first century space domain and its implications for legal and policy frameworks. Panelists and moderators emphasized the progress of commercial enterprise in outer space, how these increasingly complex and multifaceted interests would influence international space law and the paradigm shifts that must emerge in economic regulation and public policy to foster innovation and sustainable competition. The Articles in this volume touch each of these considerations and are an outgrowth of the presentations and moderated discussions at the Symposium.

[1] Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T 2410, 610 U.N.T.S. 205 (entered into force Oct. 10, 1967) [hereinafter Outer Space Treaty].

[2] Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space, Apr. 22, 1968, 19 U.S.T. 7570, 672 U.N.T.S. 119; Convention on the International Liability for Damage Caused by Space Objects, Mar. 29, 1972, 24 U.S.T. 2389, 961 U.N.T.S. 187 [hereinafter Liability Convention]; Convention on Registration of Objects Launched into Outer Space, Nov. 12, 1974, 1023 U.N.T.S. 15; Agreement Governing the Activities of States on the Moon and Other Celestial Bodies, Dec. 5, 1979, 1363 U.N.T.S. 3 [hereinafter Moon Agreement].

[3] The symposium program and webcasts of the presentations and discussions are available at https://www.law.upenn.edu/institutes/ctic/jli/events.php.

Executive Summary

The EU Court of Justice’s (CJEU)  July 2020 Schrems II decision generated significant uncertainty, as well as enforcement actions in various EU countries, as it questioned the lawfulness of transferring data to the United States under the General Data Protection Regulation (GDPR)[1] while relying on “standard contractual clauses.”

President Joe Biden signed an executive order in October 2022 establishing a new data-protection framework to address this uncertainty. The European Commission responded in July 2023 by adopting an “Adequacy Decision” under Article 45(3) of the GDPR, formally deeming U.S. data-protection commitments to be adequate.

A member of the French Parliament has already filed the first legal challenge to the Adequacy Decision and another from Austrian privacy activist Max Schrems is expected soon.

This paper discusses key legal issues likely to be litigated:

1. The legal standard of an “adequate level of protection” for personal data. Although we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question that the EU Court may need to clarify to a much greater extent.
2. The issue of proportionality of “bulk” data collection by the U.S. government. It examines whether the objectives pursued can be considered legitimate under EU law and, if so, whether the existing CJEU precedents preclude such collection from being considered proportionate under the GDPR.
3. The problem of effective redress—a cornerstone of the Schrems II decision. This paper explores debates around Article 47 of the EU Charter of Fundamental Rights, whether the new U.S. framework offers redress through an impartial tribunal, and whether EU persons can effectively access the redress procedure.
4. The issue of access to information about U.S. intelligence agencies’ data-processing activities.

I.        Introduction

Since the EU Court of Justice’s (CJEU) Schrems II decision,[2] it has been precarious whether transfers of personal data from the EU to the United States are lawful. It’s true that U.S. intelligence-collection rules and practices have changed since 2016, when the European Commission issued its assessment in the “Privacy Shield Decision” and to which facts the CJEU limited its reasoning. There has, however, also been a vocal movement among NGOs, European politicians, and—recently—national data-protection authorities to treat Schrems II as if it conclusively decided that exports of personal data to the United States could not be justified through standard contractual clauses (“SCC”) in most contexts (i.e., when data can be accessed in the United States). This interpretation has now led to a series of enforcement actions by national authorities in Austria, France, and likely in several other member states (notably in the “Google Analytics” cases, as well as the French “Doctolib/Amazon Web Services” case).[3]

Aiming to address this precarious situation, the White House adopted a new data-protection framework for intelligence-collection activities. On Oct. 7, 2022, President Joe Biden signed an executive order codifying that framework,[4] which had been awaited since U.S. and EU officials reached an agreement in principle on a new data-privacy framework in March 2022.[5] The European Commission responded by preparing a draft “Adequacy Decision” for the United States under Article 45(3) of the General Data Protection Regulation (GDPR), which was released in December 2022.[6] In July 2023, the European Commission formally adopted the Adequacy Decision.[7]

The first legal challenge to the decision has already been filed by Philippe Latombe, a member of the French Parliament and a commissioner of the French Data Protection Authority (CNIL).[8] Latombe is acting in his personal capacity, not as a French MP or a member of CNIL. He chose a direct action for annulment under Article 263 of the Treaty on the Functioning of the European Union (TFEU), which means that his case faces strict admissibility conditions. Based on precedent, it would not be surprising if the EU courts refuse to consider its merits.[9] Regarding the substance of Latombe’s action, he described it in very general terms in his press release (working translation from French):

The text resulting from these negotiations violates the Charter of Fundamental Rights of the Union, due to the insufficient guarantees of respect for private and family life with regard to the bulk collection of personal data, and the General Data Protection Regulation (GDPR), due to the absence of guarantees of a right to an effective remedy and access to an impartial tribunal, the absence of a framework for automated decisions or lack of guarantees relating to the security of the data processed: all violations of our law which I develop in the 33-page brief (+ 283 pages of annexes) filed with the TJUE yesterday.[10]

Latombe also complained about the Adequacy Decision being published only in English.[11] Irrespective of the legal merits of that complaint, however, it is already moot because the Adequacy Decision was subsequently published in the Official Journal of the European Union in all official EU languages.[12]

Reportedly, Max Schrems also plans to bring a legal challenge against the Adequacy Decision,[13] as he has successfully done with the two predecessors of the current EU-US framework.[14] This time, however, Schrems plans to begin the suit in the Austrian courts, hoping for a speedy preliminary reference to the EU Court of Justice (“CJEU”).[15]

This paper aims to present and discuss the key legal issues surrounding the European Commission’s Adequacy Decision, which are likely to be the subject of litigation. In Section II, I begin by problematizing the applicable legal standard of an “adequate level of protection” of personal data in a third country, noting that this issue remains open for the CJEU to address. This makes it more challenging to assess the Adequacy Decision’s chances before the Court and suggests that the conclusive tone adopted by some commentators is premature.

I then turn, in Section III, to the question of proportionality of bulk data collection by the U.S. government. I consider whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Secondly, I discuss whether bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

The second part of Section III is devoted to the problem of effective redress, which was the critical issue on which the CJEU relied in making its Schrems II decision. I note some confusion among the commentators about the precise role of Article 47 of the EU Charter of Fundamental Rights for a third-country adequacy assessment under the GDPR. I then outline the disagreement between the Commission and some commentators on whether the new U.S. data-protection framework provides redress through an independent and impartial tribunal with binding powers.

Finally, I discuss the issue of access to information about U.S. intelligence agencies’ data-processing activities.

II.      The Applicable Legal Standard: What Does ‘Adequacy’ Mean?

The overarching legal question that the CJEU will likely need to answer is whether the United States “ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of Articles 7 and 8 of the [EU Charter of Fundamental Rights].”[16]

The words “essentially equivalent” are not to be found in the GDPR’s provision on adequacy decisions—i.e., in its Article 45, which merely refers to an “adequate level of protection” of personal data in a third country. Instead, we find them in the GDPR’s recital 104: “[t]he third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union (…).” This phrasing goes back to the CJEU’s Schrems I decision,[17] where the Court interpreted the old Data Protection Directive (Directive 95/46).[18] In Schrems I, the Court stated:

The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.[19]

As Christakis, Propp, & have Swire noted,[20] the critical point that “a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order” was also accepted by the Advocate General Øe in Schrems II.[21]

In 2020, the European Data Protection Board (EDPB) issued recommendations “on the European Essential Guarantees for surveillance measures.”[22] The recommendations aim to “form part of the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU.”[23] The EDPB’s document is, of course, not a source of law binding the Court of Justice, but it attempts to interpret the law in light of the CJEU’s jurisprudence. The Court is free not to follow the EDPB’s legal interpretation, and thus the importance of the recommendations should not be overstated, either in favor or against the Adequacy Decision.

While we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question—and one that the EU Court may need to clarify to a much greater extent.

III.    Arguments Likely to Be Made Against the Adequacy Decision

A.     Proportionality and Bulk Data Collection

Under Article 52(1) of the EU Charter of Fundamental Rights, restrictions on the right to privacy and the protection of personal data must meet several conditions. They must be “provided for by law” and “respect the essence” of the right. Moreover, “subject to the principle of proportionality, limitations may be made only if they are necessary” and meet one of the objectives recognized by EU law or “the need to protect the rights and freedoms of others.”

The October 2022 executive order supplemented the phrasing “as tailored as possible” present in 2014’s Presidential Policy Directive on Signals Intelligence Activities (PPD-28) with language explicitly drawn from EU law: mentions of the “necessity” and “proportionality” of signals-intelligence activities related to “validated intelligence priorities.”[24]

Doubts have been raised, however, as to whether this is sufficient. I consider two potential issues. First, whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Second, whether the bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

1.        Legitimate objectives

In his analysis of the adequacy under EU law of the new U.S. data-protection framework, Douwe Korff argues that:

The purposes for which the Presidential Executive Order allows the use of signal intelligence and bulk data collection capabilities are clearly not limited to what the EU Court of Justice regards as legitimate national security purposes.[25]

Korff’s concern is that the legitimate objectives listed in the executive order are too broad and could be interpreted to include, e.g., criminal or economic threats, which do not rise to the level of “national security” as defined by the CJEU.[26] Korff referred to the EDPB Recommendations, which reference CJEU decisions in La Quadrature du Net and Privacy International. Unlike Korff, however, the EDPB stresses that those CJEU decisions were “in relation to the law of a Member State and not to a third country law.”[27]

In contrast, in Schrems II, the Court did not consider legitimate objectives when assessing whether a third country provides adequate protection. In its recommendations, the EDPB discussed the legal material that was available, i.e., the CJEU decisions on intra-EU matters. Still, this approach can be taken too far without sufficient care. Just because some guidance is available (on intra-EU issues), it does not follow that it applies to data transfers outside the EU. It is instructive to consider, in this context, what Advocate General Øe said in Schrems II:

It also follows from that judgment [Schrems I – MB], in my view, that the law of the third State of destination may reflect its own scale of values according to which the respective weight of the various interests involved may diverge from that attributed to them in the EU legal order. Moreover, the protection of personal data that prevails within the European Union meets a particularly high standard by comparison with the level of protection in force in the rest of the world. The ‘essential equivalence’ test should therefore in my view be applied in such a way as to preserve a certain flexibility in order to take the various legal and cultural traditions into account. That test implies, however, if it is not to be deprived of its substance, that certain minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR have an equivalent in the legal order of the third country of destination.[28]

Hence, exclusive focus on what the EU law requires within the EU—however convenient this method may be—may be misleading in assessing the adequacy of a third country under Article 45.

Aside from the lack of direct guidance on the question of legitimate objectives under Article 45 GDPR, there is a second reason not to be too quick to conclude that the U.S. framework fails on this point. As the Commission noted in the Adequacy Decision:

(…) the legitimate objectives laid down in EO 14086 cannot by themselves be relied upon by intelligence agencies to justify signals intelligence collection but must be further substantiated, for operational purposes, into more concrete priorities for which signals intelligence may be collected. In other words, actual collection can only take place to advance a more specific priority. Such priorities are established through a dedicated process aimed at ensuring compliance with the applicable legal requirements, including those relating to privacy and civil liberties.[29]

It may be a formalistic mistake to consider the list of “legitimate objectives” in isolation from such additional requirements and process. The assessment of third-country adequacy cannot be constrained by the mere choice of words, even if they seem to correspond to an established concept in EU law. (Note that this also applies to “necessity” and “proportionality” as used in the executive order.)

2.        Can bulk collection be ‘adequate’?

As Max Schrems’ organization NOYB stated in response to the executive order’s publication:

(…) there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.[30]

Korff echoed this view, noting, e.g.:

(…) – the EO [Executive Order – MB] does not stand in the way of the indiscriminate bulk collection of e-communications content data that the EU Court held does not respect the “essence” of data protection and privacy and that therefore, under EU law, must always be prohibited, even in relation to national security issues (as narrowly defined);

– the EO allows for indiscriminate bulk collection of e-communications metadata outside of the extreme scenarios in which the EU Court only, exceptionally, allows it in Europe; and

– the EO allows for indiscriminate bulk collection of those and other data for broadly defined not national security-related purposes in relation to which such collection is regarded as clearly not “necessary” or “proportionate” under EU law.[31]

The Schrems II Court indeed held that U.S. law and practices do not “[correlate] to the minimum safeguards resulting, under EU law, from the principle of proportionality.”[32] As, however, the EDPB noted in its opinion on a draft of the Adequacy Decision:

… the CJEU did not exclude, by principle, bulk collection, but considered in its Schrems II decision that for such bulk collection to take place lawfully, sufficiently clear and precise limits must be in place to delimit the scope of such bulk collection. (…)

The EDPB also recognizes that while replacing the PPD-28, the EO 14086 provides for new safeguards and limits to the collection and use of data collected outside the U.S., as the limitations of FISA or other more specific U.S. laws do not apply.[33]

As Korff observed, the CJEU has considered the question of bulk collection of electronic communication data, in an intra-EU context, in cases like Digital Rights Ireland[34] and La Quadrature du Net.[35] In Schrems I, the Court referenced Digital Rights Ireland, while stating:

(…) legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (…)[36]

This is potentially important, because the Court concluded the discussion included in this paragraph by saying that “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order” is “apparent in particular from the preceding paragraphs.”[37] This could suggest that, as under the Data Protection Directive in Schrems I, the Court may see the issue of bulk collection of the contents of electronic communications as a serious problem for adequacy under Article 45 GDPR.

The Commission addressed this in the Adequacy Decision as follows:

(…) collection of data within the United States, which is the most relevant for the present adequacy finding as it concerns data that has been transferred to organisations in the U.S., must always be targeted (…) ‘Bulk collection’ may only be carried out outside the United States, on the basis of EO 12333.[38]

The Commission relies on a distinction between data collection that the U.S. government does within the United States and outside of the United States. This likely refers to an argument—discussed by, e.g., Christakis[39] —that adequacy assessment should only concern the processing of personal data that takes place due to a data transfer to the country in question. In other words, it should only concern domestic surveillance, not international surveillance (if personal data transferred from the EU would fall under domestic surveillance in that third country).

The Commission also made a second relevant point:

(…) bulk collection under EO 12333 takes place only when necessary to advance specific validated intelligence priorities and is subject to a number of limitations and safeguards designed to ensure that data is not accessed on an indiscriminate basis. Bulk collection is therefore to be contrasted to collection taking place on a generalised and indiscriminate basis (‘mass surveillance’) without limitations and safeguards.[40]

In the Commission’s view, there is a categorical distinction between “bulk collection” as practiced by the United States and the “generalized and indiscriminate” mass surveillance that the CJEU scrutinized in Digital Rights Ireland and other cases. This may seem like an unnatural reading of “generalized and indiscriminate,” given that it is meant not to apply to “the collection of large quantities of signals intelligence that, due to technical or operational considerations, is acquired without the use of discriminants (for example, without the use of specific identifiers or selection terms).”[41] There may, however, be analogies in EU law that could lead the Court to agree with the Commission on this point.

Consider the Court’s interpretation of the prohibition on “general monitoring” obligations from Article 15(1) of the eCommerce Directive.[42] In Glawischnig-Piesczek, the Court interpreted this rule as not precluding member states from requiring hosting providers to monitor all the content they host in order to identify content identical to “the content of information which was previously declared to be unlawful.”[43] In other words, “general monitoring” was interpreted as not covering indiscriminate processing of all data stored by a hosting provider in order to find content identical to some other content.[44] The Court adopted an analogous approach with respect to Article 17 of the Copyright Directive.[45] This suggests that, in somewhat similar contexts, the Court is willing to see activities that may technically appear to be “general” as “not general,” if some procedural or substantive limitations are present.

B.     Effective Redress

The lack of effective redress available to EU citizens against potential restrictions of their right to privacy from U.S. intelligence activities was central to the Schrems II decision. Among the Court’s key findings were that “PPD-28 does not grant data subjects actionable rights before the courts against the US authorities”[46] and that, under Executive Order 12333, “access to data in transit to the United States [is possible] without that access being subject to any judicial review.”[47]

The new executive order introduced redress mechanisms that include creating a civil-liberties-protection officer in the Office of the Director of National Intelligence (DNI), as well as a new Data Protection Review Court (DPRC). The DPRC is proposed as an independent review body that will make decisions binding on U.S. intelligence agencies. The old framework had sparked concerns about the independence of the DNI’s ombudsperson, and what was seen as insufficient safeguards against external pressures, including the threat of removal. Under the new framework, the independence and binding powers of the DPRC are grounded in regulations issued by the U.S. attorney general.

In a recent public debate, Max Schrems argued that the CJEU would have a difficult time finding that this judicial procedure satisfies Article 47 of the EU Charter, while at the same time holding that some courts in Poland and Hungary do not satisfy it.[48]

1.        Article 47 of the Charter ‘contributes’ to the benchmark level of protection

Schrems’ comment raises two distinct issues. First, Schrems seems to suggest that an adequacy decision can only be granted if the available redress mechanism satisfies the requirements of Article 47 of the Charter of Fundamental Rights.[49] But this is a hasty conclusion. The CJEU’s phrasing in Schrems II is more cautious:

…Article 47 of the Charter, which also contributes to the required level of protection in the European Union, compliance with which must be determined by the Commission before it adopts an adequacy decision pursuant to Article 45(1) of the GDPR.[50]

In arguing that Article 47 “also contributes to the required level of protection,” the Court is not saying that it determines the required level of protection. This is potentially significant, given that the standard of adequacy is “essential equivalence,” not that it be procedurally and substantively identical. Moreover, the Court did not say that the Commission must determine compliance with Article 47 itself, but with the “required level of protection” (which, again, must be “essentially equivalent”). Hence, it is far from clear how the CJEU’s jurisprudence interpreting Article 47 of the Charter is to be applied in the context of an adequacy assessment under Article 45 GDPR.

2.        Is there an independent and impartial tribunal with binding powers?

Second, there is the related but distinct question of whether the redress mechanism is effective under the applicable standard of “required level of protection.” Christakis, Propp, & Swire offer helpful analysis suggesting that it is, considering the proposed DPRC’s independence, effective investigative powers, and authority to issue binding determinations.[51] Gorski & Korff argue that this is not the case, because the DPRC is not “wholly autonomous” and “free from hierarchical constraint.”[52]

The Commission stated in the Adequacy Decision that the available avenues of redress “allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed and, if a violation is found, to have such violation remedied, including through the rectification or erasure of their personal data.”[53] Moreover:

(…) the executive branch (the Attorney General and intelligence agencies) are barred from interfering with or improperly influencing the DPRC’s review. The DPRC itself is required to impartially adjudicate cases and operates according to its own rules of procedure (adopted by majority vote) (…)[54]

Likely the most serious objection to this assessment (raised by Gorski) is that:

(…) the court’s decisions can be overruled by the President. Indeed, the President could presumably overrule these decisions in secret, since the court’s opinions are not issued publicly.[55]

Given that Christakis, Propp, & Swire appear to disagree,[56] this question of U.S. law may require further scrutiny. Even if the scenario sketched by Gorski is theoretically possible, however, the CJEU may take the view that it would not be appropriate to rule based on the assumption that the U.S. government would act to mislead the EU. And without that assumption, then the possibility of future changes to U.S. law appear to be adequately addressed by the adequacy-monitoring process (Article 45(4) GDPR).

3.        Do EU persons have effective access to the redress mechanism?

In the already-cited public debate, Max Schrems argued that it may be practically impossible for EU persons to benefit from the new redress mechanism, due to the requirements imposed on “qualifying complaints” under the executive order.[57] Presumably, Schrems implicitly refers to the requirements that a complaint:

(i) “alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after” the official designation of that country by the Attorney General;

(ii) includes “information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States Government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;”

(iii) “is not frivolous, vexatious, or made in bad faith”[58]

Given the qualifications that a complaint need only to “allege” a violation and “need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities,” it is unclear what Schrems’ basis for suggesting that it will not be possible for EU persons to benefit from this redress mechanism is.

C.     Access to Information About Data Processing

Finally, Schrems’ NOYB raised a concern that “judgment by ‘Court’ [is] already spelled out in Executive Order.”[59] This concern seems to be based on the view that a decision of the DPRC (“the judgment”) and what the DPRC communicates to the complainant are the same thing. In other words, the legal effects of a DPRC decision are exhausted by providing the individual with the neither-confirm-nor-deny statement set out in Section 3 of the executive order. This is clearly incorrect. The DPRC has the power to issue binding directions to intelligence agencies. The actual binding determinations of the DPRC are not predetermined by the executive order; only the information to be provided to the complainant is.

Relatedly, Korff argues that:

(…) the meaningless “boilerplate” responses that are spelled out in the rules also violate the principle, enshrined in the ECHR and therefore also applicable under the Charter, that any judgment of a court must be “pronounced publicly”. The “boilerplate” responses, in my opinion, do not constitute the “judgment” reached (…)[60]

Here, as before, Korff appears to elide the question of the legal standard of “adequacy,” directly applying to a third country what he argues is required under the European Convention of Human Rights and thus under the EU Charter.

The issues of access to information and data may, however, call for closer consideration. For example, in La Quadrature du Net, the CJEU looked at the difficult problem of notifying persons whose data has been subject to state surveillance, requiring individual notification “only to the extent that and as soon as it is no longer liable to jeopardise” the law-enforcement tasks in question.[61] Nevertheless, given the “essential equivalence” standard applicable to third-country adequacy assessments, it does not automatically follow that individual notification is at all required in that context.

Moreover, it also does not necessarily follow that adequacy requires that EU citizens have a right to access the data processed by foreign government agencies. The fact that there are significant restrictions on rights to information and access in some EU member states,[62] though not definitive (after all, those countries may be violating EU law), may be instructive for the purposes of assessing the adequacy of data protection in a third country, where EU law requires only “essential equivalence.”

The Commission’s Adequacy Decision accepted that individuals would have access to their personal data processed by U.S. public authorities, but clarifies that this access may be legitimately limited—e.g., by national-security considerations.[63] The Commission did not take the simplistic view that access to personal data must be guaranteed by the same procedure that provides binding redress, including through the Data Protection Review Court. Instead, the Commission accepts that other avenues, such as requests under the Freedom of Information Act, may perform that function.

IV.    Conclusion

With the Adequacy Decision, the European Commission announced that it has favorably assessed the October 2022 executive order’s changes to the U.S. data-protection framework, which apply to foreigners from friendly jurisdictions (presumed to include the EU). The Adequacy Decision is certain to be challenged before the CJEU by privacy advocates. As discussed above, the key legal concerns will likely be the proportionality of data collection and the availability of effective redress.

Opponents of granting an adequacy decision tend to rely on the assumption that a finding of adequacy requires virtually identical substantive and procedural privacy safeguards as required within the EU. As noted by the European Commission in its decision, this position is not well-supported by CJEU case law, which clearly recognizes that only “adequate level” and “essential equivalence” of protection are required from third-party countries under the GDPR. To date, the CJEU has not had to specify in greater detail precisely what, in their view, these provisions mean. Instead, the Court has been able to point to certain features of U.S. law and practice that were significantly below the GDPR standard (e.g., that the official responsible for providing individual redress was not guaranteed to be independent of political pressure). Future legal challenges to a new Adequacy Decision will most likely require the CJEU to provide more guidance on what “adequate” and “essentially equivalent” mean.

In the Adequacy Decision, the Commission carefully considered the features of U.S. law and practice that the Court previously found inadequate under the GDPR. Nearly half of the explanatory part of the decision is devoted to “access and use of personal data transferred from the [EU] by public authorities in the” United States, with the analysis grounded in CJEU’s Schrems II decision.

Overall, the Commission presents a sophisticated, yet uncynical, picture of U.S. law and practice. The lack of cynicism about, e.g., the independence of the DPRC adjudicative process, will undoubtedly be seen by some as naïve and unrealistic, even if the “realism” in this case is based on speculations of what might happen (e.g., secret changes to U.S. policy), rather than evidence. Litigants will likely invite the CJEU to assume that the U.S. government cannot be trusted and that it will attempt to mislead the European Commission and thus undermine the adequacy-monitoring process (Article 45(3) GDPR). It is not clear, however, that the Court will be willing to go that way—not least due to respect for comity in international law.

[1] Regulation (EU) 2016/679 (General Data Protection Regulation).

[2] Case C-311/18, Data Protection Comm’r v. Facebook Ireland Ltd. & Maximillian Schrems, ECLI:EU:C:2019:1145 (CJ, Jul. 16, 2020), available at http://curia.europa.eu/juris/liste.jsf?num=C-311/18 [hereinafter “Schrems II”].

[3] See, e.g., Ariane Mole, Willy Mikalef, & Juliette Terrioux, Why This French Court Decision Has Far-Reaching Consequences for Many Businesses, IAPP.org (Mar. 15, 2021), https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses; Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic Transfers Domino, The Future of Privacy Forum (2022), https://fpf.org/blog/understanding-why-the-first-pieces-fell-in-the-transatlantic-transfers-domino; Caitlin Fennessy, The Austrian Google Analytics decision: The Race Is On, IAPP Privacy Perspectives (Feb. 7, 2022) https://iapp.org/news/a/the-austrian-google-analytics-decision-the-race-is-on; Italian SA Bans Use of Google Analytics: No Adequate Safeguards for Data Transfers to the USA (Jun. 23, 2022), https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874.

[4] Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, The White House (2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities.

[5] European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, European Commission (Mar. 25, 2022), https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087.

[6] Draft Commission Implementing Decision Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework, European Commission (2022), available at https://commission.europa.eu/system/files/2022-12/Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.

[7]  Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, OJ L 231, 20.9.2023, European Commission (2023), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023D1795 (hereinafter “Adequacy Decision”).

[8] See Patrice Navarro & Julie Schwartz, Member of French Parliament Lodges First Request for Annulment of EU-US Data Privacy Framework, Hogan Lovells Engage (Sep. 8, 2023), https://www.engage.hoganlovells.com/knowledgeservices/news/member-of-french-parliament-lodges-first-request-for-annulment-of-eu-us-data-privacy-framework; Philippe Latombe, Communiqué de Presse (Sep. 7, 2023), available at https://www.politico.eu/wp-content/uploads/2023/09/07/4_6039685923346583457.pdf.

[9] See, e.g., Joe Jones, EU-US Data Adequacy Litigation Negins, IAPP.org (Sep. 8, 2023), https://iapp.org/news/a/eu-u-s-data-adequacy-litigation-begins.

[10] Latombe, supra note 9.

[11] Id.

[12] See supra note 8.

[13] Mark Scott, We Don’t Talk About Fixing Social Media, Digital Bridge from Politico (Aug. 3, 2023), https://www.politico.eu/newsletter/digital-bridge/we-dont-talk-about-fixing-social-media. See also New Trans-Atlantic Data Privacy Framework Largely a Copy of “Privacy Shield”. NOYB Will Challenge the Decision, noyb.eu (2023), https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

[14] Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, available at https://curia.europa.eu/juris/liste.jsf?num=C-362/14 [hereinafter “Schrems I”].

[15] Scott, supra note 13.

[16] Schrems II [178].

[17] Case C?362/14, Maximillian Schrems v Data Protection Commissioner, EU:C:2015:650 (CJEU judgment of 6 October 2015) [hereinafter: “Schrems I”].

[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (“Data Protection Directive”).

[19] Schrems I [73].

[20] Theodore Christakis, Kenneth Propp, & Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution, European Law Blog (2022), https://europeanlawblog.eu/2022/01/31/eu-us-adequacy-negotiations-and-the-redress-challenge-whether-a-new-u-s-statute-is-necessary-to-produce-an-essentially-equivalent-solution.

[21] Opinion of Advocate General Saugmandsgaard Øe delivered on 19 December 2019, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, ECLI:EU:C:2019:1145 [248].

[22] European Data Protection Board, Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf (hereinafter: “EDPB Recommendations on surveillance measures”).

[23] EDPB Recommendations on surveillance measures [8].

[24] Executive Order, supra note 5, Sec. 2(a)(ii)(B).

[25] Douwe Korff, The Inadequacy of the October 2022 New US Presidential Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, 13 (2022), https://www.ianbrown.tech/2022/11/11/the-inadequacy-of-the-us-executive-order-on-enhancing-safeguards-for-us-signals-intelligence-activities.

[26] Id. at 10–13.

[27] EDPB Recommendations on surveillance measures [34].

[28] Opinion of Advocate General Saugmandsgaard Øe in Schrems II [249].

[29] European Commission, supra note 8, Recital 135.

[30] New US Executive Order Unlikely to Satisfy EU Law, NOYB (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law.

[31] Korff, supra note 25 at 19.

[32] Schrems II [184].

[33] European Data Protection Supervisor, Opinion 5/2023 on the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data Under the EU-US Data Privacy Framework, [134]-[135] (2023), https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-52023-european-commission-draft-implementing_en. See also Alex Joel, Necessity, Proportionality, and Executive Order 14086, Joint PIJIP/TLS Research Paper Series (2023), https://digitalcommons.wcl.american.edu/research/99.

[34] Digital Rights Ireland and Others, Cases C?293/12 and C?594/12, EU:C:2014:238.

[35] La Quadrature du Net and Others v Premier Ministre and Others, Case C-511/18, ECLI:EU:C:2020:791.

[36] Schrems I [94].

[37] Schrems I [96].

[38] European Commission, supra note 8, Recitals 140-141 (footnotes omitted).

[39] Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 1), European Law Blog (2021), https://europeanlawblog.eu/2021/04/12/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part1; Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 2), European Law Blog (2021), https://europeanlawblog.eu/2021/04/13/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part2.

[40] European Commission, supra note 8, Recital 141, footnote 250 (emphasis added).

[41] Id., Recital 141, footnote 250.

[42] Directive (EU) 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (‘Directive on Electronic Commerce’) [2000] OJ L178/1.

[43] Case C-18/18, Eva Glawischnig-Piesczek v Facebook [2019] ECLI:EU:C:2019:821. See also Daphne Keller, Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling, 69 GRUR International 616 (2020).

[44] As Keller puts it: “Instead of defining prohibited ‘general’ monitoring as monitoring that affects every user, the Court effectively defines it as monitoring for content that was not specified in advance by a court.” Id. at 620.

[45] Case C?401/19, Poland v Parliament and Council [2022] ECLI:EU:C:2022:297; Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on Copyright and Related Rights in the Digital Single Market and Amending Directives 96/9/EC and 2001/29/EC (OJ 2019 L 130, p. 92). For background, see Christophe Geiger & Bernd Justin Jütte, Platform Liability Under Art. 17 of the Copyright in the Digital Single Market Directive, Automated Filtering and Fundamental Rights: An Impossible Match, 70 GRUR International 517 (2021).

[46] Schrems II [181].

[47] Schrems II [183].

[48] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023. See also Max Schrems, Open Letter on the Future of EU-US Data Transfers (May 23, 2022), https://noyb.eu/en/open-letter-future-eu-us-data-transfers.

[49] Similar phrasing can be found in Ashley Gorski, The Biden Administration’s SIGINT Executive Order, Part II: Redress for Unlawful Surveillance, Just Security (2022), https://www.justsecurity.org/83927/the-biden-administrations-sigint-executive-order-part-ii. Gorski’s text shows well how easy it is to elide, even unintentionally, the distinction between the Article 47 being a standard that must be satisfied by a third country, and it merely contributing to the level of protection that constitutes a benchmark for an adequacy assessment. At one point she notes that “the CJEU held that U.S. law failed to provide an avenue of redress ‘essentially equivalent’ to that required by Article 47.” In other places, however, she adopts the phrasing of “satisfying” Article 47.

[50] Schrems II [186].

[51] Theodore Christakis, Kenneth Propp & Peter Swire, The Redress Mechanism in the Privacy Shield Successor: On the Independence and Effective Powers of the DPRC, IAPP.org (2022), https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc.

[52] Gorski, supra note 49; Korff, supra note 25 at 21.

[53] European Commission, supra note 8, Recital 175.

[54] Id., Recital 187 (footnotes omitted).

[55] Gorski, supra note 49.

[56] According to them: “(…) key U.S. Supreme Court decisions have affirmed the binding force of a DOJ regulation and the legal conclusion that all of the executive branch, including the president and the attorney general, are bound by it.” Christakis, Propp, & Swire, supra note 51.

[57] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023.

[58] Executive Order, section 5(k)(i)-(iv).

[59] NOYB, New US Executive Order Unlikely to Satisfy EU Law (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law. See also NOYB, supra note 13.

[60] Korff, supra note 25 at 25.

[61] Joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, ECLI:EU:C:2020:791 [191].

[62] European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU – Volume II: Field Perspectives and Legal Update (2017) https://fra.europa.eu/en/publication/2017/surveillance-intelligence-services-fundamental-rights-safeguards-and-remedies-eu.

[63] European Commission, supra note 8, Recitals 199-200.

Abstract

English-architecture company law describes the distinct and diverse group of company or corporate law used in more than 60 jurisdictions worldwide. English-architecture company law provides a robust platform for innovation and development due to its permissive structure, opportunity for choice of law in an entity’s internal governance, and scalability permitting variation for small and large entities. It is the dominant form among International Financial Centers (IFCs), many of which have legal systems with a British connection. This body of law responds to competition and maintains dynamism by engaging its practice community through “learning by doing” and “frictioneering.” An architecture approach permits a broader review of developments in company law that more closely captures the reality of global law practice. The IFC experience of climbing the value chain from tax arbitrage to provide solutions for entities or structures left out in the corporate law of larger jurisdictions provides a useful global governance model to maintain normative, jurisprudential, and regulatory coherence even as it responds to more specialized and unanticipated needs. This Article explores what makes English-architecture company law so successful and how IFCs use it to compete in the global law market.

Abstract

We take advantage of the Brazilian mandatory corporate governance (CG) reporting system to build an overall Brazil Corporate Governance Index (BCGI) and subindices (CGIs), and track changes in firms’ scores over the 10-year period from 2010-2019. We show that overall CG level improved significantly between 2010 and 2019, with most of the improvement over the first part of this period. The improvement has two sources: an increase in the proportion of high-standard listings (Novo Mercado and Level 2, NML2) versus low-standard listings (Level 1 and regular, L1R), and within-firm improvement in CG practices. In the first half of the sample period, both NML2 and L1R firms improved CG practices considerably. Overall improvement in the second half of the sample period reflects an increasing proportion of NML2 firms, plus gradual improvement in L1R CG levels; with nearly constant NML2 levels. Improvements were stronger for Board Procedure and Disclosure. Firms in both listings improved their CG. Overall improvement was stronger in NML2 than in L2R, but was concentrated in the period from 2010-2015.

Abstract

We study the evolution of corporate governance (CG) practices in Brazil over 2010-2019, using a country-specific Brazil Corporate Governance Index (BCGI) validated in prior work. We study separately firms in high-governance and low-governance legal regimes, in a single country. CG improved considerably in Brazil over 2010-2015, with much smaller changes over 2015-2019. Positive CG changes are much more common than negative changes. Some firms made only minimal changes, despite low initial CG levels. We also study which firm financial factors predict both CG levels and changes in levels. None of the firm financial variables we study consistently predicts CG levels. However, for CG changes, a measure of equity financing need predicts CG improvements in the first half of the sample period, but only for firms in the lower governance regime, not for firms in the higher regime. This is the first article to find evidence for firm financial characteristics predicting CG changes, consistent with theoretical predictions, including stronger effects for firms in the lower governance regime.

Abstract

China is making an active push to enlarge its role in the development of Internet-related technical standards. The prevailing narrative surrounding this trend suggests that Beijing is aiming to uproot the liberal, democratic values embedded in the Internet’s technical foundation and governance arrangements in favor of authoritarian-friendly alternatives. For many, these fears were fully realized when Chinese tech giant Huawei came to the UN-affiliated International Telecommunications Union (ITU) and proposed the development of a future core Internet protocol called “New IP”. This proposal allegedly sought to redesign the architecture of the Internet in a way that would both enhance and export the Chinese government’s capacity for digital repression. Informed by the understanding of Chinese standards influence as a geopolitical and ideological threat, many are now calling for a more aggressive response to countering Chinese engagement in Internet standards bodies.

Yet, the conventional narrative seems to be missing something. Specifically, it overlooks the fact that the sophisticated Internet control apparatus China has developed over the years can already censor and surveil quite effectively at present and that shifting responsibility for core protocol development to the state-driven ITU would not necessarily enhance its ability to do so. A more comprehensive understanding of this trend is needed.

Using New IP as the primary case study, this article examines China’s standard-setting push, its potential motivations, and its implications for the future of the global Internet. We conclude that it is far from clear that New IP was indeed intended as a trojan horse for digital authoritarianism. Observing that technical evolution of the Internet—particularly the type endorsed in Huawei’s proposal—plays a prominent role in China’s long-term industrial policy strategy, we find it equally plausible that New IP was motivated by economic considerations, something that has largely been absent from the debate over China’s standards ambitions. We thus caution against the presumption that Chinese-developed standards are intended to advance the cause of digital repression as well as against politically driven opposition to growing Chinese participation at Internet standard-setting bodies. This insight is crucial, as the way American policymakers and Internet stakeholders respond to this trend will undoubtedly impact both the future of the global Internet and U.S. technological leadership in this domain.

Executive Summary

Under the auspices of Legislative Decree 9831, the Central Bank of Costa Rica (BCCR) has set maximum fees for acquiring and issuing banks in payment-card markets, with maximum acquisition fees (MDR) and interchange fees (IRF). Different fees were set for domestic transactions (i.e., those made using locally issued cards) and for cross-border transactions (i.e., those made using foreign-issued cards).

In November 2022, BCCR issued a proposal to retain the cross-border MDR cap at 2.5% and either to leave the cap on cross-border IRF unchanged at 2%, or to lower it to 1.25%. In the same document, BCCR proposed that the MDR for domestically issued cards would be capped at 2% and the IRF capped at 1.5%.

IRF for cross-border transactions typically are significantly higher than those for domestic transactions, primarily because cross-border transactions carry much higher risk of fraud. If BCCR caps cross-border interchange fees at the lower level it has proposed, foreign issuers are likely to respond by de-risking payment requests from acquirers in Costa Rica. This could take various forms, including rejecting payments from certain merchants, or simply increasing rejections rates across the board. Whatever approach, or mix of approaches, is taken, it is likely to cause problems both for merchants in Costa Rica and for their customers.

Prior to the COVID-19 pandemic, roughly 6.25% of Costa Rica’s gross domestic product (GDP) came from tourism, with a significant proportion of those tourist dollars spent using payment cards. Indeed, in 2021, even without a full resumption of pre-COVID rates of tourism, approximately 16% of credit-card payments in Costa Rica were cross-border. If tourists find that they are unable to make reservations at hotels in Costa Rica using their credit or debit cards because the payment is rejected by their issuer, they may well choose an alternative destination for their trip. Meanwhile, if tourists in Costa Rica are unable to pay for goods and services using their credit and debit cards, many will simply not make those payments. This could have a substantial negative effect on Costa Rica’s tourism and business-travel industries.

Introduction

Costa Rica Legislative Decree No. 9831—issued March 24, 2020—created a mandate to regulate acquisition fees (commonly known as the “merchant discount rate,” or MDR) and interchange reimbursement fees (IRF) charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”[1] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.”

Implementation was delegated to the Central Bank of Costa Rica (BCCR), which was tasked with responsibility to issue regulations and monitor compliance; ensure that the rule is “in the public interest”; and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.” Beginning Nov. 24, 2020, BCCR set the maximum IRF for domestic cards at 2.00% and the maximum MDR at 2.50%. These fell to 1.75% and 2.25%, respectively, in an updated regulation published in January 2022, and to 1.5% and 2% in February 2023.

In a study published in May 2022, we reviewed the available evidence regarding interchange fees and argued that it would be contrary to international best practices for Costa Rica to cap acquisition fees and interchange fees.[2] In particular, we raised specific concerns regarding the likely harmful effects of capping fees on cross-border transactions, owing to the higher risks and other costs associated with such transactions.

BCCR developed a technical study that considered the effects of different levels of caps on fees for both domestic and cross-border payment-card transactions and, in November 2022, issued a proposal to retain the cross-border MDR cap at 2.5% and either (1) leave the cap on cross-border IRF unchanged at 2%, or (2) lower the IRF cap for cross-border transactions to 1.25%.

If BCCR leaves the cross-border MDR cap unchanged but reduces the cross-border IRF cap to 1.25%, it might, in principle, appear to solve the immediate problem faced by acquiring banks. It would, however, create new problems for those banks, their customers, and the wider economy. It will also put Costa Rica in the unenviable position of being the only country in the world with a cross-border interchange fee that is below the domestic interchange fee.

This brief considers the international experience with cross-border payment-card transactions, with a focus on issues related to fraud, as well as the negative implications of imposing price caps. It begins with a brief discussion of the economics of interchange fees. Section II describes Costa Rica’s price controls on merchant acquisition and interchange fees. Section III discusses fraud and other costs associated with cross-border and card-not-present transactions. Section IV describes ways in which payment-card networks address issues related to fraud. And Section V assesses the likely implications for Costa Rica of price caps on cross-border interchange fees.

I.        The Economics of Interchange Fees

Payment systems are two-sided markets, with consumers on one side and merchants on the other; the payment network acts as a platform that facilitates interactions between the two sides.7F[3] For such a system to be successful, both merchants and consumers must perceive it as beneficial. If too few merchants accept a particular form of payment, consumers will have little reason to obtain it and issuers will have little incentive to issue it. Likewise, if too few consumers possess a form of payment, merchants will have little reason to accept it.

In any two-sided market, platform operators seek to encourage participation on each side of the market in ways that maximize the joint net benefits of the network to all participants—and to allocate system costs accordingly.8F[4] Among the means they employ to achieve this balance is by setting prices charged, respectively, to participants on each side of the market.9F[5] In the case of payments, if the platform operator sets the price too high for some consumers, they will be unwilling to use the platform; similarly, if the operator sets the price too high for some merchants, they will not be willing to use the platform.

In general, the costs of operating a platform will tend to fall on the party who is least sensitive to such costs (i.e., the party with the lower price elasticity). In the case of payment cards, that party is the merchant.13F[6] Merchants often pay, through transaction fees, not only all the costs of accessing the network, but also effectively subsidize participation by consumers—e.g., through cashback and other rewards programs, insurance, fraud protection, and other cardholder benefits that serve as incentives to card usage.

Merchants are willing to do this because they receive significant benefits from the use of payment cards, including: ticket lift (i.e., higher spending, due to the fact that consumers are not constrained by the cash in their pockets or, in the case of credit cards, the amount of cash currently in their bank accounts), guaranteed payment, reduced cash-management costs, and faster checkout times.

II.      Costa Rica’s Price Controls on Payment Card Fees

Article 14 of Legislative Decree 9831 requires the BCCR to undertake “ordinary reviews” of the price controls on MDR and IRF at least once annually. Its first such review, published in November 2021, set a timetable for maximum domestic-acquisition and interchange fees (see table below) and set maximum cross-border MDR at 2.5% and IRF at 2%.[7]

SOURCE: Banco Central de Costa Rica[8]

BCCR subsequently established a task force to develop proposals for setting payment-card fees. On Nov. 2, 2022, BCCR published the task force’s recommendations, which included, inter alia, the following:[9]

• Use international comparisons of IRFs and MDRs “as the best technical tool currently available to the BCCR to ensure the lowest possible cost for affiliates, in accordance with Legislative Decree 9831.”
• Maintain the differentiation of the ceilings on IRF and MDR between local and cross-border payment transactions, in accordance with Article 4 of Legislative Decree 9831, “as this leads to the proper functioning, efficiency and security of the Costa Rican payment system and the lowest cost for affiliates.”
• For 2023, set maximum fees for local payment transactions at 1.50% for IRF and 2.00% for MDR. This is in line with the proposal made in 2021.
• Maintain the cap of 2.50% on cross-border MDR, “since the information available in the international comparison does not allow modifications to be made to the limit established since 2020.”
• Propose two alternative options regarding the maximum cross-border IRF:
  • Option 1: maintain the current maximum, e., 2.00%; or
  • Option 2: reduce the maximum to 1.25%.

The BCCR offers various putative justifications for these proposed caps. For example, it notes that Option 2 would result in a maximum cross-border IRF that is midway between “the minimum cross-border IRF established by Mastercard and Visa card brands for the United States and Canada, as well as Visa for Australia in the case of non-Asia Pacific issuers” (i.e., 1.00%) and the IRF “agreed by Mastercard and Visa card brands for card-not-present payments in the EEA” (i.e., 1.50%).

Such justifications, however, are fundamentally inconsistent with the economics of two-sided markets. The current and proposed price caps thus represent essentially arbitrary interventions. By focusing narrowly on the costs incurred by merchants through IRFs and MDRs, BCCR fails to account adequately for the offsetting benefits that accrue to consumers and merchants—and the costs to provide those benefits.

Legislative Decree 9831 does, however, permit BCCR to take into consideration “[a]ny other element that reasonably allows the Central Bank of Costa Rica to guarantee the efficiency and security of the card systems.”[10] As discussed below, one such element that should be considered by BCCR is the potential effect of regulating international IRFs on merchants in Costa Rica, especially those catering to tourists and business travelers, and the wider effects on the economy.

III.    Fraud Risks Associated with Cross-Border Payments

In comparison to domestic payments, cross-border payments entail significantly higher risks of fraud, as be seen by looking at the incidence of payments fraud in the European Union (EU). Data from the European Central Bank (ECB) show unambiguously that the rates of fraud on cross-border transactions—both between EU member states and from outside the EU—is much higher than fraud on domestic transactions. In its 2021 Report on Card Fraud, the ECB found that, between 2015 and 2019, cross-border transactions represented only 10% of transactions by value but 65% of all fraud by value, as can be seen in Figure I.[11] Thus, in value terms, cross-border fraud represents a risk more than six times greater than domestic fraud.

SOURCE: European Central Bank[12]

For most EU member states, the situation is even more dramatic, with cross-border fraud representing more than 90% of all card fraud, as can be seen in Table II.

SOURCE: European Central Bank[13]

Looking at the types of transaction involved in card fraud, the vast majority (83%) are card-not-present (CNP) fraud, as can be seen in Figure II.

SOURCE: European Central Bank[14]

While these data relate to payments fraud in the EU, they are likely indicative of broader international trends. As such, they suggest that cross-border fraud in general and CNP cross-border fraud in particular is a far more significant problem than domestic fraud of all kinds.

IV.    How Card Networks Address Payment-Card Fraud

Card networks have developed numerous processes and technologies to address payment-card fraud, including the following.

Zero liability protection for cardholders. Card networks’ standard terms and conditions include clauses requiring issuers to protect personal cardholders from unauthorized transactions (subject to certain conditions, such as that cardholders report such transactions promptly to the card issuer).[15] This protection is an important benefit to cardholders, who otherwise might be wary of using their cards, especially for online transactions or in foreign countries.

Liability protection for merchants. Just as cardholders are protected from liability for unauthorized transactions, so too are merchants. Issuers are, by default, liable for unauthorized transactions. This is an important benefit to merchants, who might otherwise be reluctant to accept card-based payments.

Chargebacks. The above liability protections apply only to unauthorized transactions. Where a cardholder has authorized a payment, they will be liable. Meanwhile, if a merchant has processed a payment without obtaining the necessary authorization, and where that payment has been disputed by the cardholder, the issuer may initiate a “chargeback”: effectively reversing the payment.

Authorization, verification, and fraud monitoring. To complement the system of liability protection and chargebacks, payment networks have developed increasingly sophisticated and effective systems for transaction authorization and fraud monitoring, including:

• Tokenization—which underpins EMV (Europay, Mastercard, and Visa) chips, contactless cards, and smartphone-based payments—uses encrypted data to enable authorization without sharing personal account numbers;
• Machine-learning-based transaction monitoring, which creates a dynamic model of each cardholder’s transactions and flags as potentially fraudulent those payments that do not fit the model; and
• Contingent multifactor authentication, whereby transactions flagged as potentially fraudulent result in the cardholder being asked for secondary authentication.

These systems reduce the incidence of fraud and thereby reduce the liability of card issuers. For example, in 2015, payment networks changed the liability rules for U.S. merchants to encourage adoption of EMV cards. Estimates by Visa suggest that merchants that subsequently adopted EMV-compliant point-of-sale (POS) machines experienced an 87.5% reduction in fraud.[16] Nonetheless, as is clear from Section III, fraud remains a problem, especially for cross-border and CNP transactions.

The liability rules summarized above mean that the cost of fraud falls disproportionately on card issuers. In 2020, issuers bore nearly two-thirds of all card fraud losses worldwide.[17] The equitable and economically efficient solution is for issuers to charge higher fees for transactions that are more likely to be fraudulent.

In some cases, it may make sense to pass on some or all of these costs to consumers. In the case of cross-border transactions, some issuers do this by charging foreign-transaction fees on some cards.[18] Such fees can, however, discourage consumers from using their cards, so it may be preferable for merchants to pay higher fees instead. Thus, cards aimed at international travelers typically offer cardholders “no foreign-transaction fee” as a benefit. These cards instead charge a higher interchange fee for foreign transactions. Holders of such premium cards typically spend more, thereby benefiting the merchants (who pay slightly higher fees, if they are not on a blended rate).

V.      Possible Responses to Caps on Cross-Border Interchange Fees

As noted in Section II, the BCCR Task Force made two alternative proposals with respect to cross-border IRFs. The first would leave the current cap unchanged at 2.00%, while the second would reduce the cap to 1.25%.

Even the current cap is lower than the standard IRF charged for many credit cards that offer no foreign-transaction fee. Payments made using such cards in Costa Rica are thus effectively subsidized by merchants in other jurisdictions that do not impose such caps.

At the lower proposed rate, foreign issuers will receive a lower IRF than domestic-card issuers. Given the much higher fraud rate on cross-border payments, this is likely to cause significant problems, especially for premium cards that offer cardholders “no foreign-transaction fee” as well as other benefits, such as vehicle insurance, purchase-protection insurance, and rewards. The IRF revenue simply will not be sufficient to cover these benefits. As such, to reduce fraud, payments using such cards will be subject to greater scrutiny and many may well simply be rejected.

This is a problem not only for the cardholders, who will be frustrated when attempting to make purchases. It is also a problem for Costa Rica’s tourism and business-travel sectors. Consider what might happen when a prospective visitor attempts to book a room at a resort such as Tortuga Lodge, which takes bookings directly on its website and processes payments through its acquirer in Costa Rica.[19] The prospective visitor first tries their World Elite Mastercard and finds that it is rejected; they then try their Visa Infinite card and again find that the payment is rejected. Frustrated but undaunted, they instead decide to book rooms at Tortuga Lodge on Expedia.com, which uses a U.S. acquirer; this time, they have no problem making and paying for the booking, albeit at a higher price than was offered directly by the hotel. When they arrive in Costa Rica, however, they find that, once again, their cards are repeatedly rejected when they attempt to make purchases, whether it be at restaurants, tour agencies, or even an art gallery where they had hoped to buy a beautiful piece of local artwork.

The above scenario might already be happening, because the standard IRF for such transactions on the cards mentioned is higher than the current capped rate of 2.00%.[20] At the alternative lower proposed rate of 1.25%, rejections are a near certainty for at least some travelers. Worse, some prospective travelers who are looking for a more bespoke offering and want to book directly with the hotel are likely to abandon their plans to travel to Costa Rica at all and choose a different destination where they do not encounter such difficulties.

Ironically, prospective visitors who have standard debit or credit cards that charge foreign-transaction fees are much less likely to have their payments rejected.

Some other payment methods are not covered by the caps on MDRs and IRFs: specifically, wire transfers and other bank-to-bank transfers that do not involve the use of payment-card networks. Most likely, there will be a shift toward the use of such payment methods, as a result both of individuals paying directly through such transfers and an increase in payments from overseas agencies. In general, such alternative payment methods involve greater counterparty risk than payments made using cards due to their greater finality, which means it is more difficult to reverse a payment once made, and the lack of purchase insurance. To the extent that visitors to Costa Rica are limited to wire and bank transfers, as a result of their payment cards being declined, they are likely to reduce their spending.

These anecdotes and observations suggest a number of likely effects of the cap on interchange fees:

• First, booking and payment for accommodation and other pre-bookable tourism activities will shift from Costa Rica-based agents and acquirers to U.S.-based agents and acquirers. This will reduce margins for Costa Rican hotels and other tourism businesses.
• Second, higher–end tourists will likely spend less in Costa Rica because they will be less able to use their payment cards.
• Third, there will likely be an overall reduction in high-spending tourists visiting Costa Rica, with a concomitant reduction in total spending.

In 2019, Costa Rica received about 3.1 million visitors who stayed for one night or more, spending about $4 billion, roughly 6.25% of the country’s GDP.[21] The tourism industry employed more than 170,000 people, about 5% of the country’s working-age population.[22] Tourist numbers fell dramatically in 2020 due to the COVID-19 pandemic, leading to a dramatic decline in income and employment. Visitor numbers began to rise again in 2021 and, while total numbers remained below their pre-COVID highs, the number of visitors from the United States (245,000) was not far off the number for 2019 (280,000). In March 2022. Costa Rica announced its national tourism plan for 2022-2027, in which it sought to increase the number of annual visitors to 3.8 million by 2027, targeting tourism revenue of $4.8 billion.[23]

In 2019, Costa Rican merchants processed around 19 million cross-border payment-card transactions, with a total value of around $2 billion—representing about half the total tourism revenue and 16% of the value of all card transactions.[24] After falling in 2020, the number of cross-border payment-card transactions rose in 2021 to nearly 23 million, with a total value of $2 billion, which is consistent with the return of higher-spending tourists from the United States.[25]

If BCCR chooses to cap interchange fees on cross-border transactions at 1.25%, it is likely to impede Costa Rica’s national tourism plan, both by discouraging tourism and, more importantly, by reducing revenue from higher-spending tourists.

VI.    Conclusion

Based on this assessment, there are significant costs associated with caps on cross-border MDRs and IFRs. As noted above, Legislative Decree 9831 permits BCCR to take into consideration such costs to the extent that they affect BCCR’s ability “to guarantee the efficiency and security of the card systems.”[26] As such it is incumbent on BCCR to consider the potential economic harm that is likely to arise if it were to lower the cap on cross-border IFR to 1.25%.

[1] Note, translations from the Spanish original are approximate.

[2] Julian Morris, Regulating Payment Card Fees: International Best Practice and Lessons for Costa Rica, International Center for Law & Economics (May 25, 2022), https://laweconcenter.org/resources/regulating-payment-card-fees-international-best-practices-and-lessons-for-costa-rica.

[3] Jean-Charles Rochet & Jean Tirole, Two-Sided Markets: A Progress Report, 37 Rand J. Econ. 645 (2006); See also Todd J. Zywicki, The Economics of Payment Card Interchange Fees and the Limits of Regulation, International Center for Law and Economics, ICLE Financial Regulatory Program White Paper Series (Jun. 2, 2010), available at http://laweconcenter.org/images/articles/zywicki_interchange.pdf.

[4] Bruno Jullien, Alessandro Pavan, & Marc Rysman, Two-Sided Markets, Pricing, and Network Effects, in Handbook of Industrial Organization (Vol. 4), 485-592 (2021).

[5] Thomas Eisenmann, Geoffrey Parker, & Marshall W. Van Alstyne, Strategies for Two-Sided Markets, Harv. Bus. Rev. (Oct. 2006).

[6] Id., at 33.

[7] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago 2021, Banco Central de Costa Rica, (Nov. 2021).

[8] Id. at 3.

[9] Alcance No 237 A La Gaceta No 212, Imprenta Nacional de Costa Rica (Nov. 7, 2022).

[10] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).

[11]Seventh Report on Card Fraud, European Central Bank 2022 (Feb. 1, 2022), https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport202110~cac4c418e8.en.html#toc1.

[12] Id. SEPA refers to the Single Euro Payments Area.

[13] Id.

[14] Id. EA19 refers to the 19 EU member states that are members of the Euro zone.

[15] Zero Liability Protection, Mastercard (Oct. 17, 2014), https://www.mastercard.us/en-us/personal/get-support/zero-liability-terms-conditions.html; Zero Liability Policy, Visa, https://usa.visa.com/pay-with-visa/visa-chip-technology-consumers/zero-liability-policy.html (last visited Apr. 12, 2023).

[16] Visa EMV Chip Cards Help Reduce Counterfeit Fraud by 87 Percent, Visa (Sep. 3, 2019), https://usa.visa.com/visa-everywhere/blog/bdp/2019/09/03/visa-emv-chip-1567530138363.html.

[17] Card Issuers Accounted for 65.40% of Gross Losses to Fraud Worldwide in 2020, Nilson Report (Dec. 2021), Issue 1209, at 6.

[18] Jacqueline DeMarco & Poonkulali Thangavelu, A Guide to Foreign Transaction Fees, Bankrate.com (Feb. 24, 2023), https://www.bankrate.com/finance/credit-cards/a-guide-to-foreign-transaction-fees.

[19] Author’s personal communication with reservation specialist at Tortuga Lodge, April 2023.

[20] Mastercard 2022–2023 U.S. Region Interchange Programs and Rates, Effective April 22, 2022, Mastercard (2022), available at https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/documents/merchant-rates-2022-2023-apr22-2022.pdf; Visa USA Interchange Reimbursement Fees, Visa (Apr. 23, 2022), available at   https://usa.visa.com/content/dam/VCOM/download/merchants/visa-usa-interchange-reimbursement-fees.pdf.

[21] OECD Tourism Trends and Policies 2022: Costa Rica, Organisation for Economic Cooperation and Development (2022), https://www.oecd-ilibrary.org/sites/a99a4da2-en/index.html?itemId=/content/component/a99a4da2-en.

[22] Id.; see also, OECD Economic Surveys: Costa Rica 2023, Organisation for Economic Cooperation and Development (2023), https://www.oecd-ilibrary.org/sites/8e8171b0-en/1/2/2/index.html?itemId=/content/publication/8e8171b0-en&_csp_=0b8e1c4cf7b4fb558e396a4008a8398a&itemIGO=oecd&itemContentType=book.

[23] Plan Nacional de Turismo de Costa Rica 2022-2027, Aprobado en la sesión N° 6210 de la Junta Directiva del Instituto Costarricense de Turismo, Apartado 3.II, celebrada (Mar. 21, 2022),English summary: Costa Rica: National Tourism Development Plan 2022–2027, Tourism Analytics, https://tourismanalytics.com/news-articles/costa-rica-national-tourism-development-plan-2022-2027.

[24] Supra note 9, Table 9. Assumes an average Colones:USD exchange rate during 2019 of 0.0017.

[25] Id. The Colones:USD exchange rate averaged around 0.0016 during 2021.

[26] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).