The US should reform its surveillance legislation as a matter of urgency if the EU and US are to reach an agreement on transatlantic data-sharing, according to a study for an influential European parliamentary committee.
A study commissioned by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) warns that without substantive changes to US surveillance practices, it will not be possible for the EU and the US to reach an agreement.
The study, written by data protection and security specialist Ian Brown and Douwe Korff, emeritus professor of international law, calls for the US to limit its bulk collection of phone and internet data, set stronger standards to justify surveillance targets, and provide EU citizens with effective legal redress in the US.
The reforms are part of a package of recommendations designed to pave the way for the EU and the US to replace the Privacy Shield data-sharing agreement, which was struck down by the European Court of Justice in 2020, with an agreement that safeguards the privacy of EU citizens.
The European court found two fundamental flaws in US laws that govern the surveillance of non-US citizens. First, US surveillance law did not meet European requirements that intrusions on privacy are necessary and proportionate. Second, it found that EU citizens have no effective right of redress before an independent body if their privacy rights are breached.
Brown, visiting CyberBRICS professor at FGV Law School in Brazil, said: “Those two things need to be reformed in US law before any kind of successor to the Privacy Shield has a chance of standing up to a further court case in Europe.”
Section 702 of the Foreign Intelligence Surveillance Act (FISA), along with Executive Order 12333, allows US intelligence agencies to collect data from internet service providers and cloud computing providers relating to non-US citizens.
Although former US president Barack Obama placed limits on how bulk intelligence can be used with Presidential Policy Directive 28 (PPD 28) in 2014, the European court has not accepted that it ensures that US surveillance is necessary and proportionate.
Impact of surveillance on EU citizens
Because such operations are highly classified, EU citizens who are subject to US surveillance cannot know whether their communications have been intercepted.
But EU citizens could be impacted in practical ways, said Brown. For example, they might find it difficult to obtain an ESTA visa waiver or may be stopped at the US border.
“You could imagine that European businesses, particularly if they are competing for large contracts with US companies, might wonder sometimes if information about their bids has been shared with US competitors – there have been allegations of that over the years,” he said.
Last month, there was an outcry in Germany when it emerged that Denmark’s secret service had helped the US National Security Agency to spy on German politicians, including chancellor Angela Merkel.
Brown said: “I take it for granted that whenever I talk to members of the European Parliament or their staff or officials, and the European Commission, that unless their communications are well protected by encryption, they would come under this kind of targeting.”
The practice in the US of using secret opinions to interpret surveillance laws is particularly problematic for EU law, which requires surveillance laws to be published, legally binding, clear and “foreseeable” in the way that they are used, according to the LIBE report.
US surveillance law, and the FISA law in particular, does not require surveillance measures to serve a “legitimate purpose” in a democratic society because it allows espionage for political and economic purposes.
“They do not in themselves define the scope and application of the relevant surveillance measures – but rather, leave many matters to executive discretion,” says the report. “Nor do they require that any specific measures imposed in a specific context be ‘necessary’ and ‘proportionate’.
“In sum, secret or excessively vague rules, or rules that grant unfettered discretion, do not constitute ‘law’ in the European human rights sense.”
US authorities consistently argue that the “mere” collection and retaining of personal data does not interfere with privacy as long as no official has looked at it, even though the data might be subject to automatic filtering, says the study.
There are no serious safeguards to ensure that sharing of data between the US and intelligence agencies in different countries does not undermine privacy protections granted under EU law, it says.
“It is clear US surveillance laws manifestly fail to meet the standards adduced in the case-law of the European Court of Human Rights and the Court of Justice of the EU,” the report says.
The study argues that the US should be urged to reform its surveillance legislation urgently by introducing a raft of measures, including increasing transparency about surveillance measures and granting EU citizens the right to seek judicial review from the Foreign Intelligence Surveillance Court (FISC).
It cites the US Open Technology Institute, which has recommended that the US government limits the collection of bulk communications and adopts binding rules ensuring that bulk surveillance is necessary and proportionate.
Its report, co-authored by Sharon Bradford Franklin, former executive director of the Privacy and Civil Liberties Oversight Board (PCLOB), also calls for stronger standards to be set to justify surveillance targets and independent reviews of the necessity and proportionality of targeting decisions.
The American Civil Liberties Union has gone further, calling for the banning of bulk collection under EO 12333 and for surveillance targets to be notified once investigations are complete.
Right for EU citizens to appeal to FISA court
Under the LIBE proposals, Europeans would be able to complain to US government departments and have their complaints investigated without the need to pay for US lawyers.
If they are unhappy with the outcome, they could go on to complain to the Foreign Intelligence Surveillance Court and have the decision appealed by an independent body.
“The Foreign Intelligence Surveillance Court would need to be able to issue binding judgments, which could stop the agencies doing something which they had done and to change what they’re doing with surveillance materials,” said Brown.
“It could not be clearer that people should get a remedy before an impartial tribunal if their rights are breached, and that’s not currently the case.”
The EU and the European Parliament should demand that EU member states and other countries bring their intelligence practices into line with human rights laws, the report argues.
The starting point should be the development of “mini-lateral” treaties between the 30 EU/EEA states and the “Five Eyes” countries – the USA, the UK, Australia, Canada and New Zealand.
These countries should agree not to spy on each other’s citizens without notification and the agreement of the citizens’ home state.
“The idea of this treaty would be for those countries to initially agree standards that would meet their own national requirements,” said Brown. “It would not be easy, but if they could do that, it would very significantly reduce the difficulty of allowing Privacy Shield agreements to work in future.”
Other recommendations include setting up an enhanced self-certification scheme for US corporations to comply with the EU’s General Data Protection Regulation (GDPR), backed with stronger enforcement powers.
The study proposes that the US Federal Trade Commission is given powers to police the scheme, which would have to meet all “substantive requirements” of GDPR.
EU should allow class actions over data breaches
The EU should offer the US and other countries the ability to take part in class action litigation when their rights are violated under GDPR, the study says.
This would overcome concerns that EU data subjects’ interests are not often effectively enforced by data protection regulators, and that the costs of court actions can be prohibitive.
“The US class action system in this regard does work better, so this might be a way to make it easier for Europeans in Europe, as well as potentially Americans, to get better enforcement of their rights,” said Brown.
If these recommendations are implemented, EU-US data transfers could be reintroduced without the risk that a new adequacy decision would be invalidated by the European court.
“We don’t think this is a lost cause,” said Brown. “We can have an agreement with the US on this, if the US can make reasonable reforms. They are significant reforms. We are not saying they are straightforward, or will not face potentially significant opposition in Congress. But we do think it is possible.”
Until that time, transfers of personal data from the EU to the US will require safeguards, including standard contractual clauses (SCCs) and binding corporate rules.
They will need to be accompanied by supplementary measures, such as strong encryption to prevent data being accessed by the US intelligence agencies.
Audits, logs and reporting mechanisms could be used to protect non-sensitive data that is not of interest to the intelligence services.
But the study warns that effective supplementary measures have yet to be identified that could protect sensitive data, such as communications data, financial data and travel data, sent to the US in non-encrypted form.
“The issues therefore need to be addressed urgently,” says the study.