The feasibility of transatlantic privacy-protective standards for surveillance
- ↵* Associate Director, Oxford University Cyber Security Centre; Professor of Information Security and Privacy, Oxford Internet Institute. E-mail: ian.brown@oii.ox.ac.uk.
Abstract
This article analyses the feasibility of
the adoption of specific, international human rights law-compliant,
transatlantic
standards on foreign surveillance, in the context
of Edward Snowden’s revelations of large-scale surveillance programmes
operated
by the US National Security Agency (NSA) and
selected European intelligence services. The article describes examples
of current
good State practice, and options for setting
standards for transatlantic data sharing, control of state interception
and data
monitoring capabilities, and oversight of
intelligence agencies. It identifies relevant principles developed by
civil society
and industry groups that are leading political
campaigns for reform, and the conditions under which these efforts are
likely
to succeed. It concludes by discussing the key
intergovernmental forums where these standards could be considered.
Key words
- privacy
- surveillance
- interception
- European Convention on Human Rights
- Article 8
- International Convention on Civil and Political Rights
- Article 17
1. RELEVANT LEGAL AND POLITICAL DEVELOPMENTS: A BRIEF OVERVIEW
While the Guardian, Washington Post and Der Spiegel continue to publish new information from the documents leaked by former NSA contractor Edward Snowden, the key facts revealed
to date are as follows.
The US and UK’s signals intelligence
agencies, National Security Agency (NSA) and Government Communications
Headquarters (GCHQ),
have gained access to very large volumes of
Internet communications and data, for extremely broad ‘foreign
intelligence’ purposes.
A declassified 2011 US court order shows that NSA
was already accessing more than 250 million ‘Internet communications’
each
year.1
GCHQ is recording 3 days of international Internet traffic transiting
the UK and 30 days of ‘metadata’ about these communications,2 and has gained access to ‘the majority’ of European Internet and telephone communications.3
NSA and GCHQ ‘collection’ of data is via intercepts of Internet traffic
flowing through international fibre optic cables
operated by telecommunications companies, and
through automated searches carried out by Internet companies such as
Microsoft,
Apple, Google and Facebook on their internal
systems, as well as the provision of complete records of all US
telephone calls
by AT&T, Verizon and others. NSA Director Keith
Alexander asked his staff in 2008: ‘Why can’t we collect all the
signals all
the time?’—and they have set out to implement this
vision.4
The US and UK laws compel this cooperation by telecommunications and Internet companies (including ‘cloud computing’ providers
that increasingly provide the infrastructure for Internet services).5
Other European governments cooperate with the
USA–UK–Canada–Australia–New Zealand ‘Five Eyes’ intelligence alliance,
notably
an additional four countries in a ‘9-Eyes’ group
(France, The Netherlands, Norway and Denmark) and a further five
(Germany,
Sweden, Spain, Belgium and Italy) in a ‘14-Eyes’
configuration.6
NSA has further bugged EU offices and
computer networks in Washington DC and New York, and gained access to UN
internal videoconferencing
systems. It has interception equipment and staff
(jointly with the CIA) at 80 US embassies.7
NSA has compromised at least 85,000
‘strategically chosen’ machines in computer networks around the world;
each device ‘in
some cases … opens the door to hundreds or
thousands of others.’ A new automated system is capable of managing
‘potentially
millions’ of compromised machines for intelligence
gathering and ‘active attack’. NSA conducted 231 ‘offensive operations’
in 2011, which represents ‘an evolution in policy,
which in the past sought to preserve an international norm against acts
of aggression in cyberspace, in part because U.S.
economic and military power depend so heavily on computers’.8
NSA is spending $250 million each year to sabotage security standards
and systems so that it can maintain access to encrypted
data. GCHQ has developed methods to access
encrypted data communications to Hotmail, Google, Facebook and Yahoo!9
US Non-Governmental Organisations (Electronic Frontier Foundation, Electronic Privacy Information Center, and American Civil
Liberties Union) have filed lawsuits questioning the constitutionality of these provisions,10
whereas European Non-Governmental Organisations (such as Privacy
International) have begun actions regarding their compatibility
with the European Convention on Human Rights.11 But to date, the US government in particular has relied upon ‘a confusing and soft admixture of International Humanitarian
Law, jus ad bellum, and International Human Rights Law to frame operations that do not, ultimately, seem bound by international law—at least
not by any conception of international law recognizable to international lawyers’.12
2. PRIVACY STANDARDS FOR SURVEILLANCE IN INTERNATIONAL HUMAN RIGHTS LAW
The US and European states are all parties
to the UN’s International Covenant on Civil and Political Rights
(ICCPR), which
protects privacy and correspondence under Article
17, whereas the regional European Convention on Human Rights (ECHR)
Article
8 has been interpreted in a robust way by the
European Court of Human Rights to restrict governmental surveillance.
The European
Union’s Data Protection Directive (95/46/EC) and
Charter of Fundamental Rights both apply additional strong privacy
protections—although
not in the area of national security, which is a
competence reserved to the Member States.13
This section describes privacy standards
developed from these instruments by civil society, political bodies and
courts, covering
international sharing of personal data, controls on
government surveillance activities and oversight of intelligence
agencies.
2.1 Standards for transatlantic data sharing and access
There are several US–EU agreements
allowing bulk data sharing of air passenger and financial transaction
records, and a Mutual
Legal Assistance Treaty (MLAT) allowing a
case-by-case sharing of law enforcement information. The two parties
have been attempting
to negotiate an overarching data protection
agreement, as urged by the European Parliament, but have so far found
their differences
insurmountable.
The USA and EU agreed in 2004 to allow EU-based air carriers to supply the US Department of Homeland Security with Passenger
Name Record (PNR) data on passengers flying to the US, as required by US law.14
Without this agreement, airlines would have been in breach of EU data
protection law if they supplied the data. A second
agreement was reached in 2007, after the
European Court of Justice found that the EU concluded the first
agreement on the
wrong legal basis. A third agreement15 was made in 2011 following the Lisbon Treaty, which gives the European Parliament greater power over justice and home affairs
issues, and requires its consent for treaties.16
Serious political controversy resulted
from the revelation in June 2006 that the Belgium-based SWIFT global
inter-bank payment
service was providing the US Treasury with
access to its transaction database in USA, containing all transaction
instructions.17 The European Data Protection Supervisor criticized the European Central Bank, as a SWIFT oversight group member, for allowing
this,18 whereas the Belgian data protection authority found that SWIFT had broken European data protection law.19
In response, SWIFT redesigned its
computing system so that, from 2010, intra-European bank instructions
were not automatically
copied to the US processing centre. The EU and
USA concluded an agreement allowing targeted access to European
instructions.20
However, that agreement does not require a judicial ruling for data
transfer; contains a broad definition of terrorism; and
provides EU citizens with no legal redress in US
courts. There are allegations that the US Treasury is still receiving
up
to 25% of all SWIFT transactions—billions each
year—since SWIFT is only able technically to provide bulk access to
data.21 Controls are in place on searches of these data, with data mining banned, and regular reviews by an EU team.22
Following allegations that NSA has anyway gained unauthorized access to SWIFT’s data systems, the European Parliament resolved
that the agreement should be suspended, and reiterated its call for
‘any data sharing agreement with the US [to be based on] on a coherent legal data protection framework offering legally binding personal data protection standards, including with regard to purpose limitation, data minimisation, information, access, correction, erasure and redress’.23
The EU–US Mutual Legal Assistance Treaty24
was agreed in 2003, but not concluded until November 2009. It allows
the use of shared data for the purpose of criminal investigations
and proceedings, and for preventing an
‘immediate and serious threat to … public security’. Both NGOs and
industry have called
for all future US foreign data collection to
take place through such MLATs, and that USA ‘desist from any and all
data collection
measures which are not targeted and not based on
concrete suspicions’.25 Industry groups have also called on the US Congress to fully fund the Department of Justice’s processing of MLAT requests,26 given that they can currently take up to 18 months—far too long for law enforcement agencies’ needs.
Additionally, a joint set of principles endorsed by over 200 NGOs argues:
‘Where States seek assistance for law enforcement purposes, the principle of dual criminality should be applied. States may not use mutual legal assistance processes and foreign requests for protected information to circumvent domestic legal restrictions on communications surveillance. Mutual legal assistance processes and other agreements should be clearly documented, publicly available, and subject to guarantees of procedural fairness.’27
Europol and Eurojust have signed
agreements with USA on policing (dated 6 December 2001) and judicial
cooperation (dated 6
November 2006). Transfer of data to third
countries is addressed in the EU Council Framework Decision on the
protection of
personal data processed in the framework of
police and judicial cooperation in criminal matters,28 which is currently being revised by the European Parliament.29
Since 2006, the European Commission
has been negotiating an overarching agreement with USA on information
sharing and privacy,
initially in an informal High-Level Contact
Group, and since 2011 with a formal negotiating mandate. The mandate is
confidential,
but a draft was leaked and is likely to be
substantively similar.30
The intention is for this to be a binding instrument that sets data
protection standards without itself authorizing specific
data sharing, which would be done in specific
further instruments. After 3 years, the privacy standards would apply to
existing
EU and member state agreements, including the
PNR and SWIFT agreements, unless they are brought into conformity in
that time.
In response to the final report from
the High-Level Contact Group, the European Data Protection Supervisor
suggested a number
of principles that should guide an EU–US sharing
agreement. Most are at least partially included in the European
Commission
negotiating mandate, but some remain
controversial with the US government31:
-
‘Clarification as to the nature of the instrument, which should be legally binding in order to provide sufficient legal certainty;
-
A thorough adequacy finding, based on essential requirements addressing the substance, specificity and oversight aspects of the scheme. The EDPS considers that the adequacy of the general instrument could only be acknowledged if combined with adequate specific agreements on a case by case basis.
-
A circumscribed scope of application, with a clear and common definition of law enforcement purposes at stake;
-
Precisions as to the modalities according to which private entities might be involved in data transfer schemes;
-
Compliance with the proportionality principle, implying exchange of data on a case by case basis where there is a concrete need;
-
Strong oversight mechanisms, and redress mechanisms available to data subjects, including administrative and judicial remedies;
-
Effective measures guaranteeing the exercise of their rights to all data subjects, irrespective of their nationality;
-
Involvement of independent data protection authorities, in relation especially to oversight and assistance to data subjects.’
2.2 Standards for controls on surveillance activities
As nation states jealously guard their
sovereignty over ‘national security’ issues, it will be more difficult
to impose international
standards on surveillance by intelligence
agencies. Taking lawsuits through Europe’s national courts to the
European Court
of Human Rights is one possible mechanism. NGOs
Privacy International and Liberty have commenced actions in the UK
Investigatory
Powers Tribunal (IPT), which has exclusive
competence to hear complaints on intelligence matters, while a Paris
court has
opened an investigation following complaints
from the International Federation of Human Rights and the French League
of Human
Rights.32
Big Brother Watch, the Open Rights Group and English PEN have made an
application directly to the European Court of Human
Rights, claiming that English law cannot provide
a remedy for breaches of Article 8 because of the limited capacity of
the
IPT.33
While Canada, Australia and New
Zealand are also members of the ‘Five Eyes’ intelligence alliance, the
USA and UK governments
are the most important actors in Snowden’s
leaks. A number of bills have already been proposed in Congress to
constrain the
NSA’s domestic surveillance,34
and key existing powers (such as the Patriot Act section 215, which NSA
has used to gather records of all US telephone calls)
must be renewed between 2015 and 2017. EFF, ACLU
and EPIC have taken a number of court actions in an attempt to uncover
and
restrain NSA surveillance activities.35 However, the privacy rights of non-US persons are negligible under the US Constitution36 and Privacy Act of 1974, which has received very little US political attention—although US Attorney General Eric Holder has
agreed with the European Commission to address the latter issue.37
There is growing international consensus that the ICCPR requires States Parties to protect the privacy rights of all those
within their jurisdiction—including those spied upon internationally38—but
this would require significant legislative or policy changes in USA;
USA is reluctant to accept limitations on its abilities
to monitor data and communications relating to
non-US persons that physically transit US territory—which NSA Director
Keith
Alexander has called a huge ‘home-field
advantage’.39
However, as a party to the ICCPR and
the Council of Europe Cybercrime Convention, civil society has argued
that USA is bound
‘to extend privacy protection to non-US citizens
and to observe the principles of legality, necessity and
proportionality … in
their surveillance activities’.40 EPIC has previously made detailed proposals for an update to the Privacy Act.41
North American and European advocates have also called on the US
government to support high EU standards for data protection;
reform Patriot and FISA Amendments Act
provisions, enact the Consumer Privacy Bill of Rights, stop lobbying
against the EU
Data Protection Regulation, and to ratify the
Council of Europe’s Convention 108 on data protection.42 President Obama took some steps towards greater privacy protections for non-US persons with a directive to the US intelligence
community in January 2014.43
Internationally, civil society groups have identified some key features of a more human rights-compliant legal framework,
and produced a joint set of principles that have been endorsed by over 200 organizations.44 These include:
-
Intelligence agencies should only have targeted, limited access to data. EFF suggests ‘a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service)’.45 EDRi suggests a ban on ‘all data collection measures which are not targeted and not based on concrete suspicions’.46
-
Agency access should be to specific records and communications. They should not be authorized to undertake ‘bulk’, ‘pervasive or systematic monitoring, [which] has the capacity to reveal private information far in excess of its constituent parts’47—such as the submarine cable taps that give NSA and GCHQ access to vast quantities of data, which they then winnow down in secret, or be given access to all telephone records. Any data access should trigger legal protections—this should not come only when data are picked out of a large datastream already collected by an agency.
-
Data collected using special national security powers should be completely blocked from use for other government purposes, including law enforcement. It should be retained for limited periods, and deleted once no longer required.
-
‘Metadata’/‘communications data’ can be extremely revealing about individuals’ lives, and currently receives very low levels of legal protection. This was highlighted by the EU Court of Justice in its judgment invalidating the Data Retention Directive, which required the storage of such data for a period of up to 2 years.48 EFF has called for a requirement for a probable cause warrant for agencies to access previously non-public information, eg revealing identity, websites/info accessed, who with/where/when people communicate.
-
Strict limits on intrusion into freedom of association by network analysis (the creation of very large datasets linking people through several communication hops—previously three in the NSA’s case, which can intrude on the privacy of millions of people, and has since been limited to two hops49).
-
The incorporation of privacy-protective technologies and limitations within surveillance systems. As President Obama has observed:
‘[T]echnology itself may provide us some additional safeguards. So for example, if people don't have confidence that the law, the checks and balances of the court and Congress, are sufficient to give us confidence that government's not snooping, well, maybe we can embed technologies in there that prevent the snooping regardless of what government wants to do.’50 EFF has campaigned against the extension of interception capability requirements to social networking sites and other Internet services, while the joint NGO principles say: ‘States should not compel service providers or hardware or software vendors to build surveillance or monitoring capability into their systems, or to collect or retain particular information purely for State surveillance purposes … and refrain from compelling the identification of users as a precondition for service provision.’51
-
Illegal surveillance should be criminalized, with effective remedies when individuals’ rights are breached. Illegally gathered material should be inadmissible as evidence, while whistleblowers should be protected for revealing illegal behaviour. EDRi has demanded ‘that any foreign data collection measures include provisions giving all affected individuals, at the very least, equal rights to US citizens at all stages of an investigation and, to avoid “jurisdiction-shopping”, rights that are not significantly lower than any democratically approved safeguards in their country of residence’.52 The European Commission is pushing for this in their negotiations with USA over a data sharing privacy agreement.
2.3 Standards for oversight and control of intelligence services
Finally, stronger oversight of
intelligence agencies can reduce the likelihood that they misuse their
surveillance powers.
All democracies acknowledge the necessity of
this oversight (especially to protect against the risk of their abuse
against
political opponents of the government): agencies
have very intrusive powers and wide discretion in their use, but the
secrecy
they operate under severely hinders the scrutiny
measures applied to the rest of government. Oversight can also improve
agency
effectiveness, by challenging waste and poor
performance.53
All of the European and North American democracies have special bodies appointed by the legislature and/or executive to oversee
intelligence agency’s activity.54
Key features of effective oversight include the active participation of
opposition parties, the resourcing of expert investigators
and advisers, and full access to agency
documents. The joint NGO principles state:
‘Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities; to evaluate whether the State has been transparently and accurately publishing information about the use and scope of communications surveillance techniques and powers; and to publish periodic reports and other information relevant to communications surveillance.’55
Many countries also have specific
officials responsible for oversight, including the NSA Inspector General
and a to-be-appointed
Privacy and Civil Liberties Officer, and the
UK’s Interception of Communications Commissioner and independent
reviewer of
terrorism legislation. In the light of the
Snowden revelations, the impact of the US and UK oversight bodies and
officials
has clearly been limited. A broader membership
of oversight panels could be one way to improve their ability to
challenge
disproportionate surveillance—in particular
including individuals with the technical expertise required to
understand complex
surveillance systems, which it seems has been a
severe challenge for the Foreign Intelligence Surveillance Court.
Requirements
for individuals to undergo highly intrusive
security vetting before participating in oversight activities will
reduce the
diversity of those willing to do so. The
European Parliament has stated that
oversight of intelligence services’ activities should be based on both democratic legitimacy (strong legal framework, ex ante authorisation and ex post verification) and adequate technical capability and expertise, the majority of current EU and US oversight bodies dramatically lack both, in particular the technical capabilities.56
NGOs are campaigning for greater
transparency of surveillance activities, with publication of details of
all surveillance
programmes, allowing the media, civil society
and individuals to understand and if necessary criticize agency’s
activity.
Industry groups are also attempting to persuade
the US government to allow them to publish more detailed statistics on
access
to their customer data, with Microsoft and
Google taking legal action to uphold their ‘clear right under the U.S.
Constitution
to share more information with the public’.57
The NGO joint surveillance principles
further require notification of surveillance targets once investigations
have concluded;
publication of aggregate information on the
number of requests approved and rejected or contested by courts
(including the
number of users affected), with a disaggregation
of the requests by service provider and by investigation type and
purpose;
and the removal of confidentiality requirements
that block Internet companies from publishing details of the procedures
they
apply when they receive surveillance orders.58
NGOs have also suggested that secret
procedures used to authorize surveillance should feature a ‘privacy
advocate’ making
a case against the government request. President
Obama has already conceded that such an advocate should appear in
appropriate
cases at the US Foreign Intelligence
Surveillance Court. EFF suggests that such an advocate needs full access
to case materials,
with the ‘independence and protections that
public defenders enjoy’.59
3. VENUES FOR STANDARD-SETTING
The two main forums providing an
opportunity to improve human rights compliance in US–EU surveillance
standards are the negotiations
over the Transatlantic Trade and Investment
Partnership (TTIP), and the ongoing negotiations between USA and
European Commission
over an information sharing and privacy agreement.
Other significant venues are the Council of Europe, United Nations, and
the bilateral and multilateral negotiations of
intelligence-sharing agreements.
3.1 Transatlantic trade and investment partnership
The first round of the EU–US TTIP free
trade negotiations took place in Washington DC in July 2013; the second
round took
place in Brussels in October 2013. The European
Commission originally expected negotiations to conclude by summer 2014,
and
if successful forecast an annual boost to the EU
economy of 0.5% of GDP.60 The talks have, however, been more contentious and taken longer than expected.
The negotiations aim to both reduce
tariffs and reduce non-tariff barriers, particularly by harmonizing
technical regulations,
standards and certification. They are taking
place between the US Trade Representative and the European Commission,
which
has promised to provide regular updates to the
EU Member States and Parliament—an issue of acute sensitivity, following
the
European Parliament’s rejection of the
Anti-Counterfeiting Trade Agreement (ACTA) in July 2012, mainly due to
the lack of
transparency and participation in the
negotiation of that agreement.61
TTIP is a narrow, commercial forum.
However, it presents two possible mechanisms for imposing new
surveillance standards.
The first is in enhanced privacy protections for
personal data agreed in any TTIP mechanism built on the existing Safe
Harbour
agreement, which allows the transfer of
Europeans’ personal data to US companies that have committed to a set of
privacy standards
the European Commission has judged to provide
‘adequate’ protection under the Data Protection Directive.62 The second is promises made in the conduct of the negotiations themselves.
The Trans Atlantic Consumer Dialogue (TACD) has stated:
We are very sceptical that a trade partnership built around regulatory convergence will serve consumer interests, and we will vigorously oppose a deal that dismantles existing EU and US consumer protection … Comprehensive legislative data protection reforms are ongoing in the EU, and more privacy-friendly mechanisms are being developed in the US, therefore data flows and data protection must not be included in free trade negotiations.63
EDRi has argued that higher privacy standards can be the basis for European success in trustworthy cloud services, estimated
to be a €45 billion market in the EU by 2020.
However, industry groups are lobbying heavily for data flows to be included. TTIP has planned to contain an ongoing review
mechanism,64 meaning that data flows could be reconsidered in future even if excluded from an initial agreement. The European Parliament
has called on the Commission to ensure that TTIP does not weaken European privacy standards,65
and has threatened to veto any agreement unless it ‘fully respects,
inter alia, the fundamental rights recognised by the
EU Charter, and provided the protection of the
privacy of individuals in relation to the processing and dissemination
of personal
data remain governed by Article XIV of the
GATS’. The Parliament also called for a review of the Safe Harbour
agreement, and
the suspension of the Commission’s finding that
the agreement provides ‘adequate’ protection for the purposes of the
Data
Protection Directive.66 The Commission published 13 recommendations for US action to protect Safe Harbour in November 2013, and will make a final
decision on the agreement in late 2014.67
Transparency and the opportunity for
civil society participation will be important for the legitimacy of the
TTIP negotiations,
and the European Commission has already
‘committed to providing a maximum of information possible for the
public, the media,
and the many stakeholders’.68
TACD has called for negotiating texts to be published after each round,
with structured opportunities for public comment,
and for a TTIP consumer advisory committee to be
created. The European Parliament played an ‘ambiguous role’ with ACTA
transparency,
‘by demanding disclosure and by disclosing
documents, but also, in some instances, by actively withholding public
information.’69
The process of the negotiations is
also an opportunity for civil society to campaign for higher
surveillance standards. The
EU institutions reacted strongly to the
revelation of NSA bugging of EU networks and premises, with Commissioner
Reding stating:
‘We cannot negotiate on a giant transatlantic
market when there is even the slightest suspicion that our partners are
spying
the offices of the negotiators’. The European
Parliament resolved that it
Strongly condemns the spying on EU representations as, should the information available up to now be confirmed, it would imply a serious violation of the Vienna Convention on Diplomatic Relations, in addition to its potential impact on transatlantic relations; [and] calls for immediate clarification from the US authorities on the matter.70
3.2 Draft data sharing privacy agreement between the EU and USA
The opportunities for achieving higher
human rights standards for surveillance in the EU–US data sharing
privacy agreement
share some similarities with the TTIP
negotiations. Improved transparency and participation would make it
easier for civil
society to be involved. The leaked draft
negotiating mandate given to the European Commission by the Council of
Ministers
supported this, stating: ‘In line with Article
218 paragraph 10 of the TFEU, the European Parliament should be
immediately
and fully informed at ail [sic] stages of the
procedure’. Two further key demands for improved privacy standards are
contained
in the mandate: ‘The Agreement shall explicitly
State that it creates enforceable rights for data subjects … [and]
cannot
be the legal basis for any transfers of personal
data’.71
The 2011 US–EU agreement on the
transfer of PNR flight data included improved privacy protections
resulting from pressure
by the European Parliament, particularly its
Civil Liberties committee, and is one example of the role the Parliament
could
play in setting better standards for
communications surveillance. The law enforcement Data Protection
Directive is another
instrument that could be used to improve
transatlantic privacy protections, alongside a strong General Data
Protection Regulation
that includes provisions (such as the ‘anti-NSA’
article 42)—as long as a weak ‘consistency mechanism’ does not allow
companies
to take advantage of lax enforcement by data
protection regulators in Ireland and the UK.
The European Parliament could put
stronger pressure on the Commission by threatening new political and
judicial action against
the PNR and SWIFT agreements. NGOs made digital
rights a high-profile issue in the 2014 parliamentary elections, so the
2014–19
Parliament is more likely to put pressure on the
Commission for a strong agreement—and ultimately to reject a weak
agreement
if that is the result of negotiations. The
political climate has led to the election of more radical MEPs from the
southern
EU countries suffering from austerity, and more
conservative MEPs from the northern EU countries, which will make it
easier
for civil society to persuade the Parliament to
reject treaties—but harder to achieve more constructive change.
A non-secret treaty basis for
exchanging information, approved by the US Congress and EU Parliament
and meeting European Convention
on Human Rights standards, is the best long-term
enabler of bringing intelligence data collection and sharing within a
transparent
and genuinely human rights-compatible framework.
European Justice Commissioner Viviane Reding stated that ‘a meaningful
agreement
has to ensure that law enforcement authorities
access data through lawful channels of cooperation which do exist
between the
EU and the U.S.’.72 The International Chamber of Commerce also recommended that improved MLATs should replace cross-border surveillance.73
The greatest area of US–EU
disagreement is over the remedies available to non-US citizens and
permanent residents when their
privacy rights are breached. Commissioner Reding
has stated: ‘A meaningful agreement has to ensure the full equal
treatment
of EU and U.S. citizens. A meaningful agreement
has to give European citizens concrete and effective rights like access
to
justice.’74
The US Department of Homeland Security as a matter of policy applies
the protections in the US Privacy Act of 1974 to both
citizens/permanent residents and visitors,
giving everyone the right to access and correct their own personal data.75 However, because the Privacy Act’s definition of ‘individual’ applies only to the former, the latter has no right of judicial
review. Obtaining this is a key goal of the EU, and has been promised by the US Administration.76
3.3 Other venues
The other main venue for improved
transatlantic standards is the Council of Europe—particularly in its
work on Internet governance77 and cybercrime,78 as well as the investigation into the Snowden revelations called for by 23 members of its parliamentary assembly and supported
by an NGO coalition.79 The cybercrime work to date has often been criticized by civil society groups as too heavily reflecting the interests of
law enforcement agencies.80
Existing Council of Europe standards (such as Convention 108 on data
protection, currently under revision, and Recommendation
No R(87)15 regulating the use of personal data
in the police sector) could also be further developed to cover
large-scale
surveillance. The EU and civil society have been
trying to persuade81
USA to ratify Convention 108, although the Senate’s approval of a
treaty that required broad limits on private sector processing
of personal data seems unlikely in the medium
term.
The most difficult venues for new
standards are the secret bilateral and multilateral negotiations between
governments on
intelligence sharing agreements. The United
Kingdom-United States of America (UKUSA) agreement is the basis for NSA
and GCHQ
cooperation,82 while there are hints that NATO facilitated a number of intelligence-sharing agreements following the post-9/11 invocation
of its Article 5 mutual defence procedure.83
It is difficult but not impossible for
governments to be persuaded to reveal details and even modify these
agreements—after
64 years of secrecy, freedom of information
requests led to the publication of an early version of the UKUSA
agreement. Unless
these agreements are transparent, the impact of
other international agreements on surveillance standards is
limited—especially
when data are leaking from national security
programmes into other government activities, such as law enforcement and
tax
investigations, as has been happening in USA.84
Germany’s demands for a no-spying
agreement with USA could be an example for other countries and the
EU—although those that
are not already parties to the UKUSA agreement
will find this more difficult to achieve, since Germany’s aim is
apparently
to upgrade their status within that arrangement,
although so far USA has only been willing to concede informal ‘guiding
principles’
on intelligence cooperation.85
The ‘Five Eyes’ partners have limited ‘understandings’ not to target
each other, although this doubtless is flexible when
significant national interests are at stake. The
European Parliament has stated that ‘the EU principle of sincere
cooperation
requires that Member States refrain from
conducting intelligence activities in other Member States' territory’
and asked ‘the
Council to inform Parliament on developments by
Member States on an EU-wide mutual no-spy arrangement’.86
Clearly, there are a number of wider
international forums that can be used to address surveillance standards.
The most important
are at the UN—specifically, the Internet
Governance Forum, Human Rights Council, Office of the High Commissioner
on Human
Rights,87 International Telecommunication Union and Office on Drugs and Crime. UN Special Rapporteur Frank La Rue has published a report
on the impact of state surveillance on privacy and the freedom of opinion and expression,88
whereas the German government has called for a new ICCPR Optional
Protocol addressing national security issues. Civil society
has called on the Human Rights Council to
support the special rapporteur’s suggestion that the Human Rights
Committee, in
a multistakeholder process, develop a new
General Comment 16 on the right to privacy in light of technological
advancements
and request a report from the High Commissioner.89
Industry could be a supporter of civil society activity related to the UN, especially in light of the UN Guiding Principles
on Business and Human Rights90—possibly through multistakeholder forums such as the Global Network Initiative. International telecommunications companies
might be encouraged to pay greater attention to corporate social responsibility issues.91
One important limitation of the UN
approach is that USA has not ratified the ICCPR First Optional Protocol
that allows individuals
to bring complaints to the Human Rights
Committee, and has made several important reservations to its
ratification of the
Covenant, limiting the ability for ICCPR rights
to be enforced in USA. Only an inter-state complaint would allow the
Human
Rights Committee to make a determination on the
specific facts of the NSA revelations; no government has been willing to
take
this step.
In its 2006 US review, the Human Rights Committee noted
with concern the restrictive interpretation made by the State party of its obligations under the Covenant, as a result in particular of (a) its position that the Covenant does not apply with respect to individuals under its jurisdiction but outside its territory … (b) its failure to take fully into consideration its obligation under the Covenant not only to respect, but also to ensure the rights prescribed by the Covenant; and (c) its restrictive approach to some substantive provisions of the Covenant.Of immediate relevance is the Committee’s statement that:
[the Patriot Act’s] section 215 regarding access to individuals’ personal records and belongings; and section 505, relating to the issuance of national security letters, still raise issues of concern in relation to article 17 of the Covenant. In particular, the Committee is concerned about the restricted possibilities for the concerned persons to be informed about such measures and to effectively challenge them. Furthermore, the Committee is concerned that the State Party, including through the National Security Agency (NSA), has monitored and still monitors phone, email, and fax communications of individuals both within and outside the U.S., without any judicial or other independent oversight.92The Human Rights Committee repeated these concerns in its 2014 review, concluding that USA should:93
(a) Take all necessary measures to ensure that its surveillance activities, both within and outside the United States, conform to its obligations under the Covenant, including article 17; in particular, measures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance;
(b) Ensure that any interference with the right to privacy, family, home or correspondence is authorized by laws that: (i) are publicly accessible; (ii) contain provisions that ensure that collection of, access to and use of communication s data are tailored to specific legitimate aims; (iii) are sufficiently precise and specify in detail the precise circumstances in which any such interference may be permitted, the procedures for authorization, the categories of persons who may be placed under surveillance, the limit on the duration of surveillance; procedures for the use and storage of data collected; and (iv) provide for effective safeguards against abuse;
(c) Reform the current oversight system of surveillance activities to ensure its effectiveness including by providing for judicial involvement in the authorization or monitoring of surveillance measures, and considering the establishment of strong and independent oversight mandates with a view to preventing abuses;
(d) Refrain from imposing mandatory retention of data by third parties;
(e) Ensure that affected persons have access to effective remedies in cases of abuse.
More likely to force US policy change
is the impact the Snowden revelations will have on global Internet
governance debates.
Without significant concessions, it seems
unlikely that the current loose multistakeholder governance model can
persist, with
critical Internet resources run by ICANN under
contract to the US government. The USA has already started the process
of relinquishing
its contractual control over the so-called ‘IANA
function’.
Potentially important also is the World Trade Organisation (WTO), where USA has taken the first steps towards action against
Chinese Internet censorship as a restriction on free trade.94
Other states could raise questions at the WTO about economic espionage
by USA and the UK—the latter’s Regulation of Investigatory
Powers Act 2000 s. 5(3)(c) allows interception
‘for the purpose of safeguarding the economic well-being of the United
Kingdom’.
This issue could also be raised in the World
Intellectual Property Organisation. While the ‘Doha’ round of WTO
negotiations
has stalled, other countries could in these and
other free trade negotiations (such as the Trans-Pacific Partnership)
demand
the reinforcement of the Vienna Convention on
Diplomatic Relations prohibition on foreign government spying on
diplomatic
missions, correspondence and documents—as GCHQ
was found to be circumventing during the G20 meeting in London.95
Finally, the Organisation for Economic
Cooperation and Development as well as UNESCO and the annual
international conference
of data protection and privacy commissioners
continue to have extensive civil society input through the Public Voice
coalition,
which has developed a Madrid Declaration on
Global Privacy Standards for a Global World.96
Cybersecurity policy debates at the UN, the London/Budapest/Seoul
‘cyber’ conference series, and elsewhere, present both
a risk of greater intergovernmental agreement on
surveillance as a prerequisite of Internet security, and an opportunity
for
the incorporation of human rights standards into
resulting agreements.
4. CONCLUSION
A range of potential transatlantic
privacy standards for surveillance have been developed by civil society
groups, courts
and watchdogs such as the European Data Protection
Supervisor. These cover data sharing, surveillance activities and
oversight
of intelligence agencies. The principal
opportunities for implementing them are in EU–US negotiations over a
data sharing
privacy agreement and the Transatlantic Trade and
Investment Partnership. The Council of Europe and state–state
negotiations
over intelligence sharing are also possible venues.
Beyond this, there are opportunities to
introduce new standards through the Council of Europe’s data protection
convention,
and encourage ratification by non-European states,
as well as introducing new privacy protections in the Cybercrime
Convention.
More difficult will be efforts to make
intergovernmental intelligence-sharing agreements transparent. Outside
the USA and
EU, forums at the UN, OECD, Privacy Commissioners’
Conference, WTO and WIPO could also play a role, although they present
challenges of scope and enforcement.
Following a review by an independent
panel appointed by President Obama, the US executive branch has recently
made significant
changes to improve the compliance of its foreign
intelligence practices with international human rights law. These
include
more specific definitions of the purposes for which
surveillance can be undertaken, and—significantly—greater protections
for non-US citizens and residents.97 There remains an opportunity for democratic states to further improve and entrench human rights protections for their citizens
through the implementation of the standards described in this article.
Acknowledgments
Thanks to Axel Arnback, Joris van
Hoboken, Douwe Korff and the anonymous reviewers for their suggestions
and comments on a
draft of this article. This research was supported
by the Open Society Foundations and EPSRC grant EP/L00416X/1.
Footnotes
-
↵1 US Foreign Intelligence Surveillance Court, Memorandum Opinion, 3 October 2011 <https://www.eff.org/document/october-3-2011-fisc-opinion-holding-nsa-surveillance-unconstitutional> accessed 6 August 2014
-
↵2 E MacAskill, J Borger, N Hopkins, N Davies and J Ball, ‘Mastering the Internet: How GCHQ Set Out to Spy on the World Wide Web’ The Guardian (21 June 2013).
-
↵3 L Poitras, M Rosenbach, F Schmid, H Stark and J Stock, ‘How the NSA Targets Germany and Europe’ Der Spiegel (1 July 2013) <http://www.spiegel.de/international/world/secret-documents-nsa-targeted-germany-and-eu-buildings-a-908609.html> accessed 6 August 2014.
-
↵4 ibid.
-
↵5 D Bigo, G Boulet, C Bowden, S Carrera, J Jeandesbox and A Scherrer, Fighting Cyber crime and Protecting Privacy in the Cloud, European Parliament, PE 462.509, October 2012.
-
↵6 J Cremer, ‘Denmark is one of the NSA's ‘9-Eyes'’ The Copenhagen Post (4 November 2013) <http://cphpost.dk/news/denmark-is-one-of-the-nsas-9-eyes.7611.html> accessed 6 August 2014.
-
↵7 L Poitras, M Rosenbach and H Stark, ‘Codename ‘Apalachee': How America Spies on Europe and the UN’ Der Spiegel (26 August 2013) <http://www.spiegel.de/international/world/secret-nsa-documents-show-how-the-us-spies-on-europe-and-the-un-a-918625.html> accessed 6 August 2014.
-
↵8 B Gellman and E Nakashima, ‘U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show’ Washington Post (31 August 2013) <http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html> accessed 6 August 2014.
-
↵9 J Ball, J Borger and G Greenwald, ‘Revealed: how US and UK spy agencies defeat internet privacy and security’ The Guardian (6 September 2013) <http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security> accessed 6 August 2014.
-
↵10 Including Jewel v NSA, 673 F.3d 902 (2011), ACLU v NSA, 493 F.3d 644 (2007) and In re EPIC, SC No. 13-58 (2013).
-
↵11 Big Brother Watch, Open Rights Group, English PEN, and Dr. Constanze Kurz v. the United Kingdom, Application No. 58170/13 to the European Court of Human Rights (still pending awaiting a decision on admissibility from the Court); Liberty and Others v GCHQ, UK Investigatory Powers Tribunal, directions hearing report by Naomi Colvin, 14 February 2014 <https://auerfeld.wordpress.com/2014/02/14/liberty-and-others-v-gchq/>
-
↵12 NK Modirzadeh, ‘Folk International Law: 9/11 Lawyering and the Transformation of the Law of Armed Conflict to Human Rights Policy and Human Rights Law to War Governance’ (2014) 5 Harvard Natl Secur J 225.
-
↵13 Treaty on European Union s 4.2.
-
↵14 Aviation and Transportation Security Act of 2001, Pub. L. No. 107-71, 19 November 2001.
-
↵15 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215, 11 August 2012, 5–14.
-
↵16 Art 218(6), Treaty on the Functioning of the European Union, OJ C 115, 9 May 2008, 1–388.
-
↵17 Art 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 22 November 2006.
-
↵18 European Data Protection Supervisor opinion on the role of the European Central Bank in the SWIFT case, 1 February 2007.
-
↵19 Commission de la Protection de la Vie Privee, Avis 37/2006, 27 September 2006.
-
↵20 Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, OJ L 195, 27 July 2010, 5–14.
-
↵21 SWIFT Agreement Adopted By The European Parliament, EDRi-gram 8.14, 14 July 2010.
-
↵22 European Commission, Report on the second joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (TFTP), SWD (2012) 454 final, 14 December 2012.
-
↵23 European Parliament resolution of 23 October 2013 on the suspension of the TFTP agreement as a result of US National Security Agency surveillance (2013/2831(RSP)).
-
↵24 Agreement on mutual legal assistance between the European Union and the United States of America, OJ L 181, 19 July 2003, 34–42.
-
↵25 Reform Government Surveillance campaign Principles <https://www.reformgovernmentsurveillance.com> accessed 6 August 2014 and EDRi Letter To The US Embassy On PRISM, 19 June 2013 <http://www.edri.org/edrigram/number11.12/edri-letter-on-prism> accessed 6 August 2014
-
↵26 Technology trade associations letter to chairs and ranking members of US Senate and House of Representatives committees on appropriations, 31 March 2014 <http://internetassociation.org/wp-content/uploads/2014/04/TechnologyTradeAssoclettertoCJSApprops33114-1.pdf> accessed 6 August 2014.
-
↵27 International Principles on the Application of Human Rights to Communications Surveillance, 10 July 2013 <https://en.necessaryandproportionate.org/text> accessed 6 August 2014.
-
↵28 OJ L 350, 30 December 2008, 60–71.
-
↵29 Personal data protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data. Procedure file 2012/0010(COD).
-
↵30 European Commission, Explanatory Document, COM(2010) 252/2 <http://www.statewatch.org/news/2010/aug/eu-usa-dp-general-em.pdf> accessed 6 August 2014.
-
↵31 Opinion of the European Data Protection Supervisor on the Final Report by the EU-US High Level Contact Group on information sharing and privacy and personal data protection, 8 November 2011.
-
↵32 D MacGuill, ‘France ‘opens probe' into US spy program PRISM’ The Local (28 August 2013).
-
↵33 Application No: 58170/13, 27 September 2013.
-
↵34 See eg S. 1452 (the Surveillance Transparency Act of 2013) and H.R. 3035 (the Surveillance Order Reporting Act of 2013).
-
↵35 See n 10.
-
↵36 O Kerr, ‘The Fourth Amendment and the Global Internet’ (2015) 67 Stanford Law Review.
-
↵37 E MacAskill, ‘US to Extend Privacy Protection Rights to EU Citizens’ The Guardian (25 June 2014) <http://www.theguardian.com/world/2014/jun/25/us-privacy-protection-rights-europe> accessed 6 August 2014.
-
↵38 I Brown and D Korff, ‘Foreign Surveillance: Law and Practice in a Global Digital Environment’ (2014) 3 Eur Human Rights LR 243; B Van Schaack, ‘The United States’ Position on the Extraterritorial Application of Human Rights Obligations: Now is the Time for Change’ (2014) 90 Int LStud 20; M Milanovic, ‘Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age’ Harvard Int LJ (forthcoming); Office of the High Commissioner for Human Rights, The right to privacy in the digital age, A/HRC/27/37, 30 June 2014.
-
↵39 G Greenwald and E MacAskill, ‘NSA Prism Program Taps in to User Data of Apple, Google and Others’ The Guardian (7 June 2013).
-
↵40 ibid.
-
↵41 Supplemental letter from Electronic Privacy Information Center to Senator Daniel Akaka on S. 1732, 14 May 2012 <https://epic.org/privacy/1974act/EPIC-Supp-S1732-Priv-Act-Modernization.pdf> accessed 6 August 2014.
-
↵42 The Washington Statement – In Support Of Data Protection, 3 July 2013 <http://www.edri.org/edrigram/number11.13/washington-statement-data-protection> accessed 6 August 2014.
-
↵43 US Presidential Policy Directive 28 – Signals Intelligence Activities, 17 January 2014.
-
↵44 See n 27.
-
↵45 C Cohn and T Timm, ‘What Should, and Should Not, Be in NSA Surveillance Reform Legislation’, 5 August 2013 <https://www.eff.org/deeplinks/2013/08/what-should-and-should-not-be-nsa-surveillance-reform-legislation> accessed 6 August 2014.
-
↵46 See n 25.
-
↵47 See n 44.
-
↵48 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Ors C-293/12 and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others, C-594/12.
-
↵49 The White House, ‘FACT SHEET: The Administration’s Proposal for Ending the Section 215 Bulk Telephony Metadata Program’, 27 March 2014 <http://www.whitehouse.gov/the-press-office/2014/03/27/fact-sheet-administration-s-proposal-ending-section-215-bulk-telephony-m> accessed 6 August 2014
-
↵50 ‘Transcript of President Obama’s August 9, 2013, news conference at the White House’ Washington Post. Washington Post Staff, 9 August 2013, Washington, D.C.
-
↵51 See n 44.
-
↵52 See n 25.
-
↵53 A Wills and M Vermeulen, Parliamentary Oversight of Security and Intelligence Agencies in the European Union, European Parliament, PE 453.207, June 2011, 85–6.
-
↵54 ibid 92–5.
-
↵55 See n 27.
-
↵56 European Parliament, Resolution on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ privacy (2013/2682(RSP)), 2 July 2013.
-
↵57 Microsoft Corporation, In re Motion to Disclose Aggregate Data Regarding FISA Orders, US Foreign Intelligence Surveillance Court Case No. MISC. 13-04, and similar motions by LinkedIn Corporation, Facebook, Inc., Yahoo! Inc. and Google Inc.
-
↵58 See n 27.
-
↵59 See n 45.
-
↵60 European Commission DG Trade, Transatlantic Trade and Investment Partnership (TTIP) — The biggest trade deal in the world, undated <http://ec.europa.eu/trade/policy/in-focus/ttip/> accessed 6 August 2014.
-
↵61 BBC News, Acta: Controversial anti-piracy agreement rejected by EU, 4 July 2012.
-
↵62 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
-
↵63 Transatlantic Consumer Dialogue, EU and US consumer groups’ initial reaction to the announcement of a Transatlantic Trade and Investment Partnership (TTIP), 5 March 2013.
-
↵64 European Commission, Trade Cross-cutting disciplines and Institutional provisions, July 2013.
-
↵65 European Parliament, Resolution of 4 July 2013 on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' privacy (2013/2682(RSP)).
-
↵66 European Parliament, Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), 21 February 2104.
-
↵67 Communication from the Commission to the European parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM(2013) 847 final.
-
↵68 European Commission, EU publishes initial TTIP Position Papers, 16 July 2013 <http://trade.ec.europa.eu/doclib/press/index.cfm?id=943> accessed 6 August 2014.
-
↵69 Total Transparency On Anti-Counterfeiting Trade Agreement And Trans-Atlantic Free Trade Agreement Documents, EDRi-gram 11.5, 13 March 2013.
-
↵70 See n 56.
-
↵71 Proposal for a Council Recommendation authorizing the opening of negotiations of an agreement between the European Union and the United States of America on the protection of personal data upon transfer and their treatment for prevention, investigation and detection of crime including terrorism, in the context of police and judicial cooperation in criminal matters, COM(2010) 252/2 <http://www.statewatch.org/news/2010/aug/eu-usa-dp-general-em.pdf> accessed 6 August 2014
-
↵72 PRISM scandal: The data protection rights of EU citizens are non-negotiable, 14 June 2013, SPEECH/13/536.
-
↵73 International Chamber of Commerce, Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross-Border Lawful Intercept Procedures, Document No. 373/512, 12 September 2012.
-
↵74 See n 72.
-
↵75 US Department of Homeland Security, Privacy Policy Guidance Memorandum 2007-1, as amended.
-
↵76 See n 30.
-
↵77 Internet governance – Council of Europe strategy 2012-2015, CM(2011)175 final, 15 March 2012.
-
↵78 See the agenda of the CoE ‘Octopus Conference’ on cooperation against cybercrime, held in Strasbourg 4–6 December 2013 <http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_octopus2013/2571_octo13_outline_v4.pdf> accessed 6 August 2014.
-
↵79 Open Rights Group, ORG joins call on Council of Europe to support resolution against mass eavesdropping, 29 August 2013 <https://www.openrightsgroup.org/ourwork/letters/org-joins-call-on-council-of-europe-to-support-resolution-agains-mass-eaversdropping> accessed 6 August 2014.
-
↵80 Cf Electronic Privacy Information Center, ‘Statement on Council of Europe Cybercrime Convention, Treaty 108-11’, 26 July 2005 <https://epic.org/privacy/intl/senateletter-072605.pdf>
-
↵81 Letter from the EPIC Advisory Council to Secretary of State Hillary Rodham Clinton, 28 January 2013 <http://epic.org/privacy/intl/EPIC_Clinton_ltr_1-10.pdf>
-
↵82 National Security Agency/Central Security Service, ‘UKUSA Agreement Release 1940–1956’, 24 June 2013 <http://www.nsa.gov/public_info/declass/ukusa.shtml> accessed 6 August 2014.
-
↵83 Cf Senator Richard Lugar, NATO After 9/11: Crisis or Opportunity? Remarks to the Council on Foreign Relations, Washington DC, 4 March 2002.
-
↵84 Reuters, U.S. directs agents to cover up program used to investigate Americans, 5 August 2013.
-
↵85 David Ignatius, ‘The U.S. and Germany are Rebuilding a Spy Partnership’ The Washington Post (22 July 2014) <http://www.washingtonpost.com/opinions/david-ignatius-the-us-and-germany-are-rebuilding-a-spy-partnership/2014/07/22/b0bdc7e0-11e2-11e4-8936-26932bcfd6ed_story.html> accessed 6 August 2014.
-
↵86 See n 56.
-
↵87 See the recent HCHR report The right to privacy in the digital age, A/HRC/27/37, 30 June 2014.
-
↵88 A/HRC/23/40, 17 April 2013.
-
↵89 Civil Society Statement to the Human Rights Council on the impact of State Surveillance on Human Rights addressing the PRISM/NSA case, 10 June 2013.
-
↵90 A/HRC/RES/17/4, 6 July 2011.
-
↵91 Cf the ‘Telecommunications Industry Dialogue’ that is now working with the Global Network Initiative.
-
↵92 CCPR/C/USA/CO/3/Rev.1, 18 December 2006.
-
↵93 CCPR/C/USA/CO/4, s.22, 23 April 2014.
-
↵94 US Trade Representative, United States Seeks Detailed Information on China’s Internet Restrictions, October 2011.
-
↵95 E MacAskill, N Davies, N Hopkins, J Borger and J Ball, ‘GCHQ intercepted foreign politicians' communications at G20 summits’ The Guardian (17 June 2013).
-
↵96 The Public Voice, Madrid Privacy Declaration, 3 November 2009 <http://thepublicvoice.org/madrid-declaration/> accessed 6 August 2014.
-
↵97 See n 43.
- © The Author (2014). Published by Oxford University Press.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly
cited.
No comments:
Post a Comment