Redress for NSA Surveillance: The Devil Is in the Details

For years, European officials have been asking for the United States to make available to citizens of the European Union some form of redress for privacy harms. To address this concern, one idea has been to amend the Privacy Act to allow foreign citizens the right to challenge how the US government handles their data. Officials in the US and Europe share an interest in pretending this proposal would do something for EU citizens who fear surveillance by the NSA. We should drop the pretense: the Privacy Act does nothing to provide meaningful redress for NSA targets.

The devil is in the details. In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union (CJEU) ruled that US law allows the NSA to access the personal data of EU citizens without sufficient privacy safeguards. The CJEU expressed two concerns – (1) that US law does not provide specific enough criteria for collection, thus allowing “generalised” surveillance, and (2) that US law does not provide meaningful redress for EU citizens whose data is collected by the NSA. In a previous post, I explained how the law could be reformed to respond to the first concern, by focusing on specific security threats.

What about the CJEU’s second concern? The court said that the “fundamental right to effective judicial protection” requires that a person have “legal remedies in order to have access to personal data relating to him,” and the ability “to obtain the rectification or erasure of such data . . . .” ¶ 95.

US officials will be tempted to argue that this concern could be addressed with a simple fix to the Privacy Act. The Privacy Act provides access and correction rights for data held by government agencies, but the law applies only to US persons –American citizens and permanent residents. Successive US administrations have struggled with how respond to longstanding European concerns about this aspect of the Privacy Act.

During the Bush years, the chief privacy officer for the Department of Homeland Security was my old friend and colleague Hugo Teufel. In German, “Teufel” means “devil.” Germans may have been alarmed when DHS put the devil in charge of privacy – but in 2007, this devil put in place a privacy-friendly departmental policy that remains in effect. Teufel’s policy extended Privacy Act rights to non-US persons whose information was in “mixed” DHS systems – systems with both US and non-US person data.

More recently, the President’s Review Group – established by President Obama in the wake of the Snowden revelations – recommended in its report in 2013 that Congress amend the Privacy Act to provide rights for foreign citizens. In response, the administration has worked with Congress to develop the “Judicial Redress Act,” H.R. 1428. The bill would provide limited Privacy Act rights to citizens of countries designated by the Attorney General, with the concurrence of the secretaries of State, Treasury, and Homeland Security.

The Judicial Redress Act has the strong support of technology companies who are concerned about restoring trust in the global market. Privacy groups such as the Center for Democracy and Technology have welcomed the bill as a limited first step, while observing with some dismay that it provides more limited rights to foreign citizens than to Americans. The Electronic Privacy Information Center has urged broader reforms. In September, the House Judiciary Committee approved H.R. 1428 by voice vote, so prospects for passage seem good.

The problem is that Europeans are likely to notice that the Privacy Act provides no meaningful redress to targets of NSA surveillance. Agencies can exempt themselves from the Privacy Act’s access and redress provisions on grounds of national security. 5 U.S.C. § 552a(k). The NSA has taken full advantage of this section. 32 C.F.R. § 322.7(a). Nor would the broader reforms to the Privacy Act that are advocated by privacy groups do anything to change this. Indeed, in its letter on the Judicial Redress Act, EPIC relies on these exemptions to explain why extending broader Privacy Act rights to non-US citizens would not compromise national security.

It is hard to see how it could be otherwise. The exemptions are there for a reason. To state the obvious, if the NSA obtains data belonging to a terrorist who is in Paris and may be planning an attack, it should not have to provide the target with access to his files and the ability to correct them. The Bill of Rights is not a suicide pact (hat tip: Justice Robert Jackson), and neither is the Privacy Act.

Yes, the targets of NSA surveillance go well beyond terrorists. There is considerable room for debate about how broad or narrow the criteria for surveillance should be. Still, it makes no sense, if the US and the EU ever manage to agree that a given set of criteria is legitimate, to undermine that decision by granting targets of legitimate surveillance activities access to their files.

Pretending that providing Privacy Act rights to EU citizens responds to European concerns about redress for targets of PRISM and other intelligence programs is not going to fool anyone. It will take more fundamental – and much more difficult – changes to surveillance law to address the EU’s concerns about redress. Whether this is possible will be the subject of my next post.