The Privacy Shield is Riddled with Surveillance Holes
The European Commission and the U.S. Department of Commerce have finally announced the details of the EU-U.S. Privacy Shield, an agreement designed to ensure that personal data can flow between Europe and the U.S. for commercial purposes while maintaining the privacy rights Europeans have come to love and expect. Lawmakers in the U.S. and abroad were under intense pressure to produce some sort of agreement after the European Court of Justice (CJEU) dissolved the safe harbor agreement related to transatlantic data flows last October, leaving countless international tech firms in a lurch about how to handle data. The court decision and subsequent negotiation could have been a powerful motivator for the U.S. to clean up its surveillance policies. Instead, the patchwork of concessions in the Privacy Shield leaves the door open for the digital surveillance of hundreds of millions of Europeans.
It’s unclear what, if anything, the new Privacy Shield is supposed to be shielding people from— except perhaps shielding U.S. companies from the inevitable consequences of their country’s mass surveillance program.
When the CJEU tore up the previous Safe Harbor agreement, it was in part because "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life." In other words, untargeted wholesale spying on non-U.S. persons is enough to undermine any assurances American companies have made to the EU authorities that they would comply with the EU’s data protection standards.
The Commission’s communications related to the Privacy Shield speak repeatedly about the value of U.S. written claims that there is "no indiscriminate or mass surveillance." We went back and analyzed the letter provided to European Commissions by the Office of the Director of National Intelligence related to signals intelligence. While Robert Litt, the General Counsel of ODNI, states that the intelligence community "does not engage in indiscriminate surveillance of anyone, including ordinary European citizens." We suspect that Litt's statement hinges on the idea of "indiscriminate" —he's under the impression that the data of hundreds of millions of people can be scanned by the government under broad categories, and that, somehow, this activity is discriminating. In the letter, Litt also states that U.S. intelligence activity must be "as tailored as feasible" and that "whenever practicable" surveillance should be tailored rather than in bulk.
Within the same document, Litt talks about how President Obama’s order related to signals intelligence in the wake of the Snowden revelations "recognizes that Intelligence Community elements must collect bulk signals intelligence in certain circumstances in order to identify new or emerging threats and other vital national security information." We’ve long been concerned that the National Security Agency is redefining basic words in an attempt to obfuscate their widespread surveillance activity, but with a term like “national security” the NSA doesn’t even need a clever new definition of the term: the concept is so nebulous that its edges cannot be defined.
Whatever else the Privacy Shield does, it will not prevent the collection of data on hundreds of millions of law-abiding Europeans by U.S. intelligence agencies and their partners. (We wonder what Europe’s data protection authorities made of the reports last week that President Obama has been proceeding with plans to widen the sharing of this raw, unminimized data with the FBI, CIA, and other agencies).
The announcement of the Privacy Shield also lauded the Judicial Redress Act, recently signed into law by President Obama. This law is designed to ensure that Europeans can use the U.S. court system to protect their privacy rights. However, this is an extremely limited right. The law only allows Europeans to use the U.S. court systems to sue U.S. government agencies for infringement of the Privacy Act of 1974. The Privacy Act of 1974 established a set of principles American government agencies need to follow related to collecting and maintaining personal data, such as providing individuals access to records about themselves. The Privacy Act is so riddled with exemptions as to make redress profoundly difficult for U.S. citizens, particularly if fenced off by agencies as a matter of national security. The Identity Project has gone so far as to call the Judicial Redress Act worthless.
Finally, there remains the matter of the independent oversight body making sure the Privacy Shield operates as it should. In the agreement, this role falls primarily to the Privacy Shield Ombudsman, who was announced to be embedded in the U.S. State Department. The role of ombudsman has a defined meaning in the E.U. system. As the head European Ombudsman, Emily O’Reilly, noted, the independence expected of this overseer is difficult to reconcile with their position in one of the primary executive departments, especially when that department directly benefits from advice of the intelligence agencies.
So, the Privacy Shield agreement appears to fall down on all of the requirements of the original CJEU decision. It maintains the program of mass surveillance against non-U.S. persons that so disturbed the court, it denies Europeans effective remedy against a wide range of state surveillance programs, and its proposed methods for dispute resolution are neither independent, nor reach sufficiently deeply into the intelligence agencies’ practices.
Our prediction is that this will continue to be a face-off between states regarding their citizens’ privacy. Next up will be the data protection authorities' report on the agreement, due at the end of this month. Thereafter, we can expect to see a series of challenges to this compromise among European regulators and in the courts.
In the meantime, the U.S. government still has a chance to practice substantial reform and get ahead of the criticisms of this stop-gap. With so much in privacy and commerce at state, real reform of FISAA 702, and EO12333 are more urgently needed than ever. Please speak out against mass surveillance today.