Privacy Perspectives | U.S. surveillance and the eye of the beholder
Editor's Note:

As the privacy world eagerly awaits the Irish High Court’s findings in what’s known as Schrems 2.0, a case challenging the legitimacy of using standard contractual clauses as a basis for data transfer from the EU to the U.S. and elsewhere, the IAPP has collected the testimony of the expert in U.S. law selected by Max Schrems, Ashley Gorski of the American Civil Liberties Union, followed by testimony of two experts selected by Facebook, Professor Peter Swire, CIPP/US, of the Georgia Institute of Technology and Professor Stephen Vladeck of the University of Texas. The IAPP also invited the two experts who were selected by the Data Protection Commissioner of Ireland, but they declined to publish their testimony. The rules for expert witnesses are different under Irish law than under U.S. law. Under Irish rules, experts are required to be independent of the party that selected them. Experts swear to the following statement: “I understand that it is my duty as an expert to assist the Court as to matters within my field of expertise and this overrides any duty or obligation that I may owe to the party by whom I have been engaged or to any party liable to pay my fees.”

Is a country’s privacy regime adequate? To people who are not privacy professionals, this question may seem odd. What does adequacy of a legal framework mean? Is being “adequate” even a good thing?

But for privacy professionals, the context is clear. European law allows the transfer of personal data to non-European countries only if they “ensure an adequate level of protection.” The U.S.-EU Safe Harbor framework was believed to provide such adequate safeguards, but, in its October 2015 decision in Maximillian Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the framework. In the background were Edward Snowden’s revelations about the prevalence of access to private communications data by the U.S. government, particularly the NSA.

Commentators warned that the Schrems decision could have profound implications for much more than just the Safe Harbor. The logic underlying that decision could easily extend to undermine transfers to other “adequate” countries, including Five Eyes members like Canada and New Zealand, or U.S. intelligence partners such as Israel, as well as alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules.

Sure enough, in December 2015, Schrems himself amended his original complaint to the Irish Data Protection Commissioner, challenging the validity of Facebook Ireland’s alleged transfer of his data to the U.S. on the basis of the European Commission-approved standard contractual clauses (Schrems 2.0). The Irish DPC held that the complaint is well founded but, in line with the CJEU’s Schrems decision, petitioned the Irish High Court asking it to refer to the CJEU the question of whether the European Commission’s standard contractual clause decisions are valid under European law. Under Schrems, “the [CJEU] alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid.”

In Schrems, the CJEU delivered its decision based on the thinnest of factual bases, relying on the European Commission’s failure to examine “rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States.” The CJEU’s most elaborate factual finding was a reference to the Irish High Court’s own finding that “revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.” In contrast, in Schrems 2.0, the Irish High Court set out to explore the surveillance oversight laws of the U.S. This is a monumental task. A court’s thorough assessment of its own country’s surveillance laws is rare enough, let alone the laws of another country, and even more so a country like the U.S., which quite possibly has the most detailed, elaborate and transparent legal framework applicable to intelligence gathering by domestic and foreign surveillance agencies.

Are U.S. surveillance laws adequate? Like the classic Twilight Zone episode, it all depends on the eye of the beholder when the bandages are pulled off. The opinions we have collected here, by experts on both sides of the litigation, help shed light on some of the law’s intricacies. Peter Swire, Georgia Institute of Technology professor and Alston & Bird counsel, selected by Facebook, concludes that “overall intelligence-related safeguards for personal data held in the U.S. are greater than in EU Member States.” Conversely, analyzing the same laws, ACLU Staff Attorney Ashley Gorski, selected by Schrems, states that “U.S. surveillance law is extremely permissive, as the government claims broad authority to acquire the communications and data of non-U.S. persons located abroad.”

Other resources exist, though they are not plentiful. A recent Oxford University Press book edited by Fred Cate and Jim Dempsey assesses systematic government access to private-sector data in a dozen jurisdictions, including the U.S., France, Germany, Brazil, Japan, Korea and even India and China. In an article recently published by the Wisconsin International Law Journal, Gabe Maldoff and I examine the adequacy of Canada’s surveillance laws.

In the next few years, the debate will continue to rage. As the U.K. breaks ranks with its EU partners, its laws too could be deemed “inadequate.” In fact, while not subject to the jurisdiction of the European Commission, the national security regimes of European Member States are drawing wide criticism for being overly lenient, cryptic and opaque. Opinions on the relative beauty or ugliness of U.S. surveillance law will likely remain widely divergent; this collection is intended to inform that conversation and ground it in solid facts.

Photo credit: Video still courtesy Daily Motion.

1 Comment


  • Sheila Dean • Sep 7, 2017
    Mass surveillance in the United States during both Bush and Obama advanced offensively against US privacy law and global personal data. If you want an accurate accounting of U.S. Intelligence treatment of US personal (citizen) data, please pick up a copy of Jennifer Granick's book, American Spies: Modern Surveillance, Why You Should Care and What You Can Do About It. The spoiler is that US federal intelligence treatments of personal data aren't operating on the same legal nomenclature as US civilian law. So if your lawyer says "collection," it translates to US intelligence as "any machine learned data." Since we are in an age of parallel construction and legal invention coming from a global clandestine State, it is ethical to give privacy professionals fair warning that they need someone who can localize not just for US State laws but also someone with a US security clearance to transliterate the Five (Nine, Fourteen) Eyes treatment of personal data in order to evaluate its legal protections. It is also sage to reconcile, or at least inquire about, an immediate history (6 months to a year) of E-government compliance, Privacy Impact Assessments and Privacy Act (1974) compliances conducted by US public data and mass surveillance data holders. If a public record of these things is not available, or US public data holders are struggling or fighting to provide you with the information, it is likely the compliance data is not there or they are not meeting legal information requirements over personal data.