Organizational Accountability, Government Use of Private-Sector Data, National Security, and Individual Privacy
Abstract and Keywords
Companies that collect personal data in the course of their business must be accountable for the safe and fair management of that data. The accountability of companies as data stewards extends to processing by their vendors and partners to whom data is disclosed, in a chain of accountability that can extend through multiple links. However, when a government entity demands that a company disclose data in its possession or control, the chain of accountability can be broken if government itself, shielded by secrecy, is not accountable. This chapter examines what companies can do to remain accountable in the face of government disclosure demands. In addition, it concludes that the principles and practices of accountability developed around the handling of personal information in commercial contexts are applicable within government agencies, including when demanding disclosure of data held by the private sector.
Companies that collect personal data in the course of their business must be accountable for the safe and fair management of that data. The accountability of companies as data stewards extends both to their own processing of data and to processing by their vendors and partners to whom data is disclosed, thus prompting companies to use contract and other means to ensure that entities to whom they disclose data will likewise be responsible, in a chain of accountability that can extend through multiple links. This accountability principle has now been widely incorporated into national and international data protection standards. However, when a government entity demands that a company disclose data in its possession or control, the chain of accountability can be broken if government itself, shielded by secrecy, is not accountable. This chapter examines what companies can do to remain accountable in the face of government disclosure demands. In addition, it concludes that the principles and practices of accountability that have been developed around corporate handling of personal information collected in commercial contexts are directly applicable to data governance within police and intelligence agencies and are especially relevant when those agencies demand disclosure of data held by the private sector.
Under the now well-accepted principle of information accountability, companies that collect personal data in the course of their business must be accountable for the safe and fair management of that data. The accountability of companies as data stewards extends both to their own processing of data and to processing by their vendors and partners to whom data is disclosed. A commitment to the concept of accountability leads companies both to carefully structure their own data collection, use, and retention practices and to use contract and other means to ensure that the entities to which they disclose data will likewise be responsible, in a chain of accountability that can extend through multiple links.
What happens, however, to accountability when a government entity demands that a company disclose data in its possession or control? How can a company follow through on its accountability commitments when the fact of the government’s demands and the government’s uses of data are cloaked in secrecy? Before the Snowden leaks and other related disclosures, there was a quiet concern among many private-sector entities that government demands were growing.1 After the Snowden leaks, it became apparent that many countries around the world were demanding disclosure of large quantities of data directly from companies or were seizing it as it moved over communications links between data centers.2
In 2015, in Schrems v. Data Protection Commissioner, the issue came to a head. For years, the EU-US Safe Harbor agreement had allowed companies to transfer data to the United States if they promised to adhere to privacy standards at least equivalent to those that would have applied to the data had it remained in Europe. However, the data stored in the United States became subject to US government disclosure demands. In Schrems, the Court of Justice of the European Union declared the Safe Harbor invalid because it had been adopted without sufficient findings about the rules limiting those US government demands or the availability of any redress for abuse. In essence, the Court found, the accountability chain was broken: companies transferring data to the United States were required to comply with government demands with no assurance that such demands were appropriately limited in purpose and scope.
While invalidating the Safe Harbor, the Schrems decision left key questions unanswered: What are the minimum standards for government demands? What is the responsibility of the accountable corporation when data is requested by government entities? But as Schrems confirmed the threat that government access poses to the accountability framework, its disruption of trans-Atlantic data flows created an urgent need for solutions. And it appears that the accountability framework itself offers part of that solution: elements of the accountability framework can be extended to governmental demands for and uses of data. In approving the Privacy Shield as a suitable improvement over the Safe Harbor, the EU gave some initial indication of what types of internal and external oversight are sufficient to extend the chain of accountability to the government agency demanding access to data held by the private sector. It also indicated how the transparency element of accountability could be satisfied when both the fact of disclosure and the government’s uses of the data once obtained must be kept secret.
Accountability in the face of government demands implicates the interests of at least four sets of stakeholders: the companies that collect and process data in the course of providing the vast range of services that characterize the information society; the data protection regulators that enforce privacy laws; the law enforcement and national security agencies that require information about individuals and that rely on the cooperation of the private sector to carry out their vital responsibilities; and consumers, represented by policymakers, regulators, and civil society organizations.
Accountability is inextricably linked to, but nevertheless distinct from, the substantive criteria for data processing. In Schrems, the CJEU was concerned both with the criteria limiting government access and use and with the mechanisms by which “persons whose personal data is concerned have sufficient guarantees enabling their data to be sufficiently protected against the risk of abuse.” Other chapters in this volume discuss the substantive criteria for access, centered on the principles of necessity and proportionality. These include rules as to permissible purposes of data collection and other processing, the factual threshold that must be met to initiate such actions, the scope and duration of surveillance, and retention periods. Accountability focuses on the question of how, once those rules are established, an entity can ensure that they are followed. In the context of governmental access, accountability turns on the question of how a corporation can assure itself that a government entity demanding data is accountable for the further processing of that data.
III. The Information Accountability Framework
The effort to develop accountability principles for data governance began in 2009 as a dialogue among privacy enforcement agencies, governments, civil society, and business, co-facilitated by the Office of the Privacy Commissioner of Ireland and the Centre for Information Policy Leadership at Hunton & Williams LLP. The project published “Data Protection Accountability: The Essential Elements” in October 2009, describing five essential elements that are the structural building blocks for accountability-based privacy governance.3 The five elements are:
1. Organizational commitment to accountability and adoption of internal policies consistent with external criteria.
2. Mechanisms to put privacy policies into effect, including tools, training, and education.
3. Systems for internal ongoing oversight and assurance reviews and external verification.
4. Transparency and mechanisms for individual participation.
5. Means for remediation and external enforcement.
These essential elements articulate the conditions that must exist in order for an organization to establish, demonstrate, and test its accountability with respect to the personal data that it processes. One has to look at all five essential elements of accountability to determine whether an organization is fully accountable. For private-sector organizations to be fully accountable, they must have mechanisms to assure that the obligations attached to data (no matter the application) travel with the data. This requires different mechanisms in different situations. Sometimes contracts are enough. In other situations, there need to be assurance reviews or audits. No matter the due diligence a company might do, a company cannot be fully accountable unless the entities it provides data to are accountable as well.
The principle of accountability was featured prominently in the Madrid Resolution, adopted by the International Conference of Data Protection and Privacy Commissioners in October 2009. Another important milestone was reached in July 2010 when the Article 29 Working Party issued an Opinion on the principle of accountability, proposing a requirement that data controllers put in place appropriate and effective measures to ensure that privacy rules are complied with and to demonstrate compliance to supervisory authorities. In 2012, the Federal Privacy Commissioner of Canada and the Information Commissioners of Alberta and British Columbia released a document articulating what data protection authorities would expect of organizations under an accountability approach.4 In 2013, when the Organisation for Economic Co-operation and Development revised its highly influential privacy framework, it noted that “the principle of accountability [has] received renewed attention as a means to promote and define organisational responsibility for privacy protection.” Building on this experience, the new Part Three of the OECD Guidelines (“Implementing Accountability”) introduced the concept of a privacy management program and articulated its essential elements.5 The Asia-Pacific Economic Cooperation forum’s Cross-Border Privacy Rules adopted an accountability-based code of conduct.
Since then, the concept has increasingly come to be incorporated in national data protection systems. In January 2015, for example, the French data protection authority (CNIL) issued a data governance standard that specified 25 requirements for an accountable organization, starting with the existence of both internal and outward-facing privacy policies defining the various permitted uses of data within the company.6 Ten elements of the French standard focus specifically on the appointment and role of a chief privacy officer inside a company, whereas others address the need for a compliance assessment process and the establishment of procedures by which data subjects can exercise their rights. In 2015, the Colombian Data Protection Authority issued its own accountability guidelines, as did Hong Kong and Australia.
With the 2016 adoption of the European Union’s new General Data Protection Regulation, accountability has reached its fullest implementation in law. Article 5 of the GDPR expressly states that “the controller shall be responsible for, and be able to demonstrate compliance with,” the core principles relating to the processing of personal information (an obligation that the Regulation expressly refers to as “accountability”). Article 24 further specifies the controller’s responsibility:
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Essentially identical language appears in the equally important but often overlooked directive on personal data processing in the police and judicial area, also adopted in 2016, thereby expressly extending the accountability principle to law enforcement agencies.7
As the European Data Protection Supervisor has noted, although accountability is not a new concept, “[w]ith the GDPR, however, comes a quantum shift in emphasis: controllers are responsible.” Accountability, the EDPS emphasizes, “goes beyond compliance with the rules—it implies culture change.”8
IV. Reconciling Accountability and Government Access
This brings us, then, to our challenge: if a national security agency obtaining data from a private-sector company is itself not accountable, the company providing the data has a gap in its accountability framework, even if the company provides the data under compulsion. What steps can be taken to fill this gap by companies, regulators, and agencies demanding data from the private sector?
The issue of accountability and government access to private-sector data has at least four elements:
• How should accountable companies review and limit requests for disclosure?
• How might those requests be parsed beyond what is legal to what is appropriate?
• How might accountable companies be transparent about both requests for data and how they are parsed?
• How might the concept of accountability extend to the governmental entities that are the recipients of the data?
The first three of these questions have been explored by individual companies and on a multi-stakeholder basis by the Global Network Initiative (GNI) and others.9 The fourth question—how to extend the principles of accountability to the practices of government itself—is receiving increasing attention as some governments bring their surveillance practices into the light and strengthen their oversight mechanisms. The Privacy Shield agreement between the United States and the EU provided some answers to the fourth question, although it remains to be seen whether the agreement survives the inevitable challenges it will face.
V. What Can Companies Do to Remain Accountable in the Face of Government Demands?
Major companies have addressed some aspects of this challenge, committing to review requests from government agencies, including national security agencies, and challenge overbroad ones. Under the GNI implementation guidelines, it is not sufficient for companies merely to say, “We only comply with lawful demands.”10 The GNI implementation guidelines specify that companies should have in place procedures to carefully assess not only whether a government demand is lawful but also whether it is overbroad or inconsistent with international human rights standards. The guidelines specify that, when required to provide personal information to governmental authorities, participating companies will:
• Narrowly interpret and implement government demands that compromise privacy.
• Seek clarification or modification from authorized officials when government demands appear overbroad, unlawful, not required by applicable law or inconsistent with international human rights laws and standards on privacy.
• Request clear communications, preferably in writing, that explain the legal basis for government demands for personal information, including the name of the requesting government entity and the name, title and signature of the authorized official.
• Require that governments follow established domestic legal processes when they are seeking access to personal information.
• Adopt policies and procedures to address how the company will respond when government demands do not include a written directive or fail to adhere to established legal procedure. These policies and procedures shall include a consideration of when to challenge such government demands.
• Narrowly interpret the governmental authority’s jurisdiction to access personal information, such as limiting compliance to users within that country.
• Challenge the government in domestic courts or seek the assistance of relevant authorities, international human rights bodies or non-governmental organizations when faced with a government demand that appears inconsistent with domestic law or procedures or international human rights laws and standards on privacy.11
Some companies have sought to increase transparency around government requests as another key aspect of accountability. Transparency in this context concerns both legal authorities and the scope of the government’s exercise of those authorities: What types of information are being disclosed to government agencies, and under what legal authorities and for what purposes; and how much data, affecting how many customers, is disclosed? Companies are largely at the mercy of national laws and government policy in terms of what they can disclose, but some have pushed to the full extent of those boundaries. Even before the Snowden leaks, companies in the United States, starting first with Google, began issuing transparency reports in which they publish statistical information about the number of government disclosure demands they receive and/or the number of accounts affected. Since 2013, this practice has expanded in the United States. The USA FREEDOM Act, adopted by Congress in 2015, clarified and expanded the ability of companies to disclose information about the number of government demands they had received and the number of customer accounts that were specifically targeted by those demands.12 Still, US companies remain constrained by some government-imposed limits.
Outside the United States, there has also been movement toward corporate transparency. A 2015 report found that, for the first time, a small handful of Canadian carriers had begun issuing their own Transparency Reports.13 There have also been some positive changes, especially in Europe. A major development occurred in 2014, when Vodafone issued a transparency report on law enforcement demands it faced in 29 countries.14
Other European-based companies followed suit, including Orange, Deutsche Telekom, and Teliasonera, as did the Australian Telstra. These reports are limited to law enforcement requests. Vodafone’s reports are by far the most detailed outside the United States. As Deniz Duru Aydin of Access Now noted in July 2015, “Whole continents, such as Latin America and Asia, remain dark, as neither telecoms nor governments reveal their handover of user data.”
A third component of corporate accountability with respect to government access concerns whether the company maintains control over its own network. Vodafone’s 2014 report contained an extraordinary acknowledgment that in some countries authorities had unmediated access to the company’s communications network:
However, in a small number of countries the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator. In those countries, Vodafone will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link.
Vodafone made it clear that it was opposed to these requirements of direct access and that it preferred instead to follow the lawful interception technical standards set down by the European Telecommunications Standards Institute (ETSI), which define the separation required between a government monitoring center and the operator’s network. As Vodafone explained:
The ETSI standards are globally applicable across fixed-line, mobile, broadcast and internet technologies, and include a formal handover interface to ensure that agencies and authorities do not have direct or uncontrolled access to the operators’ networks as a whole. We continuously encourage agencies and authorities in our countries of operation to allow operators to conform to ETSI technical standards when mandating the implementation of lawful interception functionality within operators’ networks.
VI. What Can Governments Do to Respect Accountability?
Although the GNI principles encourage companies to challenge government demands that appear inconsistent with domestic law or procedures or international human rights laws and standards on privacy, companies are limited in what they can do. Prior to the Snowden leaks, there had been some attention to the principle of government accountability with respect to acquisition of private-sector data, especially in the jurisprudence of the European Court of Human Rights (in cases such as Weber and Saravia v. Germany and Liberty v. UK), as well as in the prescient report of Frank La Rue, the UN special rapporteur. In the United States, intense debates around the PATRIOT Act and related governmental powers led to the creation of the independent Privacy and Civil Liberties Oversight Board and to the creation of Privacy Officers within federal law enforcement and intelligence agencies. Following the Snowden leaks, there were extensive calls on both sides of the Atlantic for greater governmental accountability. The Schrems decision, in striking down the Safe Harbor, affirmed those calls and prompted a more granular focus on US practices.
In 2014, in response to the Snowden leaks, the Article 29 Working Party adopted an opinion on surveillance15 in which it made specific recommendations for governments that map to two key components of accountability: transparency and oversight. On transparency, the Working Party said that Member States should be “transparent to the greatest extent possible about their involvement in intelligence data collection and sharing programmes, preferably in public, but if necessary at least with their national parliaments and the competent supervisory authorities.”16 This includes transparency as to legal authorities: “these programmes have to be based in clear, specific, and accessible legislation.” Effective and independent oversight of the intelligence services is of the “highest importance,” the Working Party said. It identified specific elements of oversight that it found to be best practices drawn from the mechanisms in place in Member States:
• Strong internal checks for compliance with the national legal framework;
• Effective parliamentary scrutiny; and
• Effective, robust, and independent external oversight, “performed either by a dedicated body with the involvement of the data protection authorities or by the data protection authority itself.”17
In June 2014, the Office of the High Commissioner for Human Rights (OHCHR) issued a report on the right to privacy in the digital age. The OHCHR specifically noted the importance of procedural safeguards and effective oversight, stating that the right to the protection of the law against unlawful or arbitrary interference or attacks on privacy “must be given life through effective procedural safeguards, including effective, adequately resourced institutional arrangements.”18 The OHCHR went on to state:
Internal safeguards without independent, external monitoring in particular have proven ineffective against unlawful or arbitrary surveillance methods. While these safeguards may take a variety of forms, the involvement of all branches of government in the oversight of surveillance programmes, as well as of an independent civilian oversight agency, is essential to ensure the effective protection of the law.19
And the OHCHR called out the right to an effective remedy, noting that Article 2 of the ICCPR states in paragraph 3 (b) that States parties to the Covenant undertake “to ensure that any person claiming such a remedy shall have his right thereto determined by competent judicial, administrative or legislative authorities, or by any other competent authority provided for by the legal system of the State, and to develop the possibilities of judicial remedy.”20 Effective remedies, the OHCHR stated, can come in a variety of judicial, legislative, or administrative forms, but they typically share certain characteristics. First, those remedies must be known and accessible to anyone with an arguable claim that his or her rights have been violated. Notice (that either a general surveillance regime or specific surveillance measures are in place) and standing (to challenge such measures) thus become critical issues in determining access to an effective remedy. Second, effective remedies will involve prompt, thorough, and impartial investigation of alleged violations. Third, for remedies to be effective, they must be capable of ending ongoing violations. Fourth, it stated, where human rights violations rise to the level of gross violations, nonjudicial remedies will not be adequate, as criminal prosecution will be required.
Companies, too, in the wake of the Snowden revelations called for greater governmental accountability, to restore trust. Under the banner of “Reform Government Surveillance,” a group of US-based companies recommended that accountability elements be built into government surveillance practices, including those of the US government. The companies’ recommendations specifically highlighted transparency and oversight.21
Individual companies also called for greater government transparency. For example, when Verizon released its 2014 transparency report, in which it published data on National Security Letters, the company noted that it was still limited in what it could publish, and it called on the US government to itself be more open: “We once again call on all governments to make public the number of demands they make for customer data from such companies, because that is the only way to provide the public with an accurate data set.”22
Although several chapters in this volume find that national governments have in recent years extended their surveillance powers, some national governments have at the same time improved their accountability mechanisms.
It is undeniable, for example, that the United States is more transparent than it was before the Snowden leaks. The 2015 USA FREEDOM Act, as noted above, expanded somewhat the ability of companies to disclose information about government requests they received. The Office of the Director of National Intelligence has a website, IC on the Record,23 which publishes information of a scope and depth that would have been inconceivable before the Snowden leaks, including opinions of the special court that authorizes surveillance inside the United States, procedures for exercising various authorities, statistics on the use of those authorities, and compliance reports. The National Security Agency and the Central Intelligence Agency have both appointed senior officials devoted solely to the privacy and civil liberties portfolio. Likewise, the UK in 2015 published what it promised would be an annual transparency report on investigatory powers.24 Also in the UK, an independent Interception of Communications Commissioner publishes detailed reports on the authorities exercised by the government, including both descriptions of the legal standards and statistical data on the frequency of their use. (In both the United States and the UK, the statistics provide only a partial picture of the scope of government surveillance.)
In 2014, US president Barack Obama issued a policy directive making certain commitments as to how the US government will handle data collected through signals intelligence in the national security context.25 Substantively, the directive specified that signals intelligence activities of the United States “shall be as tailored as feasible,” but it went on to acknowledge that the US government did engage in bulk collection of communications and information about communications. The directive spoke specifically to accountability:
[T]he policies and procedures of IC [Intelligence Community] elements, and departments and agencies containing IC elements, shall include appropriate measures to facilitate oversight over the implementation of safeguards protecting personal information, to include periodic auditing … .
The policies and procedures shall also recognize and facilitate the performance of oversight by the Inspectors General of IC elements … and other relevant oversight entities, as appropriate and consistent with their responsibilities.
As Sarah St.Vincent notes in her chapter in this volume, cases pending before the European Court of Human Rights challenging the UK’s surveillance practices may produce further limits on government data collection and use, as did the recent CJEU case on data retention. Already, the cases of the ECtHR constitute perhaps the fullest body of international law on government surveillance, analyzed by Ira Rubinstein, Greg Nojeim, and Ron Lee in their chapter in this volume. Certain basic criteria that the ECtHR has articulated in assessing government access programs provide reference points in assessing government accountability:
• “In accordance with law.” Under the jurisprudence of the ECtHR, surveillance standards must be spelled out in a public law or regulation precisely enough to protect against arbitrary application and to inform the public of which entities can conduct surveillance and under what criteria. Such laws must specify not only the standards for collecting data but also the limits on examining, using, and storing it.
• Oversight by independent entity. An independent body (judicial, executive, legislative) must oversee the actual implementation of surveillance procedures to protect against abuse.
• Redress (remedy). Individuals must be able to obtain redress for violations of the established standards.26
One of the fullest discussions to date of government accountability can be found in the decision of the European Commission on the adequacy of the US commitments that constitute the Privacy Shield.27 The Commission focused both on the substantive rules limiting US surveillance and on the accountability mechanisms intended to assure compliance with those rules. The Commission found that the US intelligence agencies are subject to oversight by both internal and external bodies, congressional committees, and, to some extent, judicial supervision. Within the executive branch, the Commission found that “[m]ultiple oversight layers have been put in place, including civil liberties or privacy officers, Inspector Generals, the ODNI [Office of the Director of National Intelligence] Civil Liberties and Privacy Office, the PCLOB [Privacy and Civil Liberties Oversight Board], and the President’s Intelligence Oversight Board.”28 These oversight entities are supported, the Commission said, by compliance staff in all the agencies. The Commission further noted that intelligence agencies are encouraged (but not required) to design information systems to allow for auditing of queries or other searches of personal information. There are extensive reporting requirements, the Commission stated, with respect to noncompliance. In addition to oversight mechanisms within the executive branch, the Commission noted, congressional committees have oversight responsibilities regarding all US foreign intelligence activities. Third, the Commission noted, data acquisition in the United States is overseen by a Foreign Intelligence Surveillance Court, an independent tribunal.
The Commission stated that a number of avenues were available under US law to EU data subjects concerned about whether their personal data had been processed by the US intelligence community. However, the Commission noted these avenues were limited by exceptions, including doctrines restricting judicial access. In order to address these concerns, the US government committed to creating a new oversight mechanism, the Privacy Shield Ombudsman, independent of the intelligence agencies, to receive and investigate complaints. Moreover, the United States agreed that, unlike plaintiffs in ordinary judicial cases in the United States, an individual complaining to the Ombudsman would not have to demonstrate that his/her personal data have in fact been accessed by the US government in order to have a complaint heard. The US government made a commitment that individuals will receive from the Ombudsman independent confirmation that US laws have been complied with or, in a case of violation, the noncompliance has been remedied.
It remains to be seen whether the Privacy Shield commitments of the US government are borne out in practice and whether they are upheld against the seemingly inevitable challenges they will face at the national and EU level. But they represent perhaps the fullest commitment to date of any country to establish a system of accountability for data acquired from the private sector.
Applying the broad concept of accountability to intelligence services is not new.29 Government officials, institutions such as the Geneva Centre for the Democratic Control of Armed Forces (DCAF), human rights advocates, and scholars around the world have for decades been developing and commenting upon best practices for intelligence oversight.30 The special insight we are proposing here is that the principles and practices of accountability that have been developed around corporate handling of personal information collected in commercial contexts are directly applicable to data governance within police and intelligence agencies and are especially relevant when those agencies demand disclosure of data held by the private sector.
As expressed elsewhere in the volume, governments and human rights institutions are continuing to define the standards for government demands of access to data held by the private sector. Our point in this chapter is that the protection of privacy does not end when data is transferred pursuant to criteria meeting human rights standards. The transfer of private-sector data to the government for law enforcement or national security purposes starts a new accountability chain.
Accountability, especially in the national security context, is difficult to maintain. Any and all of the elements of an effective oversight system may fail or be frustrated, at least for a time. In the United States, from 2006 through 2013, the Foreign Intelligence Surveillance Court repeatedly, without written analysis, stretched a statute beyond recognition to authorize a bulk telephone metadata program (now ended). In 2016, in Germany, the Data Protection Commissioner found that the foreign intelligence agency had illegally and massively restricted her supervision authority on several occasions, “making comprehensive and efficient control not possible.”31 Moreover, accountability, as noted above, is only as effective in protecting rights as the substantive rules that the system enforces.32 Nevertheless, it is increasingly apparent that the five essential elements of accountability can and must be transposed into the governmental context. We conclude with the following observations:
A. Organization Commitment to Accountability and Adoption of Internal Policies Consistent with External Criteria
Accountability for any surveillance program begins with the criteria laid down in a public law. The ECtHR has made it clear that a law must describe a governmental power precisely enough to protect against arbitrary application and to inform the public of which entities can conduct surveillance and under what criteria. However, translating the necessarily broad and often generic criteria of statute into internal operating procedures is not easy, especially in more complex systems where multiple kinds of data may be collected through various means. Nevertheless, the externally stated rules and the internal practices must be consistent.
B. Mechanisms to Put Privacy Policies into Effect, including Tools, Training and Education
“Tools” may include audit trails, documentation, and permissioning systems for internal access and query. Tools may also include privacy impact assessments, formal internal processes that assess the risks to individuals associated with new processing (including collection). Of course, to make the assessment process meaningful, mitigating those risks must be part of the final processing plan. Such privacy by design practices should be part of an agency’s comprehensive privacy program. Training should start with an understanding of privacy and data protection, since the terms, although widely used, are often misunderstood.
C. Systems for Internal Ongoing Oversight and Assurance Reviews and External Verification
Nico van Eijk, in his chapter in this volume, identifies the seven key characteristics of effective oversight:
• Oversight must be comprehensive, in three respects: (a) The government (the executive branch), the legislature, the judiciary, and a specialized (non-parliamentary, independent) commission should all play a role. (b) Oversight should include prior oversight, ongoing oversight, and oversight after the fact. (c) The oversight bodies’ mandate should encompass review of both lawfulness and effectiveness.
• Oversight should encompass all stages of the intelligence cycle, including collection, storage, querying, and analysis of data.
• Oversight should take place prior to the imposition of a measure. Although prior judicial oversight is strongly preferred, van Eijk states that a system of ministerial orders combined with prior oversight by an independent, specialized commission; after-the-fact oversight on the overall functioning of the system of surveillance by a parliamentary committee; and the possibility for individuals to complain before an independent body could also be compliant with human rights standards.
• Oversight bodies should be able to declare a measure unlawful and to provide for redress.
• Oversight should incorporate the adversary principle.
• Oversight bodies should have sufficient resources to perform effectively.
D. Transparency and Mechanisms for Individual Participation
Transparency means both public awareness of what the law actually authorizes and numerical reporting that indicates the scope of government access. As the Article 29 Working Party stated: “Some form of general reporting on surveillance activities should be in place.”33 The systems of the United States and the UK, although not perfect, offer important templates for transparency. Individual participation, on the other hand, remains the most underdeveloped element of the accountability system.34
E. Means for Remediation and External Enforcement
In its most robust form, remediation is normally equated to judicial redress. However, in approving the Privacy Shield, the EU Commission found that a “composite structure” that included the Ombudsman Mechanism guaranteed individual redress. The key point is that some independent entity must have the ability to insist on remedial action, and the security services must commit to respect that judgment.
(*) Jennifer Stoddart, Privacy Commissioner of Canada from 2003 to 2013, participated in the systematic access project and chaired meetings in Montreal and London that focused on the concept and practice of accountability. The authors gratefully acknowledge her guidance and insight.
(1.) We recognize that there is a difference between an enforceable or compulsory “demand” and a “request” that could, under applicable law, be complied with on a permissive or voluntary basis. This chapter concerns both mandatory and permissive disclosures, and we use the words “demand” and “request” interchangeably.
(2.) For example, a study for the European Parliament found that “[p]ractices of so-called ‘upstreaming’ (tapping directly into the communications infrastructure as a means to intercept data) characterize the surveillance programmes” of four out of five of the EU Member States selected for the study. “National Programmes for Mass Surveillance of Personal Data in EU Member States and Their Compatibility with EU Law,” a study for the Directorate General for Internal Policies (2013), http://info.publicintelligence.net/EU-MassSurveillance.pdf.
(3.) http://tiaf01.ipower.com/wp-content/uploads/2013/09/The-Essential-Elements-of-Accountability.pdf. The elements of accountability have been fleshed out in a series of guides and tools. See http://www.huntonfiles.com/files/webupload/CIPL_Accountability_Phase_II_Paris_Project.PDF and http://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Accountability_Chart_Phase_IV.pdf. Additional materials on accountability are compiled at: http://www.informationpolicycentre.com/resources/.
(4.) Office of the Privacy Commissioner of Canada (OPC) and Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia, Getting Accountability Right with a Privacy Management Program (2012), https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.asp.
(5.) The OECD Privacy Framework (2013), http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.
(6.) CNIL, Privacy Seals on Privacy Governance Procedures (2014), https://www.cnil.fr/sites/default/files/typo/document/CNIL_Privacy_Seal-Governance-EN.pdf.
(7.) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 Apr. 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, Article 19, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L0680&from=en.
(8.) EDPS, “EDPS launches Accountability Initiative” (2016), https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Accountability/16-06-07_Accountability_factsheet_EN.pdf. The EDPS uses the following formulation of accountability:
Accountability in personal data processing involves:
(1.) Transparent internal data protection and privacy policies, approved and endorsed by the highest level of the organisation’s management;
(2.) Informing and training all people in the organisation on how to implement the policies;
(3.) Responsibility at the highest level for monitoring this implementation, assessing and demonstrating to external stakeholders and supervisory authorities the quality of the implementation;
(4.) Procedures for redressing poor compliance and data breaches.
(9.) The Global Network Initiative is a multi-stakeholder collaboration of companies, human rights advocates, investors, and others, working to help Internet companies meet their human rights obligations with respect to privacy and free expression when responding to government demands to disclose customer information or take down or block content. https://www.globalnetworkinitiative.org/.
(10.) Global Network Initiative, Implementation Guidelines for the Principles on Freedom of Expression and Privacy, http://globalnetworkinitiative.org/implementationguidelines/index.php (last visited on April 27, 2017).
(12.) The law does not permit companies to disclose the number of customers affected by demands, so if a company receives one request affecting millions of customers, it cannot use the numbers to indicate that. Other parts of the USA FREEDOM Act prohibited the issuance of bulk demands.
(13.) Andrew Clement & Jonathan A. Obar, Keeping Internet Users in the Know or in the Dark: A Report on the Data Privacy Transparency of Canadian Internet Carriers (March 12, 2015) at p. 5, https://ixmaps.ca/docs/DataPrivacyTransparencyofCanadianCarriers-2014.pdf. The report went on to state, “While the details in these reports are typically scanty, and not up to the standards being established by large US service providers, this is a good sign that Canadian carriers are beginning to respond to public pressure for greater transparency.” Ibid.
(14.) Vodafone, Law Enforcement Disclosure Report (last visited April 27, 2017), https://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html#csctag.
(15.) Article 29 Data Protection Working Party, Opinion 04/2014 on Surveillance of Electronic Communications for Intelligence and National Security Purposes (adopted on April 10, 2014), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp215_en.pdf.
(18.) Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age (June 30, 2014) at 12 http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A.HRC.27.37_en.pdf.
(22.) Verizon, “Updates to Our 2013 Transparency Report,” Verizon News (March 3, 2014), https://www.verizon.com/about/news/updates-to-our-2013-transparency-report. Verizon provides service in 18 countries in addition to the United States. In all but Germany, it is prohibited from reporting information about the interception of content. See Verizon, International Report http://www.verizon.com/about/portal/transparency-report/international-report/ (last visited April 27, 2017).
(24.) HM Government Transparency Report 2015: Disruptive and Investigatory Powers, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473603/51973_Cm_9151_Transparency_Accessible.pdf.
(25.) Presidential Policy Directive 28—Signals Intelligence Activities (January 17, 2014), http://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
(26.) See D. Korff, “Note on European and International Law on Transnational Surveillance prepared for the Civil Liberties Committee of the European Parliament” (August 23, 2013), http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/note_korff_/note_korff_en.pdf.
(27.) European Commission, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, available at http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm.
(29.) See, for example, Hans Born and Ian Leigh, Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies (2005).
(30.) See Zachary K. Goldman and Samuel J. Rascoff, Global Intelligence Oversight: Governing Security in the Twenty-First Century (2016).
(31.) Andre Meister, “Secret Report: German Federal Intelligence Service BND Violates Laws and Constitution by the Dozen,” Netzpolitik.org (September 2, 2016), at https://netzpolitik.org/2016/secret-report-german-federal-intelligence-service-bnd-violates-laws-by-the-dozen/.
(32.) “Even if perfect compliance could be achieved, however, it is too paltry a goal. A good oversight system needs its institutions not just to support and enforce compliance but to design good rules.” Margo Schlanger, “Intelligence Legalism and the National Security Agency’s Civil Liberties Gap,” 6 Harvard National Security Journal 112 (2015).
(33.) The Working Party cited the decision of the ECtHR in Youth Initiative for Human Rights v. Serbia (June 25, 2013).
(34.) See Rebecca Richards, Civil Liberties and Privacy Office, NSA, “Defining Privacy” (November 12, 2014), https://www.nsa.gov/about/civil-liberties/resources/assets/files/PCLOB_Remarks_20141112.pdf.