A US federal appeals court has ruled that the National Security Agency’s (‘NSA’) bulk collection of certain phone call metadata is unlawful. Metadata is the “transaction information” of a call and generally concerns information such as the originating and terminating number and the duration of the call. The decision handed down in American Civil Liberties Union v. Clapper may now lay the framework for a change in how the US government balances the data privacy rights of its citizens against the gathering of information on potential terrorist threats. The case is the most recent instalment in global litigation concerning the bulk collection of information gathered by modern technology. This post considers this case and how it compares to similar litigation in Europe.

Patriot Act

The US government had maintained that its collection of metadata was permitted by section 215 of the ‘Patriot Act’. Section 215 allows for the collection of metadata of phone calls where such data was deemed “relevant” to an authorised investigation. However, the Second Circuit Court of Appeals in New York dismissed the government’s argument that it was necessary to collect data on such a scale to prevent terrorism. The Court held that such extensive collection of metadata was ‘unprecedented and unwarranted’.

Scale of surveillance

The Court carefully analysed the proportionality of the data collection. It noted that “the more metadata the government collects and analyzes, … the greater the capacity for such metadata to reveal ever more private and previously unascertainable information about individuals.” Judge Gerard E. Lynch, writing the unanimous opinion of the Court, also wrote that“it is virtually impossible for an ordinary citizen to avoid creating metadata about himself on a regular basis simply by conducting his ordinary affairs.”These views broadly reflect the decision of Europe’s highest court, the CJEU, when it declared the EU Data Retention Directive invalid last year.

All eyes on Congress

Section 215 expired on 1 June 2015 after the US Senate failed to vote for its renewal. The US Congress is currently deadlocked as to whether this controversial section of the Patriot Act will be resurrected in some other guise in the future.

In this case, the Court decided not to find section 215 to be unconstitutional. Instead, the Court found that the surveillance program that was purportedly based on Section 215 went beyond what was authorised by that provision. In other words, the question as to whether programs of this sort are constitutional was left for another day. This sends the matter back to the District Court, where the Second Circuit Court directed that ‘further proceedings consistent with this opinion’ should take place.

It is worth comparing this US decision to the CJEU’s ruling on similar facts in Digital Rights Ireland. In both cases the respective courts expressed disquiet with the manner in which modern technology allows for the large scale collection of communications records. However, the outcome in both cases was somewhat different.

In the EU case, the Court found that the arrangements violated fundamental rights and concluded that the underlying legislation (the Data Retention Directive) was invalid. In contrast, the US case left the underlying provision, Section 215 (which was due to expire in any event), untouched but concluded that the government’s action went beyond what was authorised by that statutory provision. Expect further litigation in this space.