In October, the European Court of Justice and its Advocate General struck down as unlawful the EU/US Safe Harbor, which since 2000 has been a major way that US-based businesses could comply with the relatively strict EU privacy laws. Concerns about the weak protections in the US surveillance system were a major basis for striking down the Safe Harbor.
This decision was based on an incomplete, and in some respects badly mistaken, view of US law. Last week the Belgian Privacy Authority hosted a Forum on the Schrems Safe Harbor case, and I was asked to comment on two questions:
1. Is US surveillance law fundamentally compatible with E.U. data protection law?
2. What actions and reforms has the US taken since the Snowden revelations began in June 2013?
The answers to these questions could have a major impact on ongoing negotiations for a revised Safe Harbor, as well as whether any legal structure currently exists that clearly complies with European data protection law. The Future of Privacy Forum has now published my 40-page white paper that provides clear answers, with copious footnotes, to these important questions. The paper has three chapters.
First, there is a fundamental equivalence of the United States and EU member States as constitutional democracies under the rule of law. In the Schrems decision, the US was criticized for failing to ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” This chapter critiques that finding, instead showing that the United States has strict rule of law, separation of powers, and judicial oversight of law enforcement and national security surveillance, which together make the US legal order “essentially equivalent” to the EU legal order.
Second, the Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology. The Advocate General’s opinion in the Schrems case said that the PRISM program gave the NSA “unrestricted access to mass data” stored in the US, and that Section 702 enabled NSA access “in a generalised manner” for “all persons and all means of electronic communications.” This chapter refutes those claims, which appear to be based in part on incorrect stories in the press. Although I do not agree with every detail of the law, the Section 702 programs operate with judicial supervision and subject to numerous safeguards and limitations. They examine the communications only of targeted individuals, and only for listed foreign intelligence purposes. The total number of individuals targeted under Section 702 in 2013 was 92,707, a tiny fraction of Internet users in the EU or globally.
Third, the US Congress and executive branch have instituted two dozen significant reforms to surveillance law and practice since 2013. The Schrems opinion said that US privacy protections must be evaluated in the “current factual and legal context,” but did not address the numerous changes put in place since 2013. This chapter provides a readable explanation of each of these actions, which together constitute the biggest set of pro-privacy actions in US surveillance law since creation of the Foreign Intelligence Surveillance Act in 1978.
From my years of writing about EU data protection law, I know that it is often complex and confusing, including for many Americans. The same is true about US surveillance law. The White Paper attempts to bring these two divergent areas of law together in a readable form. An accurate understanding of the law and facts is essential to achieving the best possible outcome for Safe Harbor 2.0, and for the many ongoing issues that will arise in subsequent legal proceedings and implementation of the General Data Protection Regulation. I hope this White Paper can help clarify these discussions, and I welcome comments and corrections.