Don’t Strike Down the Safe Harbor Based on Inaccurate Views About U.S. Intelligence Law

Important legal decisions should be based on an accurate understanding of the law and facts. Unfortunately, that is not the case for the Advocate General’s (AG’s) recent Opinion finding the Safe Harbor agreement between the U.S. and the EU unlawful. As the U.S. Mission to the EU has also noted, the Opinion suffers from particular inaccuracies concerning the law and practice of U.S. foreign intelligence surveillance, notably the PRISM program. Because it relies on these incorrect facts about PRISM to reach its conclusion, the factual basis for its overall findings falls away.

My comments here focus on the Opinion’s incorrect description of U.S. intelligence law and practice. In my experience as a scholar and practitioner in the field, the U.S. has far more extensive legal rules, oversight and other checks and balances on intelligence agencies than is generally true in E.U. member states.

The AG’s opinion reflects the frustration and anger of many Europeans and Americans who learned about practices of the U.S. and European intelligence agencies from documents leaked by Edward Snowden beginning in June, 2013. The scope and nature of the intelligence surveillance far exceeded what most people previously understood. As a long-time legal scholar on these issues, and participant in previous rounds of policy debates, I have shared the view that important new legal checks and balances have been needed on intelligence activities. I also have sympathy and respect for the goals of European data protection law, having written a book on the subject as well as participating in the negotiation of the Safe Harbor itself.

One response to the public concern was that President Obama created an independent Review Group on Intelligence and Communications Technology, to advise him on how to respond to concerns about intelligence agency activities. In my role as one of the five members, I know that we were briefed at the most classified levels, were provided all of the information and briefings we requested, and issued our 300-page report in December, 2013. The administration informed us that it has adopted at least 70 percent of our 46 recommendations; in addition, all of the major provisions of the USA Freedom Act, passed by Congress in 2015, were derived from Review Group recommendations.

None of these legal and administrative changes is reflected in the AG’s Opinion.

This lapse is particularly troubling because the Opinion based its analysis on the following statement: “In order to ensure effective judicial review of that type of decision, the assessment of its validity must therefore in my view be carried out by reference to the current factual and legal context.” (emphasis added) Unfortunately, the Opinion reached its conclusions with no reference to changes since 2013, and based on a demonstrably incorrect reading of the applicable law.

The central factual inaccuracies of the Opinion concern the PRISM program. It is worthwhile examining this issue in some depth, due to its status as the key factual basis for the AG’s views.

The Opinion bases itself on the Snowden revelations: “According to those revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.” Later, the Opinion states as fact: “Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” The Opinion says the access covers “in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.” It adds that, for information transferred by a company such as Facebook to the U.S., there is “mass, indiscriminate surveillance.”

As has been widely reported and based on my work on the Review Group, the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. The Review Group, in its Appendix B, set forth privacy protections applicable to Europeans and other non-U.S. persons under the law. Together these show the enormous gap between the statements in the Opinion and U.S. law and practice:

(1) Targeting must be for a valid foreign intelligence purpose in response to National Intelligence Priorities;

(2) Targeting must be conducted under a Foreign Intelligence Surveillance Court (FISC)-approved Section 702 Certification and directed at a person overseas;

(3) All targeting is governed by FISC-approved targeting procedures;

(4) Specific communications identifiers (such as a phone number or email address) are used to limit collections only to communications to, from, or about a valid foreign intelligence target;

(5) Queries into collected data must be designed to return valid foreign intelligence and overly broad queries are prohibited and supervised by the FISC;

(6) Disseminations to external entities, including select foreign partners (such as E.U. member states), are made for valid foreign intelligence purposes; and

(7) Raw data is destroyed after two years or five years, depending on the collection source.

In addition to the Review Group, the five-member, independent Privacy and Civil Liberties Oversight Board (PCLOB) issued a 191-page report on Section 702 in July, 2014. The PCLOB has precisely the attributes of independence and investigatory powers that European privacy officials have long emphasized; indeed, in contrast to the essentially non-existent powers of European Data Protection Authorities in intelligence matters, the PCLOB has the ability to conduct investigations based on classified briefings about the nation’s anti-terrorist surveillance activities. The PCLOB’s general findings are inconsistent with the factual statements in the Opinion: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence. The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the Board has found no evidence of intentional abuse.”

In short, based on investigation by an independent agency, the program has been necessary, effective and governed by law.

The independent Review Group and PCLOB reports refute the factual basis for the AG’s Opinion. Instead of the alleged “unrestricted access to bulk data,” the PCLOB found that the “program does not operate by collecting communications in bulk.” Instead of applying to “all means of electronic communications,” the program applies only to “specific communications identifiers” where the communication is to, from or about a valid foreign intelligence target. Instead of applying “without any differentiation, limitation or exception according to the objective of general interest pursued,” the program applies only to persons and queries for defined foreign intelligence purposes.

The U.S. government’s reforms and review have continued since the Review Group and PCLOB reports. We have witnessed a broader range of changes relevant to EU citizens than most have realized. Early in 2015, the PCLOB issued an assessment of how its recommendations have been implemented, finding: “The administration has accepted virtually all recommendations in the Board’s 702 report.” As one example relevant to the AG’s concern about indiscriminate surveillance unrelated to a legitimate purpose, the PCLOB recommended, and the administration has accepted, new definitional and oversight procedures about the purpose of each surveillance request. The new procedures create a stricter definition and documentation of the purpose of each request, subject to two levels of approval within the NSA as well as independent judicial review by the FISC.

The Section 702 discussion here illustrates the dense web of rules and oversight that exists for information collection by U.S. intelligence agencies seeking data held in the U.S. Transfer of data to the U.S. therefore does not remove legal protections against intelligence activities compared to data held in the E.U.

Written By

Peter Swire, CIPP/US

5 Comments

  • John Kropf Oct 5, 2015

    Well said and there is no better authority to set the record straight.  I suppose, however, if you want to reach a certain policy result even the facts can be ignored.  More fundamentally, I wonder if the ECJ will fail to see that data protection issues have to apply principles of international law when it interacts with other legal systems.   A fundamental principle of international law is that every sovereign state is bound to respect the independence of every other sovereign state, and the courts will not sit in judgment of another government's acts done within its own territory.
  • Joerg Steinhaus Oct 6, 2015

    The ECJ decision is a political one. It is based on a European understanding of basic rights which differs from the ideas on the other side of the Atlantic. To discuss these different points of view is important for a new and common agreement on the processing of personal data. And it is the result of the Snowden revelations to do so. Therefore, the ECJ decision is based on the right assumptions and a great signal that mass surveillance is against our, hopefully: common, values. Now we should look forward how to handle the emerging challenges of international data transfers.
  • Steve Sanford Oct 6, 2015

    "The PCLOB’s general findings are inconsistent with the factual statements in the Opinion: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence."
    Please cite at least ONE example to back up this statement.  Can you say that the Boston bombings were prevented?  
    Can you say that any violent act or act of internal spying by a state federal employee or contractor (such as Snowden) was caught?  
    Can we cite any occurrence of any act being stopped or mitigated?
  • Neil Riemann Oct 6, 2015

    Thanks for the illuminating analysis and many good points. But it is an unfortunate consequence of our government's longstanding and affirmative effort to deceive the public about its practices in this area that foreign courts are unexcited about extending us the benefit of the doubt and uninterested in engaging in the fine analysis of US intelligence practices. This is particularly true because people tend to believe that if they are deceived once, the deception might be ongoing.
  • Shava Nerad Oct 11, 2015

    Perhaps the court was not explicit in entering the evidence between 2013 and 2015, but it is out there.  The FISC has protested how the NSA has ignored their guidance.  Google publishes quarterly (delayed) reports as to the thousands of National Security Letters it is served and required to fulfill constantly under the requirements of the USA PATRIOT Act.  
    
    The US standards for protecting user data from breaches are that we close the doors after the horse is stolen, which is completely different from the EU -- VISA/MC went out of their way to cover for Target so as to preserve "consumer confidence" rather than censure them for violating their obligation to protect user data privacy and security as obligated by contract.  The CFAA keeps our businesses dependent on a weak standard of evidence, so prosecutors can use really slack technical work to bring in cases, and businesses can use CFAA threats to bargain with gray security researchers for patches.
    
    Angela Merkel's government leaked that her cell phone was tapped by the NSA and that our president told her, basically, to suck it up -- a woman who grew up in East Germany under the Stasi, who told Obama that his high policing was like the Stasi.
    
    These are American cultural and business and governmental phenomena.  To the outside world, they look insane.
    
    Critiques of these institutions should give us pause, but of course, such noise is just something that came out of the foreign press -- like this decision -- and therefore people such as yourself dismiss it. 
    
    I believe that we should be, like Europe, treating user privacy as consumer protection, as well as civil liberties.  
    
    Without privacy, civic dissent withers.  COINTELPRO and the birth of the FISC court are great examples of the abuse of high policing in our recent history.  Our nation would have been stillborn without the use of pseudonymous and anonymous publishing by our founders, for example in our Revolutionary War and during the Constitutional Congress.
    
    But today, privacy is under fire from the engines of marketing -- the loudest and most compelling voices in our culture.  Commercial interest in selling the public on the death of privacy is against the best interests of the republic, but there's very little money opposing it.  And as we all know, money is political speech.
    
    I really hope that outside pressure is enough to give us the incentive to actually form up a "Church Committee" with teeth -- something that we will never create out of a Congress under surveillance.
    
    Today, asymmetrical wars are fought with violence (rarely, and more successfully, with nonviolence); symmetrical wars are fought with economics and more subtle tools, including every tool in the obscurantist's quiver.  The spy/surveillance, high policing, chilling effects, propaganda, big lies, pressure to conform through cultural/economic norms.  These tools are available to democracies, if the electorate can be disengaged from oversight and civic literacy.  If the "political class" can be convinced that the electorate must be manipulated, rather than engaged.
    
    We all need to be honest about where we are in this conflict.  On the side of the consumer?  On the side of the electorate?  On the side of government reform?  On the side of American business being better trusted abroad?
    
    Just the sheer idiocy of having the FBI stand before Congress speaking against strong encryption -- the foundation of our modern economy?  Our banks, markets, commodities, e-commerce?  
    
    That the FBI this week admitted that their reporting of police violence against civilians was inaccurately reported, and The Guardian and the Washington Post had better numbers -- and that was "ridiculous" was refreshing.  But that no one, including the newspapers involved, bothered to note that this implied that the reports that the FBI had published using the same flawed methodology for decades were also flawed, implies that we simply republish government statements.  Or people who give government a blank check, such as yourself.
    
    We can't afford this.
    
    We need better long term solutions, and they may not include Adm. John Poindexter's paranoid inheritances in uncompromising contrast with American business interests.  We can not live in a safe world, and we can not live in a world where the American public lives in an isolated oasis without risks.
    
    We have to reasonably introduce our people to the global situation, and defuse the GWOT bloat before it takes over our government irreducibly.
    
    We need to talk about that openly -- not privately.  We need better dialogue, point by point, looking for solutions.
    
    Shava Nerad
    former executive director, The Tor Project
    retired, speaking for myself