Systematic Government Access to Private-Sector Data
A Comparative Analysis
Abstract and Keywords
There has been an increase worldwide in government demands for data held by the private sector. In most countries studied, the publicly accessible law provides an inadequate foundation for systematic access, both from a human rights perspective and at a practical level. Transparency about systematic access remains weak. Access for national security purposes is more sparingly regulated than is access for criminal investigation purposes. Relying on the country reports prepared for this project, this chapter develops both a descriptive framework for comparing national laws on surveillance and government access to data held by the private sector, and a normative framework based on factors derived from constitutional and human rights law. A robust, global debate is needed on the standards for government surveillance, premised on greater transparency about current practices. International human rights law provides a useful framework for that debate.
In recent years, there has been an increase worldwide in government demands for data held by the private sector, driven by a variety of factors. This increase includes an expansion in government requests for what we call “systematic access”: direct access by the government to private-sector databases or networks, or government access, whether direct or mediated by the company that maintains the database or network, to large volumes of data. The June 2013 disclosures by Edward Snowden about systematic access programs conducted by the United States, the United Kingdom, and other countries dramatically illustrated the issue and brought it to the forefront of international debates.
Although it seems that systematic access is growing, there are also cases—in Germany and Canada—where government proposals for expanded access have been rejected due to public and corporate concerns about privacy, cost, and the impact on innovation.
Systematic access raises hard questions for companies that face demands for government access to data they hold. They must decide whether the demand or request is lawful, though the law may be vague. Companies must also decide what information about their responses to these demands they may disclose to their customers and to the public—the “transparency” issue that has received increased attention since June 2013 as discussed below.
This chapter identifies a number of common themes in the national laws on government surveillance and access to data held by the private sector of the 13 countries surveyed at the behest of The Privacy Projects. It presents a descriptive framework for analyzing and comparing these national laws. We also develop a normative framework based on a series of factors that can be derived from the concept of “rule of law,” from constitutional principles, and from existing (although still evolving) international human rights jurisprudence.
Among our key findings are the following: First, we found that in most, if not all countries studied, existing legal structures provide an inadequate foundation for the conduct of systematic access, both from a human rights perspective and at a practical level. Transparency about systematic surveillance programs is weak, so we lack an accurate or comprehensive understanding of systematic access. Nevertheless, we found that the relevant laws are at best vague and ambiguous, and government interpretations of them are often hidden or even classified; that practices are often opaque (because it is sometimes in the interests of both governments and companies to proceed quietly, and the companies are often prohibited from public comment); and that oversight and reporting mechanisms are either absent or limited in scope when they exist, and generally do not reach voluntary data sharing. Transparency remained weak even after information about some systematic surveillance activity appeared in the press as a result of leaks of classified information by former NSA contractor Edward Snowden in June 2013 and even after changes in US law permitted companies to provide a limited amount of information about US law enforcement and national security processes.
Second, in every country we studied, even those nations with otherwise comprehensive data protection laws, access for regulatory, law enforcement, and national security purposes is often excluded from such laws; alternatively, they are treated as accepted purposes for which access is authorized under separate laws that may or may not provide adequate safeguards against possible abuses. Moreover, almost everywhere, when it comes to data protection, access for national security purposes is more sparingly regulated than is access for law enforcement purposes.
Third, it seems overall there had been, until recently, relatively little discussion of the complex legal and political issues associated with asserting jurisdiction over data stored in other countries or relating to citizens of other countries. Also, until the Snowden revelations, discussion of the complex questions regarding extraterritorial application of human rights raised by trans-border surveillance had been lacking.
Fourth, although standards for real-time interception of communications for law enforcement purposes are high in most of the countries we surveyed (but not in India and China), standards for access to stored communications held by third parties are less consistent. When it comes to transactional data regarding communications, standards are even weaker.
Fifth, with respect to the standards for government access to communications in national security investigations, the overall picture is very complex. Almost half the countries studied do not have provisions requiring court orders for surveillance undertaken in the name of national security or for foreign intelligence gathering.
Finally, most countries handle travel and financial data under laws requiring routine, bulk reporting for specified classes of data.
This chapter proceeds as follows: Section III describes “systematic access” to data, highlighting evolving practices by governments across the globe. Section IV briefly describes the Snowden revelations. Section V considers the common themes emerging from an analysis of the law and practice of systematic access in the 13 countries the project surveyed.1 Section VI sets forth a descriptive framework that can be used to analyze national laws that set standards for governmental access to privately-held data, whereas Section VII lays out a normative framework, based on human rights principles, and offers some comparative observations. Finally, Section VIII offers preliminary recommendations and next steps in responding to the challenges of systematic government access to private-sector data.
Here is our basic conclusion: in most if not all countries, existing legal structures provide an inadequate foundation for the conduct of systematic access, both from a human rights perspective and at a practical level. At the practical level, the law provides little guidance, leaving companies to fill the gaps with their own judgments. From the human rights perspective, the systematic access that many governments obtain is not foreseeable from the text of the law, calling into question whether the laws in those countries meet evolving human rights standards.
Governments around the world have always demanded that commercial entities disclose data about their customers in connection with criminal investigations, enforcement of regulatory systems, and national security matters. Companies have always felt an obligation—and oftentimes are under legal compulsion—to cooperate, but they have also felt a business need and sense of responsibility to protect their customers’ personal data and, in most cases, have diligently sought to balance those interests.2 In recent years, there has been an increase worldwide in government demands for data held by the private sector, driven by a variety of factors. This has included an expansion in government requests for what we call “systematic access.” We use this term to encompass both direct access by the government to private-sector databases, without the mediation or interaction of an employee or agent of the entity holding the data, and government access, whether or not mediated by a company, to large volumes of private-sector data.
Here are some examples of what we mean by systematic access to stored data, covering a very wide range of data and justifications:
• In the United States, a special court ordered certain telecommunications service providers to disclose to the National Security Agency (NSA), on a daily basis, metadata (number making the call, number called, time, duration) for all telephone calls handled by the carriers to, from, and within the country. The bulk disclosure orders were renewed every 90 days from 2006 to 2015, when Congress adopted legislation ending it.
• Although most countries have long-standing systematic reporting requirements of a regulatory or administrative nature, especially in the area of financial services and employment, mandatory reporting of income data and other data related to the administration of taxes has expanded in recent years.3 In other countries, there is systematic reporting of hotel registrations or airline travel itineraries.
• In Germany, as Paul Schwartz outlines in his chapter in this volume, telecommunication providers are required to collect certain data about their customers, such as name, address, and telephone number, before the service is established. This information, termed “inventory information,” is sent to a databank of the Federal Network Agency, and other governmental agencies can make automated requests for this information from the databank.
• The Chinese government maintains almost unlimited and unfettered access to private sector data, through a variety of regulatory requirements. As Zhizheng Wang observes in his chapter on China in this volume, “the government’s systematic access to data held by anyone will become possible and realistic with the evolution of the e-government strategy, in accordance with its vital interest of maintaining the state’s control on information and ‘preserving the stability’ of the society.”
• The Brazilian Communications Agency (ANATEL) can request metadata from service providers and also maintains the technical ability to directly access metadata.4
• In India, as Sunil Abraham explains in his chapter in this volume, the government is building a Central Monitoring System (CMS) that is intended to allow the government to engage in real-time interception of email, chats, voice calls, texting, without intervention of the service providers.5
• A 2015 French statute expanded the government’s authority to obtain user data. Among other things, the government may demand that a provider automatically analyze all metadata it processes with algorithms to identify suspicious activity.6
• In the United Kingdom, the Investigatory Powers Act of 2016 mandates data retention by telecommunications service providers and expressly authorizes the issuance of “bulk personal dataset warrants.”7
We also found examples where, although the government requested records one at a time regarding particular individuals, devices, facilities, or accounts, the volume of requests was quite large. For example, in the UK, government agencies made 500,000 requests for telephony metadata in one year.8 Paul Schwartz notes that, in Germany, where local police departments can request cell tower data about any person located in a given area during a specific time period, a Berlin newspaper reported in 2012 that the Berlin police since 2008 had made 410 “radio cell inquiries” that collected information pertaining to 4.2 million cell phone connections. In the United States, government agencies issued over 1.3 million demands to mobile carriers in 2011, covering information ranging from basic subscriber identifying data to call detail records to cell site location information to call content.9 Directly comparable information for years since 2011 is not available, because the figure of 1.3 million demands was released by US Senator Edward Markey based on data several carriers reported to him. However, the transparency reports of just three of the largest US wireless carriers for recent years indicate that the volume remains substantial. Verizon reported 289,378 law enforcement demands for customer data, and AT&T reported 287,980 US criminal and civil demands for customer data in 2015. T-Mobile reported 339,270 federal, state, and local law enforcement requests in 2014.10 The volume of requests can lead governments and private-sector entities to develop automated interfaces or other arrangements that facilitate high volume access.11
Although it seems that systematic access is growing, we also found cases where proposals for expanded access had been rejected. In Germany, in 2011, the federal government abandoned the proposed ELENA project, which was intended to streamline the collection of a wide variety of employee data into a central databank run by a government agency, containing name, date of birth, insurance number, home address, time missing work, and “possible misbehavior.” In Canada in 2013 the government abandoned Bill C-30, which would have imposed various intercept capability and reporting requirements on communications service providers.
When this project began, it focused primarily on access to stored data held by businesses, distinct from real-time interception of communications. However, Snowden revealed information about systematic access to communications in transit such as the US government’s MYSTIC program, which is capable of intercepting and storing for 30 days all phone calls made nationwide in certain countries.12 A study for the European Parliament concluded that the practice of “upstreaming” (governmental surveillance accomplished by tapping into an entire communication stream, as opposed to receiving only particularized disclosures from communications service providers) appears to be a relatively widespread feature of surveillance by several EU Member States.13 Just as most governments have long asserted the power to demand access to stored data held by businesses about their customers, so they have also asserted the power to intercept in real-time communications passing over networks of telecommunications service providers. Sometimes such interception is conducted with the cooperation of the service provider, sometimes without. The rules and practices surrounding real-time collection can be very complex, but in certain circumstances the electronic surveillance activities of governments have long entailed large scale or systematic collection of communications for later analysis, especially for national security purposes and especially when conducted outside—or targeted at persons outside—the intercepting nation’s territory. As we discuss further below, the Snowden revelations suggest that the digital revolution has been accompanied by a growth in large-scale real-time interception. In addition, it appears that there is a growing overlap between access to stored data and real-time interception: it has been reported that the United States intercepts huge volumes of stored data in real time as it is shifted globally from server to server.14
Systematic access as we define it also relates to concerns over data retention and design mandates. Data retention refers to legal requirements that certain service providers collect and retain specific categories of information about the users and usages of their systems for a specified period of time (often ranging from six months to two years), so that the data is available to the government upon demand. Most recently, debates over data retention have focused on government proposals that telecommunications service providers (both traditional telephone and wireless operators and ISPs) maintain subscriber identifying information or connection data (such as customer billing information and dialed number information) for a set period of time.15 Design mandates include requirements that service providers design their systems to be “wiretap ready,” that is, to be capable of facilitating real-time or near real-time interception upon request.16
Our research into actual practices, although hampered by a lack of transparency, confirmed that governments are in fact increasingly turning to the private sector for information that they see as critical in countering criminal activity, terrorism, and other threats. The Snowden revelations dramatically reinforce this conclusion, augmenting it with new information regarding extraordinary programs of systematic collection in real time. The reasons for these trends are simple enough: to begin with, private sector firms hold an increasingly large amount of data about individuals collected in the course of ordinary commercial transactions or created by users and stored on cloud platforms, supplemented in some countries by data retention mandates. The volume of digital data routinely generated, collected, and stored about individuals’ purchases, communications, relationships, movements, finances, and tastes is staggering. At least three developments have fed the growing government appetite for this information: First are concerns about new and dangerous threats to national security, demonstrated by terrorist attacks in New York, Washington, Madrid, London, Mumbai, Boston, Paris, San Bernardino, Brussels, Istanbul, Nice, and elsewhere, and compounded by the rise in militant Islamic fundamentalism. Second are more mundane interests in tax collection and other regulatory or administrative goals. The third major factor is the steadily growing ability of businesses and governments to analyze large data sets in search of useful insights, a development often summed up with the phrase “big data.”17
Other commentators have observed that governments in the post-9/11 era are increasingly dependent on the private sector to assist them in collecting and analyzing data for national security purposes, and have applied various theories in analyzing these modes of cooperation.18 Our focus on systematic access was, until recently, almost unique. So too was our effort to explore the issue not only from the perspective of the governments’ needs or the countervailing civil liberties and human rights values but also from that of companies that are responding to governmental demands in numerous countries and are, therefore, caught in the middle between competing interests.19 They must often make judgments about how to respond to demands for systematic access when the law governing access is vague and susceptible to many interpretations. Legal requirements, business concerns, licensing schemes, the views of their customers, and the need to be perceived as cooperative in matters involving public safety or national security all play a role.
IV. Revelations of Systematic Surveillance Activities
On June 5, 2013, The Guardian began publishing information regarding surveillance activities of the US National Security Agency, based upon the leaking of classified documents by former contract employee Edward Snowden. Further disclosures by The Guardian and other major news outlets followed, along with official US government releases of previously classified documents in response to FOIA litigation and public demands for transparency.
One of the surveillance programs described in these disclosures involved systematic access of exactly the kind this project has been concerned with: the ongoing, bulk collection by the NSA of metadata on a large percentage of telephone calls to, from, and within the United States. The program operated under Section 215 of the USA PATRIOT Act, which authorized the government to seek a court order for the production of records relevant to a foreign intelligence investigation.20 Such orders required major telecommunications companies to disclose to the NSA call detail records on all calls by all of their customers and included originating and terminating telephone number and time and duration of call but not the substantive content of any communications.21 In 2015, the US Congress outlawed the program in the USA FREEDOM Act.22 It did this by requiring that all collection of call detail records under Section 215 of the USA PATRIOT Act be based on a “specific selection term” such as a phone number. It established a procedure for intelligence authorities to provide those terms to major telecommunications companies, which then search their customer information for “hits” on those terms.
It was also revealed that the NSA conducted for many years a program of systematic collection of Internet metadata. That program was discontinued in 2011 due to an assessment by the NSA that it was ineffective as a counterterrorism tool.23 The USA FREEDOM Act outlawed such programs by extending a specific selection term requirement to all of the authorities in which metadata can be collected for intelligence purposes in the United States, rendering illegal the bulk collection of communications metadata in domestic intelligence surveillance.
Snowden also disclosed documents describing activities of the US government, conducted under Section 702 of FISA, as adopted by the FISA Amendments Act of 2008 (FAA), involving the collection of the contents of communications.24 Section 702 authorizes the collection from service providers inside the United States of foreign intelligence about persons reasonably believed to be outside the United States. Initial reports about a program referred to as PRISM cited a government PowerPoint presentation saying that the government was collecting “direct from the servers” of leading communications service providers.25 The government and the companies involved have denied that there is any direct access to service provider computers.26 However, another program conducted under Section 702 has some elements of systematic access, in real time. According to a report by the US Privacy and Civil Liberties Oversight Board, the NSA’s UPSTREAM program acquires communications as they transit circuits that facilitate communications over the “Internet backbone.”27 Communications that contain a selector such as an email address and that are not domestic communications are ingested into government databases.28
Snowden also leaked documents disclosing systematic surveillance programs in the UK, including one called “Mastering the Internet” and another called “Global Telecoms Exploitation.” According to The Guardian, Britain’s “GCHQ [the UK’s signals intelligence agency] has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information.”29 In an operation code named TEMPORA, GCHQ stores large volumes of data drawn from fiber optic cables for up to 30 days so that it can be sifted and analyzed.30 According to The Guardian, GCHQ is able to “survey about 1,500 of the 1,600 or so high-capacity cables in and out of the UK at any one time” and was capable of extracting and collecting information (both content and metadata) from 200 of those cables at a time.31 According to The Guardian, citing official documents, as of 2011 GCHQ recorded 39 billion separate pieces of information during a single day. According to another document cited by The Guardian, GCHQ “produces larger amounts of metadata collection than the NSA.” The tapping operations within Britain were done under agreements with the commercial companies that own the fiber optic cables.
The controversy surrounding the Snowden leaks prompted journalists and activists to write about similar programs in a number of countries. Press reports have revealed the following:
• Germany’s foreign intelligence agency, the BND, was monitoring communications at a Frankfurt communications hub that handles international traffic to, from, and through Germany, presumably using the strategic monitoring authority described by Paul Schwartz in his chapter, and the BND is seeking to significantly extend its capabilities.32
• France runs a vast electronic spying operation using NSA-style methods, reportedly with even fewer legal controls.33 A 2015 statute expanded the government’s surveillance powers. Among other things, it authorizes the government to require service providers to apply algorithms to all metadata they process in order to identify suspicious activity, and also to make that data available to the government.34
V. Common Themes from the Country Reports
The 13 countries surveyed for this project were chosen based on a variety of factors that included availability of English language materials, scholars, and practitioners to analyze national law, and the size of the country in terms of economy and population. But caution should be exercised in extrapolating from this survey: among other limitations, the survey included not a single country in Africa or the Middle East (apart from Israel). Moreover, by being heavily weighted to democracies and to European democracies in general, with India and China as outliers, it may suggest more commonality of legal norms than would be found in a broader survey. With those significant caveats, the country reports analyzing the law and practice of systematic access identified a number of common themes about the countries examined:
• Lack of Transparency: Even after the Snowden leaks, systematic access is difficult to assess.
  • The relevant laws are at best vague and ambiguous, and government interpretations of them are often hidden or even classified.
  • Practices are often opaque; it is sometimes in the interests of both governments and companies to proceed quietly, and the companies are often prohibited from public comment.
  • Oversight and reporting mechanisms are either absent or limited in scope when they exist, and generally do not reach voluntary data sharing.
In the United States, the Snowden revelations altered this imbalance in a profound way by publicizing the legal and technical details of several highly classified surveillance programs. The same is true to a lesser extent in the UK. The Snowden leaks also led to some further revelations about surveillance programs in other countries.
But leaking is by its nature episodic and incomplete; even the most extensive leaks of classified documents can be misleading and are no substitute for structural and ongoing transparency mechanisms rooted in constitutional, legal, and political norms and supporting vigorous democratic oversight and debate. Outside the United States and the UK, the picture still remains very murky, although it is clear that systematic access occurs in many countries.35
The shock expressed not only by civil society but also by government officials at the scope of systematic access as revealed by the Snowden revelations demonstrates how deeply these programs and legal interpretations were hidden from public scrutiny and democratic debate.36 In the United States at least, the revelations accelerated an already growing corporate movement to demand transparency, that is, greater legal authority to disclose at least the number and type of government demands received and complied with, and companies also started taking steps to make surveillance without their consent more difficult.37
• Significant Commonality across Laws: Although differences abound, and can be significant, there is some commonality across most of the countries we surveyed:
  • Almost all have privatized their telecoms and thus recognize some arm’s length relationship between the government and the network operators.
  • Almost all recognize the right to privacy.
  • However, most of the countries surveyed either exempt data collection for law enforcement and national security purposes from general data protection laws or treat government access as a permissible use, subject to separate, varying restrictions.38
  • Most countries impose a variety of limits and controls on government access and surveillance requests, whether by courts, senior government officials, or committees or oversight bodies established for this purpose.
A major question, of course, is whether those control and review mechanisms are strong enough in the face of technological change, the continuing trend of individuals storing more and more of their digital persona in cloud-based computing models, and more aggressive government demands.
Finally, with the exception of mandatory reporting laws, the applicable laws and regulations in the countries surveyed generally focus on defining standards for requests for data regarding specific persons, and they seem to presume a world of limited and particularized access rather than systematic government access. (The UK’s Investigatory Powers Act and Germany’s G-10 law specifically authorize non-particularized interception of communications to or from persons abroad.) The Snowden revelations show how one of these laws (Section 215) had been interpreted in secret to authorize bulk, ongoing disclosures.
China and India stand out due to almost total lack of protection and oversight in both law enforcement and national security. At the opposite extreme, Japan and Brazil are notable for the severe limits they impose on interceptions undertaken for foreign intelligence security purposes.
• Inconsistency between Published Law and Practice: In many countries, the published law appears to say something different from what governments are reportedly doing. Even after the Snowden revelations, we lack an accurate or comprehensive understanding of systematic access because both its legal basis and actual practice are hidden from public view.
As the disclosures about the US government’s telephony metadata program show, governments may be operating under secret interpretations of the applicable laws. In other cases, they may be operating “in the interstices of national regulation,” obtaining access that is not specifically authorized but also not specifically prohibited.39 In the United States and in other democracies (especially Israel), the inconsistencies between publicly available laws and reported practice suggest areas of struggle or tension between legal requirements and perceived national security necessities. In light of these responsibilities to protect the nation against external and internal threats, the executive branch does not so much ignore existing law as rely on executive orders, secret court opinions, and other nontransparent means to interpret the law in the pursuit of the executive branch’s objectives.40 Additionally, after 9/11, several countries—notably Canada, Germany, the United States, and the UK—modified their antiterrorist statutes, thereby granting intelligence agencies more expansive surveillance powers.
Again, China and India are different: the former explicitly carves out broad exceptions for national security from both the constitution and relevant security and surveillance laws, whereas privacy protections under Indian law are weak, ambiguous, or non-existent.
• National Security and Law Enforcement: In every country we studied, even those nations with otherwise comprehensive data protection laws, regulatory, law enforcement, and national security access are often excluded from such laws, or treated as accepted purposes for which such access is authorized under separate laws that may or may not provide adequate safeguards against possible abuses.41 Moreover, almost everywhere, national security access is more sparingly regulated for data protection purposes than requests for law enforcement purposes.
• The Declining “Wall” between National Security and Other Uses: Prior to the terrorist attacks of 9/11, many of the countries we studied maintained a “wall” that prevented law enforcement and other government agencies from obtaining and using data collected by intelligence or national security agencies under relaxed data protection standards. In many countries, this wall has been dismantled, with the result that intelligence agencies may now, at least as a matter of legal authority, pass information to law enforcement officials, while data collected for law enforcement and other purposes may be shared with intelligence agencies. This is certainly the case in the United States post-9/11; in Canada, where antiterrorism policy explicitly calls out the importance of information sharing among law enforcement and intelligence agencies;42 and (more surprisingly) in Germany, where, as Paul Schwartz notes, recent laws have eroded the wall somewhat, thereby permitting the creation of an “anti-terrorist database.”
• “Systematic Volunteerism:” In some of the countries studied, the government obtains systematic access to private sector information through voluntary arrangements. In Brazil, for example, as Bruno Magrani notes in his chapter in this volume, many companies such as Mercado Livre include in their terms of service permission to voluntarily disclose information to law enforcement. Companies establishing such arrangements appear motivated by a variety of factors, Magrani states, including “patriotism, a desire for good relations with government agencies (both for regulatory and sales purposes), a lack of understanding that national law does not require compliance with such requests, fear of reprisals if they do not cooperate, and the ability to generate revenue by selling the government access to the data they possess.” In China, notes Zhizheng Wang, “private-sector entities might provide government officials with voluntary broad access to data in seeking favorable policy or government investment.” An additional motivating factor for bulk disclosure may be efficiency (easing the administrative burden of processing many individualized requests). In the United States, by contrast, it seems that concerns about liability discourage voluntary cooperation.
• Importance of Trans-border Access and Sharing: Although most of the countries appear to consider multinational access and sharing essential to national security and law enforcement activities, these arrangements received relatively little attention in the chapters commissioned. Difficult jurisdictional issues cut across a wide spectrum of areas in the globalized information society. The Snowden leaks have drawn major attention to the fact that, with the emergence of globalized services, access in one country can easily affect large numbers of people outside that country. Increasingly, governments are exploring mechanisms that would permit law enforcement officials in one country to gain access in some circumstances to data stored in another country without triggering the host country’s legal processes. For example, the United States and the UK are negotiating an agreement that would permit such access, with limitations,43 and the US Department of Justice has proposed legislation that would clear the way for such agreements.44 Separately, even before the Snowden leaks, several authors duly noted the existence of the UK-US agreement (which also extends to Australia, Canada, and New Zealand) to share information obtained by electronic surveillance, and recent leaks have exposed further details about this and other sharing and cooperation agreements.45
This chapter now presents a more detailed comparative analysis, proposing a set of descriptive and normative frameworks that might help governments, the private sector, privacy advocates, and other stakeholders confront the issues associated with government access to privately-held data in general and the issue of systematic access in particular. We approach this assessment with considerable humility. Comparative legal analysis is always difficult without an in-depth knowledge of the systems at issue, and in the context of systematic government access the task is made more difficult by the ambiguity in laws and lack of transparency in practices that we have repeatedly mentioned. Nevertheless, in the spirit of contributing to a more nuanced international dialogue around standards for systematic government access, we offer some comparative observations.
We first offer a descriptive framework for government access laws. Using this framework, we have attempted to summarize the laws of 12 of the 13 countries surveyed by TPP.
In Section VII, we offer a normative framework, drawing on widely-accepted understandings of “the rule of law” and on the case law of the European Court of Human Rights, which represents a comprehensive transnational body of law on government surveillance.
A. The Descriptive Framework
In researching governmental access rules and practices, we found that most legal systems had addressed separately the questions of government access to communications and metadata associated with communications, and to business records of various types. The laws relating to access to communications and communications metadata seem to have grown out of an almost universal recognition of two competing propositions: that communications privacy is an essential right, and that the ability to intercept communications in real time or to access communications and associated data in storage is an important investigative technique for both criminal investigations and the protection of national security interests. Accordingly, most countries seem to have laws addressing communications privacy and governmental access to communications. Whether those laws have kept pace with technological development is another question. However, we found that certain basic issues presented themselves time and again across different legal systems. For example: Are there separate rules for law enforcement and national security access? Is judicial or senior level executive approval required for access? Are companies subject to data retention or network design mandates?
As a framework for cross-border comparisons of government laws regulating access to communications and associated metadata, we identified nine recurring factors. Table 1.1 outlines nine factors to consider in describing a country’s legal system for government access to private-sector data:
Table 1.1. The Descriptive Framework
Of course, as we noted above, government demands for access to data, including for systematic access, are directed at many other sectors, particularly financial services and travel. Accordingly, we sought to analyze laws and practices in the 13 countries we surveyed in terms of standards for government access to other types of business records. This task proved much more difficult, because in many countries, even those with otherwise comprehensive privacy laws, rules on government access to data and on systematic reporting may differ sector by sector. Table 1.2 lists 14 factors that constitute a normative framework for assessing national laws and practices concerning access to personal data held by the private sector.
Table 1.2. Government Access to Business Records
B. The Descriptive Analysis: Comparative Observations
The following section highlights the similarities and differences in the government access rules in the countries studied. The discussion touches on both standards for real-time access and standards for access to stored data, and focuses mostly on communications content and metadata, in part because of the ongoing intensive governmental, public, civil society, and media focus on these matters, rather than on other forms of business records, where the issues are also important and inherently transnational. Unless otherwise noted, the descriptions of each country’s law are drawn from the country reports that follow in subsequent chapters of this volume.
1. Source of Authority, Standards and Limits
a. Constitutional Authority
The majority of countries surveyed recognize the right to privacy in their national constitutions, with the exception of Australia and the UK. Whereas the constitutions of some countries include an explicit privacy provision, in other countries, courts have inferred a right to privacy from other constitutional provisions. Both the United States and Canada apply a “reasonable expectation of privacy” test to define the scope of that right vis-à-vis the government. In Germany and Israel, the constitutional basis of information privacy is especially strong. Germany recognizes a constitutionally based “right of informational self-determination,” and a highly engaged German public and press ensure that such rights are taken very seriously. In Germany, for example, intrusions on privacy require a valid basis in law and must satisfy a principle of proportionality. Similarly, privacy in Israel is a constitutional right subject to a “limitation clause,” with the result that government access must be expressly authorized and pass constitutional muster, including a proportionality test.
However, in all of the countries studied, the application of constitutional standards is by no means an absolute bar against government access to private sector data. To the contrary, governments enjoy substantial powers to collect or intercept data, under a variety of laws and programs. In the United States, a major exception to the right to privacy is the third-party doctrine (discussed below), which leaves business records outside the Constitution’s protection. In Germany and Israel, access laws have been upheld even after the courts applied balancing tests that heavily weigh the fundamental right to privacy. As noted above, article 8 of the European Convention tolerates secret surveillance in signatory states (Germany, the UK, France, and Italy) provided that national laws provide adequate safeguards against potential abuse. In Brazil, however, at least one judicial decision suggests, as Magrani explains, that article 5, item XII of the Constitution (secrecy of correspondence, telegraphic data, and telephone communications) protects the flow of data even against judicially authorized wiretapping.
In sharp contrast, China stands out among the 13 countries surveyed in two fundamental respects: first, it is the only non-democratic country; second, its constitution (and laws) grant extensive surveillance powers to the state for purposes of national and public security. Thus, the government has extensive authorities and “generous room for flexibility” in accessing private data in the name of maintaining state security and the social order.46 In India, too, although India is a democracy, the constitution imposes few meaningful limits on the government’s broad surveillance powers.
b. Statutory Authority
Australia, Canada, Israel, Japan, South Korea, and all of the European countries have comprehensive national privacy statutes. The United States has no omnibus privacy law, but rather follows a sector-specific approach, with separate laws protecting communications data, financial data, health data, and other categories. In addition, international treaties can also be an overlapping source of legal authority for privacy, including Article 8 of the European Convention on Human Rights and Article 11 of the Inter-American Convention on Human Rights.
However, in all the countries surveyed, whether the nation has a comprehensive privacy statute or sectoral laws, those statutes have exceptions permitting government surveillance of communications and government access to stored records. Real-time surveillance is addressed in the majority of countries (other than China and India) in surveillance laws whose principles and concepts generally fit within the descriptive and normative frameworks outlined above.
Against this commonality of approach, China and India stand out among the 13 countries surveyed. In China, it is very easy to override existing statutory restrictions on national security or public order grounds. Thus, Chinese law explicitly authorizes governmental access to privately held data and/or lacks explicit limitations on such access. Indeed, Chinese national security law allows for the inspection of electronic communication instruments belonging to “any organisation or individual” for purposes of state security with few if any limitations.47
Indian surveillance laws also have very limited or very weak restrictions on government access. Although a 1997 decision established certain safeguards under India’s long-standing Telegraph Act of 1885 governing telephone interception, the Information Technology Act of 2008 substantially weakened existing standards. It permits interception of electronic communications to prevent “incitement” of any cognizable offense related to public emergency, public safety, and public order, or for investigation of any offense as well as for a range of cyber security purposes. Under the relevant rules, intermediaries must provide a high degree of assistance to law enforcement, agencies can freely share data, and the rules relating to the collection of traffic data also permit extensive monitoring for cyber security matters. India’s ISP licensing system also permits extremely broad government access rights while neglecting well-established international safeguards such as requiring a court order, internal agency restrictions on access to intercepted materials, and individual redress.
Among the countries we studied, Israel faces unique national security concerns.48 Both the courts and the attorney general (which in Israel is a non-political and highly autonomous function) play a key role in interpreting a set of laws that deal with surveillance by both the police and by the various intelligence services (military intelligence, internal security (GSS), and foreign intelligence (Mossad)). The Israeli intelligence services enjoy far more leeway than the police in conducting surveillance. For example, as Omer Tene explains, the Wiretap Act allows military intelligence and GSS to obtain wiretap permission from a very senior official without judicial oversight. The Communications Data Act regulates access to traffic data by the police under multiple tracks, some of which require judicial oversight and some of which do not. In contrast, GSS (which is regulated by a separate law) has much broader access without judicial scrutiny. This includes a requirement that fixed line and cell operators must transfer to GSS certain categories of communications data as determined by the prime minister.49 Although concerns about law enforcement access have sometimes spawned government inquiries and public outcry, the press and the public seem more acquiescent with regard to access for internal security purposes. On the other hand, Tene notes, the law regulating GSS imposes certain accountability and transparency requirements.
c. Law Enforcement versus National Security
The majority of countries have enacted separate laws or separate procedures addressing access in the domestic law enforcement context as opposed to national security (or foreign intelligence) activity. In the UK and other countries, the rules for both arenas are set out in a single law (now the Investigatory Powers Act of 2016), whereas the United States applies quite different standards in the two arenas through separate statutes—the Wiretap Act and the Stored Communications Act for law enforcement and FISA for foreign intelligence. In India, there is no clear distinction between law enforcement and national security access, whereas China distinguishes them but imposes few if any restrictions on the latter. Although Australia,50 Canada, and the United States apply special, arguably more lenient rules to national security access, these rules remain subject to constitutional limitations.
At the opposite extreme is Japan, where the government’s statutory authority to engage in surveillance either for law enforcement or intelligence purposes is very limited as compared with all of the other countries studied. Although Japan enacted its first wiretap law in 1999, Japanese society strongly disfavors the use of wiretaps and the number of communications intercepts is minuscule. Moreover, Japanese law lacks any statutory basis for authorizing wiretaps for counterterrorism purposes. Similarly, the Brazilian constitution only authorizes interception of communications for criminal investigations, and although Brazil maintains an intelligence apparatus, the lead intelligence agency lacks both investigative and surveillance powers.
2. Content/Non-content Distinction
A number of countries (Australia, Brazil, Canada, Germany, Italy, Israel, South Korea, the UK, and the US) draw a legal distinction between the content of communications and various types of non-content,51 establishing higher standards for government access to the former and lower standards for access to the latter. For example, Brazilian courts have ruled that “judicial authorisation is not required for the Police or the Public Prosecutor’s Office to have access to subscriber-identifying data from companies,” on the grounds that anonymous speech is constitutionally prohibited. British law imposes very few controls on access to non-content data (both communications attributes and subscriber data), which are easily accessible by a very large number of central and local officials, simply requiring that a senior official make a request. There were over half a million such requests in 2010.52 Similarly, non-content requests are subject to lower standards in Australia, Brazil, Israel, Italy, South Korea, and the United States. On the other hand, it appears that neither India nor Japan distinguishes between content and non-content requests.
3. Technology/Business Model Neutrality
Most of the countries studied apply the same standards for real-time interception of content (voice communications, text messages, email, and so on) regardless of the technology on which the content is transmitted or the business model of the service provider, with three exceptions. China has enacted multiple, Internet-related laws regulating very specific services (e.g., traditional ISPs, telecoms, content providers, data centers, messaging services, news services, etc.). Germany follows a “layer model” that draws complex distinctions between the content of online communication, the services provided on the Internet, and the “levels” at which data transfer takes place, all of which are regulated under different laws. Finally, the United States distinguishes between communications in real time and in storage and protects them differently.53
4. Third Party Doctrine
In the United States, there is long-standing precedent that the Constitution’s Fourth Amendment, which protects against unreasonable searches and seizures, does not apply to records held by third parties.54 Accordingly, in the United States, privacy protection for business records mainly flows from statute.55 The United States is more or less unique in affording no constitutional protection to third-party data, although a few other countries also handle third-party data somewhat differently. For example, in Canada, a reasonable expectation of privacy does not attach to information held by a third party with no obligation to maintain confidentiality.56 China, on the other hand, seems to accord higher protection to data stored in the cloud, apparently in an effort to attract international investors who might otherwise be wary of the “golden shield” projects (discussed below).
5. Use, Retention, Disclosure Limits
The European countries in the survey have all implemented the 1995 EU Data Protection Directive,57 which limits collection, retention, and disclosure of personal data by the public and private sectors. However, the Directive expressly does not apply to processing of data for law enforcement or national security purposes. Israel also has a comprehensive privacy law but it too does not apply to the activities of the police or internal or external security services. Canada and the United States have Privacy Acts that regulate the collection, use, and retention of personal data by federal governmental entities; those Acts apply to law enforcement and intelligence agencies, but the US law allows many exceptions for law enforcement and intelligence databases. Key provisions of South Korea’s comprehensive data protection law do not apply to data collected for national security purposes. In 2014, Brazil enacted the Marco Civil law, which allows the government to require companies to retain connection records for Internet applications for one year, and other Internet connection records for six months.58 A draft data protection law has been under consideration in India, whereas the Chinese legislature in 2013 passed a data protection resolution. Although that Chinese law contains “significant and far-reaching requirements applicable to the collection and processing of electronic personal information via the Internet,”59 it obviously does not impose any meaningful limits on government access for security purposes.
6. Oversight Mechanisms
Each country except China has some process of independent oversight of surveillance and government access. However, standards vary widely. In India, courts play a very limited role. Although older laws required a court order for access to letters and telegrams, Sunil Abraham finds that these safeguards are “no longer relevant in today’s information society.” More recent enactments in India offer much weaker protections and seem to minimize the role of courts in authorizing wiretaps, access to non-content data, and access for national security reasons. In particular, the Information Technology Act of 2008 dispenses with case-by-case authorizations for access to data in favor of blanket authorizations, and permits the use of such data for broad and generic purposes. India also suffers from problems with corruption, and there are reports that “law enforcement officials abuse their positions to dilute data access safeguards.” In Germany, prior judicial approval is required for wiretapping by the police in criminal cases, but interception for intelligence purposes is conducted upon the approval of the Interior Minister and a commission appointed by Parliament.60 Germany’s Constitutional Court has played a key role in overseeing the surveillance activities of Germany’s foreign intelligence agency, the BND, forcing several amendments to the G-10 statute that regulates so-called “strategic surveillance” for intelligence purposes. In the United States, prior court approval is required for both law enforcement and foreign intelligence surveillance conducted inside the United States, with one exception that has loomed large after the Snowden leaks: when surveillance conducted inside the United States targets noncitizens who are believed to be outside the United States at the time of the access, the courts approve only the broad outlines of the surveillance program, and individual targeting decisions are made by the NSA.
7. Design Mandates
As far as we know based on the country chapters and additional research, only a few of the countries studied have explicit design mandates. For example, Israel, Australia, Germany, and the United States have enacted laws authorizing government officials to seek changes to the design of telecom equipment, facilities, and services to ensure that they have built-in surveillance capabilities. In the UK, the government may impose obligations on public telecom services to ensure that they maintain interception capability.61 China and India have sought to control network design without explicit statutory authority. Although China has undoubtedly succeeded, the results in India are more ambiguous.62 In other countries, the issue has not surfaced in public debate, perhaps due to the close relationship between government authorities and service providers, with the latter voluntarily taking steps to ensure that their facilities are wiretap-ready.
8. Retention Mandates
A few of the countries studied have imposed data retention mandates on telephone companies, ISPs and other service providers. The UK, France, Italy, and Germany enacted data retention laws as required by the EU Data Retention Directive, but in 2014 the Court of Justice of the European Union invalidated the Data Retention Directive, finding it inconsistent with the European Charter of Fundamental Rights.63 In 2016, the Court invalidated the specific data retention laws of the UK and Sweden. The German statute required telecommunication providers to store specific kinds of traffic and location data for a period of six months. In 2010, the German Constitutional Court struck down the statute. However, Germany in 2015 enacted a new law that requires the retention of phone and Internet metadata for 10 weeks.64 China imposes extensive mandatory data retention on telecoms, ISPs, and content providers. In Brazil, companies must retain connection records for Internet applications for one year, and other Internet connection records for six months.65 Our research indicated that Canada, Japan, and the United States lack generalized data retention mandates.
A. The Normative Framework
In this section, we turn from a description of government access rules to the normative question of how national rules measure up against the standards for surveillance identified by the European Court of Human Rights.
Government surveillance demands, whether for access to one account at a time or for systematic access, and whether for regulatory, law enforcement, or national security purposes, do not arise in a normative vacuum. A series of factors for assessing governmental demands can be derived from the concept of “rule of law” and from existing (although still evolving) international human rights jurisprudence.
The “rule of law” is an internationally recognized concept encompassing, at a minimum, principles of transparency, limits on the discretion of government officials, and accountability.66 A leading legal philosopher, Joseph Raz, identified eight key principles of the rule of law, of which six are especially relevant to questions of government surveillance and access to data held by the private sector:
1. Laws should be prospective, open, and clear;
2. Laws should be relatively stable;
3. The rules for making particular laws should be open, stable, clear, and general;
4. The judiciary should be independent;
5. Courts shall have review power over all other principles; and
6. “The discretion of the crime-preventing agencies should not be allowed to pervert the law.”67
These principles have been embodied in major international human rights instruments. In addition, major human rights instruments protect the right to privacy.68 Of greatest relevance, because it has generated the largest body of interpretative case law setting out standards of global relevance, is Article 8 of the European Convention on Human Rights (1950), which states in relevant part:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.69
The Convention is in effect binding on EU Member States, as Article 6(3) of the Treaty on European Union states, “Fundamental rights, as guaranteed by the European Convention for the Protection of Rights and Fundamental Freedoms … shall constitute general principles of the Union’s law.”70 The European Court of Human Rights (Strasbourg Court), whose decisions are binding on the 47 Member States of the Council of Europe, has issued multiple rulings on the applicability of Article 8 to secret systems of surveillance.71 Although the Convention preceded the Internet by many years and does not explicitly contemplate modern means of communication, the Strasbourg Court has successively applied Article 8-1 to telephone conversations,72 telephone numbers,73 computers,74 and the Internet and email.75 The Court has held that the existence of legislation that allows a system of secret monitoring entails a threat of surveillance for all those to whom the legislation may be applied, and that this threat itself amounts to an interference with rights under Article 8, allowing persons to invoke the Court’s jurisdiction even if they cannot prove that they themselves have been subjected to surveillance.76 In addition, the Court has held that the sharing of data with other government agencies, which enlarges the group of persons with knowledge of the personal data intercepted and can lead to investigations being instituted against the persons concerned, constitutes a further separate interference with Article 8 rights.77
Once it is determined that surveillance of a given form of communication constitutes interference with the rights guaranteed by Article 8-1, the Court next considers whether the interference is justified under Article 8-2 by assessing it in light of three tests: First, is it “in accordance with the law”? Second, is it pursued with one or more legitimate aims (including national security) in mind? And, third, is it “necessary in a democratic society”? The Court’s decisions have enumerated specific criteria for applying these standards.
A very clear statement of these criteria is found in the Weber and Saravia case,78 which examined “strategic surveillance” under Germany’s G-10 Act.79 In deciding that the G-10 Act did not violate Article 8, the Strasbourg Court first reiterated that the expression “in accordance with the law” has two elements: It requires (1) “that the impugned measure should have some basis in domestic law.” It also refers, the Court said, to (2) “the quality of the law in question, requiring that it should be accessible to the person concerned, who must, moreover, be able to foresee its consequences for him, and compatible with the rule of law.”80
In Weber and Saravia, the Court found that the German law readily satisfied the “basis in law” requirement. As to the foreseeability requirement, the Court said that, in the context of surveillance, this does not require any self-defeating form of notification that would allow an individual to adapt his conduct accordingly to avoid interception of his communications. Rather, the Court said, in view of the risks of the arbitrary exercise of secret powers, it is essential to have detailed rules that are clear enough to give citizens “an adequate indication” as to the circumstances and conditions under which government agencies are allowed to resort to surveillance measures.81 The Court went on to specify certain minimum safeguards that must be set out by statute for surveillance laws such as the G-10 Act to avoid abuses of power and satisfy the “in accordance with law” standard. Specifically, a statute must specify:
… the nature of the offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.82
In another case, the Court made it clear that the requirement that conduct be prescribed by law also applies to the treatment of material after it has been obtained, meaning that the law must specify the “procedure to be followed for selecting for examination, sharing, storing and destroying intercepted material.”83
Next in Weber and Saravia, the Court turned to the purpose and necessity tests. As the aim of the G-10 Act is to safeguard national security and/or prevent crime, its purposes squarely fit within the terms of Article 8(2). As to whether the interferences permitted by the G-10 Act are “necessary in a democratic society,” the Court relied on a balancing test that weighs “all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to authorise, carry out and supervise them, and the kind of remedy provided by the national law.”84 Under this balancing test, the Court concluded that although national authorities retain a degree of discretion over how best to structure a system of surveillance in response to terrorism and related threats, domestic surveillance laws may not grant unfettered power to law enforcement or intelligence agencies.
Based on the tests developed in earlier cases and reiterated in the Weber and Saravia case, the Strasbourg Court has developed fairly detailed guidelines for assessing national surveillance law.85 For example, in Weber and Saravia itself, the Court found that an amended version of the G-10 Act authorizing strategic interception of international communications was consistent with Article 8 because the statute contained the following elements: The search terms had to be listed in the monitoring order, which also had to set out detailed rules on storing and destroying any data obtained using these search terms, and the authorities storing the data had to verify every six months whether the data was still necessary to achieve the purpose for which they had been obtained by or transmitted to them. If that was not the case, they had to be destroyed or deleted from the files, or access to them had to be blocked, and all of these steps had to be recorded and, in some cases, supervised by a senior official.86
In the Klass case, which concerned the targeted surveillance provisions of the German G-10 Act (distinct from those at issue in Weber and Saravia), the Court identified a series of limiting factors in the Act that led it to find those targeted surveillance provisions also to be in conformity with Article 8: the Act required a factual indication of suspicion; exhaustion of less intrusive means; particularity as to a specific suspect and his presumed contacts (hence “exploratory or general surveillance” is not permitted); a written application for a surveillance order from a senior official; decision by a senior official; limited duration of no more than three months; implementation by an official qualified for judicial office; and oversight by an independent entity.87
More recently, in a unanimous Grand Chamber decision, the Court in Zakharov found serious and widespread faults with the Russian legislation regulating the surveillance of mobile communications. Among the more glaring defects in the Russian law were the fact that although the law requires prior judicial authorization for interception measures, Russian judges in practice only apply purely formal criteria in deciding whether to grant an authorization and “do not verify whether there is a ‘reasonable suspicion’ against the person concerned and do not apply the ‘necessity’ and ‘proportionality’ test”;88 and that Russian “courts sometimes grant interception authorisations which do not mention a specific person or telephone number to be tapped, but authorise interception of all telephone communications in the area where a criminal offence has been committed.”89 Additionally, the Court observed the security services and the police had the technical means to circumvent the authorization procedure and to intercept any communications without obtaining prior judicial authorization.90
Table 1.3. The Normative Framework
B. The Normative Analysis: Comparative Observations
With respect to the standards for real-time surveillance in criminal investigations, the laws in all of the countries we surveyed (except China and India) are broadly consistent with the normative factors set forth in Table 1.3. That is, the countries generally have statutes expressly authorizing (“in accordance with law”) real-time interception of communications content only for the investigation of serious offenses and only upon the approval of both a senior executive branch official and an independent judicial officer. Such statutes generally place limits on the duration of the surveillance and the use of information obtained. The statutes seem to be premised on the principle of particularity—that is, they only authorize surveillance targeted at a specified person, device, or account. Also, almost half the countries studied do not have provisions expressly limiting the scope of the content that can be recorded (by requiring that government agencies not record irrelevant data or, if they do, that they do not retain such data) and almost the same number lack laws requiring notice of surveillance to the target of surveillance or other persons whose communications are intercepted. China meets none of the 14 standards identified in our normative framework, and India meets only one of the 14 (approval of a senior officer required) and somewhat addresses another standard (loosely tying surveillance to suspicion of criminal conduct by requiring that the surveillance be “necessary or expedient” for the investigation of an offense).
Although standards for real-time interception of communications are uniformly high, standards for access to stored communications held by third parties are less consistent. In France, for example, stored documents can be accessed in some circumstances by the judicial police or customs authorities and in other cases upon the approval of the public prosecutor. In the United States, the Electronic Communications Privacy Act (ECPA) provides that service providers can be forced to disclose stored content with a subpoena, issued without judicial approval, although an appellate court has held that process to be in violation of the Constitution, and service providers and the Justice Department now seem to agree that a judicial warrant is needed to compel third-party disclosure of content. To the extent that any laws expressly address stored content, it is not clear whether any of them give attention to the questions of scope or minimization; that is, although real-time interception is normally approved for periods of limited duration and some laws limit the recording of irrelevant information, it is not clear whether orders for disclosure of stored communications contain any temporal scoping limitations, and it is not clear how rules on minimization of irrelevant data would be applied in the case of disclosure of stored data.91 In Europe, however, under Article 8 of the Convention, acquisition of stored content might be subject to a requirement that the law authorizing the collection must specify the procedure to be followed for selecting the material to be collected.92
When it comes to transactional data regarding communications, standards are even weaker. In the UK, traffic data can be obtained upon the demand of a very wide range of government officials, including in non-criminal matters. In the United States, stored telephone metadata is available without a court order (but not cell site location information), whereas access to Internet metadata and real-time interception of telephone or Internet metadata require a court order. In Australia, the law permits voluntary disclosure of communications metadata to law enforcement and intelligence agencies while also providing for mandatory disclosure upon request. In South Korea, although it is clear that the government must obtain a court order to require a telecommunications service provider to disclose transactional data (“communications confirmation data”), the vagueness of the provisions seemed to allow ISPs to voluntarily disclose such data to the government without a court order and such voluntary disclosures used to be customary. However, a major court ruling in 2012 cast doubt on the legitimacy of voluntary disclosures.
With respect to the standards for government access to communications in national security investigations, the overall picture is very complex. For example, whereas most countries surveyed (again, leaving aside China and India) require a court order for surveillance in criminal investigations, almost half the countries studied do not have provisions requiring court orders for surveillance undertaken in the name of national security or for foreign intelligence gathering. Likewise, at least half do not pose limits on the scope of national security requests, or require notice to targets.
Although laws setting standards for interception in criminal cases generally require targeted surveillance, the rules for national security are much less consistent in imposing a particularity requirement. The statutes in Germany and the UK expressly allow large-scale, untargeted collection of communications with one leg originating outside the country. The US and French laws distinguish between communications carried by wire (including fiber) and communications transmitted over radio waves (including satellite transmission); in both countries, the relevant statutes permit non-targeted surveillance of radio communications where one end of the communication originates abroad. Canada and Australia have long collaborated with the United States and the UK in bulk collection programs.
In addition, it is worth noting the diversity of oversight mechanisms in both criminal and national security investigations. They include annual reports on the number of intercepts and other information, which are delivered either to senior government officials or to legislative committees; reviews by appointed oversight commissions; audits; and legislative investigations. The United States has multiple oversight mechanisms. Even warrantless surveillance under the now notorious PRISM program is overseen by the Foreign Intelligence Surveillance Court, which approves the targeting and minimization procedures and monitors implementation of the program. The Privacy and Civil Liberties Oversight Board is an independent agency established by Congress to review and analyze executive branch antiterrorism efforts and ensure both that they are balanced with the need to protect privacy and civil liberties and that liberty concerns are considered in the formulation of related law and policies.93 As Paul Schwartz has suggested, however, many such formal oversight mechanisms are quite ineffective and amount to little more than what he calls “privacy theater.”94 In countries with an independent press and/or strong laws protecting the freedom of speech, informal oversight mechanisms, though raising their own complications under criminal and national security laws, also play an oversight role. The efforts of the press, advocacy groups, government watchdog groups, and various dissenters encourage public debate and enhance government accountability.95
In terms of location data, most of the countries studied permit location tracking subject to a weak standard. For example, location data may be tracked without a warrant in Australia, China, Germany, India, Israel, and the United Kingdom. In the United States, however, the relevant doctrine is more complex thanks to a recent Supreme Court decision, United States v Jones,96 announcing a new, trespass-based test for what counts as a search under the Fourth Amendment. Although Jones applied the trespass test to find that the installation of a GPS device on a vehicle with the intent to use it was a search, the exact circumstances under which the use of such a device requires a warrant are not yet clear. The standards under which government agencies can compel disclosure of cell site location information are less settled. ECPA requires, at a minimum, a court order, and a majority of courts have held that a warrant is needed for real-time tracking, whereas a majority of courts have held that a full warrant is not necessary to compel disclosure of stored location records.
Most countries handle travel and financial data under laws requiring routine, bulk reporting for specified classes of data. For example, most countries require passenger data reporting for air travel (Australia, Brazil, Canada, China, Israel, South Korea, the UK, and the United States). International arrangements for sharing passenger data are more controversial.97 All 13 countries also require anti-money-laundering reporting under generally similar national laws (under which large financial transactions must be reported). Italy and others require certain entities to notify the tax authorities of various other transactions; in Italy, this is a direct response to the high level of tax fraud and evasion.98
With respect to the normative standards for government access to business records, the results are more difficult to summarize. In Australia, for example, a police officer seeking documents (including in electronic form) may make an application to a federal magistrate for a “notice to produce” order. To grant such an order, the magistrate must be satisfied, on the balance of probabilities, by information on oath or by affirmation, that: (1) the person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious offense; and (2) giving the person a notice under this section is reasonably necessary, and reasonably appropriate and adapted, for the purpose of investigating the offense. However, if an authorized police officer considers on reasonable grounds that a person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious terrorism offense, no prior court approval is required. Similarly, in the UK, Section 19 of the Counter-Terrorism Act provides that “A person may disclose information to any of the intelligence services for the purposes of the exercise by that service of any of its functions.”99 Most countries, with the exception of China and India, observe some limits on use, retention, and disclosure; provide oversight and redress mechanisms (ranging from complaints to a Privacy Commissioner to civil actions); and must satisfy various reporting requirements. However, limits on use and disclosure often have many exceptions. In Australia, for example, information obtained by one agency for a specific purpose may be available to a range of other agencies for quite different purposes. In Europe, the European Court of Human Rights has explicitly held that a transmission of data to and their use by other authorities constitutes “a further separate interference” with the right to privacy under Article 8 of the Convention.
Such disclosures are not flatly prohibited but must be subject to the same principles of legality and necessity; in Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, the Court expressly declared Bulgaria’s intelligence surveillance law to be inconsistent with the Convention because it did not place adequate limits on disclosure and use.
Of all the countries surveyed, Germany has most expressly addressed the issues associated with systematic access to business records and the application to those records of analytic techniques for law enforcement purposes. On the one hand, as Paul Schwartz noted, data mining is an established law enforcement technique in Germany. (The German term for the practice is “screening search.”) On the other hand, the German Constitutional Court has set limits on the use of the technique. In Germany, laws at the federal and state levels distinguish between the use of “data screening” to (1) investigate past crimes, or (2) permit a preventive response to potential crimes. Data screening to investigate past crimes is regulated by various state laws and at the federal level by Section 98a of the Criminal Procedural Code. The federal statute permits screening searches only where there are “sufficient factual indications to show that a criminal offense of significant importance has been committed.” However, there are state statutes that permit a preventive use of data screening. In 2006, the German Federal Constitutional Court established significant limits on such law enforcement use of this practice. In its Data Screening opinion, the Constitutional Court used a proportionality standard to find that data screening for preventative purposes was constitutionally permissible only when the police had concrete facts indicating that a serious crime was being planned. Further study of the use of screening searches in Germany since the Constitutional Court’s decision may yield useful lessons.
Our research into systematic access, augmented by the Snowden revelations, suggests at least four conclusions, each posing unresolved challenges.
First, technological developments associated with the digital revolution make it easier than ever for governments to collect, store, and process information on a massive scale, and governments seem to be exploiting those developments—and responding to pressing threats such as terrorism—by demanding more and more information. At the same time, ongoing developments in the ability to analyze large data sets are leading governments to assert that they can extract crucial but otherwise unobtainable insights from big data. For example, in the context of defending its telephony metadata program, the US government has expressly argued that, in order to find “the needle in the haystack,” it needs to acquire the entire haystack. Though governments have long required corporate entities to systematically report certain data, such as currency transactions over certain thresholds, that information used to remain “stovepiped.” Government agencies today are under information-sharing imperatives, and modern analytic techniques are seen as offering increasingly powerful abilities to draw from data meanings that are unrelated to the purposes for which it was initially collected.
• Policy implications: The trend toward systematic collection poses challenges to the existing legal frameworks because many of the statutes regulating government access and data usage were premised on particularized or targeted collection, minimization, and prohibitions on information sharing and secondary use.100
Second, as Internet-based services have become globalized, trans-border surveillance—surveillance in one country affecting persons in another—has flourished. Gone are the days when intelligence agencies had to acquire data from a point within the country where the data originated (or with an antenna aimed at the targeted country). Now, in many instances, communications to or from people in one country pass through or are stored in other countries, where they are available to those governments. The United States is perceived as having unique advantages in this respect, both because a large percentage of the world’s communications pass through or are stored in the United States and because the United States has invested vast resources in collection capabilities, but the United States is not alone in exploiting global data flows. Moreover, the global flow of data and the popularity of US-based services not only means that the United States has access, inside the United States, to the communications of those living and working outside the United States, but it also means that the United States has access outside the United States to communications of persons living and working inside the United States, for those communications to and from people in the United States can be captured as they move among servers outside the United States.
• Policy implications: The rise in trans-border surveillance raises complex questions. To begin with, statutory frameworks for surveillance tend to be geographically focused and draw distinctions between communications that are wholly domestic and communications with one or both communicants on foreign soil. Moreover, statutory frameworks, as far as we can tell, often draw a distinction between the collection activities that an intelligence service performs on its own soil and the activities that it conducts extraterritorially. This is certainly true of the United States: the Wiretap Act and the Foreign Intelligence Surveillance Act do not regulate the conduct of the United States outside US territory (with a minor exception for intelligence surveillance outside the United States targeting US persons outside the United States). Lowered standards for trans-border surveillance have a substantial impact on companies that offer global communications services and want to be able to assure their customers worldwide that their communications are secure. It also raises human rights questions about the existence and scope of state duties to protect and respect privacy and free expression of people outside the state’s territorial boundaries; although privacy is universally recognized as a human right, some governments (including the US) assert that their human rights obligations have a territorial limit.101
Third, national security legal authorities such as Section 12 of the Counter-Terrorism Act of 2008 have become increasingly powerful since 9/11 in the UK and some European countries, the United States, and globally. It has long been the case that governments have claimed greater powers to collect data in the name of national security than in ordinary criminal law enforcement cases.
• Policy implications: In the post 9/11 world, at precisely the time that technological capabilities are increasing, and at precisely the same time that global data flows are expanding exponentially, national security powers have been getting stronger, raising new questions relating to the trust that citizens, customers, and users vest in governments and corporations alike.
Fourth, this expansion in powers has been supported by extreme secrecy. In the United States, for example, a provision in the PATRIOT Act that seemed to authorize particularized disclosures had been interpreted by secret court order to authorize ongoing bulk collection. Moreover, judicial doctrines in the United States (and probably elsewhere) make it very difficult to obtain an effective remedy for possible violations of privacy, speech, and association rights.102
• Policy implications: The lack of transparency makes it very difficult to have a rational debate about governmental powers and concordant checks and balances. And the lack of openness is leading to proposals such as requiring local storage of data that could fragment the Internet, harming both innovation and access to information.
What we need, globally, is a robust debate about what the standards should be for government surveillance. That debate should be premised on much greater transparency about current practices and about the legal underpinnings of those practices. (Ironically, as a result of the Snowden leaks and of changes in the law, the United States may now have more transparency on its practices and rules than any other country in the world.)
Perhaps a useful framework for making progress on these issues can be found within the context of international human rights law.103 As we explain above, the most fully developed body of international law on government surveillance and privacy is that of the European Court of Human Rights, which over the years has issued multiple decisions on wiretapping, including national security surveillance. The court has never suggested that secret surveillance is per se a violation of human rights. Instead, it has identified a set of checks and balances that could offer sufficient guarantees against the risk of abuse.
• How can we give meaning to privacy in an era of systematic collection and trans-border surveillance?
• If bulk collection is an inevitable reality of the digital age, how can we apply human rights principles such as necessity and proportionality to claims that it is necessary to collect all the data to serve certain compelling governmental needs?
• Given the widely held view that privacy is a universal right and the equally universal rule that governments have broad powers to protect themselves and their peoples from foreign threats, how should we regulate trans-border surveillance?
In a networked world, the standards for government access may be judged not so much in the context of a debate between EU and US laws but rather on the basis of international human rights standards. To at least some extent, there is underway today a movement toward global standards of digital privacy based on international human rights standards. The US government may argue that the PRISM standards actually comport with international law, but that will be an illuminating debate, in which Europeans must explain and defend their own laws by the same standards. If they can have this debate, then government officials in Europe and the United States can work with human rights institutions, civil society, and the Internet industry at large to move the rest of the world toward a set of principles based on transparency, proportionality, and accountability.
(*) The authors wish to thank Jake Laperruque and Christine Galvagna for their assistance in preparing this chapter for publication. Mr. Lee took no part in the preparation of any portions of this chapter referring to US government activities and programs.
(1.) Over its lifetime, the project surveyed 13 countries. Twelve of those surveys are published in this volume, most of them updated to reflect recent developments. Because the UK law was completely rewritten late in 2016, there was insufficient time to update the UK chapter, and therefore there is no UK report in this volume.
(2.) “Personal data” generally refers to any data that relates or is linkable to an identifiable individual, and may include aggregations of data.
(3.) See, for example, Giorgio Resta’s chapter on Italy in this volume.
(4.) Dennys Antonialli and Jacqueline de Souza Abreu, “State Surveillance of Communications in Brazil and the Protection of Fundamental Rights,” Electronic Frontier Foundation (March 2016), at p. 37, https://necessaryandproportionate.org/files/brazil-en-march2016.pdf (“In performing its supervisory duties (article 8, Law no. 9472/97), ANATEL may access billing documents, which contain account information and call records, by requesting them from service providers. At present, there is infrastructure in place allowing direct and unlimited online access, pursuant to article 38, Resolução no. 596/12.”); ibid., at 10.
(5.) Sneha Johari, “Govt’s Central Monitoring System Already Live in Delhi & Mumbai,” Medianama (May 11, 2016), http://www.medianama.com/2016/05/223-india-central-monitoring-system-live-in-delhi-mumbai/. See also Shalini Singh, “India’s Surveillance Project May Be as Lethal as PRISM,” The Hindu (June 21, 2013); Bharti Jain, “Govt Tightens Control for Phone Tapping,” The Times of India (June 18, 2013); Anjani Trivedi, “In India, Prism-Like Surveillance Slips Under the Radar,” Time (June 30, 2013), http://world.time.com/2013/06/30/in-india-prism-like-surveillance-slips-under-the-radar/.
(6.) Olivier Le Bot, “France under Mass-Surveillance? The French Constitutional Council and the Limits on the Intelligence Service’s Powers,” ConstitutionNet (Sept. 29, 2015), http://www.constitutionnet.org/news/france-under-mass-surveillance-french-constitutional-council-and-limits-intelligence-services.
(7.) Investigatory Powers Act, Parts 4 and 7, http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted.
(8.) Ian Brown, “Government Access to Private-Sector Data in the United Kingdom” (2012) 2/4 International Data Privacy Law 230–38. For statistics on the volume of requests for retained transactional data in other European countries, see European Commission, Report from the Commission to the Council and the European Parliament Evaluation Report on the Data Retention Directive (Directive 2006/24/EC) (2011), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0225:FIN:en:PDF.
(9.) Eric Lichtblau, “More Demands on Cell Carriers in Surveillance,” New York Times (July 8, 2012) (the figure of 1.3 million understated the volume as one major carrier did not disclose the number of requests it had received).
(10.) See AT&T Transparency Report (2016), http://about.att.com/content/dam/csr/Transparency%20Reports/ATT_Transparency%20Report_Jan%202016.pdf; Verizon United States Report (last visited April 27, 2017), http://www.verizon.com/about/portal/transparency-report/us-report/; T-Mobile Transparency Report for 2013 and 2014, https://newsroom.t-mobile.com/content/1020/files/NewTransparencyReport.pdf.
(11.) For example, it has been reported that one mobile operator in the United States established an online interface to allow law enforcement agencies to “ping” cell phones for location data. Kim Zetter, “Feds ‘Pinged’ Sprint GPS Data 8 Million Times over a Year,” Wired (December 1, 2009). As Stephanie Pell notes in her chapter in this volume, the Department of Justice Inspector General reported several years ago that major telephone companies had placed their employees, with access to phone company databases, inside FBI offices in order to respond more quickly to FBI requests for metadata records. In 2013, the New York Times reported that AT&T was placing its employees “in drug-fighting units around the country. Those employees sit alongside Drug Enforcement Administration agents and local detectives and supply them with the phone data from as far back as 1987.” See Scott Shane and Colin Moynihan, “Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s,” New York Times (September 1, 2013), http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclipsing-nsas.html?_r=0.
(12.) Barton Gellman and Ashkan Soltani, “NSA Surveillance Program Reaches Into the Past to Retrieve, Replay Phone Calls,” Washington Post (March 18, 2014), https://www.washingtonpost.com/world/national-security/nsa-surveillance-programme-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html.
(13.) European Parliament Study, National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law (October 2013), http://www.statewatch.org/news/2013/oct/ep-study-national-law-on-surveillance.pdf.
(14.) Barton Gellman and Ashkan Soltani, “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say,” Washington Post (October 30, 2013), https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html.
(15.) Center for Democracy and Technology, Data Retention Mandates: A Threat to Privacy, Free Expression and Business Development (October 2011), https://www.cdt.org/files/pdfs/CDT_Data_Retention_Long_Paper.pdf.
(16.) In the United States, see Communications Assistance for Law Enforcement Act (CALEA), Pub L No 103-404, 108 Stat 4279, 4280–81, codified at 47 U.S.C. § 1002 (2000); in the UK, see Investigatory Powers Act 2016, § 253; see also Andrei Soldatov, “Lawful Interception: The Russian Approach,” Privacy International (March 5, 2013), https://www.privacyinternational.org/blog/lawful-interception-the-russian-approach (describing “SORM,” Russia’s nationwide system of automated and remote legal interception).
(17.) See Fred H. Cate, James X. Dempsey, and Ira S. Rubinstein, “Systematic Government Access to Private-Sector Data” (2012) 2 International Data Privacy Law 195.
(18.) See, for example, Michael D. Birnhack and Niva Elkin-Koren, “The Invisible Handshake: The Reemergence of the State in the Digital Environment,” 8 Virginia Journal of Law & Technology 6 (2003); Jack M. Balkin, “The Constitution in the National Surveillance State,” 93 Minnesota Law Review 1 (2008); Jon D. Michaels, “All the President’s Spies: Private-Public Intelligence Partnerships in the War on Terror,” 96 California Law Review 901 (2008); Jon D. Michaels, “Deputizing Homeland Security,” 88 Texas Law Review 1435 (2010).
(19.) See Albert Gidari, Jr., “Companies Caught in the Middle: Legal Responses to Government Requests for Customer Information,” 41 Univ. of San Francisco L. Rev. 535 (2007).
(20.) 50 U.S.C. § 1861 (2010).
(21.) Foreign Intelligence Surveillance Court, Primary Order (July 19, 2013), http://www.uscourts.gov/uscourts/courts/fisc/br13-09-primary-order.pdf. See also Office of the Director of National Intelligence, DNI Statement on Recent Unauthorized Disclosures of Classified Information (June 6, 2013), http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information [hereinafter “DNI June 2013 Statement”].
(22.) USA FREEDOM Act of 2015, Pub. L. No. 114-23, June 2, 2015, Title I.
(23.) See Siobhan Gorman and Jennifer Valentino-Devries, “Details Emerge on NSA’s Now-Ended Internet Program,” Wall Street Journal (June 27, 2013), http://online.wsj.com/article/SB10001424127887323689204578572063855498882.html.
(24.) Barton Gellman and Laura Poitras, “US, British Intelligence Mining Data from Nine US Internet Companies in Broad Secret Program,” Washington Post (June 6, 2013), http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-programme/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html. See “NSA Slides Explain the PRISM Data-Collection Program,” Washington Post (June 6, 2013), http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/.
(26.) Declan McCullagh, “No Evidence of NSA’s ‘Direct Access’ to Tech Companies,” CNet (June 7, 2013), http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of-nsas-direct-access-to-tech-companies/.
(27.) Privacy and Civil Liberties Oversight Board [hereinafter “PCLOB”], Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014), p. 37, https://www.pclob.gov/library/702-Report.pdf.
(29.) Ewen MacAskill, “GCHQ Taps Fibre-Optic Cables for Secret Access to World’s Communications,” The Guardian (June 21, 2013), http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa.
(30.) Ewen MacAskill, “Mastering the Internet: How GCHQ Set Out to Spy on the World Wide Web,” The Guardian (June 21, 2013), http://www.theguardian.com/uk/2013/jun/21/gchq-mastering-the-internet.
(31.) Ewen MacAskill, “How Does GCHQ’s Internet Surveillance Work,” The Guardian (June 21, 2013), http://www.theguardian.com/uk/2013/jun/21/how-does-gchq-internet-surveillance-work.
(32.) Staff, “The German Prism: Berlin Wants to Spy Too,” Spiegel Online (June 17, 2013), http://www.spiegel.de/international/germany/berlin-profits-from-us-spying-programme-and-is-planning-its-own-a-906129-2.html; “German Intelligence Admits to Frankfurt E-Mail Tap,” Wall Street Journal (October 9, 2013), http://blogs.wsj.com/digits/2013/10/09/german-intelligence-admits-to-frankfurt-e-mail-tap/ (“the German weekly Der Spiegel reported in this week’s issue that the German intelligence service … has been tapping the giant De-Cix exchange point in order to spy on foreign targets for at least two years”). The program was ended after the Snowden revelations became public. Von D. Liedtke, W. Löer, U. Rauss, and O. Schröm, “BND-Chef verschwieg lange Operation Monkeyshoulder,” Stern (June 2, 2015), http://www.stern.de/investigativ/operation-monkeyshoulder—bnd-chef-verschwieg-umstrittenes-ausspaehprojekt-vor-kanzleramt-6206512.html.
(33.) Jacques Follorou and Franck Johannès, “Révélations sur le Big Brother français,” Le Monde (July 4, 2013), http://www.lemonde.fr/societe/article/2013/07/04/revelations-sur-le-big-brother-francais_3441973_3224.html; Angelique Chrisafis, “France ‘Runs Vast Electronic Spying Operation Using NSA-Style Methods,’ ” The Guardian (July 4, 2013), http://www.guardian.co.uk/world/2013/jul/04/france-electronic-spying-operation-nsa.
(34.) Amar Toor, “France’s Sweeping Surveillance Law Goes into Effect,” The Verge (July 24, 2015), http://www.theverge.com/2015/7/24/9030851/france-surveillance-law-charlie-hebdo-constitutional-court.
(35.) European Parliament Study, National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law (October 2013), http://www.statewatch.org/news/2013/oct/ep-study-national-law-on-surveillance.pdf.
(36.) Justin Sink, “Patriot Act Author ‘Extremely Troubled’ by NSA Phone Tracking,” The Hill (June 6, 2013), http://thehill.com/blogs/hillicon-valley/technology/303937-patriot-act-author-extremely-troubled-by-nsa-phone-tracking; Letter from Congressman F. James Sensenbrenner to Attorney General Eric H. Holder, Jr. (June 6, 2013), http://www.scribd.com/doc/146169288/Sensenbrenner-Letter-to-Attorney-General-Eric-Holder-RE-NSA-and-Verizon.
(37.) Claire Cain Miller, “Angry over US Surveillance, Tech Giants Bolster Defenses,” New York Times (October 31, 2013), http://www.nytimes.com/2013/11/01/technology/angry-over-us-surveillance-tech-giants-bolster-defenses.html.
(38.) The sole binding international treaty on data protection is the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, CETS No. 108 (1981), http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm. Convention 108 also permits states to enact laws that derogate from data protection responsibilities the Convention would otherwise impose. According to Article 9 of the Convention, such laws must be both necessary in a democratic society and be in the interest of protecting national security, public safety, the monetary interests of the state, or for suppressing crime. Accordingly, the European Court of Human Rights has used the Data Protection Convention to address criminal matters including collection and use of biometric identifiers of arrestees (S. and Marper v. The United Kingdom, Application nos. 30562/04 and 30566/04, Judgment of 4 December 2008), and retention and disclosure of records of crime (Gardel v. France, Application no. 16428/05, Judgment of 17 December 2009, and M.M. v. The United Kingdom, Application no. 24029/07, Judgment of 13 November 2012).
(40.) One of the documents leaked by Snowden indicates that, starting in 2004, the executive branch in the United States began to seek and obtain court approval for its bulk collection programs, bringing them under statutory authority, but based entirely on secret interpretations of those statutes. See “Draft NSA Inspector General Report on Email and Internet Data Collection, Dated 24 Mar. 2009,” The Guardian (June 27, 2013), http://www.theguardian.com/world/interactive/2013/jun/27/nsa-inspector-general-report-document-data-collection.
(41.) Although national law often excludes national security and law enforcement from the scope of data protection laws, regional human rights instruments such as the European Convention on Human Rights do cover, and constrain, such activities. Adequate standards based on human rights instruments are discussed below in Section VI(B).
(42.) See Jane Bailey and Sara Shayan’s chapter in this volume.
(43.) See Ellen Nakashima and Andrea Peterson, “The British Want to Come to America—with Wiretap Orders and Search Warrants,” Washington Post (February 4, 2016), https://www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america—with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html.
(44.) See letter from Peter J. Kadzik, Assistant Attorney General, to Hon. Joseph R. Biden, President of the US Senate, conveying proposed legislation that would amend US law to permit foreign governments to make surveillance demands directly on US providers for communications content (July 15, 2016), https://www.documentcloud.org/documents/2994379-2016-7-15-US-UK-Biden-With-Enclosures.html#document/p11.
(45.) See Peter Beaumont, “NSA Leaks: US and Britain Team Up on Mass Surveillance,” The Guardian (June 22, 2013), http://www.theguardian.com/world/2013/jun/22/nsa-leaks-britain-us-surveillance; Linton Besser, “Telstra Storing Data on Behalf of US Government,” Sydney Morning Herald (July 16, 2013), http://www.smh.com.au/it-pro/security-it/telstra-storing-data-on-behalf-of-us-government-20130716-hv0w4.html; Glenn Greenwald, Laura Poitras, and Ewen MacAskill, “NSA Shares Raw Intelligence including Americans’ Data with Israel,” The Guardian (September 11, 2013), http://www.theguardian.com/world/2013/sep/11/nsa-americans-personal-data-israel-documents.
(46.) As Zhizheng Wang explains, in his chapter in this volume, Chinese government access to private sector data is further strengthened by the Chinese Communist Party’s “absolute control over the law” and the absence of an independent judiciary.
(47.) Although security officials must follow their own internal procedures, these procedures are largely secret and give rise to no due process rights.
(48.) We agree with Omer Tene, who notes in his chapter in this volume that his account must be qualified by two distinctions: first, it concerns only “Israel proper” and not the occupied territories, which are subject to a military regime; second, Israel has been in a near constant state of war or armed conflict since its beginnings as an independent state, and therefore national security considerations “have a profound impact on Israeli constitutional and legal discourse.”
(49.) These transfers to the GSS are subject to certain “secret annexes” setting out detailed procedures and protocols. Omer Tene notes in his chapter in this volume that, after examining the secret annexes in camera, a court denied a public records request seeking their release on the grounds that they “do not provide the GSS with surveillance powers, but rather set forth technical specifications for operating the ‘pipe’ through which the data are channeled strictly where access to data is authorised by law.”
(50.) For example, federal police are entitled to obtain documents that are “relevant to, and will assist in, investigations of serious terrorism offenses,” without any court order. Similarly, the Australian Security Intelligence Organization (ASIO) may obtain computer access by requesting the Minister to issue a warrant.
(51.) “Non-content” data, also referred to as “transactional,” “connection,” or “envelope” data, includes both (a) communications attributes such as the time, duration, and medium of communication; the technical parameters of the relevant transmission devices and software; and the identities and physical locations of the parties, and their electronic addresses; and (b) subscriber data such as name, address, phone number, and/or credit card information.
(53.) A campaign is underway in the United States to reform ECPA by extending to stored communications content many of the protections that apply to content in transit. See Dustin Volz, “U.S. House Passes Bill Requiring Warrant to Search Old Emails,” Reuters (February 6, 2017), http://www.reuters.com/article/us-usa-congress-emails-idUSKBN15L2N3.
(54.) Fourth Amendment protections are unavailable both for financial records, see United States v. Miller, 425 U.S. 435 (1976), and transactional information held by third parties that is associated with either phone calls or email, see Smith v. Maryland, 442 U.S. 735 (1979).
(55.) In 2010, a federal appeals court (covering four states) held that the Constitution does in fact protect the content of stored communications. See United States v. Warshak, 631 F. 3d 266 (6th Cir. 2010). In 2013, the US Department of Justice stated to Congress that it followed the Warshak rule nationwide, obtaining a warrant under the Constitution in order to compel a service provider to disclose the contents of stored communications. In a 2011 decision, the US Supreme Court rejected the absolute claim that a person loses all constitutional interest in whatever is disclosed to a third party, see United States v. Jones, 565 U.S. 400 (2012); however, the majority’s holding was much narrower and the third party doctrine is still being applied in full force to non-content data.
(57.) Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT. On January 25, 2012, the European Commission proposed a comprehensive reform of the data protection rules, to account for globalization, cloud computing, and other advances in communications technology. After four years of drafting and negotiation, the European Parliament voted to adopt the new General Data Protection Regulation [hereinafter “GDPR”] on April 14, 2016, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN. The GDPR entered into force on May 25, 2016, and will become directly applicable in all EU Member States two years after this date, on May 25, 2018.
(58.) Marco Civil da Internet (Law No. 12.965), Articles 13 and 15 (April 23, 2014); Diego Spinola, “Brazil Leads the Efforts in Internet Governance with Its Recently Enacted ‘Marco Civil da Internet’. What’s in It for Intermediary Liability?,” The Center for Internet and Society (April 30, 2014), http://cyberlaw.stanford.edu/blog/2014/04/brazil-leads-efforts-internet-governance-its-recently-enacted-marco-civil-da-internet.
(59.) See “Chinese Legislature Passes Data Privacy Resolution,” (January 2, 2013), Privacy and Information Security Law Blog, http://www.huntonprivacyblog.com/?s=china (also noting that “one provision … could actually erode the protection of personal privacy: ISPs must require that customers provide their real names on agreements for the provision of access- or information-related services”).
(60.) § 3, § 5 Artikel 10-Gesetz, http://www.gesetze-im-internet.de/bundesrecht/g10_2001/gesamt.pdf.
(61.) The British design mandates are part of the Investigatory Powers Act 2016, which has broad surveillance provisions, a design mandate akin to CALEA, and a data retention requirement.
(62.) India, as well as the United Arab Emirates and Saudi Arabia, threatened to block Blackberry enterprise service because the service uses encryption that thwarts communications monitoring. Barry Meier and Robert F. Worth, “Emirates to Cut Data Services of BlackBerry,” New York Times (August 1, 2010), http://www.nytimes.com/2010/08/02/business/global/02berry.html?pagewanted=all&_r=0. In response, BlackBerry (then operating as Research In Motion, or RIM) established a facility in Mumbai to coordinate with the government on surveillance demands relating to BlackBerry devices. Amol Sharma, “RIM Facility Helps India in Surveillance Efforts,” Wall Street Journal (October 28, 2011), http://online.wsj.com/news/articles/SB10001424052970204505304577001592335138870.
(63.) Digital Rights Ireland v. Minister for Communications, Joined Cases C-293/12 and C-594/12, Judgment of 8 Apr. 2014, http://curia.europa.eu/juris/document/document.jsf?docid=150642&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=593504.
(65.) Marco Civil da Internet (Law No. 12.965), Articles 13 and 15 (April 23, 2014).
(66.) For a classic statement of these principles, see Lon Fuller, The Morality of Law, revised edition (1969).
(67.) Joseph Raz, “The Rule of Law and Its Virtue,” in The Authority of Law: Essays on Law and Morality (1979). Raz’s other two principles address the need for making courts easily accessible to all and the necessity of observing principles of natural justice.
(68.) In 2013, the UN General Assembly passed a resolution reaffirming the human right to privacy as provided in Article 17 of the International Covenant on Civil and Political Rights, and requesting the UN High Commissioner for Human Rights to present a report on the protection of privacy regarding “domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data, including on a mass scale.” The right to privacy in the digital age, G.A. Res. 68/167, U.N. Doc. A/RES/68/167 (Dec. 18, 2013), http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/68/167. Data Protection officials meeting at a major conference in Warsaw, Poland, adopted a resolution calling for governments to adopt an additional protocol to Article 17 to create global standards for data protection. See https://privacyconference2013.org/web/pageFiles/kcfinder/files/5%20International%20law%20resolution%20EN%281%29.pdf.
(69.) Article 8, European Convention for the Protection of Human Rights and Fundamental Freedoms [hereinafter the “Convention”], http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm. Article 7 of the EU Charter reproduces but slightly updates the wording of article 8(1): “Everyone has the right to respect for his or her private and family life, home and communications.” See Charter of Fundamental Rights of the European Union of the European Parliament, Dec. 7, 2000, O.J., No. C 364, 20000, p. 1 et seq.
(70.) Consolidated Version of the Treaty on European Union, art. 6(3), October 26, 2012, 2012 O.J. (C 326) 19.
(71.) For an overview, see R. White and C. Ovey, Jacobs, White and Ovey: The European Convention on Human Rights 365–71 (2010).
(72.) Klass and others v. Germany, Application no. 5029/71, Judgment of 6 Sept. 1978, § 41.
(73.) Malone v. United Kingdom, Application no. 8691/79, Judgment of 2 Aug., 1984, § 84; Copland v. the United Kingdom, Application no. 62617/00, Judgment of 3 Apr., 2007, § 43.
(74.) Leander v. Sweden, Application no. 9248/81, Judgment of 26 Mar., 1987, § 48; Rotaru v. Romania, Application no. 28341/95, Judgment of 4 May, 2000, § 42–43.
(76.) Roman Zakharov v. Russia, Application no. 47143/06, Judgment of 4 Dec., 2015, § 171. Such interference is conditioned on an individual being able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures and that no effective remedies are available at the national level. See also Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, Application no. 62540/00, Judgment of 27 June, 2007 (examining the adequacy of Bulgaria’s “Special Surveillance Means Act” (SSMA) and concluding that it violated Article 8 because it provided neither sufficient guarantees against the risk of abuse inherent in any system of secret surveillance nor effective remedies against the use of such special means).
(77.) See Weber and Saravia v. Germany, Application no. 54934/00, Judgment of 29 June 2006, §§ 78–79.
(78.) Weber and Saravia, Ibid.
(79.) See Paul Schwartz’s chapter in this volume, at 66–68, 79–80.
(81.) Ibid., § 93.
(82.) Ibid., § 95.
(83.) Liberty and others v. U.K., Application no. 58243/00, Judgment of 1 Jul. 2008, § 69.
(85.) These guidelines have also influenced Council of Europe recommendations regarding law enforcement, including Guidelines for the Cooperation between Law Enforcement and Internet Service Providers against Cybercrime (2008), http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/cy_activity_interface2008/567_prov-d-guidelines_provisional2_3april2008_en.pdf and the European Code of Police Ethics (2001), http://polis.osce.org/library/f/2687/500/CoE-FRA-RPT-2687-EN-500. For example, Paragraph 41 of the Code of Police Ethics permits the police to interfere with privacy only when strictly necessary to obtain a legitimate objective, and Paragraph 42 advises that collection, storage, and use of personal data by the police must be limited to the extent necessary for the performance of lawful, legitimate, and specific purposes.
(89.) Ibid., § 265.
(90.) Ibid., § 270.
(91.) See Orin Kerr, “The Next Generation Communications Privacy Act,” 162 University of Pennsylvania Law Review 373 (2013) (noting the absence of any scoping or minimization limits in ECPA, the US law regulating access to stored communications).
(93.) For an overview of the Privacy and Civil Liberties Oversight Board (PCLOB), see http://www.pclob.gov/. On January 23, 2014, the Board released a comprehensive report assessing government bulk collection activities pursuant to Section 215 of the PATRIOT Act and the operations of the Foreign Intelligence Surveillance Report. See PCLOB Report, n. 35. The Board released a report focused on global surveillance and the US government’s use of Section 702 of FISA, on July 2, 2014, https://www.pclob.gov/library/702-Report.pdf.
(94.) Paul M. Schwartz, “Reviving Telecommunications Surveillance Law,” 75 University of Chicago Law Review 287, 310–12 (2008).
(95.) See Jack L. Goldsmith, Power and Constraint: The Accountable Presidency after 9/11 205–43 (2012) (arguing that the executive branch is forced to account for its actions by the constant gaze of “courts, Members of Congress and their staff, human rights activists, journalists and their collaborators, and lawyers and watchdogs inside and outside the executive branch” who together constitute a highly effective “presidential synopticon”). The Snowden revelations would seem to confirm this insight yet it remains highly debatable whether such informal mechanisms suffice.
(96.) 565 U.S. 400 (2012).
(97.) In 2012, the European Parliament approved a passenger name record (PNR) agreement with the United States, under which US authorities are permitted access to EU citizens’ airline records. See Kirsten Fiedler, “EU Parliament Agrees to EU-US PNR Agreement,” EDRI (April 25, 2012), http://www.edri.org/edrigram/number10.8/ep-agrees-us-eu-pnr. A year later, the European Parliament rejected a proposal to create a pan-European system for sharing and storing passengers’ phone numbers, addresses, and credit card details whenever they entered or departed the 27-country European Union, on the grounds that it breached citizens’ fundamental rights; see Tedd Nykiel, “European Lawmakers Reject Passenger-Data Scheme,” Reuters (April 24, 2013), http://uk.reuters.com/article/2013/04/24/uk-eu-data-idUKBRE93N0U020130424. However, in April 2016, following gun and bomb attacks by the Islamic State in Paris in 2015 and in Brussels in March 2016, the European Parliament and the European Council enacted a similar PNR directive, establishing detailed rules for EU national authorities to access PNR data collected by airlines for passengers on all flights to, from, and within the European Union. Estefania Narrillos, “EU Passenger Name Record (PNR) Directive: An Overview,” European Parliament News (January 6, 2016), http://www.europarl.europa.eu/news/cs/news-room/20150123BKG12902/EU-Passenger-Name-Record-(PNR)-directive-an-overview.
(98.) Additionally, Italian hotels automatically report the identity of all hotel clients to the police.
(100.) A cornerstone of the privacy framework that has guided privacy laws globally for the past 30 years is the principle that data collected for one purpose should not be used for another purpose, yet big data analytics explicitly promises to find unanticipated meanings in data. Big data equally challenges other core privacy principles. Ira Rubinstein, “Big Data: The End of Privacy or a New Beginning?,” International Data Privacy Law (2013) vol. 3, no. 2 pp. 74–87 (“when this advancing wave arrives, it will … overwhelm the core privacy principles of informed choice and data minimization”). See generally Christopher Kuner, Fred H. Cate, Christopher Millard, and Dan Jerker B. Svantesson, “The Challenge of ‘Big Data’ for Data Protection,” International Data Privacy Law (2012) vol. 2, no. 2 pp. 47–49.
(101.) As Frank La Rue, Special Rapporteur on the Promotion and Protection of the Right to Freedom of Expression, noted, there is “serious concern with regard to the extraterritorial commission of human rights violations and the inability of individuals to know they might be subject to foreign surveillance, challenge decisions with respect to foreign surveillance or seek remedies.” Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue, to the Human Rights Council, at 64 (April 17, 2013), http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf.
(102.) Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013).
(103.) See, for example, The Right to Privacy in the Digital Age, Report of the Office of the United Nations High Commissioner for Human Rights, U.N. Doc. A/HRC/27/37 (June 30, 2014), http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf (The High Commissioner discusses the principles of legality, necessity, and proportionality, as well as procedural safeguards and remedies).