When the European Court of Justice and its Advocate General found the Safe Harbor unlawful in October, a major reason was their concern about the U.S. surveillance system. This week the Belgian Privacy Authority hosted a forum on the Schrems Safe Harbor case, and I was asked to comment on two questions:
- Is U.S. surveillance law fundamentally compatible with EU data protection law?
- What actions and reforms has the U.S. taken since the Snowden revelations began in June 2013?
To assist the consideration of these issues, I have prepared a 40-page white paper, published this week by the Future of Privacy Forum, that provides clear answers, with copious footnotes, to these important questions. The paper has three chapters.
First, there is a fundamental equivalence of the United States and EU member states as constitutional democracies under the rule of law. In the Schrems decision, the U.S. was criticized for failing to ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” This chapter critiques that finding, instead showing that the United States has strict rule of law, separation of powers and judicial oversight of law enforcement and national security surveillance, which together make the U.S. legal order “essentially equivalent” to the EU legal order.
Second, the Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology.The Advocate General’s opinion in the Schrems case said that the PRISM program gave the NSA “unrestricted access to mass data” stored in the U.S., and that Section 702 enabled NSA access “in a generalised manner” for “all persons and all means of electronic communications.” This chapter refutes those claims, which appear to be based in part on incorrect stories in the press. Instead, the Section 702 programs operate with judicial supervision and subject to numerous safeguards and limitations. They examine the communications only of targeted individuals, and only for listed foreign intelligence purposes. The total number of individuals targeted under Section 702 in 2013 was 92,707, a tiny fraction of Internet users in the EU or globally.
Third, the U.S. Congress and executive branch have instituted two dozen significant reforms to surveillance law and practice since 2013. The Schrems opinion said that U.S. privacy protections must be evaluated in the “current factual and legal context,” but did not address the numerous changes put in place since 2013. This chapter provides a readable explanation of each of these actions, which together constitute the biggest set of pro-privacy actions in U.S. surveillance law since creation of the Foreign Intelligence Surveillance Act in 1978.
From my years of writing about EU data protection law, I know that it is often complex and confusing, including for many Americans. The same is true about U.S. surveillance law. The whitepaper attempts to bring these two divergent areas of law together in a readable form. An accurate understanding of the law and facts is essential to achieving the best possible outcome for Safe Harbor 2.0, and for the many ongoing issues that will arise in subsequent legal proceedings and implementation of the General Data Protection Regulation. I hope this whitepaper can help clarify these discussions, and I welcome comments and corrections.