Focusing PRISM: An Answer to European Privacy Concerns?

In my last post, I argued that surveillance reform is the only way to ensure continued data flows between the US and the European Union. In this post, I will begin to explore whether there is a practical way to amend US surveillance law that might satisfy the concerns expressed by the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner.

I believe there is, but the US intelligence community will have to focus PRISM, the program at issue in Schrems, on specific security threats, which means it will have to sacrifice using it for general foreign intelligence collection.

Dystopian visions of a great firewall blocking European data from the US have not yet been realized. Nevertheless, companies are facing substantial legal uncertainty. The only certain result of the CJEU’s decision is a need for smart lawyers who are experts in privacy law. (Silicon Valley: I’m easy to find. Don’t be a stranger!) In the long run, however, trying to get around the CJEU decision through clever lawyering is not the right answer for either the United States or the European Union.

The CJEU’s main problem with US surveillance law, as it was described to it by the European Commission, was that it allowed “the public authorities to have access on a generalised basis to the content of electronic communications . . . .” The court says this “must be regarded as compromising the essence of the fundamental right to respect for private life.” ¶ 94.

This characterization of section 702 of FISA is sloppy at best. Peter Swire – a member of President Obama’s independent review group, established after the Snowden revelations to review NSA programs – objects strongly to the idea that section 702 can be seen as “mass surveillance.” As Swire points out, section 702 requires that NSA identify specific targets through the use of strong selectors, such as a telephone number or e-mail address.

The European Commission also refused to take account of reforms implemented since 2013. Cameron Kerry, former general counsel of the US Department of Commerce, notes the robust oversight mechanisms that apply to the US intelligence community. All these points are valid, and go a long way towards satisfying the CJEU’s concerns about proportionality and “appropriate and verifiable safeguards.” ¶¶ 34, 90.

Still, I do not believe that section 702, even understood correctly, satisfies the standards for privacy and data protection the CJEU lays out in Schrems. True, section 702 does not authorize bulk collection. It requires targets. However, the law allows the NSA to select targets who are non-U.S. persons located outside the United States on the basis of very broad criteria.

Section 702 permits the NSA to obtain “foreign intelligence information.” The definition of “foreign intelligence” in FISA encompasses information not only about international terrorism, espionage, and other specific threats, but also about broader US national defense and foreign affairs concerns. See FISA § 101(e), 50 U.S.C. § 1801(e).

The CJEU decision requires an “objective criterion” that limits surveillance to “purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail . . . .” ¶ 93. A broad authorization to obtain “foreign intelligence information,” like the one contained in section 702 of FISA, does not meet this standard.

Again, the effect of the CJEU’s decision – protecting data by keeping it away from the United States – is not without considerable irony. The standard that the intelligence community uses to obtain data inside the United States under FISA is actually narrower than the standard it uses for foreign data, provided in Executive Order 12,333. E.O. 12,333’s definition of “foreign intelligence,” if read literally, is almost boundless. It includes information about the “capabilities, intentions, or activities” of foreign governments, organizations, terrorists – and even ordinary “foreign persons.” See id. at § 3.5(e). If Max Schrems succeeds in keeping his data outside the US, it may or may not be more difficult for the NSA to obtain it as a practical matter. That will depend on the NSA’s ability to access it, which in turn depends on its partnerships and its operational effectiveness. It will be far easier to do so as a legal matter. Perhaps Schrems doesn’t mind very much – after all, he has said he is “not a big privacy person.”

Getting back to the CJEU decision. . . How would a reformed section 702 satisfy the ECJ’s standard for an “objective criterion” for surveillance? One way would be to start with the six criteria for bulk collection of signals intelligence contained in Presidential Policy Directive 28 (PPD-28). They are espionage, terrorism, proliferation of weapons of mass destruction, cybersecurity threats, threats to US or allied military forces, and transnational crime. See id. at § 2.

These are all certainly “legitimate objectives,” ¶ 88, that are “based on considerations of national security or the prevention of crime . . . .” ¶ 34. They should satisfy the CJEU. Adopting these criteria to narrow section 702 would require that both sides give something up. Privacy advocates would have to accept an agreement for data transfer that would continue to allow the NSA to access European data, under a narrow set of criteria. The US intelligence community would sacrifice its ability to use FISA section 702 for foreign affairs surveillance.

The CJEU also expresses concerns about the lack of meaningful redress for Europeans under US law. In my next post, I will explore whether there are practical ways to address this concern.