The American people should be able to sleep a little easier tonight after the Obama administration set new limits on how the National Security Agency and other parts of the intelligence community collect personal data.  While the new policy does not put an end to the bulk collection program revealed by former National Security Agency contractor Edward Snowden, it does limit the situations and time period that intelligence agencies may collect bulk data.

The new policy, announced on February 3, 2015 by the Office of the Director of National Intelligence, identifies six situations in which intelligence agencies can collect bulk data: (1) to counter foreign spying, (2) thwart terrorism, (3) prevent nuclear proliferation, (4) safeguard cyberspace, (5) detect threats to U.S. and allied armed forces, and (6) combat transnational criminal threats.  Additionally, the new policy requires intelligence agencies to delete data on foreigners after five years if it is not relevant to any on-going investigation.  Similarly, data on American citizens must be deleted if it lacks foreign intelligence value.

The new data collection rules evolve in part from one of the largest security breaches in recent history when Edward Snowden revealed that the U.S. government was conducting mass surveillance on Americans and foreigners.  In June 2013, Edward Snowden, a former system administrator for the Central Intelligence Agency and a counterintelligence trainer at the Defense Intelligence Agency (DIA), disclosed to several media outlets thousands of classified documents that he acquired while working as an NSA contractor for Dell, and Booz Allen Hamilton inside the NSA center in Hawaii.  Snowden’s leaked documents revealed numerous global surveillance programs, U.S. military capabilities, operations, tactics, techniques and procedures.

For the American people, who are no strangers to personal data breaches after millions of Americans were affected by the Home Depot, Target and other data breaches in 2014, the new policy will end of bulk collection of communications and communications metadata about people who have no connection to terrorism or other crimes.

The new policy also addresses the need for new training, oversight, and compliance requirements for handling personal data, including mandatory training programs to ensure that intelligence officers know and understand their responsibility to protect the personal information of all people.

Privacy advocates have characterized the changes as modest, but a step in the right direction.