Privacy Paradox

The US-UK Deal Is Actually Quite Good

By Paul Rosenzweig
Wednesday, July 19, 2017, 8:30 AM

Earlier this month Scarlet Kim and Mailyn Fidler posted an extended critique of the proposed US-UK agreement for cross-border law enforcement data requests.  The critique was troubling, especially because I have long thought that some form of bilateral or multilateral agreement on cross-border data exchange is necessary to regularize the process and prevent the balkanization of the network. [Full disclosure:  I have, in the past, worked on and written on these issues for private sector clients].  As a consequence, the critique seemed to me worthy of extended consideration.  After reviewing the matter, I think their critique is overbroad and misstates a bit of the argument – hence this response.

Overbroad and Lacking Particularity -- Kim and Fidler’s first argument is that UK warrants (to which American companies would be responding) are “overbroad” and “lack particularity.”  In support of this argument they rely on the provision of the recently-adopted Investigatory Powers Act (IP Act) which permits UK authorities to seek bulk warrants. 

This critique misunderstands, however, how the proposed DOJ legislation implementing the US-UK agreement would actually work (and the DOJ legislative proposal is, of course, the most relevant statutory requirement since it would be, if adopted by Congress, the binding law in America).  The mistake Kim and Fidler make is that they equate what is possible under UK law with what would be possible under the proposed legislation. 

This is a category mistake.  While UK law does permit the UK authorities to seek warrants for the bulk collection of data (as does US law, in some cases), the DOJ proposed legislation makes clear that this would not be possible under the Agreement. Under the DOJ legislative proposal only agreements that meet the conditions specified in the legislation would be approved.  The relevant statutory requirement is that an Agreement is only effective as to “[o]rders issued by the foreign government [that] identify a specific person, account, address, or personal device or other specific identifier as the subject of the Order.”  Hence, pursuant to agreements adopted by the US under this legislation, no foreign government would be able to use an Agreement to seek bulk data from a US tech company.  Or more accurately, if a foreign government like the UK did seek bulk data in this way then that request would not be consistent with the legislation authorizing the agreement and the blocking statute in ECPA (which generally prohibits disclosure unless authorized) would continue to apply and prevent a US company from responding with a bulk volume of data.   

This type of process is not unusual in a world where inconsistent legal systems interact. Indeed, it is very much akin to how the rest of the world treats, for example, the American penchant for the death penalty. Most of our extradition treaties with other nations prohibit extradition to the US if the death penalty will result – and as a consequence, in seeking extradition in cases where the law permits the imposition of the death penalty, the US government (or the State, as the case may be) forswears the full application of law. Even though US law permits the penalty, the extradition treaty acts as a barrier. In much the same way here, even if UK law permits the request, the US-UK Agreement and US law would act as a barrier.

Put simply, it doesn’t matter what UK law allows – what matters is what US law allows under the Agreement. Thus, the statements of Paddy McGuinness, the U.K.’s deputy national security adviser, far from being ambiguous, are, I think, wholly accurate and precise. Legislation implementing the U.S.-U.K. agreement would “[l]imit access to targeted orders for data (i.e. a specific individual, phone number, email address or other identifier), and not bulk access to data.”

Inadequate Judicial Scrutiny -- The proposed DOJ implementing legislation says that disclosure orders authorized under the Agreement must “be subject to review or oversight by a court, judge, magistrate, or other independent authority.”  Kim and Fidler argue that the UK does not meet the judicial scrutiny requirement of the DOJ legislation because the judicial commissioner appointed under the IP Act is not really independent; can only apply a procedural review of warrants; and cannot examine the merits of an application.  I think this assessment is wrong.  It is also vaguely insulting to the UK and smacks of American legal imperialism.

To begin with, Lord Justice Adrian Fulford has been appointed the first Investigatory Powers Commissioner. He is one of the UK’s most respected and senior judges. And, the overall impact of the IP Act is not a diminution of judicial power. Rather, the IP Act increases the independence and power of the judicial oversight role by providing increased powers, more resources, and greater technical expertise to the judiciary, allowing it to hold the UK Government better to account. Lord Justice Fulford’s appointment was recommended by the Lord Chief Justice – the most senior judge in England and Wales – and, as per British legal process, was approved by the Prime Minister in a procedural and non-political role.

I confess to not being an expert in how the UK legal system functions, but the idea that the commissioners are not independent seems almost nonsensical.  I do know that the principle of judicial independence is deeply ingrained and upheld by the British judiciary. British judges are entirely non-political, unlike the American system.

More to the point, it is simply incorrect to say that the “judicial review” standard under the IP Act is a low, exclusively procedural standard. The standard articulated in the IP Act is one that is well understood and commonly used by the British judiciary in reviewing government actions. It is understood to allow the Judicial Commissioner to review whether a decision has been lawful, rational and fairly made. The standard introduced by the IP Act ensures that, ultimately, an interception warrant will not come into force until a Judicial Commissioner has approved it and is satisfied that the Secretary of State’s decision meets this requirement of lawfulness, rationality and fairness. In this context, I do not think that the judicial review is merely procedural; nor is it a rubber stamp.

For example, the Judicial Commissioner is required under the IP Act to consider whether the Secretary of State was correct in determining that the warrant was necessary and whether the conduct authorised by the warrant is “necessary” and “proportionate” to what it seeks to achieve [section 23 of the IP Act]. In addition, the Commissioner is required to take into account the factors (what the UK calls “duties”) identified in the privacy clause of the Act [section 2 of the IP Act]. These include, inter alia, whether the order could be achieved by any other means; the public interest and integrity and security of telecommunications systems; and any other privacy issues, including any of the rights enshrined in the European Convention on Human Rights. One may think that the factors are insufficient. One may doubt that the review will be implemented as described. One can disagree with particular results. But it is inaccurate to argue that the UK law limits consideration to procedural matters -- it clearly permits, and requires, a substantive review of the warrant both as to its necessity, its proportionality and its impact on privacy. In UK law, as in the US, these are not procedural questions – they are a substantive inquiry.

Whenever I opine on foreign law, I worry I might be in error. I am comforted that my assessment of the IP Act is accurate by the writings of David Pannick, a leading UK barrister specialising in public policy and human rights law. According to an article he wrote in The Times during the consideration of the bill, the judicial review standard adopted was appropriate. [The Times is behind a firewall – I am happy to provide a hard copy of the article to anyone who asks]. He concluded, quoting guidance from the Court of Appeal, that “judges applying a judicial review test must themselves consider the merits and decide whether the measure is indeed necessary and proportionate.” [Emphasis supplied]. The “merits” inquiry, then, is not merely a procedural review.

Intercept Evidence Inadmissible in Court -- Kim and Fidler’s third argument is that since intercept evidence cannot be used in court the use of Investigatory Powers cannot effectively be challenged in the UK. This critique is both puzzling to me and, I think, 180 degrees in error.

Many observers, including me, regard the UK’s bar on using intercept evidence in court as a privacy protection that is superior to that afforded in the US. This prohibition removes the ability of the UK Government to conduct surveillance of someone without their knowledge and then prosecute them using the fruits of that surveillance.  That seems to me a positive, rather than a negative, aspect of the IP Act from a privacy perspective (and a negative one from a security perspective).

But the broader point is that the critique is actually incomplete and therefore not well taken. The IP Act establishes mechanisms for individuals to challenge the use of Investigatory Powers. An individual who thinks that the surveillance powers have been used against them unlawfully may seek review of their case and ask the Investigatory Powers Commissioner to investigate any errors [section 231 of the IP Act]. In addition to the oversight by the Investigatory Powers Commissioner, an individual can also apply to the Investigatory Powers Tribunal for review. [The IPT was created by the UK to meet its obligations under the European Convention on Human Rights. It investigates and determines complaints which allege that public authorities have unlawfully used covert techniques and infringed the right to privacy or breaches of human rights]. The Tribunal can and does rule against the British Government.

The Big Picture

Two final points are, to my mind, also worth making, though they don’t go directly to Kim and Fidler’s arguments – the value of humility and the necessity of action.

On the question of humility, it behoves Americans (and UK citizens) to act with a bit of respect for the operation of other democratic governments. While I certainly cannot say that the IP Act is consistent with how I might have legislated, I can say without hesitation that it was the product of the considered judgment of the UK government and deserves our deference as equivalent in intent and scope to broad Western values.

The IP Act received an unprecedented level of scrutiny in Parliament and the UK Government consulted widely before publishing the draft Bill.  The Bill was drafted in response to three independent reports. Collectively the three reviews proposed important changes to the way investigatory powers were overseen, and recommended the introduction of consistent safeguards and greater openness.

The draft Bill was then considered by three separate Parliamentary committees (a specially convened Joint Committee of the Lords and Commons, the Science and Technology Committee, and the Intelligence and Security Committee). It underwent 8 months of Parliamentary scrutiny, during which time a further independent report on the Act was produced and Parliament considered over 1,700 amendments to the Act.

The IP Act was ultimately passed on an overwhelming bipartisan basis.  [444 Members of Parliament voted for the legislation and only 69 against]. In short, the British people, through their representatives, have decided, in an open and democratic way, what the right combination of powers, oversight, review and transparency is for the British people.

Given that the US-UK agreement applies only with respect to cases which, in good faith, the UK believes involve only UK citizens, it seems a bit of hubris for Kim and Fidler to nonetheless say that the UK system doesn’t meet American standards. As Jen Daskal has noted at Just Security, where a particular criminal activity poses such a risk to the UK that it justifies an interception warrant, and where there is no good faith reason to think there is a link to a US person in the US or overseas, it is logical that the basis for that request should be in British law, not American law.

I believe it should be the British Parliament that decides what is permissible in British law for British citizens, not the US courts or Congress.  The same respect, of course, is what Americans demand when confronted with the critique of other nations.

To think of a useful analogy, the French legal system does not have jury trials.  Yet we recognize that the system of criminal justice in France is fundamentally fair and worthy of our respect even though it lacks a component we consider Constitutionally mandatory.  The same is true of privacy protections – the UK has slightly different ways of approaching the problem and may even get to a different place in particular cases, but their law is roughly equivalent to America’s and respects the same fundamental values we do.

Finally, let me turn to the necessity for action. We are faced today with a slowly disintegrating cyber network that is becoming increasingly balkanized as countries adopt data localization requirements.  In response, other countries (including the US) seek to apply their law enforcement data collection authority extraterritorially.  The two trends are going to come into inevitable conflict unless some resolution can be found … and the US-UK agreement is a pretty good starting point for that resolution, premised on the assumption of mutual respect and rough equivalence.

Kim and Fidler conclude that finalising an Agreement with the UK would disincentivise countries from raising privacy standards.  The available evidence suggests otherwise.  Prior to the adoption of the IP Act, there was no judicial review of intercept warrants in the UK. The judicial review provision was, at least according to several people who seem to have a good sense of the matter, supported by the UK Home Office in significant part because the UK knew that it needed such a provision in order to take advantage of any potential US-UK deal.  In other words, the US is using its leverage in exactly the way Kim and Fidler urge.

If they can’t accept the idea of rough equivalence then, taken at their word, Kim and Fidler are effectively saying that only countries with the exact same standards as the US’ should be able to get data from a US company even when that data has nothing to do with the US.  If that is truly the standard then this is the same as saying no country will ever be able to get such data.

The consequences of this continued state of affairs have been spelled out by government and industry alike and they are unacceptable. Look, for example, at the recent Google proposal launched by their General Counsel, Kent Walker, and at the written testimony from Brad Smith of Microsoft and Rick Salgado, also of Google.

There is a wide consensus that the current conflict of laws situation is bad for public safety and bad for US tech companies. Those who argue for the status quo are arguing for law enforcement to continue to be unable to get data they need to stop horrific crimes including terrorism; incentives to Governments to localise data; to take action against company representatives; to use more intrusive (and less privacy protective) methods to access the data that they need; and so on.

Is the US-UK agreement perfect?  Probably not.  But it is actually quite good and deserves support.