31 January 2014


'Corporate Investment and Stock Market Listing: A Puzzle?' by John Asker, Joan Farre-Mensa and Alexander Ljungqvist reports
sizeable and surprising differences in investment behavior between stock market listed and privately held firms in the U.S. using a rich new data source on private firms. Listed firms invest substantially less and are less responsive to changes in investment opportunities compared to matched private firms, even during the recent financial crisis. Ex ante differences between public and private firms such as lifecycle differences at most explain a third of the difference in investment behavior. The remainder appears most consistent with a propensity for public firms to suffer greater agency costs. In particular, evidence showing that investment behavior diverges most strongly in industries in which stock prices are particularly sensitive to current earnings news suggests public firms may suffer from managerial myopia. 
The authors comment that
 This paper compares the investment behavior of stock market listed (or ‘public’) firms to that of comparable privately held firms, using a novel panel dataset of private U.S. firms covering more than 400,000 firm-years over the period 2001-2011. Almost everything we know about investment at the micro level is based on evidence from public firms, which number only a few thousand, yet private firms form a substantial part of the U.S. economy. We estimate that in 2010, private U.S. firms accounted for 52.8% of aggregate non-residential fixed investment, 68.7% of private-sector employment, 58.7% of sales, and 48.9% of aggregate pre-tax profits. Nearly all of the 5.7 million firms in the U.S. are private (only 0.06% are listed), and many are small, but even among the larger ones, private firms predominate: among those with 500+ employees, for example, private firms accounted for 86.4% in 2010. 
Our empirical tests unearth two new patterns. First, private firms invest substantially more than public ones, holding firm size and industry constant. The average investment rate among private firms is nearly twice as high as among public firms, at 6.8% versus 3.7% of total assets per year. Second, private firms’ investment decisions are more than four times more responsive to changes in investment opportunities than are those of public firms, based on standard investment regressions in the tradition of tests of the Q theory of investment (see Hayashi (1982) or, more recently, Gomes (2001), Cummins, Hassett, and Oliner (2006), Bloom, Bond, and van Reenen (2007), and Bakke and Whited (2010)). This is true even during the recent financial crisis. 
We find similar patterns when we exploit within-firm variation in listing status a sample of firms that go public without raising new capital and so change only their ownership structure: IPO firms are significantly more sensitive to investment opportunities in the five years before they go public than after. Indeed, once they have gone public, their investment sensitivity becomes indistinguishable from that of observably similar, already-public firms. We also find similar results when we instrument a firm’s listing status with plausibly exogenous variation in the supply of VC funding across U.S. states and time. 
What would cause public and private firms to invest so differently? One possibility is that the striking difference in investment sensitivities is simply an artifact of our sampling, measurement, or methodological choices. However, extensive robustness tests show that our samples are representative, that our results are robust to various alternative matching approaches, and that the difference in investment behavior does not appear to be driven by how we measure investment opportunities. 
This suggests that we need to look to more fundamental economic differences between public and private firms for an explanation. Lifecycle differences between public and private firms play only a limited role in explaining our results, accounting for less than a third of the difference in investment sensitivities. After ruling out other systematic differences between public and private firms (such as investment in intangibles, tax treatment, and accounting choices), we are left with differences in ownership and agency problems as the leading candidate explanation. 
The corporate finance literature has long argued that stock market listed firms are prone to agency problems. While listing a firm on a stock market provides access to a deep pool of low cost capital, this can also have two detrimental effects. First, ownership and control must be at least partially separated, as shares are sold to outside investors who are not involved in managing the firm. This can lead to agency problems if managers’ interests diverge from those of their investors (Berle and Means (1932), Jensen and Meckling (1976)). Second, liquidity makes it easy for shareholders to sell their stock at the first sign of trouble rather than actively monitoring management – a practice sometimes called the ‘Wall Street walk.’ This can weaken incentives for effective corporate governance (Bhide (1993)). 
Private firms, in contrast, are often owner-managed and even when not, are both illiquid and typically have highly concentrated ownership, which encourages their owners to monitor management more closely. Indeed, analysis of the Federal Reserve’s 2003 Survey of Small Business Finances (SSBF) shows that 94.1% of the larger private firms in that survey have fewer than ten shareholders (most have fewer than three), and 83.2% are managed by the controlling shareholder. According to another survey, keeping it that way is the main motivation for staying private in the U.S. (Brau and Fawcett (2006)). As a result, agency problems are likely to be greater among public firms than among private ones. 
There are three strands of the agency literature that argue public firm’s investment decisions might be distorted due to agency problems. First, Baumol (1959), Jensen (1986), and Stulz (1990) argue that managers have a preference for scale which they satisfy by ‘empire building.’ Empire builders invest regardless of the state of their investment opportunities. This could explain the lower investment sensitivity we observe among public firms. 
Second, Bertrand and Mullainathan (2003) argue the opposite: managers may have a preference for the ‘quiet life.’ When poorly monitored, managers may avoid the costly effort involved in making investment decisions, leading to lower investment levels and, presumably, lower investment sensitivities. 
Third, models of ‘managerial myopia’ or ‘short-termism’ argue that a focus on short-term profits may distort investment decisions from the first-best when public-firm managers derive utility from both the firm’s current stock price and its long-term value.4 If investors have incomplete information about how much the firm should invest to maximize its long-term value, managers may see underinvestment as a way to create the impression that the firm’s profitability is greater than it really is, hoping to thereby boost today’s share price (Stein (1989)). This would lead managers to use a higher hurdle rate when evaluating investment projects than would be used absent myopic distortions, resulting in lower investment levels and lower sensitivity to changes in investment opportunities. Importantly, this would occur even if investors can perfectly observe actual investment (Grenadier and Wang (2005)). The fact that we find lower investment levels among public firms seems inconsistent with empire building. On the other hand, both the quiet life argument and short-termism predict underinvestment, thus fitting the empirical facts we document. To shed further light on what drives the observed investment difference between public and private firms, we explore how it varies with a parameter that plays a central role in short-termism models: the sensitivity of share prices to earnings news. As we explain in Section 4, under short-termism a public-firm manager has no incentive to underinvest if current earnings news has no impact on the firm’s share price, in which case we expect no difference in investment behavior. But the more sensitive share prices are to earnings news, the greater the incentive to distort investment and hence the greater the difference in public and private firms’ investment sensitivities. 
To test these predictions, we follow the accounting literature and measure the sensitivity of share prices to earnings news using ‘earnings response coefficients’ or ERC (Ball and Brown (1968)). For industries whose share prices are unresponsive to earnings news (ERC = 0), we find no significant difference in investment sensitivities between public and private firms. As ERC increases, public firms’ investment sensitivity falls significantly while that of private firms remains unchanged. In other words, the difference in investment sensitivities between public and private firms increases in ERC, and this increase is driven by a change in public-firm behavior. In addition, we show that investment sensitivity is especially low among public firms with high levels of transient (i.e., short-term focused) institutional ownership and a propensity to “meet or beat” analysts’ earnings forecasts. These cross-sectional patterns are consistent with the notion that short-termist pressures induce public firms to invest myopically. 
Our paper makes two contributions. First, we document economically important differences in the investment behavior of private and public firms. Because few private firms have an obligation to disclose their financials, relatively little is known about how private firms invest. A potential caveat is that our analysis focuses on public and private firms that are similar in size, so we essentially compare large private firms to smaller public firms. To what extent do our results extend to larger public firms? We show that the low investment sensitivity among smaller public firms is typical of the investment behavior of all but the largest decile of public firms, which are substantially more sensitive to investment opportunities than the public firms in the other nine deciles. 
Second, our analysis suggests that agency problems in public firms, and in particular short-termism, are a plausible driver of the differences in investment behavior that we document. This finding adds to existing survey evidence of widespread short-termism in the U.S. Poterba and Summers (1995) find that public-firm managers prefer investment projects with shorter time horizons, in the belief that stock market investors fail to properly value long-term projects. Ten years on, Graham, Harvey, and Rajgopal (2005, p. 3) report the startling survey finding that “the majority of managers would avoid initiating a positive NPV project if it meant falling short of the current quarter’s consensus earnings [forecast].” This is not to say that effective corporate governance cannot reduce public-firm managers’ focus on short-term objectives. Tirole (2001) argues that large shareholders have an incentive to actively monitor managers and fire them if necessary, while Edmans’ (2009) model shows that the presence of large shareholders can reduce managerial myopia. But it is an empirical question whether these mechanisms are sufficiently effective on average. Our evidence suggests that, at least on the dimension of investment, this may not be the case. 
The paper proceeds as follows. Section 1 reviews related literature. Section 2 introduces a rich new database of private U.S. firms created by Sageworks Inc. Section 3 establishes our main empirical results, that public firms invest less and are less responsive to changes in investment opportunities than private firms. Section 4 investigates possible explanations for these findings. Section 5 examines the extent to which our results might be driven by the endogeneity of a firm’s listing status. Section 6 concludes.

A South Australian 'Privacy Tort'?

The South Australian Law Reform Institute has released an issues paper [PDF] and questionnaire [PDF] regarding the 'privacy tort'.

The Institute's inquiry is independent of the current Australian Law Reform Commission consultation highlighted elsewhere in this blog.

The Too much information: A statutory cause of action for invasion of privacy paper states that
This review was initiated by the Institute itself, after noting:
  • that it is not clear whether there is a tort of invasion of privacy at common law; 
  • that the remedies available to those whose personal privacy is invaded are limited; 
  • that modern technology makes it increasingly easy to invade personal privacy, to publish material or information so gained and to reach a wider audience than ever before, with often devastating and sometimes irreversible consequences; 
  • that a statutory cause of action for invasion of privacy has been identified by comprehensive Australian and international reviews as a potentially valuable civil remedy for, and deterrent against, serious invasions of privacy; and 
  • that there appear to be constitutional and political obstacles to establishing a national statutory cause of action for invasion of privacy.
The aim of the review is to investigate whether there is scope for South Australia to legislate its own statutory cause of action for invasion of privacy. After canvassing the views of South Australia’s legal profession, media, interest groups and the public at large, the Institute will report its findings and recommendations to the Attorney-General of South Australia.
The Institute comments that
1. Questions of what is privacy and what should be done by the State to protect it are live and complex in the 21st century. The pace of technological development and the changing ways in which we use technology to interact with each other necessitates a discussion about the way the law protects personal privacy. 
2. This paper discusses whether our privacy would be better protected if South Australia had a statutory cause of action for invasion of privacy. It outlines the history of attempted reform in South Australia and the range of approaches recently recommended by other law reform bodies in Australia. It sets out broadly the arguments for and against statutory reform, considers the characteristics of a statutory cause of action and poses questions for discussion. 
3. The Institute recognises that there is already a substantial amount of work on this topic and does not attempt to repeat it. In particular, the Institute refers to and relies on the following sources and encourages those seeking further information to go to these sources:
  • ALRC Discussion Paper 
  • ALRC Final Report 
  • ALRC Issues Paper 
  • NSWLRC Consultation Paper 
  • NSWLRC Final Report 
  • VLRC Information Paper 
  • VLRC Final Report 
  • Commonwealth Issues Paper
4. Forty years ago, the South Australian Law Reform Committee recommended that a general right of privacy be created by this State.  Bills attempting to create a cause of action were introduced into the South Australian Parliament in 1974 and again in 1991. Each was defeated after fierce and lengthy debate. A summary of the history of those Bills and the debate surrounding them is set out in Appendix 1 to this paper. 
5. In as many years, three law reform bodies in Australia have recommended the introduction of a statutory cause of action for invasion of privacy, given that there is doubt about whether one exists or will develop at common law: the Australian Law Reform Commission (ALRC) in 2008, the New South Wales Law Reform Commission (NSWLRC) in 2009 and the Victorian Law Reform Commission (VLRC) in 2010.  In New Zealand, where there is a limited common law tort of invasion of privacy, a review of privacy laws led to a recommendation by the New Zealand Law Commission in 20106 that there be no statutory enactments and that the tort be left to develop at common law. In September 2011, as part of its response to the 2008 ALRC Final Report, the Commonwealth Government released an Issues Paper inviting submissions on the ALRC recommendations for a Commonwealth cause of action for serious invasion of privacy. 
8. In June 2013, having reviewed submissions to the Commonwealth Issues Paper and concluded that they showed little consensus on how a legal right to sue for breach of privacy should be created, or if it should be created at all, the Commonwealth Attorney- General asked the ALRC to conduct another inquiry, this time into ‘the protection of privacy in the digital era’. A copy of those terms of reference is in Appendix 3 to this paper. 
9. On 8 October 2013, shortly before publication of this paper, the ALRC released its Issues Paper on ‘Serious Invasions of Privacy in the Digital Era’ as part of its response to the Commonwealth reference. 
10. At the core of the privacy debate is the tension between a right to privacy on the one hand and a right to freedom of expression on the other. Key international human rights instruments, to which Australia is a party, recognise a right to privacy along with other rights such as freedom of expression. These human rights stand equally, although often in competition. There is a strong argument that a democratic society should not shirk from giving effect to one human right simply because it is difficult to reconcile it with another. 
11. In Australia, concerns about freedom of expression have so far defeated attempts to introduce direct protection of privacy by a statutory cause of action. The development of a common law right to privacy in Australia has also gained little ground.   
12. This is in part because privacy is a concept that is difficult to define. It means different things to different people, and the distinction between ‘public’ and ‘private’ changes over time. Privacy is perhaps best described as involving the right of an individual to personal autonomy.  This autonomy not only encompasses privacy of personal information and communications, but also physical and territorial space. Privacy law in Australia, and in particular the Privacy Act 1988 (Cth), has largely focused on information privacy. This protection is principally limited to the collection, storage, use and disclosure of certain personal information by Governments and corporations. 
13. A useful American description of the kinds of conduct that should make a person liable to another for breaching their privacy,11 and which has informed the recent debate in Australia, including the recommendations by Australian law reform bodies, is this:
(a) ...intentionally intrud[ing], physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns ... if the intrusion would be highly offensive to a reasonable person; 
(b) ... appropriat[ing] to [one’s] own use or benefit the name or likeness of another ...; 
(c) ... giv[ing] publicity to a matter concerning the private life of another ... if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public; 
(d) ... giv[ing] publicity to a matter concerning another that places the other before the public in a false light ..., if (a) the false light in which the other was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicised matter and the false light in which the other would be placed. 
14. This paper asks whether there is a gap in our laws to be filled by a statutory cause of action for invasion of privacy and, if so, what that cause of action might look like. 
15. Although these questions were considered in earlier South Australian reform debates, the impetus for reform in 2013 is very different. We are now more vulnerable to invasions of privacy than ever before because of the ease with which individuals can now find, access, disseminate or broadcast information and material. In the digital age, new ways to pierce a person’s ‘sphere of inviolability’ are being discovered and developed at an unprecedented pace. 
16. Privacy is protected, directly and indirectly, by various State and Commonwealth civil and criminal laws, industry codes of conduct and administrative instructions. The recent recommendations of the ALRC, the NSWLRC and the VLRC for the enactment of a statutory cause of action for invasion of privacy formed part of a wider review of privacy protection more generally afforded by these laws, codes and instructions. The Institute does not at this stage intend to replicate these reviews but rather to draw from them in its inquiry into whether a general right to personal privacy should be protected in South Australia by a statutory cause of action.


The short 'Intellectual Diversity in the Legal Academy' by Nicholas Quinn Rosenkranz in (2014) 37(1) Harvard Journal of Law and Public Policy laments that
Elite law faculties are overwhelmingly liberal. Jim Lindgren has proven the point empirically. I will just add my impressions from Georgetown Law School to reinforce the point. We are a faculty of 120, and, to my knowledge, the number of professors who are openly conservative, or libertarian, or Republican or, in any sense, to the right of the American center, is three — three out of 120. There are more conservatives on the nine-member United States Supreme Court than there are on this 120-member faculty. Moreover, the ideological median of the other 117 seems to lie not just left of center, but closer to the left edge of the Democratic Party. Many are further left than that.
Oh dear.

Rosenkranz continues -
But at least there are three. And the good news is that this number has tripled in the last decade. The bad news, though, is that, at Georgetown, the consensus seems to be that three is plenty — and perhaps even one or two too many. 
These numbers are stark, but they are not unusual; this ratio actually seems fairly typical of most elite law schools. This lop- sidedness would be a shame in any academic department. But it is a particularly ironic sort of shame at a law school. After all, it is a fundamental axiom of American law that the best way to get to truth is through the clash of zealous advocates on both sides. All of these law professors have, in theory, dedicated their lives to the study of this axiomatically adversarial system. And yet, at most of these schools, on most of the important issues of the day, one side of the debate is dramatically underrepresented, or not represented at all. 
One result, unfortunately, is a certain lack of rigor. To be blunt, a kind of intellectual laziness can set in when everyone agrees. Faculty workshops fail to challenge basic premises. Scholarship becomes unreflective and imprecise. 
Worse yet, this intellectual homogeneity impairs analysis of law in progress — law as it unfolds out in the world. Analyzing and predicting actual American law would seem to be an important aspect of the job. After all, the country would like to be able to turn to these elite faculties for wisdom and insight about contemporary legal controversies. But because elite American faculties are so far to the left of the American judiciary, these faculties can be startlingly poor at analyzing the actual practice of American law.

30 January 2014

Bathsheba and contemporary peeping

People have been peering at each other for a very long time. I've been thinking of Bathsheba and of Susanna (Daniel 13:16)  - and of Rembrandt's Susanna and the Elders, another form of peeping - after encountering the ABC report that a sadly "obsessed" Tasmanian man has "admitted secretly filming" his younger wife through a hole he drilled in the wall of their bathroom.

The report indicates that Stephen John Earl pleaded guilty in Magistrates Court in Hobart "to one count of observing, or recording, in breach of privacy".

Earl was reportedly caught by his wife watching her undress in their bathroom and was seen peering from a water tank outside the bathroom window. "She had confronted him and discussed her right to privacy." She subsequently found a hole, hidden behind a picture that allowed him to watch her in the bathroom.

Earl admitted he had videotaped his wife. In court he indicated that " the marriage failed spectacularly after she found the spy hole".

The ABC states that
Chief Magistrate Michael Hill said he had never come across a case like it. 
He did not record a conviction on the condition Earl was of good behaviour for two years.
Section 13A of the Police Offences Act 1935 (Tas) deals with "Observation or recording in breach of privacy" as follows
 (1) A person who observes or visually records another person, in circumstances where a reasonable person would expect to be afforded privacy –
(a) without the other person's consent; and 
(b) when the other person – (i) is in a private place; or (ii) is engaging in a private act and the observation or visual recording is made for the purpose of observing or visually recording a private act
– is guilty of an offence.
Penalty: Fine not exceeding 50 penalty units or imprisonment for a term not exceeding 12 months, or both. 
(2) A person who observes or visually records another person's genital or anal region, in circumstances where a reasonable person would expect to be afforded privacy in relation to that region –
(a) without the other person's consent; and 
(b) when the observation or visual recording is made for the purpose of observing or visually recording the other person's genital or anal region
– is guilty of an offence.
Penalty: Fine not exceeding 50 penalty units or imprisonment for a term not exceeding 12 months, or both.
Section 14A ("Peering into dwelling-houses, etc" under "Offences relating to trespass to lands")  - a restatement of the traditional 'peeping & prying' offence - provides that
(1) A person shall not without lawful excuse (proof whereof shall lie on him) –
(a) peep or peer into the window or door of a dwelling-house; or 
(b) lurk, loiter, or secrete himself on any land within the curtilage of a dwelling-house. 
(2) A person who contravenes a provision of subsection (1) is guilty of an offence and is liable on summary conviction to a penalty not exceeding 5 penalty units or to imprisonment for a term not exceeding 6 months.
In the Old Testament the virtue of the surveilled women is affirmed by God and several of the peepers come to an unpleasant end. The impious youth who improperly glanced at Lady Godiva was supposedly punished with exemplary blindness, as I noted in a paper last year for the Newcastle Law Society about the proposed Australian privacy tort. In the Tasmanian incident the real punishment of Mr Earl, apart from the ending of his marriage, is presumably the glances of his neighbours and associates after reading the ABC report and other coverage in the mass media. Shaming can be particularly painful.


IP Australia has established a Register of Directions that records directions made by the
  • Registrar of Trade Marks, 
  • Registrar of Designs, 
  • Registrar of Plant Breeders Rights, and 
  •  Commissioner of Patents. 
A direction has been issued under r.21.22(3) of the Trade Marks Regulations 1995, r.22.1(1) of the Patents Regulations 1991, and r. 11.01(6) of the Designs Regulations 2004.

The direction prescribes the means by which fees can be paid to IP Australia.

29 January 2014


The London Independent, having a bad day by the look of its headlines, reports breathlessly 'Italian man accused of adopting black cats to eat them: Animal welfare activists claim the man ate ‘at least 15 cats in two years’'.

50-year-old Francesco F, was the subject of a complaint from the Italian animal welfare association, which alleged that he adopted and then ate at least 15 cats over two years.
 Activists with the organisation in the northern province of Brianza first became suspicious because the man would ask specifically to adopt a three-year-old cat with black fur and “a bit of flesh on it”. ... 
“After several reports from different catteries we began to suspect that he was involved in some sort of Satanist group,” ... When confronted, he reportedly seemed confused and asked if killing and eating cats was against the law.
Mr F supposedly “admitted to killing black cats and eating them in the company of friends”. He has been charged with animal abuse, and if convicted faces up to 12 months in jail.

In Australia there is no general prohibition on the consumption of cat, dog, ferret, mouse, parrot, budgie or other pet. There are restrictions on the sale of the meat and statutory frameworks regarding cruelty. Typically an organisation or individual processing meat intended for sale and human consumption must comply with state/territory meat production legislation, including be registration requirements and adherence to a formal Code/Standard or Regulation. The Codes exclude domestic as distinct from 'consumable' or 'abattoir' animals (which encompass sheep, cattle, pigs, goats, buffalo, deers and rabbit), game (e.g. crocodile) and poultry (duck, turkey, pigeon, pheasant, fowl).

I'm reminded of the Goncourt Brothers on the Siege of Paris (camel, kangaroo, sewer rat etc) and Francis Trevelyan Buckland (1826-1880) (dormice on toast, giraffe, wombat and other delicacies not found at your local supermarket). The Goncourts noted
On today's bill of fare in the restaurants we have authentic buffalo, antelope, and kangaroo. ... 
You talk only about what is eaten, can be eaten, or can be found to eat. Conversation does not go beyond that. 
"You know, a fresh egg costs twenty-five sous!" 
"I hear there is an individual who is buying up all the candles in Paris, and out of them, by adding a little color, he makes that grease which is so expensive." 
"Oh, keep away from cocoa butter; it stinks up the house for at least three days." 
"I saw some dog cutlets; they're really very appetizing: they look just like mutton chops." 
"Now tell me, who has eaten kangaroo?" ….
Horseflesh has entered on the sly into the diet of Paris. The day before yesterday Pelagic bought a piece of fillet which looked suspicious, and so I did not eat it. Yesterday, at Peter's, they brought me a roast beef of a blackish red of which my artist's eyes made me suspicious. The waiter merely assured me quite peacefully that this horse is beef. 
A shoulder of mutton is brought along.
"Oh !" says Hebrard, "we shall be eating the shepherd at our next dinner." 
In fact, it is a very nice shoulder of dog. "Dog, you say it's dog," cried Saint-Victor, in the tearful voice of an angry child , "this isn't dog, is it, waiter?" 
"But it's the third time you have had dog here." 
"No, it isn't true, M. Brebant is an honest man; he would have warned us . .. . but dog is an impure meat . . ." he said, with a ludicrous horror. 
"Give me horse, but not dog."
"Dog or sheep," mumbles Nefftzer, with his mouth full, "I've never eaten such a good roast . . . but if Brebant gave us rat . . . I know . . It's very good . . . tastes like a mixture of pork and pheasant!"
I had the curiosity to call on Roos, the English butcher of the Boulevard Haussmann. I saw all sorts of strange relics. On the wall, hanging in a place of honour, is the trunk of young Pollux, the elephant from the Jardin d'Acclimatation ; and in the midst of nameless meats, and of unusual horns, a boy is offering camel kidneys.
The master butcher is holding forth, surrounded by a circle of women: "It's forty francs the pound for the fillet, and for the trunk . . . yes, forty francs . . . You find that dear ? . . . Well, really, I don't see what I am going to get out of it. ... I reckoned on 3,000 pounds, and I've only got 2,300. . . . The feet you want to know how much the feet are ? They are twenty francs. Other parts go from eight to forty francs. . . . Yes, I can recommend those sausages ; elephant's blood, you know, is most nourishing ... his heart weighs twenty-five pounds. . . . Yes, there's some onion in the sausage. . . ."
In the Australian Capital Territory you can't purchase elephant sausage. The processing and selling cat or dog meat is prohibited under the Food Act 2001 (ACT), with killing of dogs or cats for dinner potentially covered under the Animal Welfare Act 1992 (ACT). The latter encompasses cruelty to "a live member of a vertebrate species", including an amphibian; a bird; a fish; a mammal (other than a human being); a reptile; a live cephalopod; or a live crustacean intended for human consumption.

In New South Wales processing and sale of dog and cat meat is prohibited under Food Act 2003 (NSW), with killing potentially an offence under the Prevention of Cruelty to Animals Act 1979 (NSW). Victoria addresses the killing of cats or dogs for food under the Animal Welfare Act 2002 (Vic), with a prohibition on processing and sale as part of the Food Act 2008 (Vic). Western Australia deals with cruelty under the Animal Welfare Act 2002 (WA); processing and sale cat or dog meat is prohibited under Food Act 2008 (WA).

Tasmania prohibits processing and selling cat or dog meat under the Meat Hygiene Act 1985 (Tas), with the Animal Welfare Act 1993 (Tas) dealing with the killing of cats or dogs for such a purpose. Queensland covers processing and sale under the Food Production (Safety) Act 2000 (Qld), with the cruelty offence under the Animal Care and Protection Act 2001 (Qld) In the Northern Territory the processing and selling of cat or dog meat for human is prohibited under Food Act 2004 (NT), cruelty being covered under the Animal Welfare Act 2007 (NT).

South Australia exceptionally has a specific provision - Summary Offences Act 1953 (SA) s 10 - regarding consumption of cat and dog meat, in addition to prohibition on killing, processing and sale for the purpose of consumption. That section doesn't cover the eating of hamsters, iguanas, ferrets, lemurs and other fun pets.

Privacy law students will recall Lenah Game Meats, which reflects the legality of processing and sale of possum meat for human consumption.


'Secret without Reason and Costly without Accomplishment: Questioning the National Security Agency’s Metadata Program' [PDF] by John Mueller and Mark G. Stewart comments that
When Edward Snowden’s revelations emerged in June 2013 about the extent to which the National Security Agency was secretly gathering communications data as part of the country’s massive 9/11-induced effort to catch terrorists, the administration of Barack Obama set in motion a program to pursue him to the ends of the earth in order to have him prosecuted to the full extent of the law for illegally exposing state secrets.
However, the President also said that the discussions about the programs these revelations triggered have actually been a good thing: “I welcome this debate. And I think it’s healthy for our democracy. I think it’s a sign of maturity because probably five years ago, six years ago, we might not have been having this debate.” There may be something a bit patronizing in the implication that the programs have been secret because we weren’t yet mature enough to debate them when they were put into place. Setting that aside, however, a debate is surely to be welcomed—indeed, much overdue. It should be conducted not only about the National Security Agency’s amazingly extensive data-gathering programs to amass information on telephone and e-mail conversations—programs that have, according to the President, included “modest encroachments” on privacy—but also more generally about the phenomenal expansion of intelligence and policing efforts in the wake of 9/11.
As Dana Priest and William Arkin have documented in their the remarkable book, Top Secret America, by 2009 there were something like 1,074 federal government organizations and almost 2,000 private companies devoted to counterterrorism, homeland security, and intelligence spread over more than 17,000 locations within the country. At least 263 of these were created or reorganized after 9/11. Collectively this apparatus launched far more covert operations in the aftermath of 9/11 than it had during the entire 45 years of the Cold War.
A comparison might be useful. Since 9/11, 53 cases have come to light of Islamist extremist terrorism, whether based in the United States or abroad, in which the United States itself has been, or apparently has been, targeted. The total number of real terrorists, would-be terrorists, and putative terrorists populating this set of cases, excluding FBI and police undercover operatives, is less than 100. Thus, the United States has created or reorganized three entire counterterrorism organizations for every terrorist arrest or apprehension it has made of people plotting to do damage within the country.
Although much of discussion in this article can be extrapolated more widely, it focuses primarily—and for starters—on one of the two surveillance programs revealed by Snowden. These two programs have often been mixed in, or confused, with each other.
One of them, Prism, somewhat more commonly known from its section in the law as 702, permits NSA to gather electronic communication information on e-mail and phone conversations after approval by a judge if the target is both outside the United States and not an American citizen and if there is an appropriate and documented foreign intelligence purpose for the collection.
The other, known as 215, authorizes the gathering in bulk of business and communication records within the United States. It has been used in particular to amass telephone billing records—numbers called, numbers received, and conversation length—for every telephone in the U.S. In principle, the 215 data are only supposed to be collected if there are “reasonable grounds to believe” the records are “relevant” to a terrorist investigation of a “known or unknown” terrorist organization or operative. Creatively expanding the word “relevant” to the breaking point, it has been taken in practice to mean that NSA can gather billing records for every telephone conversation in the country: if there might be a known or unknown needle in the haystack, the entire haystack becomes “relevant.” As many, including Senator Patrick Leahy, have pointed out, this broad approach could also be applied to banking, credit card, medical, financial, and library records, all of which could be held as reasonably to be somehow “relevant” to the decidedly wide-ranged quest to catch terrorists.
The information gathered by either program can be held for five years.
This article primarily deals with the 215 program, the more controversial of the two, the one that involves the massive gathering of telephone billing records, or “metadata,” within the United States.
In the debate that has burgeoned since Snowden’s revelations, a number of questions have been raised about the civil liberties and privacy implications of NSA’s massive surveillance efforts. This article focuses on three additional questions. None of these is terribly legalistic, but they are questions that ought to be given more thorough examination.
The first two—why was the program secret and how much does it cost?—seem never to come up even though they are crucial if we are going to have an adult conversation on the issue. The third—what has the program accomplished?—has attracted some attention, but it clearly needs much more, and this article examines it in the broader context of the obsessive, and massively expensive, efforts by police and intelligence since 9/11 to deal with the threat that is envisioned to be presented by terrorism, a quest that has involved following literally millions of leads that go nowhere.
Although those opposed to the program are deeply concerned about privacy issues, they have also argued that the program fails to be “an effective counterterrorism tool,” in the words of Senator Patrick Leahy. In December 2013, two judges came to opposite conclusions about the 215 metadata program, and it is clear the program’s effectiveness figured importantly in their decisions. Judge Richard J. Leon, in finding the program was likely unconstitutional, noted that the government “does not cite a single instance” in which analysis of bulk metadata collection “actually stopped an imminent attack,” failed to present “any indication of a concrete danger,” and provided “no proof that the program prevented terrorist attacks.” Eleven days later, Judge William Pauley, in approving the program, stressed in his first sentence that the world is “dangerous and interconnected” and went on to insist that the effectiveness of the data collection program “cannot seriously be disputed, ” noting that the “the Government has acknowledged several successes in Congressional testimony and in declarations.” Meanwhile, a special Presidential group set up to review the NSA programs, while dwelling mostly on legal issues, also noted, in recommending the termination of 215, that information provided by the program “was not essential to preventing attacks and could readily have been obtained in a timely manner” otherwise, and that “there has been no instance in which NSA could say with confidence that the outcome would have been different” without the program.
In all this, the key question, as the Presidential review group points out, is not whether a surveillance program “makes us incrementally safer, but whether the additional safety is worth the sacrifice in terms of individual privacy, personal liberty, and public trust.”
The analysis in this article suggests that any benefit of the 215 metadata program is considerably outweighed by its cost even assuming that the unknown, and perhaps unknowable, cost figure is quite small. If the issue is security versus privacy, in this case privacy wins.

PCLOB on NSA metadata collection

The US Privacy and Civil Liberties Oversight Board (PCLOB) "in-depth analysis of the bulk telephone records program operated by the National Security Agency" under s 215 of the USA PATRIOT Act and review of the operation of the Foreign Intelligence Surveillance Court (FISC or FISA court) [PDF] features the following summary -
Overview of the Report
A. Background: Description and History of the Section 215 Program
The NSA’s telephone records program is operated under an order issued by the FISA court pursuant to Section 215 of the Patriot Act, an order that is renewed approximately every ninety days. The program is intended to enable the government to identify communications among known and unknown terrorism suspects, particularly those located inside the United States. When the NSA identifies communications that may be associated with terrorism, it issues intelligence reports to other federal agencies, such as the FBI, that work to prevent terrorist attacks. The FISC order authorizes the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifies detailed rules for the use and retention of these records. Call detail records typically include much of the information that appears on a customer’s telephone bill: the date and time of a call, its duration, and the participating telephone numbers. Such information is commonly referred to as a type of “metadata.” The records collected by the NSA under this program do not, however, include the content of any telephone conversation. After collecting these telephone records, the NSA stores them in a centralized database. Initially, NSA analysts are permitted to access the Section 215 calling records only through “queries” of the database. A query is a search for a specific number or other selection term within the database. Before any specific number is used as the search target or “seed” for a query, one of twenty-two designated NSA officials must first determine that there is a reasonable, articulable suspicion (“RAS”) that the number is associated with terrorism. Once the seed has been RAS-approved, NSA analysts may run queries that will return the calling records for that seed, and permit “contact chaining” to develop a fuller picture of the seed’s contacts. Contact chaining enables analysts to retrieve not only the numbers directly in contact with the seed number (the “first hop”), but also numbers in contact with all first hop numbers (the “second hop”), as well as all numbers in contact with all second hop numbers (the “third hop”).
The Section 215 telephone records program has its roots in counterterrorism efforts that originated in the immediate aftermath of the September 11 attacks. The NSA began collecting telephone metadata in bulk as one part of what became known as the President’s Surveillance Program. From late 2001 through early 2006, the NSA collected bulk telephony metadata based upon presidential authorizations issued every thirty to forty-five days. In May 2006, the FISC first granted an application by the government to conduct the telephone records program under Section 215. The government’s application relied heavily on the reasoning of a 2004 FISA court opinion and order approving the bulk collection of Internet metadata under a different provision of FISA.
On June 5, 2013, the British newspaper The Guardian published an article based on unauthorized disclosures of classified documents by Edward Snowden, a contractor for the NSA, which revealed the telephone records program to the public. On August 29, 2013, FISC Judge Claire Eagan issued an opinion explaining the court’s rationale for approving the Section 215 telephone records program. Although prior authorizations of the program had been accompanied by detailed orders outlining applicable rules and minimization procedures, this was the first judicial opinion explaining the FISA court’s legal reasoning in authorizing the bulk records collection. The Section 215 program was reauthorized most recently by the FISC on January 3, 2014.
Over the years, a series of compliance issues were brought to the attention of the FISA court by the government. However, none of these compliance issues involved significant intentional misuse of the system. Nor has the Board seen any evidence of bad faith or misconduct on the part of any government officials or agents involved with the program. Rather, the compliance issues were recognized by the FISC — and are recognized by the Board — as a product of the program’s technological complexity and vast scope, illustrating the risks inherent in such a program.
B. Legal Analysis: Statutory and Constitutional Issues
Section 215 is designed to enable the FBI to acquire records that a business has in its possession, as part of an FBI investigation, when those records are relevant to the investigation. Yet the operation of the NSA’s bulk telephone records program bears almost no resemblance to that description. While the Board believes that this program has been conducted in good faith to vigorously pursue the government’s counterterrorism mission and appreciates the government’s efforts to bring the program under the oversight of the FISA court, the Board concludes that Section 215 does not provide an adequate legal basis to support the program.
There are four grounds upon which we find that the telephone records program fails to comply with Section 215. First, the telephone records acquired under the program have no connection to any specific FBI investigation at the time of their collection. Second, because the records are collected in bulk — potentially encompassing all telephone calling records across the nation — they cannot be regarded as “relevant” to any FBI investigation as required by the statute without redefining the word relevant in a manner that is circular, unlimited in scope, and out of step with the case law from analogous legal contexts involving the production of records. Third, the program operates by putting telephone companies under an obligation to furnish new calling records on a daily basis as they are generated (instead of turning over records already in their possession) — an approach lacking foundation in the statute and one that is inconsistent with FISA as a whole. Fourth, the statute permits only the FBI to obtain items for use in its investigations; it does not authorize the NSA to collect anything.
In addition, we conclude that the program violates the Electronic Communications Privacy Act. That statute prohibits telephone companies from sharing customer records with the government except in response to specific enumerated circumstances, which do not include Section 215 orders.
Finally, we do not agree that the program can be considered statutorily authorized because Congress twice delayed the expiration of Section 215 during the operation of the program without amending the statute. The “reenactment doctrine,” under which Congress is presumed to have adopted settled administrative or judicial interpretations of a statute, does not trump the plain meaning of a law, and cannot save an administrative or judicial interpretation that contradicts the statute itself. Moreover, the circumstances presented here differ in pivotal ways from any in which the reenactment doctrine has ever been applied, and applying the doctrine would undermine the public’s ability to know what the law is and hold their elected representatives accountable for their legislative choices.
The NSA’s telephone records program also raises concerns under both the First and Fourth Amendments to the United States Constitution. We explore these concerns and explain that while government officials are entitled to rely on existing Supreme Court doctrine in formulating policy, the existing doctrine does not fully answer whether the Section 215 telephone records program is constitutionally sound. In particular, the scope and duration of the program are beyond anything ever before confronted by the courts, and as a result of technological developments, the government possesses capabilities to collect, store, and analyze data not available when existing Supreme Court doctrine was developed. Without seeking to predict the direction of changes in Supreme Court doctrine, the Board urges as a policy matter that the government consider how to preserve underlying constitutional guarantees in the face of modern communications technology and surveillance capabilities.
C. Policy Implications of the Section 215 Program
The threat of terrorism faced today by the United States is real. The Section 215 telephone records program was intended as one tool to combat this threat — a tool that would help investigators piece together the networks of terrorist groups and the patterns of their communications with a speed and comprehensiveness not otherwise available. However, we conclude that the Section 215 program has shown minimal value in safeguarding the nation from terrorism. Based on the information provided to the Board, including classified briefings and documentation, we have not identified a single instance involving a threat to the United States in which the program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack. And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect. Even in that case, the suspect was not involved in planning a terrorist attack and there is reason to believe that the FBI may have discovered him without the contribution of the NSA’s program.
The Board’s review suggests that where the telephone records collected by the NSA under its Section 215 program have provided value, they have done so primarily in two ways: by offering additional leads regarding the contacts of terrorism suspects already known to investigators, and by demonstrating that foreign terrorist plots do not have a U.S. nexus. The former can help investigators confirm suspicions about the target of an inquiry or about persons in contact with that target. The latter can help the intelligence community focus its limited investigatory resources by avoiding false leads and channeling efforts where they are needed most. But with respect to the former, our review suggests that the Section 215 program offers little unique value but largely duplicates the FBI’s own information gathering efforts. And with respect to the latter, while the value of proper resource allocation in time-sensitive situations is not to be discounted, we question whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States.
The Board also has analyzed the Section 215 program’s implications for privacy and civil liberties and has concluded that they are serious. Because telephone calling records can reveal intimate details about a person’s life, particularly when aggregated with other information and subjected to sophisticated computer analysis, the government’s collection of a person’s entire telephone calling history has a significant and detrimental effect on individual privacy. The circumstances of a particular call can be highly suggestive of its content, such that the mere record of a call potentially offers a window into the caller’s private affairs. Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call.
Beyond such individual privacy intrusions, permitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens. With its powers of compulsion and criminal prosecution, the government poses unique threats to privacy when it collects data on its own citizens. Government collection of personal information on such a massive scale also courts the ever-present danger of “mission creep.” An even more compelling danger is that personal information collected by the government will be misused to harass, blackmail, or intimidate, or to single out for scrutiny particular individuals or groups. To be clear, the Board has seen no evidence suggesting that anything of the sort is occurring at the NSA and the agency’s incidents of non-compliance with the rules approved by the FISC have generally involved unintentional misuse. Yet, while the danger of abuse may seem remote, given historical abuse of personal information by the government during the twentieth century, the risk is more than merely theoretical.
Moreover, the bulk collection of telephone records can be expected to have a chilling effect on the free exercise of speech and association, because individuals and groups engaged in sensitive or controversial work have less reason to trust in the confidentiality of their relationships as revealed by their calling patterns. Inability to expect privacy vis-à-vis the government in one’s telephone communications means that people engaged in wholly lawful activities — but who for various reasons justifiably do not wish the government to know about their communications — must either forgo such activities, reduce their frequency, or take costly measures to hide them from government surveillance. The telephone records program thus hinders the ability of advocacy organizations to communicate confidentially with members, donors, legislators, whistleblowers, members of the public, and others. For similar reasons, awareness that a record of all telephone calls is stored in a government database may have debilitating consequences for communication between journalists and sources.
To be sure, detailed rules currently in place limit the NSA’s use of the telephone records it collects. These rules offer many valuable safeguards designed to curb the intrusiveness of the program. But in our view, they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. Any governmental program that entails such costs requires a strong showing of efficacy. We do not believe the NSA’s telephone records program conducted under Section 215 meets that standard.
D. Operation of the Foreign Intelligence Surveillance Court
Congress created the FISA court in 1978 in response to concerns about the abuse of electronic surveillance. This represented a major restructuring of the domestic conduct of foreign intelligence surveillance, with constitutional implications. Prior to then, successive Presidents had authorized national security wiretaps and other searches solely on the basis of their executive powers under Article II of the Constitution. The Foreign Intelligence Surveillance Act (“FISA”) of 1978 provided a procedure under which the Attorney General could obtain a judicial warrant authorizing the use of electronic surveillance in the United States for foreign intelligence purposes.
Over time, the scope of FISA and the jurisdiction of the FISA court have evolved. Initially, the FISC’s sole role was to approve individualized FISA warrants for electronic surveillance relating to a specific person, a specific place, or a specific communications account or device. Beginning in 2004, the role of the FISC changed when the government approached the court with its first request to approve a program involving what is now referred to as “bulk collection.” In conducting this study, the Board was told by former FISA court judges that they were quite comfortable hearing only from government attorneys when evaluating individual surveillance requests but that the judges’ decision making would be greatly enhanced if they could hear opposing views when ruling on requests to establish new surveillance programs.
Upon the FISC’s receipt of a proposed application, a member of the court’s legal staff will review the application and evaluate whether it meets the legal requirements under FISA. The FISC’s legal staff are career employees who have developed substantial expertise in FISA, but they serve as staff to the judges rather than as advocates. While their role includes identifying any flaws in the government’s statutory or constitutional analysis, it does not reach to contesting the government’s arguments in the manner of an opposing party. The FISA court process for considering applications may include a hearing, and FISC judges have the authority to take testimony from government employees familiar with the technical details of an application. FISA does not provide a mechanism for the court to invite non-governmental parties to provide views on pending government applications or otherwise participate in FISC proceedings prior to approval of an application.
FISA also established a Foreign Intelligence Court of Review (“FISCR”), comprised of three judges drawn from U.S. district courts or courts of appeals. Appeals to the FISCR have been rare: thus far there have been only two decisions issued by the court. Electronic communications service providers have some limited ability to appeal FISC orders, but FISA does not provide a way for the FISCR to receive the views of other non-governmental parties on appeals pending before it.
The FISC’s ex parte, classified proceedings have raised concerns that the court does not take adequate account of positions other than those of the government. It is critical to the integrity of the process that the public has confidence in its impartiality and rigor. Therefore, the Board believes that some reforms are appropriate and would help bolster public confidence in the operation of the court. The most important reforms proposed by the Board are: (1) creation of a panel of private attorneys, Special Advocates, who can be brought into cases involving novel and significant issues by FISA court judges; (2) development of a process facilitating appellate review of such decisions; and (3) providing increased opportunity for the FISC to receive technical assistance and legal input from outside parties.
E. Transparency Issues
In a representative democracy, the tension between openness and secrecy is inevitable and complex. The challenges are especially acute in the area of intelligence collection, where the powers exercised by the government implicate fundamental rights and our enemies are constantly trying to understand our capabilities in order to avoid detection. In this context, both openness and secrecy are vital to our survival, and we must strive to develop and implement intelligence programs in ways that serve both values.
Transparency is one of the foundations of democratic governance. Our constitutional system of government relies upon the participation of an informed electorate. This in turn requires public access to information about the activities of the government. Transparency supports accountability. It is especially important with regard to activities of the government that affect the rights of individuals, where it is closely interlinked with redress for violations of rights. In the intelligence context, although a certain amount of secrecy is necessary, transparency regarding collection authorities and their exercise can increase public confidence in the intelligence process and in the monumental decisions that our leaders make based on intelligence products.
In the aftermath of the Snowden disclosures, the government has released a substantial amount of information on the leaked government surveillance programs. Although there remains a deep well of distrust, these official disclosures have helped foster greater public understanding of government surveillance programs. However, to date the official disclosures relate almost exclusively to specific programs that had already been the subject of leaks, and we must be careful in citing these disclosures as object lessons for what additional transparency might be appropriate in the future.
The Board believes that the government must take the initiative and formulate long-term solutions that promote greater transparency for government surveillance policies more generally, in order to inform public debate on technology, national security, and civil liberties going beyond the current controversy. In this effort, all three branches have a role. For the executive branch, disclosures about key national security programs that involve the collection, storage and dissemination of personal information — such as the operation of the National Counterterrorism Center — show that it is possible to describe practices and policies publicly, even those that have not been otherwise leaked, without damage to national security or operational effectiveness.
With regard to the legislative process, even where classified intelligence operations are involved, the purposes and framework of a program for domestic intelligence collection should be debated in public. During the process of developing legislation, some hearings and briefings may need to be conducted in secret to ensure that policymakers fully understand the intended use of a particular authority. But the government should not base an ongoing program affecting the rights of Americans on an interpretation of a statute that is not apparent from a natural reading of the text. In the case of Section 215, the government should have made it publicly clear in the reauthorization process that it intended for Section 215 to serve as legal authority to collect data in bulk on an ongoing basis.
There is also a need for greater transparency regarding operation of the FISA court. Prospectively, we encourage the FISC judges to continue the recent practice of writing opinions with an eye to declassification, separating specific sensitive facts peculiar to the case at hand from broader legal analyses. We also believe that there is significant value in producing declassified versions of earlier opinions, and recommend that the government undertake a classification review of all significant FISC opinions and orders involving novel interpretations of law. We realize that the process of redacting opinions not drafted for public disclosure will be more difficult and will burden individuals with other pressing duties, but we believe that it is appropriate to make the effort where those opinions and orders complete the historical picture of the development of legal doctrine regarding matters within the jurisdiction of the FISA court. In addition, should the government adopt our recommendation for a Special Advocate in the FISC, the nature and extent of that advocate’s role must be transparent to be effective.
It is also important to promote transparency through increased reporting to the public on the scope of surveillance programs. We urge the government to work with Internet service providers and other companies to reach agreement on standards allowing reasonable disclosures of aggregate statistics that would be meaningful without revealing sensitive government capabilities or tactics. We recommend that the government should also increase the level of detail in its unclassified reporting to Congress and the public regarding surveillance programs. 
PCLOB’s recommendations are -
R1: The government should end its Section 215 bulk telephone records program.
The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215, implicates constitutional concerns under the First and Fourth Amendments, raises serious threats to privacy and civil liberties as a policy matter, and has shown only limited value. As a result, the Board recommends that the government end the program.
Without the current Section 215 program, the government would still be able to seek telephone calling records directly from communications providers through other existing legal authorities. The Board does not recommend that the government impose data retention requirements on providers in order to facilitate any system of seeking records directly from private databases.
Once the Section 215 bulk collection program has ended, the government should purge the database of telephone records that have been collected and stored during the program’s operation, subject to limits on purging data that may arise under federal law or as a result of any pending litigation. The Board also recommends against the enactment of legislation that would merely codify the existing program or any other program that collects bulk data on such a massive scale regarding individuals with no suspected ties to terrorism or criminal activity. Moreover, the Board’s constitutional analysis should provide a message of caution, and as a policy matter, given the significant privacy and civil liberties interests at stake, if Congress seeks to provide legal authority for any new program, it should seek the least intrusive alternative and should not legislate to the outer bounds of its authority.
The Board recognizes that the government may need a short period of time to explore and institutionalize alternative approaches, and believes it would be appropriate for the government to wind down the 215 program over a brief interim period. If the government does find the need for a short wind-down period, the Board urges that it should follow the procedures under Recommendation 2 below.
R2: The government should immediately implement additional privacy safeguards in operating the Section 215 bulk collection program.
The Board recommends that the government immediately implement several additional privacy safeguards to mitigate the privacy impact of the present Section 215 program. The recommended changes can be implemented without any need for congressional or FISC authorization. Specifically, the government should: (a) reduce the retention period for the bulk telephone records program from five years to three years; (b) reduce the number of “hops” used in contact chaining from three to two; (c) submit the NSA’s “reasonable articulable suspicion” determinations to the FISC for review after they have been approved by NSA and used to query the database; and (d) require a “reasonable articulable suspicion” determination before analysts may submit queries to, or otherwise analyze, the “corporate store,” which contains the results of contact chaining queries to the full “collection store.”
R3: Congress should enact legislation enabling the FISC to hear independent views, in addition to the government’s views, on novel and significant applications and in other matters in which a FISC judge determines that consideration of the issues would merit such additional views.
Congress should authorize the establishment of a panel of outside lawyers to serve as Special Advocates before the FISC in appropriate cases. The Presiding Judge of the FISC should select attorneys drawn from the private sector to serve on the panel. The attorneys should be capable of obtaining appropriate security clearances and would then be available to be called upon to participate in certain FISC proceedings.
The decision as to whether the Special Advocate would participate in any particular matter should be left to the discretion of the FISC. The Board expects that the court would invite the Special Advocate to participate in matters involving interpretation of the scope of surveillance authorities, other matters presenting novel legal or technical questions, or matters involving broad programs of collection. The role of the Special Advocate, when invited by the court to participate, would be to make legal arguments addressing privacy, civil rights, and civil liberties interests. The Special Advocate would review the government’s application and exercise his or her judgment about whether the proposed surveillance or collection is consistent with law or unduly affects privacy and civil liberties interests.
R4: Congress should enact legislation to expand the opportunities for appellate review of FISC decisions by the FISCR and for review of FISCR decisions by the Supreme Court of the United States.
Providing for greater appellate review of FISC and FISCR rulings will strengthen the integrity of judicial review under FISA. Providing a role for the Special Advocate in seeking that appellate review will further increase public confidence in the integrity of the process.
R5: The FISC should take full advantage of existing authorities to obtain technical assistance and expand opportunities for legal input from outside parties. FISC judges should take advantage of their ability to appoint Special Masters or other technical experts to assist them in reviewing voluminous or technical materials, either in connection with initial applications or in compliance reviews. In addition, the FISC and the FISCR should develop procedures to facilitate amicus participation by third parties in cases involving questions that are of broad public interest, where it is feasible to do so consistent with national security.
R6: To the maximum extent consistent with national security, the government should create and release with minimal redactions declassified versions of new decisions, orders and opinions by the FISC and FISCR in cases involving novel interpretations of FISA or other significant questions of law, technology or compliance.  FISC judges should continue their recent practice of drafting opinions in cases involving novel issues and other significant decisions in the expectation that declassified versions will be released to the public. The government should promptly create and release declassified versions of these FISC opinions.
R7: Regarding previously written opinions, the government should perform a declassification review of decisions, orders and opinions by the FISC and FISCR that have not yet been released to the public and that involve novel interpretations of FISA or other significant questions of law, technology or compliance.
Although it may be more difficult to declassify older FISC opinions drafted without expectation of public release, the release of such older opinions is still important to facilitate public understanding of the development of the law under FISA. The government should create and release declassified versions of older opinions in novel or significant cases to the greatest extent possible consistent with protection of national security. This should cover programs that have been discontinued, where the legal interpretations justifying such programs have ongoing relevance.
R8: The Attorney General should regularly and publicly report information regarding the operation of the Special Advocate program recommended by the Board. This should include statistics on the frequency and nature of Special Advocate participation in FISC and FISCR proceedings.
These reports should include statistics showing the number of cases in which a Special Advocate participated, as well as the number of cases identified by the government as raising a novel or significant issue, but in which the judge declined to invite Special Advocate participation. The reports should also indicate the extent to which FISC decisions have been subject to review in the FISCR and the frequency with which Special Advocate requests for FISCR review have been granted.
R9: The government should work with Internet service providers and other companies that regularly receive FISA production orders to develop rules permitting the companies to voluntarily disclose certain statistical information. In addition, the government should publicly disclose more detailed statistics to provide a more complete picture of government surveillance operations. The Board urges the government to pursue discussions with communications service providers to determine the maximum amount of information that companies could voluntarily publish to show the extent of government surveillance requests they receive per year in a way that is consistent with protection of national security. In addition, the  government should itself release annual reports showing in more detail the nature and scope of FISA surveillance for each year.  
R10: The Attorney General should fully inform the PCLOB of the government’s activities under FISA and provide the PCLOB with copies of the detailed reports submitted under FISA to the specified committees of Congress. This should include providing the PCLOB with copies of the FISC decisions required to be produced under Section 601(a)(5).24  
R11: The Board urges the government to begin developing principles and criteria for transparency. The Board urges the Administration to commence the process of articulating principles and criteria for deciding what must be kept secret and what can be released as to existing and future programs that affect the American public.
R12: The scope of surveillance authorities affecting Americans should be public.
In particular, the Administration should develop principles and criteria for the public articulation of the legal authorities under which it conducts surveillance affecting Americans. If the text of the statute itself is not sufficient to inform the public of the scope of asserted government authority, then the key elements of the legal opinion or other documents describing the government’s legal analysis should be made public so there can be a free and open debate regarding the law’s scope. This includes both original enactments such as 215’s revisions and subsequent reauthorizations. While sensitive operational details regarding the conduct of government surveillance programs should remain classified, and while legal interpretations of the application of a statute in a particular case may also be secret so long as the use of that technique in a particular case is secret, the government’s interpretations of statutes that provide the basis for ongoing surveillance programs affecting Americans can and should be made public.
A later report by PCLOB is noted here.

28 January 2014

EU and CoE Data Protection Frameworks

The 210pp Handbook on European data protection law [PDF] released today by the European Union Agency for Fundamental Rights and European Court of Human Rights is promoted as
the first comprehensive guide to Council of Europe and European Union law on data protection, taking into account the case law from the European Court of Human Rights and the Court of Justice of the European Union. It covers among other issues: data protection terminology; key principles and the rules of data protection law; data subjects’ rights and their enforcement; transborder data flow; data protection in the context of police and criminal justice; and other specific data protection laws. 
The Agency's report on Data Protection Remedies is noted here.

Key points from the Handbook are -
The right to data protection
  • Under Article 8 of the ECHR, a right to protection against the collection and use of personal data forms part of the right to respect for private and family life, home and correspondence. 
  • CoE Convention 108 is the first international legally binding instrument dealing explicitly with data protection. 
  • Under EU law, data protection was regulated for the first time by the Data Protection Directive. 
  • Under EU law, data protection has been acknowledged as a fundamental right.
Balancing rights
  • The right to data protection is not an absolute right; it must be balanced against other rights
Personal Data
  • Data are personal data if they relate to an identified or at least identifiable person, the data subject. 
  • A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject by name. 
  • Authentication means proving that a certain person possesses a certain identity and/or is authorised to carry out certain activities. 
  • There are special categories of data, so-called sensitive data, listed in Convention 108 and in the Data Protection Directive, which require enhanced protection and, therefore, are subject to a special legal regime. 
  • Data are anonymised if they no longer contain any identifiers; they are pseudonymised if the identifiers are encrypted. 
  • In contrast to anonymised data, pseudonymised data are personal data.
Data processing
  • The term ‘processing’ refers primarily to automated processing. 
  • Under EU law, ‘processing’ refers additionally to manual processing in structured filing systems. 
  • Under CoE law, the meaning of ‘processing’ can be extended by domestic law to include manual processing. 
The users of personal data
  • Whoever decides to process personal data of others is a ‘controller’ under data protection law; if several persons take this decision together, they may be ‘joint controllers’. 
  • A ‘processor’ is a legally separate entity that processes personal data on behalf of a controller. 
  • A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller. Anybody who receives data from a controller is a ‘recipient’. 
  • A ‘third party’ is a natural or legal person who does not act under instructions of the controller (and is not the data subject). 
  • A ‘third party recipient’ is a person or entity that is legally separate from the controller, but receives personal data from the controller.
  • Consent as a legal basis for processing personal data must be free, informed and specific. 
  • Consent must have been given unambiguously. 
  • Consent may either be given explicitly or implied by acting in a way which leaves no doubt that the data subject agrees to the processing of his or her data. 
  • Processing sensitive data on the basis of consent requires explicit consent. 
  • Consent can be withdrawn at any time.
The principle of lawful processing
  • In order to understand the principle of lawful processing, one has to refer to conditions for lawful limitations of the right to data protection in light of Article 52(1) of the Charter and requirements of justified interference under Article 8 (2) ECHR. 
  • Accordingly, the processing of personal data is lawful only if it: is in accordance with the law; and pursues a legitimate purpose; and
is necessary in a democratic society in order to achieve the legitimate 
The principle of purpose specification and limitation 
  • The purpose of processing data must be visibly defined before processing is started. 
  • Under EU law, the purpose of processing must be specifically documented; under CoE law, this question is left to domestic law. 
  • Processing for undefined purposes is not compliant with data protection law. 
  • Further use of data for another purpose needs an additional legal basis if the new purpose of processing is incompatible with the original one. 
  • Transfer of data to third parties is a new purpose needing an additional legal basis.
Data quality principles
  • The principles of data quality must be implemented by the controller in all processing operations. 
  • The principle of limited retention of data makes it necessary to delete data as soon as they are no longer needed for the purposes for which they were collected. 
  • Exemptions from the principle of limited retention must be set out by law and need special safeguards for the protection of data subjects.
The fair processing principle
  • Fair processing means transparency of processing, especially vis-à-vis data subjects. 
  • Controllers must inform data subjects before processing their data, at least about the purpose of processing and about the identity and address of the controller. 
  • Unless specifically permitted by law, there must be no secret and covert processing of personal data. 
  • Data subjects have the right to access their data wherever they are processed.
The principle of accountability
  • Accountability requires the active implementation of measures by controllers to promote and safeguard data protection in their processing activities. 
  • Controllers are responsible for the compliance of their processing operations with data protection law. 
  • Controllers should be able at any time to demonstrate compliance with data protection provisions to data subjects, to the general public and to supervisory authorities. 
Rules on lawful processing
  • Personal data may be lawfully processed if: the processing is based on the consent of the data subject; or vital interests of data subjects require the processing of their data; or legitimate interests of others are the reason for processing, but only as long as they are not overridden by interests in protecting the fundamental rights of the data subjects. 
  • Lawful processing of sensitive personal data is subject to a special, stricter regime.
Rules on security of processing
  • The rules on security of processing imply an obligation of the controller and the processor to implement appropriate technical and organisational measures in order to prevent any unauthorised interference with data processing operations. 
  • The necessary level of data security is determined by: 
the security features available in the market for any particular type of processing; and the costs; and the sensitivity of the data processed. 
  • The secure processing of data is further safeguarded by the general duty on all persons, controllers or processors, to ensure that data remain confidential.
Rules on transparency of processing 
  • Before starting to process personal data, the controller must, at the very least, inform the data subjects about the identity of the controller and the purpose of the data processing, unless the data subject already has this information. 
  • Where the data are collected from third parties, the obligation to provide information does not apply if: the data processing is provided for by law; or provision of information proves impossible or would involve a disproportionate effort. 
  • Before starting to process personal data, the controller must, additionally: notify the supervisory authority of the intended processing operations; or have the processing internally documented by an independent personal data protection official, if national law provides for such proceedings.
Rules on promoting compliance
  • Developing the principle of accountability, the Data Protection Directive mentions several instruments for promoting compliance: prior checking of intended processing operations by the national supervisory authority; personal data protection officials who shall provide the controller with special expertise in the field of data protection; codes of conduct specifying the existing data protection rules for application in a branch of society, especially of business. 
  • CoE law proposes similar instruments for promoting compliance in its Profiling Recommendation.
The rights of data subjects
  • Everyone shall have the right under national law to request from any controller information as to whether the controller is processing his or her data. 
  • Data subjects shall have the right under national law to: access their own data from any controller who processes such data; have their data rectified (or blocked, as appropriate) by the controller processing their data, if the data are inaccurate; have their data deleted or blocked, as appropriate, by the controller if the controller is processing their data illegally. 
  • Additionally, data subjects shall have the right to object to controllers about: automated decisions (made using personal data processed solely by automatic means); the processing of their data if it leads to disproportionate results; the use of their data for direct marketing purposes. Independent supervision
Independent Supervision
  • In order to ensure effective data protection, independent supervisory authorities must be established under national law. 
  • National supervisory authorities must act with complete independence, which must be guaranteed by the founding law and reflected in the specific organisational structure of the supervisory authority. 
  • Supervisory authorities have specific tasks, among others, to: monitor and promote data protection at the national level; advise data subjects and controllers as well as the government and the public at large; hear complaints and assist the data subject with alleged violations of data protection rights; supervise controllers and processors; intervene if necessary by warning, admonishing or even fining controllers and processors, ordering data to be rectified, blocked or deleted, imposing a ban on processing; refer matters to court.
Remedies and sanctions
  • According to Convention 108 as well as the Data Protection Directive, national law must set out appropriate remedies and sanctions against infringements of the right to data protection. The right to an effective remedy requires, under EU law that national law set out judicial remedies against infringements of data protection rights, irrespective of the possibility of approaching a supervisory authority. Sanctions must be set out by national law that are effective, equivalent, proportionate and dissuasive.      
  • Before turning to the courts, one must first approach a controller. Whether or not it is also mandatory to approach a supervisory authority before applying to a court, is left to regulation by national law. 
  • Data subjects may bring violations of data protection law, as a last resort and under certain conditions, before the ECtHR. 
  • In addition, the CJEU can be approached by data subjects, but only to a very limited extent.
Nature of transborder data flows
  • Transborder data flow is a transfer of personal data to a recipient who or which is subject to a foreign jurisdiction. 
Free data flows between Member States or between Contracting Parties
  • Transfer of personal data to another member state of the European Economic Area or to another Contracting Party to Convention must be free from restrictions
Free data flows to third countries
  • Transfer of personal data to third countries shall be free from restrictions under national data protection law, if: adequacy of data protection at the recipient has been ascertained; or it is necessary in the specific interests of the data subject or legitimate prevailing interests of others, especially important public interests. 
  • Adequacy of data protection in a third country means that the main principles of data protection have been effectively implemented in the national law of this country. 
  • Under EU law, the adequacy of data protection in a third country is assessed by the European Commission. 
  • Under CoE law, it is left to domestic law to regulate how adequacy is assessed. Restricted data flows to third countries 
Restricted data flows
  • Before exporting data to third countries not ensuring an adequate level of data protection, the controller must subject the intended data flow to examination by the supervisory authority. 
  • The controller who wants to export data must demonstrate two issues during this examination: that a legal basis exists for the data transfer to the recipient; and that measures are in place to safeguard adequate protection of the data at the recipient. 
  • Measures for establishing adequate data protection at the recipient may include: contractual stipulations between the data-exporting controller and the foreign data recipient; or binding corporate rules, usually applicable for data transfers within a multinational group of companies. 
  • Data transfers to foreign authorities can also be governed by a special international agreement.
CoE law on data protection in police and criminal justice matters
  • Convention 108 and the CoE Police Recommendation cover data protection across all areas of police work. 
  • The Cybercrime Convention (Budapest Convention) is a binding international legal instrument dealing with crimes committed against and by means of electronic networks.
EU law on data protection in police and criminal matters
  • At the EU level, data protection in the police and criminal justice sector is regulated only in the context of cross-border cooperation of police and judicial authorities. 
  • Special data protection regimes exist for the European Police Office (Europol) and the EU Judicial cooperation unit (Eurojust), which are EU bodies assisting and promoting cross-border law enforcement. 
  • Special data protection regimes also exist for the joint information systems which are established at the EU level for cross-border information exchange between the competent police and judicial authorities. Important examples are Schengen II, the Visa Information System (VIS) and Eurodac, a centralised system containing the fingerprint data of third-country nations applying for asylum in one of the EU Member States.
Electronic communications
  • Specific rules on data protection in the area of telecommunication, with particular reference to telephone services, are contained in the CoE Recommendation from _''(.      
  • The processing of personal data relating to the delivery of communications services at the EU level is regulated in the e-Privacy Directive. 
  • Confidentiality of electronic communications pertains not only to the content of a communication but also to traffic data, such as information about who communicated with whom, when and for how long, and location data, such as from where data were communicated. 
  • The Data Retention Directive obliges communication service providers to keep traffic data available, specifically for the purposes of fighting serious crime.
Employment data
  • Specific rules for data protection in employment relations are contained in the CoE Employment Data Recommendation. 
  • In the Data Protection Directive, employment relations are specifically referred to only in the context of the processing of sensitive data. 
  • The validity of consent, which must have been freely given, as a legal basis for processing data about employees may be doubtful, considering the economic imbalance between employer and employees. The circumstances of consenting must be assessed carefully.
Medical Data
  • Medical data are sensitive data and, therefore, enjoy specific protection.
Data processing for statistical purposes
  • Data collected for statistical purposes may not be used for any other purpose. 
  • Data collected legitimately for any purpose may be further used for statistical purposes, provided that national law prescribes adequate safeguards which are met by the users. For this purpose, particularly anonymisation or pseudonymisation before transmission to third parties should be envisaged.
Financial data
  • Although financial data are not sensitive data in the sense of Convention 108 or of the Data Protection Directive, their processing needs particular safeguards to ensure accuracy and data security. 
  • Electronic payment systems need built-in data protection, so-called privacy by design. 
  • Particular data protection problems arise in this area from the need to have appropriate mechanisms for authentication in place.