Published by The Lawfare Institute
in Cooperation With
Following the Court of Justice of the European Union’s (CJEU’s) decision in Data Protection Commissioner v. Facebook Ireland, Schrems (Schrems II), stakeholders are increasingly advocating for a multilateral accord on government surveillance.
Could international norms really be set in a realm where sources and methods are kept secret, which stems from a tradecraft built on deception, where legality can depend on the side of the spyglass on which one sits? It is more than a challenge, but many observers believe it is quickly becoming a necessity. To move past no-spy treaty rhetoric and Orwellian policy choices, it could be helpful to understand why stakeholders are demanding action now, what a surveillance accord could entail and how policymakers might get there.
Three immediate factors are driving calls for governments to come to the table.
First, companies (and regulators) have been handed an impossible task: rein in government surveillance without the tools to do so, and with global commerce on the line. The Schrems II decision places the onus on companies transferring personal data to assess whether foreign protections for government access are essentially equivalent to those required by E.U. law. Where those protections are not equivalent, the companies must put in place undefined safeguards to ensure the standard of protection or suspend transfers. If they fail to act, regulators must step in.
The European Data Protection Board’s efforts to define such safeguards resulted in draft (but immediately applicable) guidance that technical safeguards such as encryption—which renders the data inaccessible—may be the only fail-safe option. The board also acknowledged that, in many instances, encryption would make the data processing and transfer itself worthless, thereby implying that data localization might be the only available alternative. Shortly thereafter, a French court, the Conseil d’Etat, issued a decision assessing the sufficiency of safeguards to thwart notional foreign government efforts to compel access to data held by subsidiaries on E.U. shores, implying that even data localization is not a viable solution. E.U. and foreign companies alike now have few if any options to process data in line with these rulings.
Second, the E.U.’s existing data transfer policy framework is ill suited to solve the challenge at hand because the “adequacy” model is inherently one-sided. In 2016, the General Data Protection Regulation added government access to data in the national security realm to the list of adequacy assessment criteria. This led the European Commission to demand reforms by foreign governments, which it cannot demand of E.U. members (competence over national security is reserved for member states individually, with some exceptions carved out via recent CJEU jurisprudence, as noted below). Foreign governments are understandably wary of making commitments that are not reciprocally binding.
Third, this is a global issue. The Schrems II decision requires essential equivalence for data to move globally. Even more importantly, countries around the world are replicating the E.U.’s data transfer restrictions in privacy legislation. While most other countries have yet to create their own adequacy lists or bar commercial data flows based on foreign surveillance practices, it seems only a matter of time before such approaches become more common.
Beyond these immediate challenges, there are a number of long-term drivers for multilateral action, including broader concerns regarding the scale and scope of modern surveillance capabilities, intelligence cooperation between allies, and how their use or limits impact civil liberties and national security.
What Should Governments Discuss?
If governments come to the table together, they must decide what to prioritize. Should discussions be limited to principles related to government access to personal data held by the private sector such as compelled access, or should norms concerning direct covert surveillance also be considered? The source of concerns and the feasibility of addressing them may point in opposite directions.
On the one hand, the CJEU, the European Commission and some U.S. policymakers have raised concerns on both fronts. In the Schrems II ruling, the CJEU found that U.S. protections were lacking with regard to two legal instruments—Section 702 of the Foreign Intelligence Surveillance Act, which concerns compelled access pursuant to court-reviewed targeting procedures, and Executive Order 12333, which concerns general intelligence authorities and protections and does not involve private parties. Separately, in line with the court’s ruling, the European Commission assessed protections concerning both compelled access and direct surveillance in its recent draft U.K. adequacy determination, though it limited its assessment of direct surveillance to that with a “British Islands connection.” Around the same time, U.S. Sen. Mark Warner questioned whether the massive SolarWinds data breach was “within the bounds of acceptable espionage,” noting that “countries spy on each other, but the volume and level in terms of governmental entities and private sector enterprises … ought to be alarming to all of us.” Today, democratic nations generally agree that unfettered surveillance is neither desirable nor insightful, suggesting that both direct and compelled access are worthy of consideration.
On the other hand, if near-term progress is the goal, policymakers might be better served by focusing their efforts on the intersection of intelligence gathering and commercial operations. After all, companies must operate within the bounds of law on multiple shores, while intelligence agents sometimes operate in the alleys between. Recent CJEU action on this narrower front may also heighten E.U. member states’ interest in discussing shared principles with like-minded allies. In October 2020, the CJEU issued rulings that demonstrated its willingness to hold E.U. member states accountable to E.U. law in areas where national security authorities engage directly with commercial operators. The CJEU lacks competence over member states’ broader intelligence activities. In fact, in this narrower arena, progress is within reach. The Organization for Economic Cooperation and Development recently launched an initiative to develop trusted principles for government access to private-sector data.
How Might They Progress?
As governments gather together, their success will hinge on who comes to the table and their ability to build on shared data protection principles across a host of international agreements.
Applying privacy principles to cross-border spy craft requires a unique skill set—patience, resolve and a scalpel. But, above all, applying these principles will require knowledge of what is possible and what is at stake. As one facet of state security, intelligence activities are typically excepted from international accords on privacy or otherwise. E.U. member states recognized national security as an essential state function and carved it out of the unifying Treaty of Lisbon. While the October 2020 CJEU case noted above calls into question the scope of this exception, France’s efforts to challenge the decision’s implications demonstrate that countries do not take perceived encroachments on their authority in this space lightly. Further, privacy principles seem diametrically opposed to those underpinning intelligence operations—transparency vs. secrecy, access vs. classification. Revealing sources and methods would make intelligence operations useless. Progress in applying privacy principles demands attention from officials who know the darker lanes between nations’ legal edifices, which intersections to illuminate and where bridges and guardrails can be built. To date, intelligence officials have stayed out of the limelight, leaving the international privacy debate largely to officials representing the commercial and privacy interests challenged by current concerns. Now, recognizing their shared interests in a trusted framework for global data flows, law enforcement and intelligence authorities are coming to the table. Their knowledge of redlines, existing intelligence cooperation, current protections, and where they can be extended is pivotal.
Once governments sit down together, leveraging protections and approaches from existing accords will be the key to rapid progress. Broadly applicable multilateral instruments such as the Budapest Convention on Cybercrime, the International Covenant on Civil and Political Rights and the OECD Privacy Guidelines demonstrate how governments have embraced common privacy principles. However, each accord reveals that national security is consistently excepted from the rules. At this stage, even well-crafted exceptions will not resolve the current impasse. Instead, law enforcement and intelligence authorities should look closer to home, at bilateral agreements related to information sharing, data transfers, and protection in the law enforcement context to guide their way forward.
Three recent agreements are worth considering closely: the Umbrella Agreement, the Terrorist Finance Tracking Program Agreement, and the U.K.-U.S. Agreement under the U.S. CLOUD Act. Taken together, these arrangements include six noteworthy features. First, they incorporate commonly recognized global privacy principles. Second, they circumscribe limitations on those principles in a way well-aligned with CJEU jurisprudence. Third, they separate the standards to be met from local interpretation. Fourth, they accommodate different legal structures. Fifth, they contain mutually binding elements. And sixth, they enable data flows. Their approach to each of these elements is instructive.
The Umbrella Agreement governs personal information that U.S. and E.U. law enforcement entities share relating to the prevention, investigation, detection and prosecution of criminal offenses. The agreement is reciprocally binding and recognizes the principles of necessity, proportionality, relevance and reasonableness, as implemented by the parties in their respective legal frameworks. Its protections include commonly recognized privacy principles; administrative and judicial redress in accordance with the legal framework of the state in which relief is sought; and public independent oversight, as defined within the agreement for each party.
The Terrorist Finance Tracking Program Agreement enables the U.S. government to obtain data stored in the E.U. related to terrorism from designated providers of international financial payment messaging services and to share information with E.U. authorities upon request. The agreement recognizes the principle of proportionality, as implemented:
in the United States through reasonableness requirements derived from the United States Constitution and federal and state laws, and their interpretive jurisprudence, as well as through prohibitions on overbreadth of production orders and on arbitrary action by government officials; and in the European Union as derived from the European Convention on Human Rights and Fundamental Freedoms, its applicable jurisprudence and EU and Member State legislation.
The agreement prescribes the targeted nature of permitted processing and applies the necessity standard to production requests. It outlines common data protection principles to be applied without discrimination on the basis of nationality or country of residence. It provides individuals the right to confirm if their personal data has been processed in breach of the agreement. That right is subject to administrative and judicial redress in accordance with the laws of each party, respectively. The agreement is bound by independent oversight by officials selected by both parties.
The U.K.-U.S. Agreement was authorized under the U.S. CLOUD Act. To be eligible to sign a CLOUD Act agreement, a government must be party to the Convention on Cybercrime, or have laws consistent with its requirements, and respect the rule of law and principles of nondiscrimination and human rights, including protection from arbitrary and unlawful interference with privacy. Agencies authorized to request data must have clear legal protections covering common delineated privacy principles. Production orders must be focused on a specific person or identifier and on obtaining information relating to serious crime, including terrorism. They must also be compliant with the domestic law of each party, based on reasonable justification, subject to review by an independent authority and effective oversight under the domestic law of the issuing party. The E.U. has put forward a similar proposal.
Collectively, these three arrangements demonstrate how governments can implement privacy protections in a related realm. Establishing such protections in the intelligence arena is undoubtedly more complex. The secrecy and classification that shrouds authorities, intelligence-sharing arrangements, targets, and operations makes even discussing them with foreign officials a challenge. Still, the law enforcement arrangements above offer a starting point. They show how parlance as politically fraught as necessity and proportionality can be divorced from local subtexts and untethered from foreign jurisprudence. They provide reciprocity and nondiscrimination, require independent redress and oversight, accommodate unique legal foundations, and enable data flows and law enforcement cooperation.
These agreements show how “like-minded democracies” have erected guardrails in similar contexts, recognizing that they cannot eliminate the shadowy lanes between nations’ legal structures but can help ensure safe passage to those who stumble into their midst. As governments gather together in the OECD or elsewhere, they can draw on legal frameworks that incorporate fair information practice principles in line with the rule of law in each jurisdiction.
With the right officials at the table, governments can adjust the aperture of the spyglass to offer their citizens mutual protections.