Rethinking NSA’s Surveillance Authority: The European Experience

The recent negative attention surrounding current U.S. homeland security intelligence efforts has led to several legislative proposals designed to significantly restrict NSA’s surveillance authority. One such piece of legislation was passed by the United States House of Representatives on May 22, 2014. If approved later this year by the Senate, the bill, known as H.R. 3361, would amend the Foreign Intelligence Surveillance Act (FISA) through the creation of the USA Freedom Act. The new Act would include provisions specifically intended to curb the U.S. government’s bulk collection of telecommunications data, commonly referred to as the NSA Call Database.

The NSA Call Database is designed to electronically capture, store, search, and analyze raw telecommunications data from virtually all cell phone communications coming into or originating from U.S. territory. The program was created and put in place to serve as an early warning system, designed to aid in uncovering terrorists and preventing another catastrophic terrorist attack from taking place in the U.S. It collects and stores bulk phone records, known as metadata, from all customers, foreign and domestic, using the services of various U.S.-based telecommunications companies. The program maintains a record of the phone number that was dialed from, the phone number that was dialed to, the date, and duration of each call. It is this program that has generated the most controversy, and many Americans remain suspicious regarding the necessity of the NSA to capture bulk data relating to general domestic communications of literally millions of American citizens, arguing that a more focused phone records collection effort would have equal effect, while infringing far less on the privacy rights of law-abiding U.S. citizens.

According to proponents of H.R. 3361, the Act would end the dragnet collection of bulk metadata by the NSA and increase transparency and oversight relating to NSA’s surveillance authority. Critics of the bill, however, argue that, due to a series of last-minute changes, the bill does not go far enough and will do little to protect U.S. citizens against the unfettered mass collection of private information. Significant eleventh-hour modifications included the amendment of several definitions relating to what types of records can be targeted, leaving open the possibility of continued mass surveillance. Also deleted was a section of the bill that would have provided for the special FISA court privacy advocate. The removal of these provisions has angered many once-supportive privacy advocacy groups, who are now arguing that the legislation provides no real improvement over the current situation.

In the face of such important legislation, members of the Senate should use caution and diligence when considering whether to pass H.R. 3361 in its current form. It is important that the correct balance be struck between the protection of privacy, transparency, and civil liberties and the ability of our intelligence communities to effectively fulfill their counter-terrorism mission. To this end, and given the success that our European allies have enjoyed in this area, the European perspective on privacy and national security may be worth considering.

It is common knowledge that privacy, both in the free-market and the government domain, is afforded less importance and fewer protections in the United States than in Europe. This is most especially true for the countries of Germany and France. Perhaps the clearest example of this in the public sector is the NSA’s controversial and, until recently, secret database of private call records, which was created for the purposes of identifying potential terrorists. Meta-databases of this nature, while presumably permissible under current U.S. law, would clearly be prohibited under European law. In fact, in most countries in Europe, a program of this nature would have to be expressly authorized by a public law and it would have to be reviewed, in advance, by an independent privacy agency before it could be considered.

In the unlikely event such a program were to be legally sanctioned, the data collected could be held on a relatively short-term basis and mined only for certain statutorily prescribed serious threats and then only where an imminent and specific endangerment could be effectively illustrated. An independent agency would again have enforcement and oversight powers to ensure that the program as a whole was being run in strict accordance with the law. Finally, with relatively few exceptions, individuals subjected to having their personal data collected would have the right to notification and to check on their personal data in order to see that it was being used lawfully. None of these regulations and/or protections are currently present within the U.S. system, which allows for the “secret” collection and mining of large volumes of private phone records by government agencies for homeland security purposes absent a public law permitting such, without the benefit of independent review and oversight, and with no provisions for consumer notification.

The above revelations again make it strikingly clear that privacy, as it relates to government intrusions, is generally protected more in Europe than in the U.S. The German Federal Data Protection Act was originally enacted in 1977, and significantly amended in both 1990 and 2001. The Act covers both private bodies, such as the telecommunications companies themselves, as well as government agencies, like law enforcement and federal intelligence groups. Germany also maintains an independent agency, known as the Federal Data Protection Commission, which is responsible for enforcing federal data protection laws as well as a second oversight commission to deal specifically with telecommunications surveillance engaged in by government entities. This body is known as the “G10 Commission” and is appointed by the parliamentary committee that is directly responsible for overseeing Germany’s various intelligence services, reviewing individual surveillance requests, and establishing administrative rules governing communications surveillance.

The French have a similar, albeit simpler, data protection scheme. The French Law on Data Processing, Data Files and Individual Liberties was enacted in 1978, a year after the German Federal Data Protection Act. Like the German law, it has been significantly amended over the years and regulates data collection and processing procedures within both the private and public sector, including law enforcement and national security agencies. Similar to the German oversight system, the French law also includes an independent agency, known as the Commission Nationale de l’Informatique et des Libertés (CNIL). The CNIL is charged with authorizing data processing operations, promulgating interpretive regulations, inspecting and imposing administrative sanctions, and advising the government on legislative and regulatory measures affecting privacy. Much like its German counterpart, the CNIL has extensive civil and criminal enforcement powers.

In both Germany and France, a secret government call database and data-mining program would clearly be illegal. For starters, government data mining, even for national security purposes, would have to be specifically authorized by a public law that specified the purposes of the personal data processing and provided strict limits on who, what, when, why, and how the data is to be collected, stored, and processed. Next, before such a law could be enacted, an independent government body would have to be consulted and, while the program was in operation, that same government body would have complete oversight, including legal enforcement powers, over the program and its operatives in order to minimize the government’s interference with individual privacy. Also, unlike the American NSA call database program, any such European data collection program would have to be limited and narrow in its focus, with retention limitations ranging from 6 months to 2 years. All of these limitations are absent from the NSA’s American data mining process.

Additionally, under German law, before the government may engage in data mining there must be a showing of “imminent and specific endangerment” or international terrorism, rather than the vague and general threat the NSA database is predicated upon. As such, a German intelligence agency would only be allowed to pass specific telecommunications information on to law enforcement agencies if the individuals involved were themselves suspected of having been responsible for, or about to commit, an act of terrorism. The intelligence agency would be required to demonstrate sufficient and articulable reasons justifying such suspicion. In Europe, individualized suspicion of wrongdoing is always reviewed before communications data may be intercepted, analyzed, or transferred by the government. The one exception to this requirement is in Germany, where specific German foreign intelligence surveillance legislation contemplates both individualized and “strategic” surveillance. German strategic surveillance is similar to the NSA’s data mining program in that large numbers of telephone calls and other types of communications are intercepted, without reasonable suspicion to believe specific pieces of data relate to specific illegal acts, and then, like the NSA database, screened using certain search terms. Unlike the NSA data-mining program, however, this strategic surveillance is only permitted for communications with foreign nations and then only to prevent threats to national security. Domestic phone calls are strictly off-limits.

In summary, privacy relating to personal information, including telecommunications, is considered a fundamental right in most European societies. It is generally protected by the provisions of the ECHR, and by specific legislation relating to the privacy of communications in most EU countries, including Germany and France. In these countries, all personal information is considered deserving of privacy and, if a government wishes to infringe on that privacy, it must do so pursuant to a specific “public” law that contains transparent provisions precise enough to curb arbitrary government action and under very strict oversight by an independent government agency.

The European stance on personal privacy and data collection appears to represent an appropriate balance between security and privacy. By focusing narrowly on target groups and individuals, rather than generally on entire populations, these countries are able to collect the information needed to address national security needs, without overly infringing on the ever-important rights of their citizens. Unfortunately, these sorts of limitations are absent from the NSA’s American data mining process and the scales appear to be unreasonably tipped in favor of security. This creates significant divergence in privacy protections between the U.S. and its European counterparts and has been the subject of heated debate, making it worthwhile to explore the possibility of applying the European legal perspective to U.S. surveillance laws.

While the wholesale transplanting of foreign laws into the American legal system would clearly be misguided, expanding the realm of legal possibilities through comparisons would serve as a useful tool when considering legal reform at home. Exploring how our national, political, and social systems might be improved through the perspectives of other similarly situated societies can provide a range of legal solutions. The U.S. and Europe share a common heritage and privacy is valued by both Europeans and Americans alike. Can it really be true that the U.S. government is less committed to liberty than Europe? If not, then immediate action to reform U.S. privacy laws, particularly those related to the NSA’s Call Database, must be undertaken.

It is also important to point out that the differences between European and American privacy law have several ramifications. Not only have the legal differences strained relations between Europe and the U.S., negatively affecting international cooperation in the fight against terrorism and compromising national security, but perceived government abuses and arbitrary invasions of privacy have severely angered the U.S. public, contributing to a loss of confidence in our American system of government. A few key changes to the FISC, based on the European experience, could greatly aid in fixing these problems, restoring international trust and advancing the cause of information privacy for U.S. citizens.

Further, with the exception of the proposal for establishing an independent privacy agency, the recommendations offered here are fairly modest. Focusing heavily on Germany and France, the recommendations draw on the European experience, while still recognizing the unique characteristics of our United States of America. These include (1) recognizing that privacy is a fundamental human right and requiring that any government infringements on privacy be specifically authorized by public law; (2) requiring that any laws passed limiting privacy be accessible to the public and contain specific provisions designed to limit privacy intrusions and government discretion; and (3) requiring the appointment of an independent government privacy agency to provide day-to-day oversight over governmental data collection programs.

Even the creation of an independent privacy agency is consistent with current trends in American law. Not only has a case been made for inclusions of this nature in historical legal debate relating to previous privacy legislation, but a number of special-purpose privacy oversight groups have also already been created by Congress to address post-9/11 civil liberty concerns. These include the Chief Privacy Office in the Department of Homeland Security, the Privacy and Civil Liberties Board in the Executive Office of the President, and the Civil Liberties Protection Office of the National Intelligence Director. Still, a single, independent privacy agency, such as those contained within the German and French legal systems, would better serve the civil liberty and privacy concerns of our nation. Such an agency would have powers spanning the whole of the federal government, while independent from the various government agencies it is entrusted to regulate. It would have full civil and criminal enforcement capabilities and the necessary capacity to ensure legal compliance and prevent government abuses relating to privacy.

In summary, amending the Foreign Intelligence Surveillance Act using the aforementioned European principles has the potential to increase the transparency in U.S. intelligence agency activities, enhance the public debate on the privacy costs of such government programs, place responsible limits on the government’s use of personal data and infringement of privacy, and improve internal government oversight and enforcement. The European experience not only sheds light on what has worked well for our friends and allies, it has a great deal of applicability and value when contemplating reforms needed to restore a balance between American national security and privacy priorities.
