Come Thursday (Jan 11), students will receive their 2023 GCE O-Level examination results.

The stress over performance can take on a slightly different dimension at this juncture – on the one hand, there is a greater range of education options from the academic to the practical-oriented; on the other, teenagers will have to start thinking ahead to university and even career possibilities.

As educators, we are often asked by students for advice. In particular, those keen on pursuing the more academic A-Level route seek help deciding which subjects they should take at the Higher 2 (H2) level.

Our short answer tends to be a pragmatic question: Think ahead – what would you like to study at university? Take subjects that open those doors for you.

Read the full piece here.

Abstract

Once considered the final frontier, outer space has become the modern day Yukon territory. A burgeoning commercial economy is reshaping the balance of powers and expanding the breadth of activities beyond our atmosphere. Outer space is no longer the exclusive province of a select number of nation states engaged in geopolitical competition. A robust private sector has begun to stake its claim, ushering in a fundamentally different incentive environment that answers to shareholders and venture financers. As a consequence, the principles that persisted from the Cold War, and ultimately motivated the Outer Space Treaty[1] and its subsequent counterparts,[2] are no longer sufficient. Truth be told, they were never expected to be so. The United Nations Committee on the Peaceful Uses of Outer Space (“COPUOS”) never contemplated commercial uses when it adopted—and many nations subsequently ratified—its longstanding space treaties. While private actors have interacted with this environment for decades, the commercial space industry has only recently reached a point of maturity where entities can productively utilize orbital environments, cultivate an entirely new source of natural resources in lunar and cislunar space and further explore the translunar realm. Commercial space is having its moment, and it represents a monumental paradigm shift for space law and policy.

Considering the radical evolution of actors and activities in space, do the instruments and institutions that oversee it need to evolve as well? Traditional forms of public international lawmaking—multilateral treatymaking and institution building followed by each participant’s cooperative consent—may not meet the needs of private actors who bear little affiliation to the country they select to license their operations. Similarly, domestic regulations and policies from a government-mission minded era appear ill suited for the novel complexities of the commercial launch and communications capabilities that are rapidly eclipsing those of national governments. The diverse set of actors and activities in outer space also introduce a novel set of contexts and conflicts that impact private law. In effect, commercial space activity is spurring change that no one track can resolve independently, necessitating pluralist reform that extends the bounds of both public and private law.

A second-order problem that emerges is how to manage an ecosystem in which collective commercial interests diverge from national interests. As many nations become dependent on commercial space services and infrastructure, the balance of power is shifting toward a new calculus. Decisions by private actors now impose externalities that national actors experience immediately and directly, and vice versa, making both sides of the public-private dichotomy increasingly intertwined. Thus, if the law is intended to evolve into more efficient, wealth-maximizing rules, we must also ask who reaps the benefits of these efficiencies, and do they lead to sound policy?

These questions are vexing but timely and provide ample room for further scholarly development exploring ways to better manage the use of outer space. On February 3, 2023, the Journal of Law & Innovation hosted its symposium, “The Emerging Commercial Space Age: Legal and Policy Implications” at the University of Pennsylvania Carey School of Law.[3] The Symposium brought together leading international law scholars, economists, and telecommunications and antitrust policymakers to assess the twenty-first century space domain and its implications for legal and policy frameworks. Panelists and moderators emphasized the progress of commercial enterprise in outer space, how these increasingly complex and multifaceted interests would influence international space law and the paradigm shifts that must emerge in economic regulation and public policy to foster innovation and sustainable competition. The Articles in this volume touch each of these considerations and are an outgrowth of the presentations and moderated discussions at the Symposium.

[1] Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T 2410, 610 U.N.T.S. 205 (entered into force Oct. 10, 1967) [hereinafter Outer Space Treaty].

[2] Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space, Apr. 22, 1968, 19 U.S.T. 7570, 672 U.N.T.S. 119; Convention on the International Liability for Damage Caused by Space Objects, Mar. 29, 1972, 24 U.S.T. 2389, 961 U.N.T.S. 187 [hereinafter Liability Convention]; Convention on Registration of Objects Launched into Outer Space, Nov. 12, 1974, 1023 U.N.T.S. 15; Agreement Governing the Activities of States on the Moon and Other Celestial Bodies, Dec. 5, 1979, 1363 U.N.T.S. 3 [hereinafter Moon Agreement].

[3] The symposium program and webcasts of the presentations and discussions are available at https://www.law.upenn.edu/institutes/ctic/jli/events.php.

Executive Summary

The EU Court of Justice’s (CJEU)  July 2020 Schrems II decision generated significant uncertainty, as well as enforcement actions in various EU countries, as it questioned the lawfulness of transferring data to the United States under the General Data Protection Regulation (GDPR)[1] while relying on “standard contractual clauses.”

President Joe Biden signed an executive order in October 2022 establishing a new data-protection framework to address this uncertainty. The European Commission responded in July 2023 by adopting an “Adequacy Decision” under Article 45(3) of the GDPR, formally deeming U.S. data-protection commitments to be adequate.

A member of the French Parliament has already filed the first legal challenge to the Adequacy Decision and another from Austrian privacy activist Max Schrems is expected soon.

This paper discusses key legal issues likely to be litigated:

1. The legal standard of an “adequate level of protection” for personal data. Although we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question that the EU Court may need to clarify to a much greater extent.
2. The issue of proportionality of “bulk” data collection by the U.S. government. It examines whether the objectives pursued can be considered legitimate under EU law and, if so, whether the existing CJEU precedents preclude such collection from being considered proportionate under the GDPR.
3. The problem of effective redress—a cornerstone of the Schrems II decision. This paper explores debates around Article 47 of the EU Charter of Fundamental Rights, whether the new U.S. framework offers redress through an impartial tribunal, and whether EU persons can effectively access the redress procedure.
4. The issue of access to information about U.S. intelligence agencies’ data-processing activities.

I.        Introduction

Since the EU Court of Justice’s (CJEU) Schrems II decision,[2] it has been precarious whether transfers of personal data from the EU to the United States are lawful. It’s true that U.S. intelligence-collection rules and practices have changed since 2016, when the European Commission issued its assessment in the “Privacy Shield Decision” and to which facts the CJEU limited its reasoning. There has, however, also been a vocal movement among NGOs, European politicians, and—recently—national data-protection authorities to treat Schrems II as if it conclusively decided that exports of personal data to the United States could not be justified through standard contractual clauses (“SCC”) in most contexts (i.e., when data can be accessed in the United States). This interpretation has now led to a series of enforcement actions by national authorities in Austria, France, and likely in several other member states (notably in the “Google Analytics” cases, as well as the French “Doctolib/Amazon Web Services” case).[3]

Aiming to address this precarious situation, the White House adopted a new data-protection framework for intelligence-collection activities. On Oct. 7, 2022, President Joe Biden signed an executive order codifying that framework,[4] which had been awaited since U.S. and EU officials reached an agreement in principle on a new data-privacy framework in March 2022.[5] The European Commission responded by preparing a draft “Adequacy Decision” for the United States under Article 45(3) of the General Data Protection Regulation (GDPR), which was released in December 2022.[6] In July 2023, the European Commission formally adopted the Adequacy Decision.[7]

The first legal challenge to the decision has already been filed by Philippe Latombe, a member of the French Parliament and a commissioner of the French Data Protection Authority (CNIL).[8] Latombe is acting in his personal capacity, not as a French MP or a member of CNIL. He chose a direct action for annulment under Article 263 of the Treaty on the Functioning of the European Union (TFEU), which means that his case faces strict admissibility conditions. Based on precedent, it would not be surprising if the EU courts refuse to consider its merits.[9] Regarding the substance of Latombe’s action, he described it in very general terms in his press release (working translation from French):

The text resulting from these negotiations violates the Charter of Fundamental Rights of the Union, due to the insufficient guarantees of respect for private and family life with regard to the bulk collection of personal data, and the General Data Protection Regulation (GDPR), due to the absence of guarantees of a right to an effective remedy and access to an impartial tribunal, the absence of a framework for automated decisions or lack of guarantees relating to the security of the data processed: all violations of our law which I develop in the 33-page brief (+ 283 pages of annexes) filed with the TJUE yesterday.[10]

Latombe also complained about the Adequacy Decision being published only in English.[11] Irrespective of the legal merits of that complaint, however, it is already moot because the Adequacy Decision was subsequently published in the Official Journal of the European Union in all official EU languages.[12]

Reportedly, Max Schrems also plans to bring a legal challenge against the Adequacy Decision,[13] as he has successfully done with the two predecessors of the current EU-US framework.[14] This time, however, Schrems plans to begin the suit in the Austrian courts, hoping for a speedy preliminary reference to the EU Court of Justice (“CJEU”).[15]

This paper aims to present and discuss the key legal issues surrounding the European Commission’s Adequacy Decision, which are likely to be the subject of litigation. In Section II, I begin by problematizing the applicable legal standard of an “adequate level of protection” of personal data in a third country, noting that this issue remains open for the CJEU to address. This makes it more challenging to assess the Adequacy Decision’s chances before the Court and suggests that the conclusive tone adopted by some commentators is premature.

I then turn, in Section III, to the question of proportionality of bulk data collection by the U.S. government. I consider whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Secondly, I discuss whether bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

The second part of Section III is devoted to the problem of effective redress, which was the critical issue on which the CJEU relied in making its Schrems II decision. I note some confusion among the commentators about the precise role of Article 47 of the EU Charter of Fundamental Rights for a third-country adequacy assessment under the GDPR. I then outline the disagreement between the Commission and some commentators on whether the new U.S. data-protection framework provides redress through an independent and impartial tribunal with binding powers.

Finally, I discuss the issue of access to information about U.S. intelligence agencies’ data-processing activities.

II.      The Applicable Legal Standard: What Does ‘Adequacy’ Mean?

The overarching legal question that the CJEU will likely need to answer is whether the United States “ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of Articles 7 and 8 of the [EU Charter of Fundamental Rights].”[16]

The words “essentially equivalent” are not to be found in the GDPR’s provision on adequacy decisions—i.e., in its Article 45, which merely refers to an “adequate level of protection” of personal data in a third country. Instead, we find them in the GDPR’s recital 104: “[t]he third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union (…).” This phrasing goes back to the CJEU’s Schrems I decision,[17] where the Court interpreted the old Data Protection Directive (Directive 95/46).[18] In Schrems I, the Court stated:

The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.[19]

As Christakis, Propp, & have Swire noted,[20] the critical point that “a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order” was also accepted by the Advocate General Øe in Schrems II.[21]

In 2020, the European Data Protection Board (EDPB) issued recommendations “on the European Essential Guarantees for surveillance measures.”[22] The recommendations aim to “form part of the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU.”[23] The EDPB’s document is, of course, not a source of law binding the Court of Justice, but it attempts to interpret the law in light of the CJEU’s jurisprudence. The Court is free not to follow the EDPB’s legal interpretation, and thus the importance of the recommendations should not be overstated, either in favor or against the Adequacy Decision.

While we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question—and one that the EU Court may need to clarify to a much greater extent.

III.    Arguments Likely to Be Made Against the Adequacy Decision

A.     Proportionality and Bulk Data Collection

Under Article 52(1) of the EU Charter of Fundamental Rights, restrictions on the right to privacy and the protection of personal data must meet several conditions. They must be “provided for by law” and “respect the essence” of the right. Moreover, “subject to the principle of proportionality, limitations may be made only if they are necessary” and meet one of the objectives recognized by EU law or “the need to protect the rights and freedoms of others.”

The October 2022 executive order supplemented the phrasing “as tailored as possible” present in 2014’s Presidential Policy Directive on Signals Intelligence Activities (PPD-28) with language explicitly drawn from EU law: mentions of the “necessity” and “proportionality” of signals-intelligence activities related to “validated intelligence priorities.”[24]

Doubts have been raised, however, as to whether this is sufficient. I consider two potential issues. First, whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Second, whether the bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

1.        Legitimate objectives

In his analysis of the adequacy under EU law of the new U.S. data-protection framework, Douwe Korff argues that:

The purposes for which the Presidential Executive Order allows the use of signal intelligence and bulk data collection capabilities are clearly not limited to what the EU Court of Justice regards as legitimate national security purposes.[25]

Korff’s concern is that the legitimate objectives listed in the executive order are too broad and could be interpreted to include, e.g., criminal or economic threats, which do not rise to the level of “national security” as defined by the CJEU.[26] Korff referred to the EDPB Recommendations, which reference CJEU decisions in La Quadrature du Net and Privacy International. Unlike Korff, however, the EDPB stresses that those CJEU decisions were “in relation to the law of a Member State and not to a third country law.”[27]

In contrast, in Schrems II, the Court did not consider legitimate objectives when assessing whether a third country provides adequate protection. In its recommendations, the EDPB discussed the legal material that was available, i.e., the CJEU decisions on intra-EU matters. Still, this approach can be taken too far without sufficient care. Just because some guidance is available (on intra-EU issues), it does not follow that it applies to data transfers outside the EU. It is instructive to consider, in this context, what Advocate General Øe said in Schrems II:

It also follows from that judgment [Schrems I – MB], in my view, that the law of the third State of destination may reflect its own scale of values according to which the respective weight of the various interests involved may diverge from that attributed to them in the EU legal order. Moreover, the protection of personal data that prevails within the European Union meets a particularly high standard by comparison with the level of protection in force in the rest of the world. The ‘essential equivalence’ test should therefore in my view be applied in such a way as to preserve a certain flexibility in order to take the various legal and cultural traditions into account. That test implies, however, if it is not to be deprived of its substance, that certain minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR have an equivalent in the legal order of the third country of destination.[28]

Hence, exclusive focus on what the EU law requires within the EU—however convenient this method may be—may be misleading in assessing the adequacy of a third country under Article 45.

Aside from the lack of direct guidance on the question of legitimate objectives under Article 45 GDPR, there is a second reason not to be too quick to conclude that the U.S. framework fails on this point. As the Commission noted in the Adequacy Decision:

(…) the legitimate objectives laid down in EO 14086 cannot by themselves be relied upon by intelligence agencies to justify signals intelligence collection but must be further substantiated, for operational purposes, into more concrete priorities for which signals intelligence may be collected. In other words, actual collection can only take place to advance a more specific priority. Such priorities are established through a dedicated process aimed at ensuring compliance with the applicable legal requirements, including those relating to privacy and civil liberties.[29]

It may be a formalistic mistake to consider the list of “legitimate objectives” in isolation from such additional requirements and process. The assessment of third-country adequacy cannot be constrained by the mere choice of words, even if they seem to correspond to an established concept in EU law. (Note that this also applies to “necessity” and “proportionality” as used in the executive order.)

2.        Can bulk collection be ‘adequate’?

As Max Schrems’ organization NOYB stated in response to the executive order’s publication:

(…) there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.[30]

Korff echoed this view, noting, e.g.:

(…) – the EO [Executive Order – MB] does not stand in the way of the indiscriminate bulk collection of e-communications content data that the EU Court held does not respect the “essence” of data protection and privacy and that therefore, under EU law, must always be prohibited, even in relation to national security issues (as narrowly defined);

– the EO allows for indiscriminate bulk collection of e-communications metadata outside of the extreme scenarios in which the EU Court only, exceptionally, allows it in Europe; and

– the EO allows for indiscriminate bulk collection of those and other data for broadly defined not national security-related purposes in relation to which such collection is regarded as clearly not “necessary” or “proportionate” under EU law.[31]

The Schrems II Court indeed held that U.S. law and practices do not “[correlate] to the minimum safeguards resulting, under EU law, from the principle of proportionality.”[32] As, however, the EDPB noted in its opinion on a draft of the Adequacy Decision:

… the CJEU did not exclude, by principle, bulk collection, but considered in its Schrems II decision that for such bulk collection to take place lawfully, sufficiently clear and precise limits must be in place to delimit the scope of such bulk collection. (…)

The EDPB also recognizes that while replacing the PPD-28, the EO 14086 provides for new safeguards and limits to the collection and use of data collected outside the U.S., as the limitations of FISA or other more specific U.S. laws do not apply.[33]

As Korff observed, the CJEU has considered the question of bulk collection of electronic communication data, in an intra-EU context, in cases like Digital Rights Ireland[34] and La Quadrature du Net.[35] In Schrems I, the Court referenced Digital Rights Ireland, while stating:

(…) legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (…)[36]

This is potentially important, because the Court concluded the discussion included in this paragraph by saying that “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order” is “apparent in particular from the preceding paragraphs.”[37] This could suggest that, as under the Data Protection Directive in Schrems I, the Court may see the issue of bulk collection of the contents of electronic communications as a serious problem for adequacy under Article 45 GDPR.

The Commission addressed this in the Adequacy Decision as follows:

(…) collection of data within the United States, which is the most relevant for the present adequacy finding as it concerns data that has been transferred to organisations in the U.S., must always be targeted (…) ‘Bulk collection’ may only be carried out outside the United States, on the basis of EO 12333.[38]

The Commission relies on a distinction between data collection that the U.S. government does within the United States and outside of the United States. This likely refers to an argument—discussed by, e.g., Christakis[39] —that adequacy assessment should only concern the processing of personal data that takes place due to a data transfer to the country in question. In other words, it should only concern domestic surveillance, not international surveillance (if personal data transferred from the EU would fall under domestic surveillance in that third country).

The Commission also made a second relevant point:

(…) bulk collection under EO 12333 takes place only when necessary to advance specific validated intelligence priorities and is subject to a number of limitations and safeguards designed to ensure that data is not accessed on an indiscriminate basis. Bulk collection is therefore to be contrasted to collection taking place on a generalised and indiscriminate basis (‘mass surveillance’) without limitations and safeguards.[40]

In the Commission’s view, there is a categorical distinction between “bulk collection” as practiced by the United States and the “generalized and indiscriminate” mass surveillance that the CJEU scrutinized in Digital Rights Ireland and other cases. This may seem like an unnatural reading of “generalized and indiscriminate,” given that it is meant not to apply to “the collection of large quantities of signals intelligence that, due to technical or operational considerations, is acquired without the use of discriminants (for example, without the use of specific identifiers or selection terms).”[41] There may, however, be analogies in EU law that could lead the Court to agree with the Commission on this point.

Consider the Court’s interpretation of the prohibition on “general monitoring” obligations from Article 15(1) of the eCommerce Directive.[42] In Glawischnig-Piesczek, the Court interpreted this rule as not precluding member states from requiring hosting providers to monitor all the content they host in order to identify content identical to “the content of information which was previously declared to be unlawful.”[43] In other words, “general monitoring” was interpreted as not covering indiscriminate processing of all data stored by a hosting provider in order to find content identical to some other content.[44] The Court adopted an analogous approach with respect to Article 17 of the Copyright Directive.[45] This suggests that, in somewhat similar contexts, the Court is willing to see activities that may technically appear to be “general” as “not general,” if some procedural or substantive limitations are present.

B.     Effective Redress

The lack of effective redress available to EU citizens against potential restrictions of their right to privacy from U.S. intelligence activities was central to the Schrems II decision. Among the Court’s key findings were that “PPD-28 does not grant data subjects actionable rights before the courts against the US authorities”[46] and that, under Executive Order 12333, “access to data in transit to the United States [is possible] without that access being subject to any judicial review.”[47]

The new executive order introduced redress mechanisms that include creating a civil-liberties-protection officer in the Office of the Director of National Intelligence (DNI), as well as a new Data Protection Review Court (DPRC). The DPRC is proposed as an independent review body that will make decisions binding on U.S. intelligence agencies. The old framework had sparked concerns about the independence of the DNI’s ombudsperson, and what was seen as insufficient safeguards against external pressures, including the threat of removal. Under the new framework, the independence and binding powers of the DPRC are grounded in regulations issued by the U.S. attorney general.

In a recent public debate, Max Schrems argued that the CJEU would have a difficult time finding that this judicial procedure satisfies Article 47 of the EU Charter, while at the same time holding that some courts in Poland and Hungary do not satisfy it.[48]

1.        Article 47 of the Charter ‘contributes’ to the benchmark level of protection

Schrems’ comment raises two distinct issues. First, Schrems seems to suggest that an adequacy decision can only be granted if the available redress mechanism satisfies the requirements of Article 47 of the Charter of Fundamental Rights.[49] But this is a hasty conclusion. The CJEU’s phrasing in Schrems II is more cautious:

…Article 47 of the Charter, which also contributes to the required level of protection in the European Union, compliance with which must be determined by the Commission before it adopts an adequacy decision pursuant to Article 45(1) of the GDPR.[50]

In arguing that Article 47 “also contributes to the required level of protection,” the Court is not saying that it determines the required level of protection. This is potentially significant, given that the standard of adequacy is “essential equivalence,” not that it be procedurally and substantively identical. Moreover, the Court did not say that the Commission must determine compliance with Article 47 itself, but with the “required level of protection” (which, again, must be “essentially equivalent”). Hence, it is far from clear how the CJEU’s jurisprudence interpreting Article 47 of the Charter is to be applied in the context of an adequacy assessment under Article 45 GDPR.

2.        Is there an independent and impartial tribunal with binding powers?

Second, there is the related but distinct question of whether the redress mechanism is effective under the applicable standard of “required level of protection.” Christakis, Propp, & Swire offer helpful analysis suggesting that it is, considering the proposed DPRC’s independence, effective investigative powers, and authority to issue binding determinations.[51] Gorski & Korff argue that this is not the case, because the DPRC is not “wholly autonomous” and “free from hierarchical constraint.”[52]

The Commission stated in the Adequacy Decision that the available avenues of redress “allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed and, if a violation is found, to have such violation remedied, including through the rectification or erasure of their personal data.”[53] Moreover:

(…) the executive branch (the Attorney General and intelligence agencies) are barred from interfering with or improperly influencing the DPRC’s review. The DPRC itself is required to impartially adjudicate cases and operates according to its own rules of procedure (adopted by majority vote) (…)[54]

Likely the most serious objection to this assessment (raised by Gorski) is that:

(…) the court’s decisions can be overruled by the President. Indeed, the President could presumably overrule these decisions in secret, since the court’s opinions are not issued publicly.[55]

Given that Christakis, Propp, & Swire appear to disagree,[56] this question of U.S. law may require further scrutiny. Even if the scenario sketched by Gorski is theoretically possible, however, the CJEU may take the view that it would not be appropriate to rule based on the assumption that the U.S. government would act to mislead the EU. And without that assumption, then the possibility of future changes to U.S. law appear to be adequately addressed by the adequacy-monitoring process (Article 45(4) GDPR).

3.        Do EU persons have effective access to the redress mechanism?

In the already-cited public debate, Max Schrems argued that it may be practically impossible for EU persons to benefit from the new redress mechanism, due to the requirements imposed on “qualifying complaints” under the executive order.[57] Presumably, Schrems implicitly refers to the requirements that a complaint:

(i) “alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after” the official designation of that country by the Attorney General;

(ii) includes “information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States Government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;”

(iii) “is not frivolous, vexatious, or made in bad faith”[58]

Given the qualifications that a complaint need only to “allege” a violation and “need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities,” it is unclear what Schrems’ basis for suggesting that it will not be possible for EU persons to benefit from this redress mechanism is.

C.     Access to Information About Data Processing

Finally, Schrems’ NOYB raised a concern that “judgment by ‘Court’ [is] already spelled out in Executive Order.”[59] This concern seems to be based on the view that a decision of the DPRC (“the judgment”) and what the DPRC communicates to the complainant are the same thing. In other words, the legal effects of a DPRC decision are exhausted by providing the individual with the neither-confirm-nor-deny statement set out in Section 3 of the executive order. This is clearly incorrect. The DPRC has the power to issue binding directions to intelligence agencies. The actual binding determinations of the DPRC are not predetermined by the executive order; only the information to be provided to the complainant is.

Relatedly, Korff argues that:

(…) the meaningless “boilerplate” responses that are spelled out in the rules also violate the principle, enshrined in the ECHR and therefore also applicable under the Charter, that any judgment of a court must be “pronounced publicly”. The “boilerplate” responses, in my opinion, do not constitute the “judgment” reached (…)[60]

Here, as before, Korff appears to elide the question of the legal standard of “adequacy,” directly applying to a third country what he argues is required under the European Convention of Human Rights and thus under the EU Charter.

The issues of access to information and data may, however, call for closer consideration. For example, in La Quadrature du Net, the CJEU looked at the difficult problem of notifying persons whose data has been subject to state surveillance, requiring individual notification “only to the extent that and as soon as it is no longer liable to jeopardise” the law-enforcement tasks in question.[61] Nevertheless, given the “essential equivalence” standard applicable to third-country adequacy assessments, it does not automatically follow that individual notification is at all required in that context.

Moreover, it also does not necessarily follow that adequacy requires that EU citizens have a right to access the data processed by foreign government agencies. The fact that there are significant restrictions on rights to information and access in some EU member states,[62] though not definitive (after all, those countries may be violating EU law), may be instructive for the purposes of assessing the adequacy of data protection in a third country, where EU law requires only “essential equivalence.”

The Commission’s Adequacy Decision accepted that individuals would have access to their personal data processed by U.S. public authorities, but clarifies that this access may be legitimately limited—e.g., by national-security considerations.[63] The Commission did not take the simplistic view that access to personal data must be guaranteed by the same procedure that provides binding redress, including through the Data Protection Review Court. Instead, the Commission accepts that other avenues, such as requests under the Freedom of Information Act, may perform that function.

IV.    Conclusion

With the Adequacy Decision, the European Commission announced that it has favorably assessed the October 2022 executive order’s changes to the U.S. data-protection framework, which apply to foreigners from friendly jurisdictions (presumed to include the EU). The Adequacy Decision is certain to be challenged before the CJEU by privacy advocates. As discussed above, the key legal concerns will likely be the proportionality of data collection and the availability of effective redress.

Opponents of granting an adequacy decision tend to rely on the assumption that a finding of adequacy requires virtually identical substantive and procedural privacy safeguards as required within the EU. As noted by the European Commission in its decision, this position is not well-supported by CJEU case law, which clearly recognizes that only “adequate level” and “essential equivalence” of protection are required from third-party countries under the GDPR. To date, the CJEU has not had to specify in greater detail precisely what, in their view, these provisions mean. Instead, the Court has been able to point to certain features of U.S. law and practice that were significantly below the GDPR standard (e.g., that the official responsible for providing individual redress was not guaranteed to be independent of political pressure). Future legal challenges to a new Adequacy Decision will most likely require the CJEU to provide more guidance on what “adequate” and “essentially equivalent” mean.

In the Adequacy Decision, the Commission carefully considered the features of U.S. law and practice that the Court previously found inadequate under the GDPR. Nearly half of the explanatory part of the decision is devoted to “access and use of personal data transferred from the [EU] by public authorities in the” United States, with the analysis grounded in CJEU’s Schrems II decision.

Overall, the Commission presents a sophisticated, yet uncynical, picture of U.S. law and practice. The lack of cynicism about, e.g., the independence of the DPRC adjudicative process, will undoubtedly be seen by some as naïve and unrealistic, even if the “realism” in this case is based on speculations of what might happen (e.g., secret changes to U.S. policy), rather than evidence. Litigants will likely invite the CJEU to assume that the U.S. government cannot be trusted and that it will attempt to mislead the European Commission and thus undermine the adequacy-monitoring process (Article 45(3) GDPR). It is not clear, however, that the Court will be willing to go that way—not least due to respect for comity in international law.

[1] Regulation (EU) 2016/679 (General Data Protection Regulation).

[2] Case C-311/18, Data Protection Comm’r v. Facebook Ireland Ltd. & Maximillian Schrems, ECLI:EU:C:2019:1145 (CJ, Jul. 16, 2020), available at http://curia.europa.eu/juris/liste.jsf?num=C-311/18 [hereinafter “Schrems II”].

[3] See, e.g., Ariane Mole, Willy Mikalef, & Juliette Terrioux, Why This French Court Decision Has Far-Reaching Consequences for Many Businesses, IAPP.org (Mar. 15, 2021), https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses; Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic Transfers Domino, The Future of Privacy Forum (2022), https://fpf.org/blog/understanding-why-the-first-pieces-fell-in-the-transatlantic-transfers-domino; Caitlin Fennessy, The Austrian Google Analytics decision: The Race Is On, IAPP Privacy Perspectives (Feb. 7, 2022) https://iapp.org/news/a/the-austrian-google-analytics-decision-the-race-is-on; Italian SA Bans Use of Google Analytics: No Adequate Safeguards for Data Transfers to the USA (Jun. 23, 2022), https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874.

[4] Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, The White House (2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities.

[5] European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, European Commission (Mar. 25, 2022), https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087.

[6] Draft Commission Implementing Decision Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework, European Commission (2022), available at https://commission.europa.eu/system/files/2022-12/Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.

[7]  Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, OJ L 231, 20.9.2023, European Commission (2023), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023D1795 (hereinafter “Adequacy Decision”).

[8] See Patrice Navarro & Julie Schwartz, Member of French Parliament Lodges First Request for Annulment of EU-US Data Privacy Framework, Hogan Lovells Engage (Sep. 8, 2023), https://www.engage.hoganlovells.com/knowledgeservices/news/member-of-french-parliament-lodges-first-request-for-annulment-of-eu-us-data-privacy-framework; Philippe Latombe, Communiqué de Presse (Sep. 7, 2023), available at https://www.politico.eu/wp-content/uploads/2023/09/07/4_6039685923346583457.pdf.

[9] See, e.g., Joe Jones, EU-US Data Adequacy Litigation Negins, IAPP.org (Sep. 8, 2023), https://iapp.org/news/a/eu-u-s-data-adequacy-litigation-begins.

[10] Latombe, supra note 9.

[11] Id.

[12] See supra note 8.

[13] Mark Scott, We Don’t Talk About Fixing Social Media, Digital Bridge from Politico (Aug. 3, 2023), https://www.politico.eu/newsletter/digital-bridge/we-dont-talk-about-fixing-social-media. See also New Trans-Atlantic Data Privacy Framework Largely a Copy of “Privacy Shield”. NOYB Will Challenge the Decision, noyb.eu (2023), https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

[14] Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, available at https://curia.europa.eu/juris/liste.jsf?num=C-362/14 [hereinafter “Schrems I”].

[15] Scott, supra note 13.

[16] Schrems II [178].

[17] Case C?362/14, Maximillian Schrems v Data Protection Commissioner, EU:C:2015:650 (CJEU judgment of 6 October 2015) [hereinafter: “Schrems I”].

[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (“Data Protection Directive”).

[19] Schrems I [73].

[20] Theodore Christakis, Kenneth Propp, & Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution, European Law Blog (2022), https://europeanlawblog.eu/2022/01/31/eu-us-adequacy-negotiations-and-the-redress-challenge-whether-a-new-u-s-statute-is-necessary-to-produce-an-essentially-equivalent-solution.

[21] Opinion of Advocate General Saugmandsgaard Øe delivered on 19 December 2019, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, ECLI:EU:C:2019:1145 [248].

[22] European Data Protection Board, Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf (hereinafter: “EDPB Recommendations on surveillance measures”).

[23] EDPB Recommendations on surveillance measures [8].

[24] Executive Order, supra note 5, Sec. 2(a)(ii)(B).

[25] Douwe Korff, The Inadequacy of the October 2022 New US Presidential Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, 13 (2022), https://www.ianbrown.tech/2022/11/11/the-inadequacy-of-the-us-executive-order-on-enhancing-safeguards-for-us-signals-intelligence-activities.

[26] Id. at 10–13.

[27] EDPB Recommendations on surveillance measures [34].

[28] Opinion of Advocate General Saugmandsgaard Øe in Schrems II [249].

[29] European Commission, supra note 8, Recital 135.

[30] New US Executive Order Unlikely to Satisfy EU Law, NOYB (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law.

[31] Korff, supra note 25 at 19.

[32] Schrems II [184].

[33] European Data Protection Supervisor, Opinion 5/2023 on the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data Under the EU-US Data Privacy Framework, [134]-[135] (2023), https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-52023-european-commission-draft-implementing_en. See also Alex Joel, Necessity, Proportionality, and Executive Order 14086, Joint PIJIP/TLS Research Paper Series (2023), https://digitalcommons.wcl.american.edu/research/99.

[34] Digital Rights Ireland and Others, Cases C?293/12 and C?594/12, EU:C:2014:238.

[35] La Quadrature du Net and Others v Premier Ministre and Others, Case C-511/18, ECLI:EU:C:2020:791.

[36] Schrems I [94].

[37] Schrems I [96].

[38] European Commission, supra note 8, Recitals 140-141 (footnotes omitted).

[39] Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 1), European Law Blog (2021), https://europeanlawblog.eu/2021/04/12/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part1; Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 2), European Law Blog (2021), https://europeanlawblog.eu/2021/04/13/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part2.

[40] European Commission, supra note 8, Recital 141, footnote 250 (emphasis added).

[41] Id., Recital 141, footnote 250.

[42] Directive (EU) 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (‘Directive on Electronic Commerce’) [2000] OJ L178/1.

[43] Case C-18/18, Eva Glawischnig-Piesczek v Facebook [2019] ECLI:EU:C:2019:821. See also Daphne Keller, Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling, 69 GRUR International 616 (2020).

[44] As Keller puts it: “Instead of defining prohibited ‘general’ monitoring as monitoring that affects every user, the Court effectively defines it as monitoring for content that was not specified in advance by a court.” Id. at 620.

[45] Case C?401/19, Poland v Parliament and Council [2022] ECLI:EU:C:2022:297; Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on Copyright and Related Rights in the Digital Single Market and Amending Directives 96/9/EC and 2001/29/EC (OJ 2019 L 130, p. 92). For background, see Christophe Geiger & Bernd Justin Jütte, Platform Liability Under Art. 17 of the Copyright in the Digital Single Market Directive, Automated Filtering and Fundamental Rights: An Impossible Match, 70 GRUR International 517 (2021).

[46] Schrems II [181].

[47] Schrems II [183].

[48] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023. See also Max Schrems, Open Letter on the Future of EU-US Data Transfers (May 23, 2022), https://noyb.eu/en/open-letter-future-eu-us-data-transfers.

[49] Similar phrasing can be found in Ashley Gorski, The Biden Administration’s SIGINT Executive Order, Part II: Redress for Unlawful Surveillance, Just Security (2022), https://www.justsecurity.org/83927/the-biden-administrations-sigint-executive-order-part-ii. Gorski’s text shows well how easy it is to elide, even unintentionally, the distinction between the Article 47 being a standard that must be satisfied by a third country, and it merely contributing to the level of protection that constitutes a benchmark for an adequacy assessment. At one point she notes that “the CJEU held that U.S. law failed to provide an avenue of redress ‘essentially equivalent’ to that required by Article 47.” In other places, however, she adopts the phrasing of “satisfying” Article 47.

[50] Schrems II [186].

[51] Theodore Christakis, Kenneth Propp & Peter Swire, The Redress Mechanism in the Privacy Shield Successor: On the Independence and Effective Powers of the DPRC, IAPP.org (2022), https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc.

[52] Gorski, supra note 49; Korff, supra note 25 at 21.

[53] European Commission, supra note 8, Recital 175.

[54] Id., Recital 187 (footnotes omitted).

[55] Gorski, supra note 49.

[56] According to them: “(…) key U.S. Supreme Court decisions have affirmed the binding force of a DOJ regulation and the legal conclusion that all of the executive branch, including the president and the attorney general, are bound by it.” Christakis, Propp, & Swire, supra note 51.

[57] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023.

[58] Executive Order, section 5(k)(i)-(iv).

[59] NOYB, New US Executive Order Unlikely to Satisfy EU Law (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law. See also NOYB, supra note 13.

[60] Korff, supra note 25 at 25.

[61] Joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, ECLI:EU:C:2020:791 [191].

[62] European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU – Volume II: Field Perspectives and Legal Update (2017) https://fra.europa.eu/en/publication/2017/surveillance-intelligence-services-fundamental-rights-safeguards-and-remedies-eu.

[63] European Commission, supra note 8, Recitals 199-200.

Abstract

English-architecture company law describes the distinct and diverse group of company or corporate law used in more than 60 jurisdictions worldwide. English-architecture company law provides a robust platform for innovation and development due to its permissive structure, opportunity for choice of law in an entity’s internal governance, and scalability permitting variation for small and large entities. It is the dominant form among International Financial Centers (IFCs), many of which have legal systems with a British connection. This body of law responds to competition and maintains dynamism by engaging its practice community through “learning by doing” and “frictioneering.” An architecture approach permits a broader review of developments in company law that more closely captures the reality of global law practice. The IFC experience of climbing the value chain from tax arbitrage to provide solutions for entities or structures left out in the corporate law of larger jurisdictions provides a useful global governance model to maintain normative, jurisprudential, and regulatory coherence even as it responds to more specialized and unanticipated needs. This Article explores what makes English-architecture company law so successful and how IFCs use it to compete in the global law market.

Abstract

We take advantage of the Brazilian mandatory corporate governance (CG) reporting system to build an overall Brazil Corporate Governance Index (BCGI) and subindices (CGIs), and track changes in firms’ scores over the 10-year period from 2010-2019. We show that overall CG level improved significantly between 2010 and 2019, with most of the improvement over the first part of this period. The improvement has two sources: an increase in the proportion of high-standard listings (Novo Mercado and Level 2, NML2) versus low-standard listings (Level 1 and regular, L1R), and within-firm improvement in CG practices. In the first half of the sample period, both NML2 and L1R firms improved CG practices considerably. Overall improvement in the second half of the sample period reflects an increasing proportion of NML2 firms, plus gradual improvement in L1R CG levels; with nearly constant NML2 levels. Improvements were stronger for Board Procedure and Disclosure. Firms in both listings improved their CG. Overall improvement was stronger in NML2 than in L2R, but was concentrated in the period from 2010-2015.

Abstract

We study the evolution of corporate governance (CG) practices in Brazil over 2010-2019, using a country-specific Brazil Corporate Governance Index (BCGI) validated in prior work. We study separately firms in high-governance and low-governance legal regimes, in a single country. CG improved considerably in Brazil over 2010-2015, with much smaller changes over 2015-2019. Positive CG changes are much more common than negative changes. Some firms made only minimal changes, despite low initial CG levels. We also study which firm financial factors predict both CG levels and changes in levels. None of the firm financial variables we study consistently predicts CG levels. However, for CG changes, a measure of equity financing need predicts CG improvements in the first half of the sample period, but only for firms in the lower governance regime, not for firms in the higher regime. This is the first article to find evidence for firm financial characteristics predicting CG changes, consistent with theoretical predictions, including stronger effects for firms in the lower governance regime.

Abstract

China is making an active push to enlarge its role in the development of Internet-related technical standards. The prevailing narrative surrounding this trend suggests that Beijing is aiming to uproot the liberal, democratic values embedded in the Internet’s technical foundation and governance arrangements in favor of authoritarian-friendly alternatives. For many, these fears were fully realized when Chinese tech giant Huawei came to the UN-affiliated International Telecommunications Union (ITU) and proposed the development of a future core Internet protocol called “New IP”. This proposal allegedly sought to redesign the architecture of the Internet in a way that would both enhance and export the Chinese government’s capacity for digital repression. Informed by the understanding of Chinese standards influence as a geopolitical and ideological threat, many are now calling for a more aggressive response to countering Chinese engagement in Internet standards bodies.

Yet, the conventional narrative seems to be missing something. Specifically, it overlooks the fact that the sophisticated Internet control apparatus China has developed over the years can already censor and surveil quite effectively at present and that shifting responsibility for core protocol development to the state-driven ITU would not necessarily enhance its ability to do so. A more comprehensive understanding of this trend is needed.

Using New IP as the primary case study, this article examines China’s standard-setting push, its potential motivations, and its implications for the future of the global Internet. We conclude that it is far from clear that New IP was indeed intended as a trojan horse for digital authoritarianism. Observing that technical evolution of the Internet—particularly the type endorsed in Huawei’s proposal—plays a prominent role in China’s long-term industrial policy strategy, we find it equally plausible that New IP was motivated by economic considerations, something that has largely been absent from the debate over China’s standards ambitions. We thus caution against the presumption that Chinese-developed standards are intended to advance the cause of digital repression as well as against politically driven opposition to growing Chinese participation at Internet standard-setting bodies. This insight is crucial, as the way American policymakers and Internet stakeholders respond to this trend will undoubtedly impact both the future of the global Internet and U.S. technological leadership in this domain.

Executive Summary

Under the auspices of Legislative Decree 9831, the Central Bank of Costa Rica (BCCR) has set maximum fees for acquiring and issuing banks in payment-card markets, with maximum acquisition fees (MDR) and interchange fees (IRF). Different fees were set for domestic transactions (i.e., those made using locally issued cards) and for cross-border transactions (i.e., those made using foreign-issued cards).

In November 2022, BCCR issued a proposal to retain the cross-border MDR cap at 2.5% and either to leave the cap on cross-border IRF unchanged at 2%, or to lower it to 1.25%. In the same document, BCCR proposed that the MDR for domestically issued cards would be capped at 2% and the IRF capped at 1.5%.

IRF for cross-border transactions typically are significantly higher than those for domestic transactions, primarily because cross-border transactions carry much higher risk of fraud. If BCCR caps cross-border interchange fees at the lower level it has proposed, foreign issuers are likely to respond by de-risking payment requests from acquirers in Costa Rica. This could take various forms, including rejecting payments from certain merchants, or simply increasing rejections rates across the board. Whatever approach, or mix of approaches, is taken, it is likely to cause problems both for merchants in Costa Rica and for their customers.

Prior to the COVID-19 pandemic, roughly 6.25% of Costa Rica’s gross domestic product (GDP) came from tourism, with a significant proportion of those tourist dollars spent using payment cards. Indeed, in 2021, even without a full resumption of pre-COVID rates of tourism, approximately 16% of credit-card payments in Costa Rica were cross-border. If tourists find that they are unable to make reservations at hotels in Costa Rica using their credit or debit cards because the payment is rejected by their issuer, they may well choose an alternative destination for their trip. Meanwhile, if tourists in Costa Rica are unable to pay for goods and services using their credit and debit cards, many will simply not make those payments. This could have a substantial negative effect on Costa Rica’s tourism and business-travel industries.

Introduction

Costa Rica Legislative Decree No. 9831—issued March 24, 2020—created a mandate to regulate acquisition fees (commonly known as the “merchant discount rate,” or MDR) and interchange reimbursement fees (IRF) charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”[1] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.”

Implementation was delegated to the Central Bank of Costa Rica (BCCR), which was tasked with responsibility to issue regulations and monitor compliance; ensure that the rule is “in the public interest”; and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.” Beginning Nov. 24, 2020, BCCR set the maximum IRF for domestic cards at 2.00% and the maximum MDR at 2.50%. These fell to 1.75% and 2.25%, respectively, in an updated regulation published in January 2022, and to 1.5% and 2% in February 2023.

In a study published in May 2022, we reviewed the available evidence regarding interchange fees and argued that it would be contrary to international best practices for Costa Rica to cap acquisition fees and interchange fees.[2] In particular, we raised specific concerns regarding the likely harmful effects of capping fees on cross-border transactions, owing to the higher risks and other costs associated with such transactions.

BCCR developed a technical study that considered the effects of different levels of caps on fees for both domestic and cross-border payment-card transactions and, in November 2022, issued a proposal to retain the cross-border MDR cap at 2.5% and either (1) leave the cap on cross-border IRF unchanged at 2%, or (2) lower the IRF cap for cross-border transactions to 1.25%.

If BCCR leaves the cross-border MDR cap unchanged but reduces the cross-border IRF cap to 1.25%, it might, in principle, appear to solve the immediate problem faced by acquiring banks. It would, however, create new problems for those banks, their customers, and the wider economy. It will also put Costa Rica in the unenviable position of being the only country in the world with a cross-border interchange fee that is below the domestic interchange fee.

This brief considers the international experience with cross-border payment-card transactions, with a focus on issues related to fraud, as well as the negative implications of imposing price caps. It begins with a brief discussion of the economics of interchange fees. Section II describes Costa Rica’s price controls on merchant acquisition and interchange fees. Section III discusses fraud and other costs associated with cross-border and card-not-present transactions. Section IV describes ways in which payment-card networks address issues related to fraud. And Section V assesses the likely implications for Costa Rica of price caps on cross-border interchange fees.

I.        The Economics of Interchange Fees

Payment systems are two-sided markets, with consumers on one side and merchants on the other; the payment network acts as a platform that facilitates interactions between the two sides.7F[3] For such a system to be successful, both merchants and consumers must perceive it as beneficial. If too few merchants accept a particular form of payment, consumers will have little reason to obtain it and issuers will have little incentive to issue it. Likewise, if too few consumers possess a form of payment, merchants will have little reason to accept it.

In any two-sided market, platform operators seek to encourage participation on each side of the market in ways that maximize the joint net benefits of the network to all participants—and to allocate system costs accordingly.8F[4] Among the means they employ to achieve this balance is by setting prices charged, respectively, to participants on each side of the market.9F[5] In the case of payments, if the platform operator sets the price too high for some consumers, they will be unwilling to use the platform; similarly, if the operator sets the price too high for some merchants, they will not be willing to use the platform.

In general, the costs of operating a platform will tend to fall on the party who is least sensitive to such costs (i.e., the party with the lower price elasticity). In the case of payment cards, that party is the merchant.13F[6] Merchants often pay, through transaction fees, not only all the costs of accessing the network, but also effectively subsidize participation by consumers—e.g., through cashback and other rewards programs, insurance, fraud protection, and other cardholder benefits that serve as incentives to card usage.

Merchants are willing to do this because they receive significant benefits from the use of payment cards, including: ticket lift (i.e., higher spending, due to the fact that consumers are not constrained by the cash in their pockets or, in the case of credit cards, the amount of cash currently in their bank accounts), guaranteed payment, reduced cash-management costs, and faster checkout times.

II.      Costa Rica’s Price Controls on Payment Card Fees

Article 14 of Legislative Decree 9831 requires the BCCR to undertake “ordinary reviews” of the price controls on MDR and IRF at least once annually. Its first such review, published in November 2021, set a timetable for maximum domestic-acquisition and interchange fees (see table below) and set maximum cross-border MDR at 2.5% and IRF at 2%.[7]

SOURCE: Banco Central de Costa Rica[8]

BCCR subsequently established a task force to develop proposals for setting payment-card fees. On Nov. 2, 2022, BCCR published the task force’s recommendations, which included, inter alia, the following:[9]

• Use international comparisons of IRFs and MDRs “as the best technical tool currently available to the BCCR to ensure the lowest possible cost for affiliates, in accordance with Legislative Decree 9831.”
• Maintain the differentiation of the ceilings on IRF and MDR between local and cross-border payment transactions, in accordance with Article 4 of Legislative Decree 9831, “as this leads to the proper functioning, efficiency and security of the Costa Rican payment system and the lowest cost for affiliates.”
• For 2023, set maximum fees for local payment transactions at 1.50% for IRF and 2.00% for MDR. This is in line with the proposal made in 2021.
• Maintain the cap of 2.50% on cross-border MDR, “since the information available in the international comparison does not allow modifications to be made to the limit established since 2020.”
• Propose two alternative options regarding the maximum cross-border IRF:
  • Option 1: maintain the current maximum, e., 2.00%; or
  • Option 2: reduce the maximum to 1.25%.

The BCCR offers various putative justifications for these proposed caps. For example, it notes that Option 2 would result in a maximum cross-border IRF that is midway between “the minimum cross-border IRF established by Mastercard and Visa card brands for the United States and Canada, as well as Visa for Australia in the case of non-Asia Pacific issuers” (i.e., 1.00%) and the IRF “agreed by Mastercard and Visa card brands for card-not-present payments in the EEA” (i.e., 1.50%).

Such justifications, however, are fundamentally inconsistent with the economics of two-sided markets. The current and proposed price caps thus represent essentially arbitrary interventions. By focusing narrowly on the costs incurred by merchants through IRFs and MDRs, BCCR fails to account adequately for the offsetting benefits that accrue to consumers and merchants—and the costs to provide those benefits.

Legislative Decree 9831 does, however, permit BCCR to take into consideration “[a]ny other element that reasonably allows the Central Bank of Costa Rica to guarantee the efficiency and security of the card systems.”[10] As discussed below, one such element that should be considered by BCCR is the potential effect of regulating international IRFs on merchants in Costa Rica, especially those catering to tourists and business travelers, and the wider effects on the economy.

III.    Fraud Risks Associated with Cross-Border Payments

In comparison to domestic payments, cross-border payments entail significantly higher risks of fraud, as be seen by looking at the incidence of payments fraud in the European Union (EU). Data from the European Central Bank (ECB) show unambiguously that the rates of fraud on cross-border transactions—both between EU member states and from outside the EU—is much higher than fraud on domestic transactions. In its 2021 Report on Card Fraud, the ECB found that, between 2015 and 2019, cross-border transactions represented only 10% of transactions by value but 65% of all fraud by value, as can be seen in Figure I.[11] Thus, in value terms, cross-border fraud represents a risk more than six times greater than domestic fraud.

SOURCE: European Central Bank[12]

For most EU member states, the situation is even more dramatic, with cross-border fraud representing more than 90% of all card fraud, as can be seen in Table II.

SOURCE: European Central Bank[13]

Looking at the types of transaction involved in card fraud, the vast majority (83%) are card-not-present (CNP) fraud, as can be seen in Figure II.

SOURCE: European Central Bank[14]

While these data relate to payments fraud in the EU, they are likely indicative of broader international trends. As such, they suggest that cross-border fraud in general and CNP cross-border fraud in particular is a far more significant problem than domestic fraud of all kinds.

IV.    How Card Networks Address Payment-Card Fraud

Card networks have developed numerous processes and technologies to address payment-card fraud, including the following.

Zero liability protection for cardholders. Card networks’ standard terms and conditions include clauses requiring issuers to protect personal cardholders from unauthorized transactions (subject to certain conditions, such as that cardholders report such transactions promptly to the card issuer).[15] This protection is an important benefit to cardholders, who otherwise might be wary of using their cards, especially for online transactions or in foreign countries.

Liability protection for merchants. Just as cardholders are protected from liability for unauthorized transactions, so too are merchants. Issuers are, by default, liable for unauthorized transactions. This is an important benefit to merchants, who might otherwise be reluctant to accept card-based payments.

Chargebacks. The above liability protections apply only to unauthorized transactions. Where a cardholder has authorized a payment, they will be liable. Meanwhile, if a merchant has processed a payment without obtaining the necessary authorization, and where that payment has been disputed by the cardholder, the issuer may initiate a “chargeback”: effectively reversing the payment.

Authorization, verification, and fraud monitoring. To complement the system of liability protection and chargebacks, payment networks have developed increasingly sophisticated and effective systems for transaction authorization and fraud monitoring, including:

• Tokenization—which underpins EMV (Europay, Mastercard, and Visa) chips, contactless cards, and smartphone-based payments—uses encrypted data to enable authorization without sharing personal account numbers;
• Machine-learning-based transaction monitoring, which creates a dynamic model of each cardholder’s transactions and flags as potentially fraudulent those payments that do not fit the model; and
• Contingent multifactor authentication, whereby transactions flagged as potentially fraudulent result in the cardholder being asked for secondary authentication.

These systems reduce the incidence of fraud and thereby reduce the liability of card issuers. For example, in 2015, payment networks changed the liability rules for U.S. merchants to encourage adoption of EMV cards. Estimates by Visa suggest that merchants that subsequently adopted EMV-compliant point-of-sale (POS) machines experienced an 87.5% reduction in fraud.[16] Nonetheless, as is clear from Section III, fraud remains a problem, especially for cross-border and CNP transactions.

The liability rules summarized above mean that the cost of fraud falls disproportionately on card issuers. In 2020, issuers bore nearly two-thirds of all card fraud losses worldwide.[17] The equitable and economically efficient solution is for issuers to charge higher fees for transactions that are more likely to be fraudulent.

In some cases, it may make sense to pass on some or all of these costs to consumers. In the case of cross-border transactions, some issuers do this by charging foreign-transaction fees on some cards.[18] Such fees can, however, discourage consumers from using their cards, so it may be preferable for merchants to pay higher fees instead. Thus, cards aimed at international travelers typically offer cardholders “no foreign-transaction fee” as a benefit. These cards instead charge a higher interchange fee for foreign transactions. Holders of such premium cards typically spend more, thereby benefiting the merchants (who pay slightly higher fees, if they are not on a blended rate).

V.      Possible Responses to Caps on Cross-Border Interchange Fees

As noted in Section II, the BCCR Task Force made two alternative proposals with respect to cross-border IRFs. The first would leave the current cap unchanged at 2.00%, while the second would reduce the cap to 1.25%.

Even the current cap is lower than the standard IRF charged for many credit cards that offer no foreign-transaction fee. Payments made using such cards in Costa Rica are thus effectively subsidized by merchants in other jurisdictions that do not impose such caps.

At the lower proposed rate, foreign issuers will receive a lower IRF than domestic-card issuers. Given the much higher fraud rate on cross-border payments, this is likely to cause significant problems, especially for premium cards that offer cardholders “no foreign-transaction fee” as well as other benefits, such as vehicle insurance, purchase-protection insurance, and rewards. The IRF revenue simply will not be sufficient to cover these benefits. As such, to reduce fraud, payments using such cards will be subject to greater scrutiny and many may well simply be rejected.

This is a problem not only for the cardholders, who will be frustrated when attempting to make purchases. It is also a problem for Costa Rica’s tourism and business-travel sectors. Consider what might happen when a prospective visitor attempts to book a room at a resort such as Tortuga Lodge, which takes bookings directly on its website and processes payments through its acquirer in Costa Rica.[19] The prospective visitor first tries their World Elite Mastercard and finds that it is rejected; they then try their Visa Infinite card and again find that the payment is rejected. Frustrated but undaunted, they instead decide to book rooms at Tortuga Lodge on Expedia.com, which uses a U.S. acquirer; this time, they have no problem making and paying for the booking, albeit at a higher price than was offered directly by the hotel. When they arrive in Costa Rica, however, they find that, once again, their cards are repeatedly rejected when they attempt to make purchases, whether it be at restaurants, tour agencies, or even an art gallery where they had hoped to buy a beautiful piece of local artwork.

The above scenario might already be happening, because the standard IRF for such transactions on the cards mentioned is higher than the current capped rate of 2.00%.[20] At the alternative lower proposed rate of 1.25%, rejections are a near certainty for at least some travelers. Worse, some prospective travelers who are looking for a more bespoke offering and want to book directly with the hotel are likely to abandon their plans to travel to Costa Rica at all and choose a different destination where they do not encounter such difficulties.

Ironically, prospective visitors who have standard debit or credit cards that charge foreign-transaction fees are much less likely to have their payments rejected.

Some other payment methods are not covered by the caps on MDRs and IRFs: specifically, wire transfers and other bank-to-bank transfers that do not involve the use of payment-card networks. Most likely, there will be a shift toward the use of such payment methods, as a result both of individuals paying directly through such transfers and an increase in payments from overseas agencies. In general, such alternative payment methods involve greater counterparty risk than payments made using cards due to their greater finality, which means it is more difficult to reverse a payment once made, and the lack of purchase insurance. To the extent that visitors to Costa Rica are limited to wire and bank transfers, as a result of their payment cards being declined, they are likely to reduce their spending.

These anecdotes and observations suggest a number of likely effects of the cap on interchange fees:

• First, booking and payment for accommodation and other pre-bookable tourism activities will shift from Costa Rica-based agents and acquirers to U.S.-based agents and acquirers. This will reduce margins for Costa Rican hotels and other tourism businesses.
• Second, higher–end tourists will likely spend less in Costa Rica because they will be less able to use their payment cards.
• Third, there will likely be an overall reduction in high-spending tourists visiting Costa Rica, with a concomitant reduction in total spending.

In 2019, Costa Rica received about 3.1 million visitors who stayed for one night or more, spending about $4 billion, roughly 6.25% of the country’s GDP.[21] The tourism industry employed more than 170,000 people, about 5% of the country’s working-age population.[22] Tourist numbers fell dramatically in 2020 due to the COVID-19 pandemic, leading to a dramatic decline in income and employment. Visitor numbers began to rise again in 2021 and, while total numbers remained below their pre-COVID highs, the number of visitors from the United States (245,000) was not far off the number for 2019 (280,000). In March 2022. Costa Rica announced its national tourism plan for 2022-2027, in which it sought to increase the number of annual visitors to 3.8 million by 2027, targeting tourism revenue of $4.8 billion.[23]

In 2019, Costa Rican merchants processed around 19 million cross-border payment-card transactions, with a total value of around $2 billion—representing about half the total tourism revenue and 16% of the value of all card transactions.[24] After falling in 2020, the number of cross-border payment-card transactions rose in 2021 to nearly 23 million, with a total value of $2 billion, which is consistent with the return of higher-spending tourists from the United States.[25]

If BCCR chooses to cap interchange fees on cross-border transactions at 1.25%, it is likely to impede Costa Rica’s national tourism plan, both by discouraging tourism and, more importantly, by reducing revenue from higher-spending tourists.

VI.    Conclusion

Based on this assessment, there are significant costs associated with caps on cross-border MDRs and IFRs. As noted above, Legislative Decree 9831 permits BCCR to take into consideration such costs to the extent that they affect BCCR’s ability “to guarantee the efficiency and security of the card systems.”[26] As such it is incumbent on BCCR to consider the potential economic harm that is likely to arise if it were to lower the cap on cross-border IFR to 1.25%.

[1] Note, translations from the Spanish original are approximate.

[2] Julian Morris, Regulating Payment Card Fees: International Best Practice and Lessons for Costa Rica, International Center for Law & Economics (May 25, 2022), https://laweconcenter.org/resources/regulating-payment-card-fees-international-best-practices-and-lessons-for-costa-rica.

[3] Jean-Charles Rochet & Jean Tirole, Two-Sided Markets: A Progress Report, 37 Rand J. Econ. 645 (2006); See also Todd J. Zywicki, The Economics of Payment Card Interchange Fees and the Limits of Regulation, International Center for Law and Economics, ICLE Financial Regulatory Program White Paper Series (Jun. 2, 2010), available at http://laweconcenter.org/images/articles/zywicki_interchange.pdf.

[4] Bruno Jullien, Alessandro Pavan, & Marc Rysman, Two-Sided Markets, Pricing, and Network Effects, in Handbook of Industrial Organization (Vol. 4), 485-592 (2021).

[5] Thomas Eisenmann, Geoffrey Parker, & Marshall W. Van Alstyne, Strategies for Two-Sided Markets, Harv. Bus. Rev. (Oct. 2006).

[6] Id., at 33.

[7] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago 2021, Banco Central de Costa Rica, (Nov. 2021).

[8] Id. at 3.

[9] Alcance No 237 A La Gaceta No 212, Imprenta Nacional de Costa Rica (Nov. 7, 2022).

[10] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).

[11]Seventh Report on Card Fraud, European Central Bank 2022 (Feb. 1, 2022), https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport202110~cac4c418e8.en.html#toc1.

[12] Id. SEPA refers to the Single Euro Payments Area.

[13] Id.

[14] Id. EA19 refers to the 19 EU member states that are members of the Euro zone.

[15] Zero Liability Protection, Mastercard (Oct. 17, 2014), https://www.mastercard.us/en-us/personal/get-support/zero-liability-terms-conditions.html; Zero Liability Policy, Visa, https://usa.visa.com/pay-with-visa/visa-chip-technology-consumers/zero-liability-policy.html (last visited Apr. 12, 2023).

[16] Visa EMV Chip Cards Help Reduce Counterfeit Fraud by 87 Percent, Visa (Sep. 3, 2019), https://usa.visa.com/visa-everywhere/blog/bdp/2019/09/03/visa-emv-chip-1567530138363.html.

[17] Card Issuers Accounted for 65.40% of Gross Losses to Fraud Worldwide in 2020, Nilson Report (Dec. 2021), Issue 1209, at 6.

[18] Jacqueline DeMarco & Poonkulali Thangavelu, A Guide to Foreign Transaction Fees, Bankrate.com (Feb. 24, 2023), https://www.bankrate.com/finance/credit-cards/a-guide-to-foreign-transaction-fees.

[19] Author’s personal communication with reservation specialist at Tortuga Lodge, April 2023.

[20] Mastercard 2022–2023 U.S. Region Interchange Programs and Rates, Effective April 22, 2022, Mastercard (2022), available at https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/documents/merchant-rates-2022-2023-apr22-2022.pdf; Visa USA Interchange Reimbursement Fees, Visa (Apr. 23, 2022), available at   https://usa.visa.com/content/dam/VCOM/download/merchants/visa-usa-interchange-reimbursement-fees.pdf.

[21] OECD Tourism Trends and Policies 2022: Costa Rica, Organisation for Economic Cooperation and Development (2022), https://www.oecd-ilibrary.org/sites/a99a4da2-en/index.html?itemId=/content/component/a99a4da2-en.

[22] Id.; see also, OECD Economic Surveys: Costa Rica 2023, Organisation for Economic Cooperation and Development (2023), https://www.oecd-ilibrary.org/sites/8e8171b0-en/1/2/2/index.html?itemId=/content/publication/8e8171b0-en&_csp_=0b8e1c4cf7b4fb558e396a4008a8398a&itemIGO=oecd&itemContentType=book.

[23] Plan Nacional de Turismo de Costa Rica 2022-2027, Aprobado en la sesión N° 6210 de la Junta Directiva del Instituto Costarricense de Turismo, Apartado 3.II, celebrada (Mar. 21, 2022),English summary: Costa Rica: National Tourism Development Plan 2022–2027, Tourism Analytics, https://tourismanalytics.com/news-articles/costa-rica-national-tourism-development-plan-2022-2027.

[24] Supra note 9, Table 9. Assumes an average Colones:USD exchange rate during 2019 of 0.0017.

[25] Id. The Colones:USD exchange rate averaged around 0.0016 during 2021.

[26] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).

Spring is here, and hope springs eternal in the human breast that competition enforcers will focus on welfare-enhancing initiatives, rather than on welfare-reducing interventionism that fails the consumer welfare standard.

Read the full piece here.