'The Feasibility of Transatlantic Privacy-Protective Standards for Surveillance' by Ian Brown
considers
the feasibility of the adoption of specific, international human rights law-compliant, transatlantic standards on foreign surveillance, in the context of Edward Snowden’s revelations of large-scale surveillance programs operated by the US National Security Agency (NSA) and selected European intelligence services. The article describes examples of current good State practice, and options for setting standards for transatlantic data sharing, control of state interception and data monitoring capabilities, and oversight of intelligence agencies. It identifies relevant principles developed by civil society and industry groups that are leading political campaigns for reform, and the conditions under which these efforts are likely to succeed. It concludes by discussing the key intergovernmental forums where these standards could be considered.
Brown comments that
The US and European states are all parties to the UN’s International Covenant on Civil and Political Rights (ICCPR), which protects privacy and correspondence under Article 17, while the regional European Convention on Human Rights (ECHR) Article 8 has been interpreted in a robust way by the European Court of Human Rights to restrict governmental surveillance. The European Union’s Data Protection Directive (95/46/EC) and Charter of Fundamental Rights both apply additional strong privacy protections – although not in the area of national security, which is a competence reserved to the Member States.
This section describes privacy standards developed from these instruments by civil society, political bodies and courts, covering international sharing of personal data, controls on government surveillance activities, and oversight of intelligence agencies. ...
There are several US-EU agreements allowing bulk data sharing of air passenger and financial transaction records, and a Mutual Legal Assistance Treaty (MLAT) allowing a case-by-case sharing of law enforcement information. The two parties have been attempting to negotiate an overarching data protection agreement, as urged by the European Parliament, but have so far found their differences insurmountable.
The US and EU agreed in 2004 to allow EU-based air carriers to supply the US Department of Homeland Security with Passenger Name Record (PNR) data on passengers flying to the US, as required by US law. Without this agreement, airlines would have been in breach of EU data protection law if they supplied the data. A second agreement was reached in 2007, after the European Court of Justice found that the EU concluded the first agreement on the wrong legal basis. A third agreement was made in 2011 following the Lisbon Treaty, which gives the European Parliament (EP) greater power over justice and home affairs issues, and requires its consent for treaties.
Serious political controversy resulted from the revelation in June 2006 that the Belgium-based SWIFT global inter-bank payment service was providing the US Treasury with access to its transaction database in the US, containing all transaction instructions. The European Data Protection Supervisor criticised the European Central Bank, as a SWIFT oversight group member, for allowing this, while the Belgian data protection authority found that SWIFT had broken European data protection law.
In response, SWIFT redesigned its computing system so that, from 2010, intra- European bank instructions were not automatically copied to the US processing centre. The EU and US concluded an agreement allowing targeted access to European instructions. However, it does not require a judicial ruling for data transfer; contains a broad definition of terrorism; and provides EU citizens with no legal redress in US courts. There are allegations that the US Treasury is still receiving up to 25% of all SWIFT transactions – billions each year – since SWIFT is only able technically to provide bulk access to data. Controls are in place on searches of this data, with data mining banned, and regular reviews by an EU team.
Following revelations that NSA has anyway gained unauthorised access to SWIFT’s data systems, the European Parliament resolved that the agreement should be suspended, and reiterated its call for “any data sharing agreement with the US [to be based on] on a coherent legal data protection framework offering legally binding personal data protection standards, including with regard to purpose limitation, data minimisation, information, access, correction, erasure and redress”.
The EU-US Mutual Legal Assistance Treaty was agreed in 2003, but not concluded until November 2009. It allows the use of shared data for the purpose of criminal investigations and proceedings, and for preventing an ‘immediate and serious threat to ... public security’. Both NGOs and industry have called for all future US foreign data collection to take place through such MLATs, and that the US ‘desist from any and all data collection measures which are not targeted and not based on concrete suspicions’. Industry groups have also called on the US Congress to fully fund the Department of Justice’s processing of MLAT requests, given that they can currently take up to 18 months – far too long for law enforcement agencies’ needs.
Additionally, a joint set of principles endorsed by over 200 NGOs argues: ‘Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.’
Europol and Eurojust have signed agreements with the US on policing (dated 6/12/2001) and judicial cooperation (dated 6/11/2006). Transfer of data to third countries is addressed in the EU Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, which is currently being revised by the European Parliament.
Since 2006 the European Commission has been negotiating an overarching agreement with the US on information sharing and privacy, initially in an informal High Level Contact Group, and since 2011 with a formal negotiating mandate. The mandate is confidential, but a draft was leaked and is likely to be substantively similar. The intention is for this to be a binding instrument that sets data protection standards without itself authorizing specific data sharing, which would be done in specific further instruments. After three years the privacy standards would apply to existing EU and member state agreements, including the PNR and SWIFT agreements, unless they are brought into conformity in that time.
In response to the final report from the High Level Contact Group, the European Data Protection Supervisor suggested a number of principles that should guide an EU-US sharing agreement. Most are at least partially included in the European Commission negotiating mandate, but some remain controversial with the US government:
‘Clarification as to the nature of the instrument, which should be legally binding in order to provide sufficient legal certainty;
A thorough adequacy finding, based on essential requirements addressing the substance, specificity and oversight aspects of the scheme. The EDPS considers that the adequacy of the general instrument could only be acknowledged if combined with adequate specific agreements on a case by case basis.
A circumscribed scope of application, with a clear and common definition of law enforcement purposes at stake;
Precisions as to the modalities according to which private entities might be involved in data transfer schemes;
Compliance with the proportionality principle, implying exchange of data on a case by case basis where there is a concrete need;
Strong oversight mechanisms, and redress mechanisms available to data subjects, including administrative and judicial remedies;
Effective measures guaranteeing the exercise of their rights to all data subjects, irrespective of their nationality;
Involvement of independent data protection authorities, in relation especially to oversight and assistance to data subjects.’
…
Because nation states jealously guard their sovereignty over ‘national security’ issues, it will be more difficult to impose international standards on surveillance by intelligence agencies. Taking lawsuits through Europe’s national courts to the European Court of Human Rights is one possible mechanism. NGOs Privacy International and Liberty have commenced actions in the UK Investigatory Powers Tribunal (IPT), which has exclusive competence to hear complaints on intelligence matters, while a Paris court has opened an investigation following complaints from the International Federation of Human Rights and the French League of Human Rights. Big Brother Watch, the Open Rights Group and English PEN have made an application directly to the European Court of Human Rights, claiming that English law cannot provide a remedy for breaches of Article 8 because of the limited capacity of the IPT.
While Canada, Australia and New Zealand are also members of the ‘Five Eyes’ intelligence alliance, the US and UK governments are the most important actors in Snowden’s leaks. A number of bills have already been proposed in Congress to constrain the NSA’s domestic surveillance, and key existing powers (such as the Patriot Act s 215, which NSA has used to gather records of all US telephone calls) must be renewed between 2015-2017. EFF, ACLU and EPIC have taken a number of court actions in an attempt to uncover and restrain NSA surveillance activities. However, the privacy rights of non-US persons are negligible under the US Constitution and Privacy Act of 1974, which has received very little US political attention.
A case can be made that the European Convention on Human Rights requires States parties to protect the privacy rights of all those within their jurisdiction – including those spied upon internationally – but achieving this in the US without the cooperation of the executive branch will be extremely difficult, involving modification of the Privacy Act and either a Constitutional amendment or the overturning of several Supreme Court precedents. It will be difficult to persuade the US that it should accept any limitations on its abilities to monitor data and communications relating to non-US persons that physically transit US territory – which NSA Director Keith Alexander has called a huge ‘home-field advantage’.
However, as a party to the ICCPR and the Council of Europe Cybercrime Convention, civil society has argued that the US is bound ‘to extend privacy protection to non-US citizens and to observe the principles of legality, necessity and proportionality ... in their surveillance activities.’ EPIC has previously made detailed proposals for an update to the Privacy Act. North American and European advocates have also called on the US government to support high EU standards for data protection; reform Patriot and FISA Amendments Act provisions, enact the Consumer Privacy Bill of Rights, stop lobbying against the EU Data Protection Regulation, and to ratify the Council of Europe’s Convention 108 on data protection.
Internationally, civil society groups have identified some key features of a more human rights-compliant legal framework, and produced a joint set of principles that have been endorsed by over 200 organisations. These include:
- Intelligence agencies should only have targeted, limited access to data. EFF suggests ‘a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service).’ EDRi suggests a ban on ‘all data collection measures which are not targeted and not based on concrete suspicions’.
- Agency access should be to specific records and communications. They should not be authorised to undertake ‘bulk’, ‘pervasive or systematic monitoring, [which] has the capacity to reveal private information far in excess of its constituent parts’ – such as the submarine cable taps that give NSA and GCHQ access to vast quantities of data, which they then winnow down in secret, or be given access to all telephone records. Any data access should trigger legal protections – this should not come only when data is picked out of a large datastream already collected by an agency.
- Data collected using special national security powers should be completely blocked from use for other government purposes, including law enforcement. It should be retained for limited periods, and deleted once no longer required.
- ‘Metadata’/’communications data’ can be extremely revealing about individuals’ lives, and currently receives very low levels of legal protection. This was highlighted by the EU Court of Justice in its judgment invalidating the Data Retention Directive, which required the storage of such data for a period of up to two years.47 EFF has called for a requirement for a probable cause warrant for agencies to access previously non-public information e.g. revealing identity, websites/info accessed, who with/where/when people communicate.
- Strict limits on intrusion into freedom of association by network analysis (the creation of very large datasets linking people through several communication hops – three in the NSA’s case, which can intrude on the privacy of millions of people).
- The incorporation of privacy-protective technologies and limitations within surveillance systems. As President Obama has observed: ‘[T]echnology itself may provide us some additional safeguards. So for example, if people don't have confidence that the law, the checks and balances of the court and Congress, are sufficient to give us confidence that government's not snooping, well, maybe we can embed technologies in there that prevent the snooping regardless of what government wants to do.’ EFF has campaigned against the extension of interception capability requirements to social networking sites and other Internet services, while the joint NGO principles say: ‘States should not compel service providers or hardware or software vendors to build surveillance
or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes... and refrain from compelling the identification of users as a precondition for service provision.’
- Illegal surveillance should be criminalised, with effective remedies when individuals’ rights are breached. Illegally gathered material should be inadmissible as evidence, while whistleblowers should be protected for revealing illegal behaviour.
EDRi has demanded ‘that any foreign data collection measures include provisions giving all affected individuals, at the very least, equal rights to US citizens at all stages of an investigation and, to avoid ‘jurisdiction-shopping’, rights that are not significantly lower than any democratically approved safeguards in their country of residence’ The European Commission is pushing for this in their negotiations with the US over a data sharing privacy agreement. ...
Finally, stronger oversight of intelligence agencies can reduce the likelihood that they misuse their surveillance powers. All democracies acknowledge the necessity of this oversight (especially to protect against the risk of their abuse against political opponents of the government): agencies have very intrusive powers and wide discretion in their use, but the secrecy they operate under severely hinders the scrutiny measures applied to the rest of government. Oversight can also improve agency effectiveness, by challenging waste and poor performance.
All of the European and North American democracies have special bodies appointed by the legislature and/or executive to oversee intelligence agency activity. Key features for effective oversight include the active participation of opposition parties, the resourcing of expert investigators and advisers, and full access to agency documents. The joint NGO principles state: ‘Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance.’
Many countries also have specific officials responsible for oversight, including the NSA Inspector General and a to-be-appointed Privacy and Civil Liberties Officer, and the UK’s Interception of Communications Commissioner and independent reviewer of terrorism legislation. In the light of the Snowden revelations, the impact of the US and UK oversight bodies and officials has clearly been limited. A broader membership of oversight panels could be one way to improve their ability to challenge disproportionate surveillance – in particular including individuals with the technical expertise required to understand complex surveillance systems, which it seems has been a severe challenge for the Foreign Intelligence Surveillance Court. Requirements for individuals to undergo highly intrusive security vetting before participating in oversight activities will reduce the diversity of those willing to do so. The European Parliament has stated that “oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities”.
NGOs are campaigning for greater transparency of surveillance activities, with publication of details of all surveillance programmes, allowing the media, civil society and individuals to understand and if necessary criticise agency activity. Industry groups are also attempting to persuade the US government to allow them to publish more detailed statistics on access to their customer data, with Microsoft and Google taking legal action to uphold their ‘clear right under the U.S. Constitution to share more information with the public.’
The NGO joint surveillance principles further require notification of surveillance targets once investigations have concluded; publication of aggregate information on the number of requests approved and rejected or contested by courts (including the number of users affected), with a disaggregation of the requests by service provider and by investigation type and purpose; and the removal of confidentiality requirements that block Internet companies from publishing details of the procedures they apply when they receive surveillance orders.
NGOs have also suggested that secret procedures used to authorise surveillance should feature a ‘privacy advocate’ making a case against the government request. President Obama has already conceded that such an advocate should appear in appropriate cases at the US Foreign Intelligence Surveillance Court. EFF suggests that such an advocate needs full access to case materials, with the ‘independence and protections that public defenders enjoy’.