How to Build an Effective PCLOB: CDT’s Recommendations to the UK Government

In tandem with the UK’s proposed Data Retention and Investigatory Powers Bill, UK Home Secretary Theresa May has declared her intention to establish a “Privacy and Civil Liberties Board, based on the US model”—a reference to the United States’ Privacy and Civil Liberties Oversight Board (“PCLOB”).  According to the Home Secretary, the new UK board’s mission will be to “consider the balance between security and privacy and liberty in the full context of the threat we face from terrorism.”

The Center for Democracy & Technology was a strong supporter of the recommendation of the US 9/11 Commission (page 395 of the report) that Congress create an independent body to oversee American counter-terrorism programs and offer advice to the government about how such programs could best protect civil liberties.  Along with other civil society organizations, we have actively engaged with PCLOB in a number of ways since its creation, including by testifying before the board and providing it with written recommendations.  We believe that any similar oversight body must have certain characteristics in order for it to be as effective as possible (although we note with concern that the word “oversight” is not included in the Home Secretary’s description of the planned UK board). These elements are derived from our long experience with PCLOB’s evolution and activities in the US.[1] It is our hope that the UK authorities will give this list, which reflects our “lessons learned,” serious consideration as they make plans for the new UK body.

Based on our experience, we believe that any privacy and civil liberties oversight body should be:

• Part of a complete, well-functioning, and transparent system of checks on surveillance powers, including judicial checks.  In the US, as in the UK, we have struggled to hold intelligence agencies accountable before courts and legislative bodies.  These other checks on the agencies’ activities are crucial, and an oversight body such as PCLOB does not (and cannot) serve as an adequate replacement for them.  One thing an oversight board can do is make findings and recommendations that inform the decisions and policies of these other bodies, as PCLOB does.

• Fully empowered to obtain all necessary documents and testimony.  Despite repeated urging by civil-liberties groups, the US Congress has not yet given the US PCLOB the power to compel any person or entity to produce documents (or testify).  (By a majority, the Board may decide to ask the Attorney General to compel the production of documents—or compel witnesses to testify—but the Attorney General is not required to comply with such a request.)  US PCLOB members have assured the public that they have received access to all of the information that they require, but the power to compel such access where necessary remains desirable.  Regardless of whether an oversight body has the power to order the production of documents and witnesses in this manner, all members should have (or be eligible to obtain) security clearances at whatever level is necessary for them to do their work effectively.  This may limit the number of potential candidates for membership in the body, but the ability to view classified information will be essential to their tasks.

• Independent.  By statute, the US PCLOB is “an independent agency within the executive branch,” meaning that it is not subservient to any other authority and is not in any way affiliated with the agencies whose surveillance activities it oversees.  Furthermore, its members cannot be current employees of the federal government, and the executive branch does not have the power to terminate their service on the Board.  Congress substantially increased PCLOB’s independence after an earlier iteration of the oversight board (with different members) permitted the White House to censor portions of a report it had written.

• Able to refer abuses of power to prosecutors.  The statute that established the US PCLOB emphasizes the importance of civil liberties and explicitly acknowledges the possibility that the US government may misuse its surveillance powers and/or overstep its legal bounds.  However, the statute unfortunately does not give PCLOB the power to refer cases of suspected criminal violations of the law for prosecution.

• Expert and credible.  The required qualifications of the members of such an oversight board should be considered carefully.  The US PCLOB includes lawyers with extensive expertise in privacy, data security and counterterrorism, as well as a former judge who served on an appeals court that regularly handles cases involving national security.  Although the Board’s members are appointed by the president, the Senate must confirm each of them.  These requirements help to ensure that appointees are credible and that their recommendations will be taken seriously.

• Balanced and representative of different views.  While all of the members of this type of oversight body should be committed to privacy and civil liberties, they should also be diverse as to gender, race, ethnicity and religion and include a variety of experiences and viewpoints.

• Transparent (and charged with promoting transparency).  The US PCLOB regularly holds public hearings and invites public comment, and it is able to enter a closed session when reviewing classified material.  Both are essential attributes of a well-functioning oversight body.  By law, the US PCLOB is required to make its reports public “to the greatest extent that is consistent with the protection of classified information and applicable law.”  To date, much of the evidence and documentation upon which the Board has relied remain classified.  The Board has sought and obtained the declassification of some materials; however, the fact that many documents remain classified means that it is sometimes difficult to evaluate the extent to which the Board’s reports are fully informed.  It may be advisable for the new UK oversight body to be able to recommend the declassification of particular documents and to trigger a mandatory process to evaluate whether such documents should be declassified.

• Adequately funded and staffed.  It would be difficult to overstate how miniscule the resources the US government has allotted to the PCLOB are in comparison with the amount it has budgeted for the intelligence agencies and relevant private contractors.  Better funding and an increase in staff support would likely lead to broader and deeper oversight of clandestine surveillance activities.  All members of such an oversight board should be fully compensated.

• Willing and empowered to ensure respect for the rights of non-citizens and non-residents.  The oversight body’s charter should make it clear that the body’s responsibilities extend to ensuring respect for the fundamental rights of persons who are not citizens or residents of the country that establishes it.  The US PCLOB’s statutory authorization is silent on this point, although the Board has stated an intention to weigh the rights of non-US persons.

• Obligated to report its activities and findings.  The US PCLOB is required by law to issue at least two reports per year concerning its activities, findings and recommendations, as well as any minority views among its members.  It sometimes issues additional reports on particular matters.

• Inclusive of, or supported by, independent and competent technical experts.  Given the level of complexity of the technology implicated in today’s secret surveillance programs, it is essential for an oversight board to include members or staff who have substantial training in computer science or engineering, or to be empowered to retain advisors who have such specialized training.  While the US PCLOB does not include any computer scientists, the Board has the power to retain consultants with such qualifications where necessary.

We are looking forward to working closely with our UK partners as the Home Secretary’s plans for the new oversight body continue to develop.