Yale Symposium: Unpacking NSA's Global Problem

On Sunday, the Yale Information Society Project held an excellent symposium on the international policy implications of “Big Data.” I took part in the event (see livestream here), which touched on many topics of interest, including (unsurprisingly enough) the adverse reaction to the Snowden revelations.  One symposium participant, UC Davis’s Anupam Chander, explained that in some countries, widespread anger at the NSA has accelerated a turn towards data localization---whereby states mandate the storage of data within their own borders. But, as Chander also pointed out, the trend offers little in the way of increased privacy protections and actually stands to impair consumers’ access to information. Something similar might be said of the broader European policy response to controversial NSA programs. At Yale, Hogan Lovells’ Chris Wolf and NYU’s Joris van Hoboken cited March’s approval, by the European Parliament (EP), of a comprehensive resolution on surveillance policy. The resolution was based on a report submitted by the EP’s Committee on Civil Liberties, which had called for “immediate suspension” of the voluntary Safe Harbor privacy standards that govern non-EU firms’ transfer of EU citizens’ personal data to the US.  During the event, the Electronic Frontier Foundation’s April Glaser applauded the EP’s stance.  However, Wolf was more skeptical.  In a demonstration of the law of unintended consequences, suspension of the Safe Harbor standards might actually harm privacy, by diminishing the Federal Trade Commission’s authority over the privacy practices of US companies doing business with the EU. The EP report also sought to pause the Terrorist Finance Tracking Program (TFTP or “Swift”), a valuable aid in tracing the tangled web of terrorists’ financial dealings. The EP Resolution reinforces Article 43a of the proposed EU Data Protection Regulation (the so-called "anti-FISA clause").  Article 43a bars firms from sharing EU citizens’ personal data pursuant to a court order (such as a FISC order) absent a mutual legal assistance treaty (MLAT) or other international agreement. MLATs require an array of official clearances prior to releasing data; a company that sought such clearances likely would be unable to comply with time limits imposed by the FISC. This provision had earlier been removed because of arguments that it would whipsaw companies between US law and EU privacy rules; but the Snowden disclosures have given Article 43a a new lease on life.  There’s some irony here, too---for as I’ve suggested in a recent paper on human rights and surveillance and Symposium participant Chris Wolf observed in a white paper, US surveillance rules, including President Obama’s recent guidance, differ from the EU’s regime more in emphasis than in substance.  (Update: The European Court of Justice’s April 8 decision in Digital Rights Ireland striking down EU metadata retention rules on proportionality grounds raises the stakes even further in this debate.) Absent provisions that temper Article 43a’s impact, the provision could drastically curtail joint US-EU counterterrorism efforts.  Like data localization, Article 43a would undermine UN Security Council Resolution 1373’s mandate for global cooperation.  As noted on Sunday by Arnold & Porter’s Ron Lee, a former NSA General Counsel, “This is a fine mess.”  If Sunday’s discussion is any guide, policymakers will have to be creative on both sides of the Atlantic---and fashion solutions that at once vindicate European privacy concerns and maintain effective counterterrorism programs.