Get serious about reining in national security surveillance.
“The EU should suspend the ‘Safe Harbor’ agreement with the US.”
This is one of the conclusions of the Advocate General of the Court of Justice of the EU, in his 23 September opinion on the ‘Schrems case’, and the one that has drawn the most headlines. It echoes repeated demands by the European Parliament that the European Commission should declare the agreement invalid. A suspension would certainly be a dramatic (and to many policymakers and advocates, an attractive) political gesture, no doubt causing significant economic costs and creating legal issues and operational problems for the companies that transfer data under the scheme.
However, the reality is that if the CJEU were to follow the AG’s guidance and strike down the Safe Harbour Agreement, it would do little to advance global norms or dialogue on data protection, nor help protect EU citizens from electronic surveillance and indiscriminate collection of personal data by US or other nations’ security agencies.
This is because the Safe Harbor is a commercial data governance and compliance scheme, designed to ensure that companies collect and manage data in accordance with EU standards. Neither the Safe Harbor nor other modes of transferring personal data from the EU to the US (Binding Corporate Rules, and Model Contracts) can control or regulate the practices of security agencies conducting national security surveillance. The existing EU Data Protection Directive (and its successor, the draft General Data Protection Regulation) have explicit carve-outs for national security matters, an area in which the European institutions do not have competence to act or legislate. European Data Protection Authorities do not have authority to oversee European states’ intelligence agencies, and the US Federal Trade Commission does not have authority to oversee the NSA or other US agencies. Legally, administratively and constitutionally, these are different realms.
Therefore, although the Safe Harbor is very much implicated in this legal proceeding, it is not the substantive core. The heart of the matter on which the AG published his opinion is the nature of US national security surveillance programmes, and their invasion of the privacy rights of EU (and other) citizens. The AG found, correctly, that “…the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection.”
The AG’s analysis is therefore first and foremost a damning verdict on the scope and scale of NSA intelligence gathering and the resulting erosion of privacy protection for US citizens, for Europeans, and people worldwide.
The AG’s analysis is therefore first and foremost a damning verdict on the scope and scale of NSA intelligence gathering and the resulting erosion of privacy protection for US citizens, for Europeans, and people worldwide. For several years, CDT and others have argued consistently for comprehensive reform, and for substantive privacy protections to be extended to non-US persons. We have made some progress towards reform. The adoption of the USA Freedom Act was a welcome step in the right direction.
However, the AG Opinion is a wake-up call to the US Administration and US lawmakers that much, much more needs to be done. On the commercial side, in the long run, the goal must be comprehensive, baseline privacy and data protection in the United States.
With respect to surveillance, better protections must be afforded to non-US persons under US privacy and surveillance laws.
In particular, an urgent next step should be reform of Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act.
In particular, an urgent next step should be reform of Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act. CDT has laid out the elements that comprehensive reform of Section 702 surveillance should include: limitations on the purposes for which surveillance can be conducted, an enhanced role for the FISA Court in approving and overseeing such surveillance, and the elimination of the collection of communications that are neither to nor from a surveillance target, and instead are “about” the target. Additional reforms are also necessary, and are actively being considered by a working group CDT is leading. Section 702 is set expire on December 31, 2017, but we should not wait for that date; reform should take place as a matter of urgency. The AG’s conclusions about the inadequacy of US privacy protections are well-founded and this decision must bring new urgency to US surveillance reform efforts.
In addition, they should spur much-needed progress in reforming European countries’ surveillance programmes. One of the conclusions that could be drawn following the Snowden revelations was that European and other intelligence agencies run programmes similar to those of the NSA, often in formal (e.g. “five eyes”) or informal cooperation with the NSA. There is little indication that European Union Member States are prepared to set limits on electronic surveillance. On the contrary, countries such as the UK, France, and the Netherlands are expanding surveillance capabilities, and creating new legal bases for the types of indiscriminate, mass collection of citizens’ data the AG correctly denounces. However, Germany is beginning to consider steps to rein in surveillance, including an important proposal by the Social Democrats [in German] to require independent approval of selectors used to identify communications that will be intercepted. If this model is adopted in Germany – and it should be – it could become a model for other countries.
As CDT said to the European Parliament civil liberties committee when we provided evidence to the Committee’s post-Snowden inquiry on electronic surveillance, what is required is the US and European countries setting proper legal standards, safeguards and oversight for the conduct of electronic surveillance for national security purposes, and ensuring that these programmes respect international human rights norms. The Safe Harbor scheme is under review, and the European Commission is in the final stages of negotiations with the FTC in this regard. The resulting improvements will hopefully be meaningful and substantive, but neither amending/revising the Safe Harbor scheme, or cancelling it outright as the AG suggests, will achieve the comprehensive surveillance reform that remains urgently needed.