An International Path Forward on National Security Access to Personal Data
Published by The Lawfare Institute
in Cooperation With
Editor’s Note: An expanded version of this article, titled “Government Access to Personal Data and Transnational Interoperability: An Accountability Perspective,” is now available in the Oslo Law Journal.
For four decades, European courts have elaborated how governments must respect individual rights when their national security agencies obtain personal data for national security purposes. Jurisprudence from the European Court of Human Rights in Strasbourg developed first and continues to be influential. Over the past decade, the Court of Justice of the European Union (CJEU) in Luxembourg has added its voice, in part through the Schrems I and II judgments, which invalidated the adequacy decisions based on the Safe Harbor Framework and then the Privacy Shield—the successive legal frameworks for regulating transatlantic exchanges of personal data for commercial purposes.
In 2023, the United States and the European Union concluded the Data Privacy Framework (DPF), successor to the Privacy Shield, for which the European Commission has likewise issued an adequacy decision. Washington, for its part, put in place a bolstered set of safeguards for national security data collection, outlined in Executive Order 14086. These safeguards also included the implementation of new intelligence community procedures on data handling and oversight, and an attorney general regulation establishing a Data Protection Review Court (DPRC), which created new and more robust institutional protections. One legal challenge has already been filed before the CJEU, and another is likely, raising the question whether the new DPF satisfies the standards for “necessity and proportionality” of data collection and for independent oversight and redress laid down in the EU’s Charter of Fundamental Rights (EU Charter).
While the CJEU’s assessment of the DPF is unlikely to be issued in 2024, the agreement can have another, shorter-term benefit: It can serve as an important precedent for the international community of an accountable system that may well satisfy EU standards.
Accountability Is a Rosetta Stone Between the Intelligence and Data Protection Communities
In essence, the U.S. reforms strengthen accountability within its intelligence community for the data on individuals that they obtain from electronic service providers. Accountability goes beyond compliance and enforcement—it represents a proactive and demonstrable commitment by the leaders and members of an organization to respect the legal framework. Accountability is also one of the fundamental innovations of modern data protection law, playing a role in legal instruments developed by the Asia-Pacific Economic Cooperation (APEC Cross-Border Privacy Rules), Council of Europe (Convention 108+), and Organization for Economic Cooperation and Development (OECD) (Privacy Guidelines). In the European Union, CJEU President Koen Lenaerts has described accountability as the “central theme” of the General Data Protection Regulation, the EU’s law controlling how personal data is to be handled. Because accountability already is so familiar worldwide, it offers great promise for facilitating greater interoperability among democratic states.
However, much less attention has been paid to how accountability also may serve as a means of reconciling privacy and security imperatives. In fact, it is a “Rosetta Stone” for mutual comprehension between these two communities.
Accountability is not only a data privacy principle applied in the commercial sector across the globe. It is equally familiar to national security privacy officers and offers practical guidelines for mapping data holdings, assessing risks, auditing outcomes, conducting oversight, and providing transparency. Accountability tools include privacy by design, record keeping, security measures, and privacy impact assessments. In practice, the use of these tools leads to compliance with data privacy principles, for example, by strictly defining the purposes for which national security agencies may collect and use data, and minimizing how much personal data may be retained and for how long.
The CJEU, through its Schrems I and II judgments, has already provided significant pointers on how the principle of accountability can help reconcile the twin realities of vast international commercial data transfers and national security agencies’ selective access to those transmissions. Since individuals are almost never informed that their personal data has been acquired by intelligence agencies, independent supervisory authorities must instead exercise vigilance on their behalf. Governments can promote the public’s general awareness of the general legal framework for surveillance by publishing laws and regulations, even as specific intelligence operations must remain confidential.
The EU-U.S. Data Privacy Framework Is Accountability in Action
The United States, through the DPF, is now implementing a sophisticated system designed to demonstrate to the European Union how it is applying accountability measures in its national security data practices. Executive Order 14086, for example, and its implementing regulation and procedures, document the legal basis for compromising individuals’ privacy. These instruments ensure necessity and proportionality by requiring targeted collection of personal data transferred to the United States and by prioritizing targeted collection of data outside the United States. They specify that bulk data may be collected only where targeted collection is an insufficient means to achieve a validated intelligence objective, and only to the extent and in a manner that is proportionate to that objective.
The United States also has erected an elaborate system for overseeing its electronic collection activities. It begins with data privacy officers within each intelligence agency, whose decisions are reviewed by the civil liberties and privacy officer at the Office of the Director for National Intelligence. The Privacy and Civil Liberties Oversight Board, an independent federal agency, also plays a role in reviewing intelligence agency compliance with the new requirements of the executive order. Collectively, these protections make a detailed case that the United States has satisfied the CJEU standard for independent supervision of intelligence agencies.
The DPF also addresses the requirement of an effective remedy before a tribunal set down in the EU Charter. Independence of the tribunal is the key criterion, meaning, at a minimum, that it enjoys legally guaranteed independence from the executive and has the power to adopt decisions binding the intelligence services. The DPRC is an administrative tribunal, part of the U.S. Department of Justice, but the executive order guarantees the independence of its newly appointed judges.
There is a strong case to be made that this novel administrative construct meets the exacting standard of the CJEU jurisprudence. Indeed, these provisions of the DPF represent a real opportunity for the CJEU to give effect to the concept of “essential”—as opposed to absolute—equivalence between foreign and EU data protection rules, the standard of comparison articulated by the CJEU in Schrems I.
Accountability as a Way Forward
In the decade since Edward Snowden’s disclosures brought global attention to the dragnet of U.S. national security data collection, there have been repeated calls for a legally binding multilateral treaty addressing government access, by data protection authorities and the Council of Europe, among others. The response from governments has been silence. It is difficult at the moment to discern any political will for such an exercise.
Less ambitious initiatives have emerged, however. Most notably, in 2022 the OECD’s 38 governments announced agreement on a Declaration on Government Access to Personal Data Held by Private Sector Entities. The declaration, reached with the participation of officials from both the data protection and intelligence communities, sets forth a set of principles similar to those developed separately by data protection authorities worldwide and in the EU. They mirror the key components of the EU-U.S. Data Privacy Framework: a legal basis for data collection, a legislative framework applying to government access, necessity and proportionality standards, and independent oversight and redress.
The OECD declaration is a “soft law” instrument rather than a binding set of international obligations. It describes the kinds of safeguards that OECD governments already apply to their government access practices, without rising to the prescriptive level of an international convention. The OECD is considering further work on government access, spurred by a new mandate to take forward the G7 Data Free Flow with Trust initiative.
Existing accountability mechanisms for commercial flows of personal data offer an instructive precedent for placing bounds on government access to such data. For example, the multilateral APEC Cross-Border Privacy Rules establish a system under which companies transferring data internationally agree to guarantee that they are meeting data protection standards established by APEC governments and independent audits ensure compliance.
A counterpart accountability mechanism for government access to personal data could emerge from a variety of sources—an ad hoc group of experts or stakeholders or a working group of an international organization. Since the ingredients are, at this point, already established in soft law instruments like the OECD declaration, it would not be especially difficult for such a grouping to elaborate an international code of conduct.
To take advantage of such a code, a state would have to have in place, or adopt, a legal framework implementing the agreed principles and accountability-based procedures and safeguards, and to officially state its adherence to these principles. The credibility of the national legal framework would depend, of course, on creating an external, independent means of checking adherence. In this fashion, voluntary commitments to an international code could be grounded on binding provisions under national law. The U.S. implementation of the DPF shows how such an accountability-based system can work.
The groundwork for such an operational initiative now exists. A voluntary but binding international code of conduct based on the accountability of state actors is the approach most readily achievable in the short term. The United States and the European Union—on the strength of their painful iterative struggles to reconcile data protection and government access—are well positioned to play leading roles in this effort. It’s time for them to move beyond a bilateral rapprochement and to show the way globally.