mixmagic - stock.adobe.com
The US should reform its surveillance legislation as a matter of urgency if the EU and US are to reach an agreement on transatlantic data-sharing, according to a study for an influential European parliamentary committee.
A study commissioned by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) warns that without substantive changes to US surveillance practices, it will not be possible for the EU and the US to reach an agreement.
The study, written by data protection and security specialist Ian Brown and Douwe Korff, emeritus professor of international law, calls for the US to limit its bulk collection of phone and internet data, set stronger standards to justify surveillance targets, and provide EU citizens with effective legal redress in the US.
The reforms are part of a package of recommendations designed to pave the way for the EU and the US to replace the Privacy Shield data-sharing agreement, which was struck down by the European Court of Justice in 2020, with an agreement that safeguards the privacy of EU citizens.
The European court found two fundamental flaws in US laws that govern the surveillance of non-US citizens. First, US surveillance law did not meet European requirements that intrusions on privacy are necessary and proportionate. Second, it found that EU citizens have no effective right of redress before an independent body if their privacy rights are breached
Brown, visiting CyberBRICS professor at FGV Law School in Brazil, said: “Those two things need to be reformed in US law before any kind of successor to the Privacy Shield has a chance of standing up to a further court case in Europe.”
Section 702 of the Foreign Intelligence Surveillance Act (FISA), along with Executive Order 12333, allows US intelligence agencies to collect data from internet service providers and cloud computing providers relating to non-US citizens.
Although former US president Barack Obama placed limits on how bulk intelligence can be used with Presidential Policy Directive 28 (PPD 28) in 2014, the European court has not accepted that it ensures that US surveillance is necessary and proportionate.
Impact of surveillance on EU citizens
Because such operations are highly classified, EU citizens who are subject US surveillance cannot know whether their communications have been intercepted.
But EU citizens could be impacted in practical ways, said Brown. For example, they might find it difficult to obtain an ESTA visa waiver or may be stopped at the US border.
“You could imagine that European businesses, particularly if they are competing for large contracts with US companies, might wonder sometimes if information about their bids have been shared with US competitors – there have been allegations of that over the years,” he said.
Last month, there was an outcry in Germany when it emerged that Denmark’s secret service had helped the US National Security Agency to spy on German politicians, including chancellor Angela Merkel.
Brown said: “I take it for granted that whenever I talk to members of the European Parliament or their staff or officials, and the European Commission, that unless their communications are well protected by encryption, they would come under this kind of targeting.”
The practice in the US of using secret opinions to interpret surveillance laws is particularly problematic for EU law, which requires surveillance laws to be published, legally binding, clear and “foreseeable” in the way that they are used, according to the LIBE report.
US surveillance law, and the FISA law in particular, does not require surveillance measures to serve a “legitimate purpose” in a democratic society because it allows espionage for political and economic purposes.
“They do not in themselves define the scope and application of the relevant surveillance measures – but rather, leave many matters to executive discretion,” says the report. “Nor do they require that any specific measures imposed in a specific context be ‘necessary’ and ‘proportionate’.
“In sum, secret or excessively vague rules, or rules that grant unfettered discretion, do not constitute ‘law’ in the European human rights sense.”
US authorities consistently argue that the “mere” collection and retaining of personal data does not interfere with privacy as long as no official has looked at it, even though the data might be subject to automatic filtering, says the study.
Four steps to a replacement for Privacy Shield
- EU and US should begin discussions on a significantly enhanced and strengthened self-certification scheme for US corporations.
- The US should urgently reform its federal surveillance legislation. This should involve:
- Limiting bulk collection.
- Narrowing the definition of foreign information.
- Setting stronger standards to justify surveillance targets.
- Reducing the default retention period from five years to three.
- Increasing transparency about surveillance.
- Providing EU residents with an effective remedy before an independent impartial tribunal, for example the Foreign Intelligence Surveillance Court.
- Bring surveillance in the EU and the “Five Eyes” under the rule of law:
- Agree a treaty between EU/EEA states and “Five Eyes” intelligence partners.
- The 35 countries should agree as an interim measure not to spy on each other’s citizens and their data without agreement from the citizens’ own state.
- The EU should introduce a US-style class action remedy for violations of GDPR, allowing anyone who has suffered damage from GDPR violations to seek compensation.
There are no serious safeguards to ensure that sharing of data between the US and intelligence agencies in different countries does not undermine privacy protections granted under EU law, it says.
“It is clear US surveillance laws manifestly fail to meet the standards adduced in the case-law of the European Court of Human Rights and the Court of Justice of the EU,” the report says.
The study argues that the US should be urged to reform its surveillance legislation urgently by introducing a raft of measures, including increasing transparency about surveillance measures and granting EU citizens the right to seek judicial review from the Foreign Intelligence Surveillance Court (FISC).
It cites the US Open Technology Institute, which has recommended that the US government limits the collection of bulk communications and adopts binding rules ensuring that bulk surveillance is necessary and proportionate.
Its report, co-authored by Sharon Bradford Franklin, former executive director of the Privacy and Civil Liberties Oversight Board (PCLOB), also calls for stronger standards to be set to justify surveillance targets and independent reviews of the necessity and proportionality of targeting decisions.
The American Civil Liberties Union has gone further, calling for the banning of bulk collection under EO 12333 and for surveillance targets to be notified once investigations are complete.
Right for EU citizens to appeal to FISA court
Under the LIBE proposals, Europeans would be able to complain to US government departments and have their complaints investigated without the need to pay for US lawyers.
If they are unhappy with the outcome, they could go on to complain to the Foreign Intelligence Surveillance Court and have the decision appealed by an independent body.
“The Foreign Intelligence Surveillance Court would need to be able to issue binding judgments, which could stop the agencies doing something which they had done and to change what they’re doing with surveillance materials,” said Brown.
“It could not be clearer that people should get a remedy before an impartial tribunal if their rights are breached, and that’s not currently the case.”
The EU and the European Parliament should demand that EU member states and other countries bring their intelligence practices into line with human rights laws, the report argues.
The starting point should be the development of “mini-lateral” treaties between the 30 EU/EEA states and the “Five Eyes” countries – the USA, the UK, Australia, Canada and New Zealand.
These countries should agree not to spy on each other’s citizens without notification and the agreement of the citizens’ home state.
“The idea of this treaty would be for those countries to initially agree standards that would meet their own national requirements,” said Brown. “It would not be easy, but if they could do that, it would very significantly reduce the difficulty of allowing Privacy Shield agreements to work in future.”
Other recommendations include setting up an enhanced self-certification scheme for US corporations to comply with the EU’s General Data Protection Regulation (GDPR), backed with stronger enforcement powers.
The study proposes that the US Federal Trade Commission is given powers to police the scheme, which would have to meet all “substantive requirements” of GDPR.
EU should allow class actions over data breaches
The EU should offer the US and other countries the ability to take part in class action litigation when their rights are violated under GDPR, the study says.
This would overcome concerns that EU data subjects’ interests are not often effectively enforced by data protection regulators, and that the costs of court actions can be prohibitive.
“The US class action system in this regard does work better, so this might be a way to make it easier for Europeans in Europe, as well as potentially Americans, to get better enforcement of their rights,” said Brown.
If these recommendations are implemented, EU-US data transfers could be reintroduced without the risk that a new adequacy decision would be invalidated by the European court.
“We don’t think this is a lost cause,” said Brown. “We can have an agreement with the US on this, if the US can make reasonable reforms. They are significant reforms. We are not saying they are straightforward, or will not face potentially significant opposition in Congress. But we do think it is possible.”
Until that time, transfers of personal data from the EU to the US will require safeguards, including standard contractual clauses (SCCs) and binding corporate rules.
They will need to be accompanied with supplementary measures, such as strong encryption to prevent data being accessed by the US intelligence agencies.
Audits, logs and reporting mechanisms could be used to protect non-sensitive data that is not of interest to the intelligence services.
But the study warns that effective supplementary measures have yet to be identified that could protect sensitive data, such as communications data, financial data and travel data, sent to the US in non-encrypted form.
“The issues therefore need to be addressed urgently,” says the study.
Foreign Intelligence Surveillance Act (FISA) Section 702
FISA Section 702 allows the collection of “foreign intelligence information”, which is broadly defined to include information that relates to the national defence of security of the US and the conduct of foreign affairs of the US.
It allows the US government to require telecoms and internet service providers and “remote communication service providers”, such as cloud computing companies or data processing companies, to give “all information, facilities or assistance” needed.
Former NSA contractor Edward Snowden disclosed that FISA had been used by the US to spy on allies and leading EU politicians, including, it emerged, German chancellor Angela Merkel.
Former US attorney-general Jack Goldsmith said it could also be assumed that the US used FISA to collect commercial and economic information. He suggested the world had little reason to trust that stolen secrets would not be passed to US firms.
FISA allows the US National Security Agency to direct ISPs, telephone companies and email providers to provide all communications sent to or from “a selector”, such as an email address. The programme, known as Upstream, was previously called PRISM.
The US National Security Agency has the authority under FISA to collect all communications, apart from phone calls, from companies that offer long-distance, high-capacity internet cables using “selectors”.
Executive Order 12333
US Presidential Executive Order 1233 governs the targeting of non-US citizens by the intelligence services. It allows the National Security Agency to “collect (including through clandestine means), process, analyse, produce and disseminate signals intelligence information and data for foreign intelligence and counter-intelligence purposes to support national and departmental missions”. It gives no right of redress to non-US citizens.
Presidential Policy Directive 28 (PPD-28)
PPD-28 was issued by US president Obama following the Edward Snowden leaks. It places limits on how bulk signals intelligence can be used.
These include detecting and countering espionage and other threats and activities directed by foreign powers against the US and interests, threats to the US and its interests from terrorism, threats from weapons of mass destruction, cyber security threats, threats to the US armed forces or other personnel, and transnational criminal threats.
The directive requires that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside”. It says US Signals Intelligence activities must include appropriate safeguards for all individuals, irrespective of their nationality.
The US president may nonetheless “modify” or “waive” EO 1233 and PPD-28 without providing any public notice. The US Department of Justice’s Office of Legal Counsel (OLC) regularly issues classified legal opinions on national security matters which are binding on the executive. Such opinions were used under the George W Bush administration to justify US torture and warrantless surveillance.
Former attorney-general Jack Goldsmith observed that OLC lawyers dealt with FISA in the way they dealt with other laws they did not like. “They blew through them in secret, based on flimsy legal opinions that they guarded closely, so no one could question the legal basis for the operations,” he said.
In once case, the FISA court interpreted the Patriot Act to find that almost every American’s phone records were “relevant” to a terrorism investigation. Between 25 and 30 of the most significant classified orders and opinions pre-dating Snowden have not been disclosed.