Nearly two years ago, Edward Snowden, a contractor working with the U.S. National Security Agency (“NSA”), revealed startling details of widespread surveillance practices by the U.S. government into telephone and Internet communications of U.S. and foreign citizens. The ensuing debate regarding the competing interests in national security and data privacy continues today, as these practices come under increased pressure in anticipation of two important developments coming in June 2015.
On June 1, 2015, Section 215 of the U.S. PATRIOT Act (50 U.S.C. § 1861) (“Section 215”) is set to expire. Section 215 is the authority that allows the NSA, with assistance from the Federal Bureau of Investigation (“FBI”), to collect “metadata” of every phone call that originated or terminated in the United States. Some of the first documents revealed by Edward Snowden were orders by the U.S. Foreign Intelligence Surveillance Court (“FISC”) (the court that entertains applications submitted by the U.S. government for electronic surveillance for foreign intelligence purposes) requiring Verizon, Sprint and AT&T to hand over such metadata. The FBI obtained these orders for the benefit of the NSA.
Previous attempts to reform the bulk collection of telephone metadata, most notably the USA FREEDOM Act originally proposed in October 2013, have been unsuccessful. On March 23, 2015, the National Security Council of the White House confirmed that such collection will end on June 1, 2015, unless Congress takes action.
In response, a coalition of privacy advocates, human rights organizations, and technology companies issued an open letter dated March 25, 2015, calling on the government for meaningful reform of surveillance laws. The letter, signed by the American Civil Liberties Union, the Electronic Frontier Foundation, and the Wikimedia Foundation, among others, requests “a clear, strong, and effective end to bulk collection practices under the USA PATRIOT Act” as well as “an appropriate declassification regime for Foreign Intelligence Surveillance Court decisions.”
On March 27, 2015, the President issued a statement supporting reform and specifically proposing the following changes:
- The government should not collect or hold telephony metadata in bulk.
- The data should remain at the telephone companies for the length of time it does today.
- The government would obtain the data pursuant to individual orders from the FISC approving the use of specific numbers for such queries, if a judge agrees, based on national security concerns.
While the President pushes for this reform, he also directed the Department of Justice to seek a 90-day reauthorization of the existing Section 215 program, “given the importance of maintaining this capability.”
In the meantime, on June 24, 2015, the Court of Justice of the European Union (“CJEU”), the EU’s highest court, is expected to render an opinion in a case that questions the effectiveness of the Safe Harbor Framework.
The Safe Harbor Framework is a key exception to the EU’s Data Protection Directive, which prohibits any transfer of personal data to countries outside the EU that do not meet the EU’s “adequacy” standard for privacy protection. As an exception for U.S. companies operating in the EU, the Safe Harbor Framework allows U.S. organizations to self-certify their compliance with the adequacy provision when they transfer EU personal data back to the U.S.
The case in the CJEU was referred to it by the Irish High Court against the backdrop of Snowden’s revelation of the PRISM Program, which allows the NSA and other U.S. intelligence agencies access to user data held by some of the largest Internet companies in the U.S. It has been argued that such access means there can be no real compliance with the Safe Harbor Framework by these U.S. companies.
In a CJEU hearing for this case on March 24, 2015, an attorney for the European Commission reportedly acknowledged that the Commission cannot guarantee “adequate” protection of EU citizens’ data at the moment and suggested that if the judge hearing the case is concerned with the surveillance activities, he should close his Facebook account.
If it is ultimately found that the PRISM Program bars U.S. companies from self-certifying their compliance under the Safe Harbor Framework, it may become more difficult for U.S. companies to retrieve data from the EU, and they may have to make additional investments in secure data centers and data processing capability in Europe.