Friday, July 3, 2015

The feasibility of transatlantic privacy-protective standards for surveillance


Ian Brown*
* Associate Director, Oxford University Cyber Security Centre; Professor of Information Security and Privacy, Oxford Internet Institute.


This article analyses the feasibility of the adoption of specific, international human rights law-compliant, transatlantic standards on foreign surveillance, in the context of Edward Snowden’s revelations of large-scale surveillance programmes operated by the US National Security Agency (NSA) and selected European intelligence services. The article describes examples of current good State practice, and options for setting standards for transatlantic data sharing, control of state interception and data monitoring capabilities, and oversight of intelligence agencies. It identifies relevant principles developed by civil society and industry groups that are leading political campaigns for reform, and the conditions under which these efforts are likely to succeed. It concludes by discussing the key intergovernmental forums where these standards could be considered.



While the Guardian, Washington Post and Der Spiegel continue to publish new information from the documents leaked by former NSA contractor Edward Snowden, the key facts revealed to date are as follows.
The US and UK’s signals intelligence agencies, National Security Agency (NSA) and Government Communications Headquarters (GCHQ), have gained access to very large volumes of Internet communications and data, for extremely broad ‘foreign intelligence’ purposes. A declassified 2011 US court order shows that NSA was already accessing more than 250 million ‘Internet communications’ each year.1 GCHQ is recording 3 days of international Internet traffic transiting the UK and 30 days of ‘metadata’ about these communications,2 and has gained access to ‘the majority’ of European Internet and telephone communications.3 NSA and GCHQ ‘collection’ of data is via intercepts of Internet traffic flowing through international fibre optic cables operated by telecommunications companies, and through automated searches carried out by Internet companies such as Microsoft, Apple, Google and Facebook on their internal systems, as well as the provision of complete records of all US telephone calls by AT&T, Verizon and others. NSA Director Keith Alexander asked his staff in 2008: ‘Why can’t we collect all the signals all the time?’—and they have set out to implement this vision.4
US and UK law compels this cooperation by telecommunications and Internet companies (including ‘cloud computing’ providers, which increasingly supply the infrastructure for Internet services).5 Other European governments cooperate with the USA–UK–Canada–Australia–New Zealand ‘Five Eyes’ intelligence alliance, notably an additional four countries in a ‘9-Eyes’ group (France, The Netherlands, Norway and Denmark) and a further five (Germany, Sweden, Spain, Belgium and Italy) in a ‘14-Eyes’ configuration.6
NSA has further bugged EU offices and computer networks in Washington DC and New York, and gained access to UN internal videoconferencing systems. It has interception equipment and staff (jointly with the CIA) at 80 US embassies.7
NSA has compromised at least 85,000 ‘strategically chosen’ machines in computer networks around the world; each device ‘in some cases … opens the door to hundreds or thousands of others.’ A new automated system is capable of managing ‘potentially millions’ of compromised machines for intelligence gathering and ‘active attack’. NSA conducted 231 ‘offensive operations’ in 2011, which represents ‘an evolution in policy, which in the past sought to preserve an international norm against acts of aggression in cyberspace, in part because U.S. economic and military power depend so heavily on computers’.8 NSA is spending $250 million each year to sabotage security standards and systems so that it can maintain access to encrypted data. GCHQ has developed methods to access encrypted data communications to Hotmail, Google, Facebook and Yahoo!9
US Non-Governmental Organisations (Electronic Frontier Foundation, Electronic Privacy Information Center, and American Civil Liberties Union) have filed lawsuits questioning the constitutionality of these provisions,10 whereas European Non-Governmental Organisations (such as Privacy International) have begun actions regarding their compatibility with the European Convention on Human Rights.11 But to date, the US government in particular has relied upon ‘a confusing and soft admixture of International Humanitarian Law, jus ad bellum, and International Human Rights Law to frame operations that do not, ultimately, seem bound by international law—at least not by any conception of international law recognizable to international lawyers’.12


The US and European states are all parties to the UN’s International Covenant on Civil and Political Rights (ICCPR), which protects privacy and correspondence under Article 17, whereas the regional European Convention on Human Rights (ECHR) Article 8 has been interpreted in a robust way by the European Court of Human Rights to restrict governmental surveillance. The European Union’s Data Protection Directive (95/46/EC) and Charter of Fundamental Rights both apply additional strong privacy protections—although not in the area of national security, which is a competence reserved to the Member States.13
This section describes privacy standards developed from these instruments by civil society, political bodies and courts, covering international sharing of personal data, controls on government surveillance activities and oversight of intelligence agencies.

2.1 Standards for transatlantic data sharing and access

There are several US–EU agreements allowing bulk data sharing of air passenger and financial transaction records, and a Mutual Legal Assistance Treaty (MLAT) allowing a case-by-case sharing of law enforcement information. The two parties have been attempting to negotiate an overarching data protection agreement, as urged by the European Parliament, but have so far found their differences insurmountable.
The USA and EU agreed in 2004 to allow EU-based air carriers to supply the US Department of Homeland Security with Passenger Name Record (PNR) data on passengers flying to the US, as required by US law.14 Without this agreement, airlines would have been in breach of EU data protection law if they supplied the data. A second agreement was reached in 2007, after the European Court of Justice found that the EU concluded the first agreement on the wrong legal basis. A third agreement15 was made in 2011 following the Lisbon Treaty, which gives the European Parliament greater power over justice and home affairs issues, and requires its consent for treaties.16
Serious political controversy resulted from the revelation in June 2006 that the Belgium-based SWIFT global inter-bank payment service was providing the US Treasury with access to its transaction database in the USA, containing all transaction instructions.17 The European Data Protection Supervisor criticized the European Central Bank, as a SWIFT oversight group member, for allowing this,18 whereas the Belgian data protection authority found that SWIFT had broken European data protection law.19
In response, SWIFT redesigned its computing system so that, from 2010, intra-European bank instructions were not automatically copied to the US processing centre. The EU and USA concluded an agreement allowing targeted access to European instructions.20 However, that agreement does not require a judicial ruling for data transfer; contains a broad definition of terrorism; and provides EU citizens with no legal redress in US courts. There are allegations that the US Treasury is still receiving up to 25% of all SWIFT transactions—billions each year—since SWIFT is only able technically to provide bulk access to data.21 Controls are in place on searches of these data, with data mining banned, and regular reviews by an EU team.22
Following allegations that NSA has anyway gained unauthorized access to SWIFT’s data systems, the European Parliament resolved that the agreement should be suspended, and reiterated its call for ‘any data sharing agreement with the US [to be based on] on a coherent legal data protection framework offering legally binding personal data protection standards, including with regard to purpose limitation, data minimisation, information, access, correction, erasure and redress’.23
The EU–US Mutual Legal Assistance Treaty24 was agreed in 2003, but not concluded until November 2009. It allows the use of shared data for the purpose of criminal investigations and proceedings, and for preventing an ‘immediate and serious threat to … public security’. Both NGOs and industry have called for all future US foreign data collection to take place through such MLATs, and for the USA to ‘desist from any and all data collection measures which are not targeted and not based on concrete suspicions’.25 Industry groups have also called on the US Congress to fully fund the Department of Justice’s processing of MLAT requests,26 given that they can currently take up to 18 months—far too long for law enforcement agencies’ needs.
Additionally, a joint set of principles endorsed by over 200 NGOs argues: ‘Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.’27
Europol and Eurojust have signed agreements with USA on policing (dated 6 December 2001) and judicial cooperation (dated 6 November 2006). Transfer of data to third countries is addressed in the EU Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters,28 which is currently being revised by the European Parliament.29
Since 2006, the European Commission has been negotiating an overarching agreement with USA on information sharing and privacy, initially in an informal High-Level Contact Group, and since 2011 with a formal negotiating mandate. The mandate is confidential, but a draft was leaked and is likely to be substantively similar.30 The intention is for this to be a binding instrument that sets data protection standards without itself authorizing specific data sharing, which would be done in specific further instruments. After 3 years, the privacy standards would apply to existing EU and member state agreements, including the PNR and SWIFT agreements, unless they are brought into conformity in that time.
In response to the final report from the High-Level Contact Group, the European Data Protection Supervisor suggested a number of principles that should guide an EU–US sharing agreement. Most are at least partially included in the European Commission negotiating mandate, but some remain controversial with the US government31:
  • ‘Clarification as to the nature of the instrument, which should be legally binding in order to provide sufficient legal certainty;
  • A thorough adequacy finding, based on essential requirements addressing the substance, specificity and oversight aspects of the scheme. The EDPS considers that the adequacy of the general instrument could only be acknowledged if combined with adequate specific agreements on a case by case basis.
  • A circumscribed scope of application, with a clear and common definition of law enforcement purposes at stake;
  • Precisions as to the modalities according to which private entities might be involved in data transfer schemes;
  • Compliance with the proportionality principle, implying exchange of data on a case by case basis where there is a concrete need;
  • Strong oversight mechanisms, and redress mechanisms available to data subjects, including administrative and judicial remedies;
  • Effective measures guaranteeing the exercise of their rights to all data subjects, irrespective of their nationality;
  • Involvement of independent data protection authorities, in relation especially to oversight and assistance to data subjects.’

2.2 Standards for controls on surveillance activities

As nation states jealously guard their sovereignty over ‘national security’ issues, it will be more difficult to impose international standards on surveillance by intelligence agencies. Taking lawsuits through Europe’s national courts to the European Court of Human Rights is one possible mechanism. NGOs Privacy International and Liberty have commenced actions in the UK Investigatory Powers Tribunal (IPT), which has exclusive competence to hear complaints on intelligence matters, while a Paris court has opened an investigation following complaints from the International Federation of Human Rights and the French League of Human Rights.32 Big Brother Watch, the Open Rights Group and English PEN have made an application directly to the European Court of Human Rights, claiming that English law cannot provide a remedy for breaches of Article 8 because of the limited capacity of the IPT.33
While Canada, Australia and New Zealand are also members of the ‘Five Eyes’ intelligence alliance, the USA and UK governments are the most important actors in Snowden’s leaks. A number of bills have already been proposed in Congress to constrain the NSA’s domestic surveillance,34 and key existing powers (such as the Patriot Act section 215, which NSA has used to gather records of all US telephone calls) must be renewed between 2015 and 2017. EFF, ACLU and EPIC have taken a number of court actions in an attempt to uncover and restrain NSA surveillance activities.35 However, non-US persons have negligible privacy rights under the US Constitution36 and the Privacy Act of 1974, an issue that has received very little US political attention, although US Attorney General Eric Holder has agreed with the European Commission to address the Privacy Act gap.37
There is growing international consensus that the ICCPR requires States Parties to protect the privacy rights of all those within their jurisdiction—including those spied upon internationally38—but this would require significant legislative or policy changes in USA; USA is reluctant to accept limitations on its abilities to monitor data and communications relating to non-US persons that physically transit US territory—which NSA Director Keith Alexander has called a huge ‘home-field advantage’.39
However, civil society has argued that, as a party to the ICCPR and the Council of Europe Cybercrime Convention, the USA is bound ‘to extend privacy protection to non-US citizens and to observe the principles of legality, necessity and proportionality … in their surveillance activities’.40 EPIC has previously made detailed proposals for an update to the Privacy Act.41 North American and European advocates have also called on the US government to support high EU standards for data protection; reform Patriot and FISA Amendments Act provisions, enact the Consumer Privacy Bill of Rights, stop lobbying against the EU Data Protection Regulation, and ratify the Council of Europe’s Convention 108 on data protection.42 President Obama took some steps towards greater privacy protections for non-US persons with a directive to the US intelligence community in January 2014.43
Internationally, civil society groups have identified some key features of a more human rights-compliant legal framework, and produced a joint set of principles that have been endorsed by over 200 organizations.44 These include:
  • Intelligence agencies should only have targeted, limited access to data. EFF suggests ‘a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service)’.45 EDRi suggests a ban on ‘all data collection measures which are not targeted and not based on concrete suspicions’.46
  • Agency access should be to specific records and communications. Agencies should not be authorized to undertake ‘bulk’, ‘pervasive or systematic monitoring, [which] has the capacity to reveal private information far in excess of its constituent parts’47, such as the submarine cable taps that give NSA and GCHQ access to vast quantities of data which they then winnow down in secret, nor be given access to all telephone records. Legal protections should be triggered by any data access, not only when data are picked out of a large datastream already collected by an agency.
  • Data collected using special national security powers should be completely blocked from use for other government purposes, including law enforcement. It should be retained for limited periods, and deleted once no longer required.
  • ‘Metadata’/‘communications data’ can be extremely revealing about individuals’ lives, and currently receives very low levels of legal protection. This was highlighted by the EU Court of Justice in its judgment invalidating the Data Retention Directive, which required the storage of such data for a period of up to 2 years.48 EFF has called for a requirement for a probable cause warrant for agencies to access previously non-public information, eg revealing identity, websites/info accessed, who with/where/when people communicate.
  • Strict limits on intrusion into freedom of association by network analysis (the creation of very large datasets linking people through several communication hops—previously three in the NSA’s case, which can intrude on the privacy of millions of people, and has since been limited to two hops49).
  • The incorporation of privacy-protective technologies and limitations within surveillance systems. As President Obama has observed: ‘[T]echnology itself may provide us some additional safeguards. So for example, if people don't have confidence that the law, the checks and balances of the court and Congress, are sufficient to give us confidence that government's not snooping, well, maybe we can embed technologies in there that prevent the snooping regardless of what government wants to do.’50 EFF has campaigned against the extension of interception capability requirements to social networking sites and other Internet services, while the joint NGO principles say: ‘States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes … and refrain from compelling the identification of users as a precondition for service provision.’51
  • Illegal surveillance should be criminalized, with effective remedies when individuals’ rights are breached. Illegally gathered material should be inadmissible as evidence, while whistleblowers should be protected for revealing illegal behaviour. EDRi has demanded ‘that any foreign data collection measures include provisions giving all affected individuals, at the very least, equal rights to US citizens at all stages of an investigation and, to avoid “jurisdiction-shopping”, rights that are not significantly lower than any democratically approved safeguards in their country of residence’.52 The European Commission is pushing for this in their negotiations with USA over a data sharing privacy agreement.
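The ‘hops’ point above is the one mechanism in this list that can be shown quantitatively: each additional hop of contact chaining sweeps in every contact of everyone already in the set. The following is an added example, not material from the article; it runs a breadth-first contact chain over a small constructed call-record graph (fictional identifiers) and counts how many people fall inside a one-, two- and three-hop limit from a single seed target.

```python
from collections import deque
from typing import Dict, Iterable, Set, Tuple

# Constructed call-record metadata as (caller, callee) pairs. These are
# fictional identifiers made up for the example, not data from the article.
SAMPLE_CALL_RECORDS = [
    ("seed", "a1"), ("seed", "a2"), ("seed", "a3"),
    ("a1", "b1"), ("a1", "b2"), ("a2", "b3"), ("a3", "b4"), ("a3", "b5"),
    ("b1", "c1"), ("b1", "c2"), ("b2", "c3"), ("b3", "c4"), ("b4", "c5"),
    ("b5", "c6"), ("b5", "c7"),
    ("c1", "d1"), ("c7", "d2"),
    ("x1", "x2"),  # an unrelated pair that no hop limit should reach
]


def build_graph(records: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Build an undirected contact graph: a call in either direction links both parties."""
    graph: Dict[str, Set[str]] = {}
    for caller, callee in records:
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set()).add(caller)
    return graph


def contact_chain(graph: Dict[str, Set[str]], seed: str, max_hops: int) -> Dict[str, int]:
    """Breadth-first contact chaining.

    Returns {identifier: hop distance} for every identifier reachable from
    `seed` within `max_hops` hops. The seed itself is included at distance 0.
    """
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if distance[current] >= max_hops:
            continue  # do not expand beyond the authorised hop limit
        for contact in graph.get(current, ()):
            if contact not in distance:
                distance[contact] = distance[current] + 1
                queue.append(contact)
    return distance


def population_by_hops(graph: Dict[str, Set[str]], seed: str, max_hops: int) -> Dict[int, int]:
    """Distinct people (excluding the seed) swept in under each hop limit 1..max_hops."""
    return {h: len(contact_chain(graph, seed, h)) - 1 for h in range(1, max_hops + 1)}


if __name__ == "__main__":
    g = build_graph(SAMPLE_CALL_RECORDS)
    for hops, people in population_by_hops(g, "seed", 3).items():
        print(f"{hops} hop(s): {people} people within the chain")
```

On this toy graph the two-hop limit reaches 8 people and the three-hop limit 15, nearly doubling the affected population from one extra hop; with real contact lists of hundreds of numbers per person the growth per hop is in the hundreds-fold, which is why the third hop reaches into the millions.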

2.3 Standards for oversight and control of intelligence services

Finally, stronger oversight of intelligence agencies can reduce the likelihood that they misuse their surveillance powers. All democracies acknowledge the necessity of this oversight (especially to protect against the risk of their abuse against political opponents of the government): agencies have very intrusive powers and wide discretion in their use, but the secrecy they operate under severely hinders the scrutiny measures applied to the rest of government. Oversight can also improve agency effectiveness, by challenging waste and poor performance.53
All of the European and North American democracies have special bodies appointed by the legislature and/or executive to oversee intelligence agency’s activity.54 Key features of effective oversight include the active participation of opposition parties, the resourcing of expert investigators and advisers, and full access to agency documents. The joint NGO principles state: ‘Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance.’55
Many countries also have specific officials responsible for oversight, including the NSA Inspector General and a to-be-appointed Privacy and Civil Liberties Officer, and the UK’s Interception of Communications Commissioner and independent reviewer of terrorism legislation. In the light of the Snowden revelations, the impact of the US and UK oversight bodies and officials has clearly been limited. A broader membership of oversight panels could be one way to improve their ability to challenge disproportionate surveillance—in particular including individuals with the technical expertise required to understand complex surveillance systems, which it seems has been a severe challenge for the Foreign Intelligence Surveillance Court. Requirements for individuals to undergo highly intrusive security vetting before participating in oversight activities will reduce the diversity of those willing to do so. The European Parliament has stated that oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and adequate technical capability and expertise; the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities.56
NGOs are campaigning for greater transparency of surveillance activities, with publication of details of all surveillance programmes, allowing the media, civil society and individuals to understand and if necessary criticize agency’s activity. Industry groups are also attempting to persuade the US government to allow them to publish more detailed statistics on access to their customer data, with Microsoft and Google taking legal action to uphold their ‘clear right under the U.S. Constitution to share more information with the public’.57
The NGO joint surveillance principles further require notification of surveillance targets once investigations have concluded; publication of aggregate information on the number of requests approved and rejected or contested by courts (including the number of users affected), with a disaggregation of the requests by service provider and by investigation type and purpose; and the removal of confidentiality requirements that block Internet companies from publishing details of the procedures they apply when they receive surveillance orders.58
NGOs have also suggested that secret procedures used to authorize surveillance should feature a ‘privacy advocate’ making a case against the government request. President Obama has already conceded that such an advocate should appear in appropriate cases at the US Foreign Intelligence Surveillance Court. EFF suggests that such an advocate needs full access to case materials, with the ‘independence and protections that public defenders enjoy’.59


The two main forums providing an opportunity to improve human rights compliance in US–EU surveillance standards are the negotiations over the Transatlantic Trade and Investment Partnership (TTIP), and the ongoing negotiations between USA and European Commission over an information sharing and privacy agreement. Other significant venues are the Council of Europe, United Nations, and the bilateral and multilateral negotiations of intelligence-sharing agreements.

3.1 Transatlantic trade and investment partnership

The first round of the EU–US TTIP free trade negotiations took place in Washington DC in July 2013; the second round took place in Brussels in October 2013. The European Commission originally expected negotiations to conclude by summer 2014, and if successful forecast an annual boost to the EU economy of 0.5% of GDP.60 The talks have, however, been more contentious and taken longer than expected.
The negotiations aim to both reduce tariffs and reduce non-tariff barriers, particularly by harmonizing technical regulations, standards and certification. They are taking place between the US Trade Representative and the European Commission, which has promised to provide regular updates to the EU Member States and Parliament—an issue of acute sensitivity, following the European Parliament’s rejection of the Anti-Counterfeiting Trade Agreement (ACTA) in July 2012, mainly due to the lack of transparency and participation in the negotiation of that agreement.61
TTIP is a narrow, commercial forum. However, it presents two possible mechanisms for imposing new surveillance standards. The first is in enhanced privacy protections for personal data agreed in any TTIP mechanism built on the existing Safe Harbour agreement, which allows the transfer of Europeans’ personal data to US companies that have committed to a set of privacy standards the European Commission has judged to provide ‘adequate’ protection under the Data Protection Directive.62 The second is promises made in the conduct of the negotiations themselves.
The Trans Atlantic Consumer Dialogue (TACD) has stated: ‘We are very sceptical that a trade partnership built around regulatory convergence will serve consumer interests, and we will vigorously oppose a deal that dismantles existing EU and US consumer protection … Comprehensive legislative data protection reforms are ongoing in the EU, and more privacy-friendly mechanisms are being developed in the US, therefore data flows and data protection must not be included in free trade negotiations.’63
EDRi has argued that higher privacy standards can be the basis for European success in trustworthy cloud services, estimated to be a €45 billion market in the EU by 2020.
However, industry groups are lobbying heavily for data flows to be included. TTIP is planned to contain an ongoing review mechanism,64 meaning that data flows could be reconsidered in future even if excluded from an initial agreement. The European Parliament has called on the Commission to ensure that TTIP does not weaken European privacy standards,65 and has threatened to veto any agreement unless it ‘fully respects, inter alia, the fundamental rights recognised by the EU Charter, and provided the protection of the privacy of individuals in relation to the processing and dissemination of personal data remain governed by Article XIV of the GATS’. The Parliament also called for a review of the Safe Harbour agreement, and the suspension of the Commission’s finding that the agreement provides ‘adequate’ protection for the purposes of the Data Protection Directive.66 The Commission published 13 recommendations for US action to protect Safe Harbour in November 2013, and will make a final decision on the agreement in late 2014.67
Transparency and the opportunity for civil society participation will be important for the legitimacy of the TTIP negotiations, and the European Commission has already ‘committed to providing a maximum of information possible for the public, the media, and the many stakeholders’.68 TACD has called for negotiating texts to be published after each round, with structured opportunities for public comment, and for a TTIP consumer advisory committee to be created. The European Parliament played an ‘ambiguous role’ with ACTA transparency, ‘by demanding disclosure and by disclosing documents, but also, in some instances, by actively withholding public information.’69
The process of the negotiations is also an opportunity for civil society to campaign for higher surveillance standards. The EU institutions reacted strongly to the revelation of NSA bugging of EU networks and premises, with Commissioner Reding stating: ‘We cannot negotiate on a giant transatlantic market when there is even the slightest suspicion that our partners are spying the offices of the negotiators’. The European Parliament resolved that it ‘Strongly condemns the spying on EU representations as, should the information available up to now be confirmed, it would imply a serious violation of the Vienna Convention on Diplomatic Relations, in addition to its potential impact on transatlantic relations; [and] calls for immediate clarification from the US authorities on the matter.’70

3.2 Draft data sharing privacy agreement between the EU and USA

The opportunities for achieving higher human rights standards for surveillance in the EU–US data sharing privacy agreement share some similarities with the TTIP negotiations. Improved transparency and participation would make it easier for civil society to be involved. The leaked draft negotiating mandate given to the European Commission by the Council of Ministers supported this, stating: ‘In line with Article 218 paragraph 10 of the TFEU, the European Parliament should be immediately and fully informed at ail [sic] stages of the procedure’. Two further key demands for improved privacy standards are contained in the mandate: ‘The Agreement shall explicitly State that it creates enforceable rights for data subjects … [and] cannot be the legal basis for any transfers of personal data’.71
The 2011 US–EU agreement on the transfer of PNR flight data included improved privacy protections resulting from pressure by the European Parliament, particularly its Civil Liberties committee, and is one example of the role the Parliament could play in setting better standards for communications surveillance. The law enforcement Data Protection Directive is another instrument that could be used to improve transatlantic privacy protections, alongside a strong General Data Protection Regulation that includes provisions (such as the ‘anti-NSA’ article 42)—as long as a weak ‘consistency mechanism’ does not allow companies to take advantage of lax enforcement by data protection regulators in Ireland and the UK.
The European Parliament could put stronger pressure on the Commission by threatening new political and judicial action against the PNR and SWIFT agreements. NGOs made digital rights a high-profile issue in the 2014 parliamentary elections, so the 2014–19 Parliament is more likely to put pressure on the Commission for a strong agreement—and ultimately to reject a weak agreement if that is the result of negotiations. The political climate has led to the election of more radical MEPs from the southern EU countries suffering from austerity, and more conservative MEPs from the northern EU countries, which will make it easier for civil society to persuade the Parliament to reject treaties—but harder to achieve more constructive change.
A non-secret treaty basis for exchanging information, approved by the US Congress and EU Parliament and meeting European Convention on Human Rights standards, is the best long-term enabler of bringing intelligence data collection and sharing within a transparent and genuinely human rights-compatible framework. European Justice Commissioner Viviane Reding stated that ‘a meaningful agreement has to ensure that law enforcement authorities access data through lawful channels of cooperation which do exist between the EU and the U.S.’.72 The International Chamber of Commerce also recommended that improved MLATs should replace cross-border surveillance.73
The greatest area of US–EU disagreement is over the remedies available to non-US citizens and permanent residents when their privacy rights are breached. Commissioner Reding has stated: ‘A meaningful agreement has to ensure the full equal treatment of EU and U.S. citizens. A meaningful agreement has to give European citizens concrete and effective rights like access to justice.’74 The US Department of Homeland Security as a matter of policy applies the protections in the US Privacy Act of 1974 to both citizens/permanent residents and visitors, giving everyone the right to access and correct their own personal data.75 However, because the Privacy Act’s definition of ‘individual’ applies only to the former, the latter have no right of judicial review. Obtaining this is a key goal of the EU, and has been promised by the US Administration.76

3.3 Other venues

The other main venue for improved transatlantic standards is the Council of Europe—particularly in its work on Internet governance77 and cybercrime,78 as well as the investigation into the Snowden revelations called for by 23 members of its parliamentary assembly and supported by an NGO coalition.79 The cybercrime work to date has often been criticized by civil society groups as too heavily reflecting the interests of law enforcement agencies.80 Existing Council of Europe standards (such as Convention 108 on data protection, currently under revision, and Recommendation No R(87)15 regulating the use of personal data in the police sector) could also be further developed to cover large-scale surveillance. The EU and civil society have been trying to persuade81 USA to ratify Convention 108, although the Senate’s approval of a treaty that required broad limits on private sector processing of personal data seems unlikely in the medium term.
The most difficult venues for new standards are the secret bilateral and multilateral negotiations between governments on intelligence sharing agreements. The United Kingdom-United States of America (UKUSA) agreement is the basis for NSA and GCHQ cooperation,82 while there are hints that NATO facilitated a number of intelligence-sharing agreements following the post-9/11 invocation of its Article 5 mutual defence procedure.83
It is difficult but not impossible for governments to be persuaded to reveal details and even modify these agreements—after 64 years of secrecy, freedom of information requests led to the publication of an early version of the UKUSA agreement. Unless these agreements are transparent, the impact of other international agreements on surveillance standards is limited—especially when data are leaking from national security programmes into other government activities, such as law enforcement and tax investigations, as has been happening in USA.84
Germany’s demands for a no-spying agreement with USA could be an example for other countries and the EU—although those that are not already parties to the UKUSA agreement will find this more difficult to achieve, since Germany’s aim is apparently to upgrade its status within that arrangement. So far USA has only been willing to concede informal ‘guiding principles’ on intelligence cooperation.85 The ‘Five Eyes’ partners have limited ‘understandings’ not to target each other, although this doubtless is flexible when significant national interests are at stake. The European Parliament has stated that ‘the EU principle of sincere cooperation requires that Member States refrain from conducting intelligence activities in other Member States' territory’ and asked ‘the Council to inform Parliament on developments by Member States on an EU-wide mutual no-spy arrangement’.86
Clearly, there are a number of wider international forums that can be used to address surveillance standards. The most important are at the UN—specifically, the Internet Governance Forum, Human Rights Council, Office of the High Commissioner on Human Rights,87 International Telecommunication Union and Office on Drugs and Crime. UN Special Rapporteur Frank La Rue has published a report on the impact of state surveillance on privacy and the freedom of opinion and expression,88 whereas the German government has called for a new ICCPR Optional Protocol addressing national security issues. Civil society has called on the Human Rights Council to support the special rapporteur’s suggestion that the Human Rights Committee, in a multistakeholder process, develop a new General Comment 16 on the right to privacy in light of technological advancements and request a report from the High Commissioner.89
Industry could be a supporter of civil society activity related to the UN, especially in light of the UN Guiding Principles on Business and Human Rights90—possibly through multistakeholder forums such as the Global Network Initiative. International telecommunications companies might be encouraged to pay greater attention to corporate social responsibility issues.91
One important limitation of the UN approach is that USA has not ratified the ICCPR First Optional Protocol that allows individuals to bring complaints to the Human Rights Committee, and has made several important reservations to its ratification of the Covenant, limiting the ability for ICCPR rights to be enforced in USA. Only an inter-state complaint would allow the Human Rights Committee to make a determination on the specific facts of the NSA revelations; no government has been willing to take this step.
In its 2006 US review, the Human Rights Committee noted with concern the restrictive interpretation made by the State party of its obligations under the Covenant, as a result in particular of (a) its position that the Covenant does not apply with respect to individuals under its jurisdiction but outside its territory … (b) its failure to take fully into consideration its obligation under the Covenant not only to respect, but also to ensure the rights prescribed by the Covenant; and (c) its restrictive approach to some substantive provisions of the Covenant.

Of immediate relevance is the Committee’s statement that:

[the Patriot Act’s] section 215 regarding access to individuals’ personal records and belongings; and section 505, relating to the issuance of national security letters, still raise issues of concern in relation to article 17 of the Covenant. In particular, the Committee is concerned about the restricted possibilities for the concerned persons to be informed about such measures and to effectively challenge them. Furthermore, the Committee is concerned that the State Party, including through the National Security Agency (NSA), has monitored and still monitors phone, email, and fax communications of individuals both within and outside the U.S., without any judicial or other independent oversight.92

The Human Rights Committee repeated these concerns in its 2014 review, concluding that USA should:93

(a) Take all necessary measures to ensure that its surveillance activities, both within and outside the United States, conform to its obligations under the Covenant, including article 17; in particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance;
(b) Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that: (i) are publicly accessible; (ii) contain provisions that ensure that collection of, access to and use of communications data are tailored to specific legitimate aims; (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted, the procedures for authorization, the categories of persons who may be placed under surveillance, the limit on the duration of surveillance; procedures for the use and storage of data collected; and (iv) provide for effective safeguards against abuse;
(c) Reform the current oversight system of surveillance activities to ensure its effectiveness including by providing for judicial involvement in the authorization or monitoring of surveillance measures, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses;
(d) Refrain from imposing mandatory retention of data by third parties;
(e) Ensure that affected persons have access to effective remedies in cases of abuse.
More likely to force US policy change is the impact the Snowden revelations will have on global Internet governance debates. Without significant concessions, it seems unlikely that the current loose multistakeholder governance model can persist, with critical Internet resources run by ICANN under contract to the US government. The USA has already started the process of relinquishing its contractual control over the so-called ‘IANA function’.
Potentially important also is the World Trade Organisation (WTO), where USA has taken the first steps towards action against Chinese Internet censorship as a restriction on free trade.94 Other states could raise questions at the WTO about economic espionage by USA and the UK—the latter’s Regulation of Investigatory Powers Act 2000 s. 5(3)(c) allows interception ‘for the purpose of safeguarding the economic well-being of the United Kingdom’. This issue could also be raised in the World Intellectual Property Organisation. While the ‘Doha’ round of WTO negotiations has stalled, other countries could in these and other free trade negotiations (such as the Trans-Pacific Partnership) demand the reinforcement of the Vienna Convention on Diplomatic Relations prohibition on foreign government spying on diplomatic missions, correspondence and documents—as GCHQ was found to be circumventing during the G20 meeting in London.95
Finally, the Organisation for Economic Cooperation and Development as well as UNESCO and the annual international conference of data protection and privacy commissioners continue to have extensive civil society input through the Public Voice coalition, which has developed a Madrid Declaration on Global Privacy Standards for a Global World.96 Cybersecurity policy debates at the UN, the London/Budapest/Seoul ‘cyber’ conference series, and elsewhere, present both a risk of greater intergovernmental agreement on surveillance as a prerequisite of Internet security, and an opportunity for the incorporation of human rights standards into resulting agreements.


A range of potential transatlantic privacy standards for surveillance have been developed by civil society groups, courts and watchdogs such as the European Data Protection Supervisor. These cover data sharing, surveillance activities and oversight of intelligence agencies. The principal opportunities for implementing them are in EU–US negotiations over a data sharing privacy agreement and the Transatlantic Trade and Investment Partnership. The Council of Europe and state–state negotiations over intelligence sharing are also possible venues.
Beyond this, there are opportunities to introduce new standards through the Council of Europe’s data protection convention, and encourage ratification by non-European states, as well as introducing new privacy protections in the Cybercrime Convention. More difficult will be efforts to make intergovernmental intelligence-sharing agreements transparent. Outside the USA and EU, forums at the UN, OECD, Privacy Commissioners’ Conference, WTO and WIPO could also play a role, although they present challenges of scope and enforcement.
Following a review by an independent panel appointed by President Obama, the US executive branch has recently made significant changes to improve the compliance of its foreign intelligence practices with international human rights law. These include more specific definitions of the purposes for which surveillance can be undertaken, and—significantly—greater protections for non-US citizens and residents.97 There remains an opportunity for democratic states to further improve and entrench human rights protections for their citizens through the implementation of the standards described in this article.


Thanks to Axel Arnbak, Joris van Hoboken, Douwe Korff and the anonymous reviewers for their suggestions and comments on a draft of this article. This research was supported by the Open Society Foundations and EPSRC grant EP/L00416X/1.


  • 1 US Foreign Intelligence Surveillance Court, Memorandum Opinion, 3 October 2011 <> accessed 6 August 2014.
  • 2 E MacAskill, J Borger, N Hopkins, N Davies and J Ball, ‘Mastering the Internet: How GCHQ Set Out to Spy on the World Wide Web’ The Guardian (21 June 2013).
  • 3 L Poitras, M Rosenbach, F Schmid, H Stark and J Stock, ‘How the NSA Targets Germany and Europe’ Der Spiegel (1 July 2013) <> accessed 6 August 2014.
  • 4 ibid.
  • 5 D Bigo, G Boulet, C Bowden, S Carrera, J Jeandesbox and A Scherrer, Fighting Cyber crime and Protecting Privacy in the Cloud, European Parliament, PE 462.509, October 2012.
  • 6 J Cremer, ‘Denmark is one of the NSA's ‘9-Eyes'’ The Copenhagen Post (4 November 2013) <> accessed 6 August 2014.
  • 7 L Poitras, M Rosenbach and H Stark, ‘Codename ‘Apalachee': How America Spies on Europe and the UN’ Der Spiegel (26 August 2013) <> accessed 6 August 2014.
  • 8 B Gellman and E Nakashima, ‘U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show’ Washington Post (31 August 2013) <> accessed 6 August 2014.
  • 9 J Ball, J Borger and G Greenwald, ‘Revealed: how US and UK spy agencies defeat internet privacy and security’ The Guardian (6 September 2013) <> accessed 6 August 2014.
  • 10 Including Jewel v NSA, 673 F.3d 902 (2011), ACLU v NSA, 493 F.3d 644 (2007) and In re EPIC, SC No. 13-58 (2013).
  • 11 Big Brother Watch, Open Rights Group, English PEN, and Dr. Constanze Kurz v. the United Kingdom, Application No. 58170/13 to the European Court of Human Rights (still pending awaiting a decision on admissibility from the Court); Liberty and Others v GCHQ, UK Investigatory Powers Tribunal, directions hearing report by Naomi Colvin, 14 February 2014 <>
  • 12 NK Modirzadeh, ‘Folk International Law: 9/11 Lawyering and the Transformation of the Law of Armed Conflict to Human Rights Policy and Human Rights Law to War Governance’ (2014) 5 Harvard Natl Secur J 225.
  • 13 Treaty on European Union s 4.2.
  • 14 Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 19 November 2001.
  • 15 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215, 11 August 2012, 5–14.
  • 16 Art 218(6), Treaty on the Functioning of the European Union, OJ C 115, 9 May 2008, 1–388.
  • 17 Art 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 22 November 2006.
  • 18 European Data Protection Supervisor opinion on the role of the European Central Bank in the SWIFT case, 1 February 2007.
  • 19 Commission de la Protection de la Vie Privee, Avis 37/2006, 27 September 2006.
  • 20 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195, 27 July 2010, 5–14.
  • 21 SWIFT Agreement Adopted By The European Parliament, EDRi-gram 8.14, 14 July 2010.
  • 22 European Commission, Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (TFTP), SWD (2012) 454 final, 14 December 2012.
  • 23 European Parliament resolution of 23 October 2013 on the suspension of the TFTP agreement as a result of US National Security Agency surveillance (2013/2831(RSP)).
  • 24 Agreement on mutual legal assistance between the European Union and the United States of America, OJ L 181, 19 July 2003, 34–42.
  • 25 Reform Government Surveillance campaign Principles <> accessed 6 August 2014 and EDRi Letter To The US Embassy On PRISM, 19 June 2013 <> accessed 6 August 2014.
  • 26 Technology trade associations letter to chairs and ranking members of US Senate and House of Representatives committees on appropriations, 31 March 2014 <> accessed 6 August 2014.
  • 27 International Principles on the Application of Human Rights to Communications Surveillance, 10 July 2013 <> accessed 6 August 2014.
  • 28 OJ L 350, 30 December 2008, 60–71.
  • 29 Personal data protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data. Procedure file 2012/0010(COD).
  • 30 European Commission, Explanatory Document, COM(2010) 252/2 <> accessed 6 August 2014.
  • 31 Opinion of the European Data Protection Supervisor on the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection, 8 November 2011.
  • 32 D MacGuill, ‘France ‘opens probe' into US spy program PRISM’ The Local (28 August 2013).
  • 33 Application No: 58170/13, 27 September 2013.
  • 34 See eg S. 1452 (the Surveillance Transparency Act of 2013) and H.R. 3035 (the Surveillance Order Reporting Act of 2013).
  • 35 See n 10.
  • 36 O Kerr, ‘The Fourth Amendment and the Global Internet’ (2015) 67 Stanford Law Review.
  • 37 E MacAskill, ‘US to Extend Privacy Protection Rights to EU Citizens’ The Guardian (25 June 2014) <> accessed 6 August 2014.
  • 38 I Brown and D Korff, ‘Foreign Surveillance: Law and Practice in a Global Digital Environment’ (2014) 3 Eur Human Rights LR 243; B Van Schaack, ‘The United States’ Position on the Extraterritorial Application of Human Rights Obligations: Now is the Time for Change’ (2014) 90 Int LStud 20; M Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ Harvard Int LJ (forthcoming); Office of the High Commissioner for Human Rights, The right to privacy in the digital age, A/HRC/27/37, 30 June 2014.
  • 39 G Greenwald and E MacAskill, ‘NSA Prism Program Taps in to User Data of Apple, Google and Others’ The Guardian (7 June 2013).
  • 40 ibid.
  • 41 Supplemental letter from Electronic Privacy Information Center to Senator Daniel Akaka on S. 1732, 14 May 2012 <> accessed 6 August 2014.
  • 42 The Washington Statement – In Support Of Data Protection, 3 July 2013 <> accessed 6 August 2014.
  • 43 US Presidential Policy Directive 28 – Signals Intelligence Activities, 17 January 2014.
  • 44 See n 27.
  • 45 C Cohn and T Timm, ‘What Should, and Should Not, Be in NSA Surveillance Reform Legislation’, 5 August 2013 <> accessed 6 August 2014.
  • 46 See n 25.
  • 47 See n 44.
  • 48 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12 and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C-594/12.
  • 49 The White House, ‘FACT SHEET: The Administration’s Proposal for Ending the Section 215 Bulk Telephony Metadata Program’, 27 March 2014 <> accessed 6 August 2014.
  • 50 ‘Transcript of President Obama’s August 9, 2013, news conference at the White House’ Washington Post. Washington Post Staff, 9 August 2013, Washington, D.C.
  • 51 See n 44.
  • 52 See n 25.
  • 53 A Wills and M Vermeulen, Parliamentary Oversight of Security and Intelligence Agencies in the European Union, European Parliament, PE 453.207, June 2011, 85–6.
  • 54 ibid 92–5.
  • 55 See n 27.
  • 56 European Parliament, Resolution on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ privacy (2013/2682(RSP)), 2 July 2013.
  • 57 Microsoft Corporation, In re Motion to Disclose Aggregate Data Regarding FISA Orders, US Foreign Intelligence Surveillance Court Case No. MISC. 13-04, and similar motions by LinkedIn Corporation, Facebook, Inc., Yahoo! Inc. and Google Inc.
  • 58 See n 27.
  • 59 See n 45.
  • 60 European Commission DG Trade, Transatlantic Trade and Investment Partnership (TTIP) — The biggest trade deal in the world, undated <> accessed 6 August 2014.
  • 61 BBC News, Acta: Controversial anti-piracy agreement rejected by EU, 4 July 2012.
  • 62 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
  • 63 Transatlantic Consumer Dialogue, EU and US consumer groups’ initial reaction to the announcement of a Transatlantic Trade and Investment Partnership (TTIP), 5 March 2013.
  • 64 European Commission, Trade Cross-cutting disciplines and Institutional provisions, July 2013.
  • 65 European Parliament, Resolution of 4 July 2013 on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' privacy (2013/2682(RSP)).
  • 66 European Parliament, Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), 21 February 2014.
  • 67 Communication from the Commission to the European parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final.
  • 68 European Commission, EU publishes initial TTIP Position Papers, 16 July 2013 <> accessed 6 August 2014.
  • 69 Total Transparency On Anti-Counterfeiting Trade Agreement And Trans-Atlantic Free Trade Agreement Documents, EDRi-gram 11.5, 13 March 2013.
  • 70 See n 56.
  • 71 Proposal for a Council Recommendation authorizing the opening of negotiations of an agreement between the European Union and the United States of America on the protection of personal data upon transfer and their treatment for prevention, investigation and detection of crime including terrorism, in the context of police and judicial cooperation in criminal matters, COM(2010) 252/2 <> accessed 6 August 2014.
  • 72 PRISM scandal: The data protection rights of EU citizens are non-negotiable, 14 June 2013, SPEECH/13/536.
  • 73 International Chamber of Commerce, Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross-Border Lawful Intercept Procedures, Document No. 373/512, 12 September 2012.
  • 74 See n 72.
  • 75 US Department of Homeland Security, Privacy Policy Guidance Memorandum 2007-1, as amended.
  • 76 See n 30.
  • 77 Internet governance – Council of Europe strategy 2012-2015, CM(2011)175 final, 15 March 2012.
  • 78 See the agenda of the CoE ‘Octopus Conference’ on cooperation against cybercrime, held in Strasbourg 4–6 December 2013 <> accessed 6 August 2014.
  • 79 Open Rights Group, ORG joins call on Council of Europe to support resolution against mass eavesdropping, 29 August 2013 <> accessed 6 August 2014.
  • 80 Cf Electronic Privacy Information Center, ‘Statement on Council of Europe Cybercrime Convention, Treaty 108-11’, 26 July 2005 <>
  • 81 Letter from the EPIC Advisory Council to Secretary of State Hillary Rodham Clinton, 28 January 2013 <>
  • 82 National Security Agency/Central Security Service, ‘UKUSA Agreement Release 1940–1956’, 24 June 2013 <> accessed 6 August 2014.
  • 83 Cf Senator Richard Lugar, NATO After 9/11: Crisis or Opportunity? Remarks to the Council on Foreign Relations, Washington DC, 4 March 2002.
  • 84 Reuters, U.S. directs agents to cover up program used to investigate Americans, 5 August 2013.
  • 85 David Ignatius, ‘The U.S. and Germany are Rebuilding a Spy Partnership’ The Washington Post (22 July 2014) <> accessed 6 August 2014.
  • 86 See n 56.
  • 87 See the recent HCHR report The right to privacy in the digital age, A/HRC/27/37, 30 June 2014.
  • 88 A/HRC/23/40, 17 April 2013.
  • 89 Civil Society Statement to the Human Rights Council on the impact of State Surveillance on Human Rights addressing the PRISM/NSA case, 10 June 2013.
  • 90 A/HRC/RES/17/4, 6 July 2011.
  • 91 Cf the ‘Telecommunications Industry Dialogue’ that is now working with the Global Network Initiative.
  • 92 CCPR/C/USA/CO/3/Rev.1, 18 December 2006.
  • 93 CCPR/C/USA/CO/4, s.22, 23 April 2014.
  • 94 US Trade Representative, United States Seeks Detailed Information on China’s Internet Restrictions, October 2011.
  • 95 E MacAskill, N Davies, N Hopkins, J Borger and J Ball, ‘GCHQ intercepted foreign politicians' communications at G20 summits’ The Guardian (17 June 2013).
  • 96 The Public Voice, Madrid Privacy Declaration, 3 November 2009 <> accessed 6 August 2014.
  • 97 See n 43.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
