“What a revoltin’ development this is!” This exclamation is from the 1950s sitcom “The Life of Riley.” Today it is a great description of the general state of the data protection profession. In “The Life of Riley,” Chester Riley’s classic tag line, “What a revoltin’ development this is,” described the endless rough spots in his and his family’s life. That is pretty much how it is with most of the dilemmas we face, where robust data use is conducted among a set of conflicting economic imperatives, security issues, and societal values. Schrems II is the current dilemma. I believe Omer Tene framed it best in his commentary last Friday, “The Show Must Go On.”
I have spent the last two weeks preparing for an IAF policy call on July 23 on the pathway forward after Schrems II. The Court decision did not surprise me at all. I have been working on data transfer issues from Europe since 1995, when the EU Directive was enacted. Back then the issues related purely to commercial data use. That was a simpler time. 9-11 changed that forever. The desire for government use of private sector data for national security purposes became, and remains, an imperative.
Every country uses data pertaining to people for safety reasons in a world where threats are asymmetrical. Much of that data will come not directly from individuals but from opportunities to observe people, where that observation often is by private sector players. Every country will create safeguards consistent with its political culture and societal values. Every society has a prejudice for its own values, and we, as people, judge those values through our own situational lens. The Lisbon Treaty made the Charter of Fundamental Rights the keystone for the European Union. People must have “actionable rights” whenever their data is used. The bottom line is that every transfer must provide those actionable rights. In its public statement last week, the EDPS said that individual actionable rights are not just a “European” fundamental right but a fundamental right widely recognized around the globe. I agree with this statement. However, the how and the when differ from country to country. The General Data Protection Regulation gives European regulators the obligation and the authority to evaluate whether exported data will be protected in the importing location, unless the importing location has been found adequate by the EU Commission. Schrems II first and foremost reminds exporters and regulators of that obligation and authority.
Schrems II was specifically about the United States. From this non-legal practitioner’s perspective, the court isolated two issues. The first issue related to the necessity of bulk collection and whether such collection is proportional. On that issue, private sector players can conduct risk assessments and put in place additional safeguards and supplemental measures. The second issue, whether non-U.S. citizens, particularly European nationals, have standing for redress, is, from my perspective, more difficult. If the answer to the second issue is no, is the question of likelihood even relevant? If the question is a matter of a right to redress that would be required by European law when data is exported, I am not sure the likelihood of collection is relevant.
The question of government data collection for national security has been festering since the September 11 attacks in 2001 and was the topic of a massive investigation by professors Fred Cate and Jim Dempsey, “Bulk Collection: Systematic Government Collection Access to Private Sector Data” that included participation by academics from almost all regions. That investigation concluded that this bulk collection is a problem almost everywhere. At the end of the day, companies, even the most ethical ones, cannot stop governments’ interest in private sector data.
While an international treaty is almost inconceivable, it is time to envision such a treaty. In May 2014, Jennifer Stoddart and I joined Fred Cate and Jim Dempsey in organizing a dialog on corporate accountability and government use of data. The orientation paper may be found here. The paper suggested a reframing of the essential elements of accountability for governments:
Can the five essential elements of accountability be transposed into the governmental context? Without trying to be comprehensive now, here are some thoughts:
1. Organization commitment to accountability and adoption of internal policies consistent with external criteria. When applied to a government data processing program, this element may pose squarely the question of how adequate are the external criteria (that is, the law authorizing government demands)? The formulation used by the ECtHR is that a law must describe a governmental power precisely enough to protect against arbitrary application and to inform the public of which entities can conduct surveillance and under what criteria.
2. Mechanisms to put privacy policies into effect, including tools, training and education. “Tools” suggests use of audit trails, documentation, and permissioning systems for internal access and query. Further elaboration on the essential elements conducted in Paris, Madrid, Brussels, Warsaw, and Toronto suggests processes that assess the risks to individuals associated with new processing (including collection), and that mitigating those risks be part of the final processing plan. Such privacy by design practices should be part of an agency’s comprehensive privacy program. Training should probably start with an understanding of privacy and data protection, since the terms, although widely used, are often misunderstood.
3. Systems for internal ongoing oversight and assurance reviews and external verification. The Article 29 Working Party has specifically called for more meaningful oversight of intelligence agency programs involving collection and use of personal data. It said in its April opinion that the following good practices from the various oversight mechanisms currently in place in Member States should be part of the oversight mechanisms in all Member States:
• Strong internal checks for compliance with the national legal framework in order to ensure accountability and transparency;
• Effective parliamentary scrutiny; and
• Effective, robust, and independent external oversight, performed either by a dedicated body with the involvement of the data protection authorities or by the data protection authority itself, having power to access data and other relevant documentation as well as an obligation to inspect following complaints.
4. Transparency and mechanisms for individual participation. As discussed above, transparency means both public awareness of what data is being accessed as well as numerical reporting to indicate the scope of government access. The Article 29 Working Party stated: “Some form of general reporting on surveillance activities should be in place.”
5. Means for remediation and external enforcement. Remediation can mean judicial redress. In the US, the legal (and constitutionally based) doctrine of “standing” and the state secrets doctrine make it very hard to challenge national security surveillance in court. The ECtHR has a much broader definition of standing, which might be a model.
These five elements should be the starting place for a discussion of an international agreement that allows all governments to use private sector data for national security purposes but gives actionable rights to all people. By starting the discussion with these five elements, such an international treaty will address how governments act responsibly with respect to this type of data, how they demonstrate their actions, and how people can obtain redress if governments fail to act responsibly. These steps put the responsibility back where the accountability lies and give people actionable rights to hold governments responsible.