Biden’s Executive Order On Surveillance Doesn’t Do Nearly Enough To Protect Privacy; Playing Word Games Doesn’t Actually Limit NSA Surveillance

by Mike Masnick, from Techdirt (#64N6S)

Back in March, we noted that the EU and US had announced that they had come to an agreement on transatlantic data flows. This is actually a really big and important story that gets almost no attention, because "transatlantic data flows" sounds boring. However, it's really, really big and matters for the future of a global internet as opposed to an extremely splintered regional set of internets. People within Facebook have suggested that this is the single biggest issue facing the future of the company, which might be slight hyperbole, but just... slight.

It's a big deal.

And, back in March when the initial agreement was announced, it seemed like the US government was going through the motions, rather than fixing the real issue. That's because for the past few years, whenever people talked about the issue with transatlantic data flows, they focused on boring claims about "data protection," and kept leaving out the very thing that created these problems: the NSA spying on all sorts of internet traffic and data indiscriminately.

I know, I know this sounds boring, but stick with it and this is actually pretty interesting. Years back, the EU and the US set up a "safe harbor" provision, that basically said that American internet companies could collect data on EU citizens and residents so long as the American companies took certain steps to comply with some fairly straightforward protections for the data of those EU citizens. There was a certification process (as an American company, we even went through it ourselves) to make sure that we protected the data of EU users.

However, when Ed Snowden revealed the details of the NSA's mass surveillance program, Max Schrems, a privacy advocate from Austria, noted that American companies could no longer actually claim that they were keeping data from the EU safe, because the NSA was snarfing it up. Valid point.

The way to actually fix this was for the NSA to stop all the snarfing. But that's not what happened. Instead, after the EU Court of Justice agreed with Schrems and tossed out the privacy safe harbor, the EU and the US went back to the drawing board and announced... the "privacy shield." Which was basically just the privacy safe harbor with a new badass name. Schrems went back to the Court of Justice and the Court of Justice said, "yo, that agreement does nothing about NSA spying." And, thus, the privacy shield was also tossed out.

So, then we get to this year, and I fully expected yet another weak agreement, based on the announcement back in March. So I'm a little surprised that the final Executive Order from President Biden actually suggests a change in strategy to NSA surveillance. That's because for years in covering the various debates about transatlantic data flows, I felt like I was one of the few people who remembered we were actually talking about NSA surveillance. It felt like politicians in both countries would just trot out bland nonsense about "data protection," and "proportionality," without addressing the only issue that really mattered: the NSA scooping up so much data on people in the EU.

So, at the very least, the new executive order actually is focused on NSA surveillance. And, to be sure, there's some nice language in there, like:

(ii) Signals intelligence activities shall be subject to appropriate safeguards, which shall ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities so that:

(A) signals intelligence activities shall be conducted only following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority, although signals intelligence does not have to be the sole means available or used for advancing aspects of the validated intelligence priority; and

(B) signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

(iii) Signals intelligence activities shall be subjected to rigorous oversight in order to ensure that they comport with the principles identified above.

But this is the Intelligence Community that we're talking about, and in the more than two decades we've spent covering the IC, we've long learned that if you give them even the smallest of loopholes, including the ability to come up with their own made up definitions of common English words, then they will use those loopholes to keep on spying.

Of course, part of this new executive order is the partial revocation of a problematic Obama Presidential Policy Directive, that was an earlier weak attempt to pretend that he was somehow putting some limits on the surveillance powers of the NSA when it was yet another cover story for more surveillance.

So, at the very least, rather than just putting a fresh coat of paint on a random agreement on privacy to allow data flows, this is a positive step that attempts to address the NSA and its surveillance activities.

But... that's about all the good that can be said about this. Because it doesn't actually address the underlying NSA surveillance. Instead, it's more of a pinky promise that the NSA will be better now, without putting much behind actually making that happen.

Specifically, while the new EO talks about "necessary" and "proportionate" surveillance (two words the EU law requires), it seems pretty clear to basically everyone that the NSA and the White House are up to the old trick where they'll say those words, but define them how they want them defined, rather than the way everyone else in the world uses them.

Max Schrems, who helped kill off the last two deals, has put out a statement highlighting how this is just word games, rather than actual change:

Bulk surveillance continues via two types of "proportionality". The US highlights, that the new executive order uses the wording of EU law ("necessary" and "proportionate" as in Article 52 CFR) instead of the previous term "as tailored as feasible" used in Section 1(d) of PPD-28. This could solve the problem, if the US would follow the same understanding and also apply the proportionality test of the CJEU.

However, despite changing these words, there is no indication that US mass surveillance will change in practice. So-called "bulk surveillance" will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not "proportionate" (under the European understanding of the word) twice.

How is this possible? It seems, the EU and the US agreed to copy the words "necessary" and "proportionate" into the Executive Order, but did not agree that it will have the same legal meaning. If it would have the same meaning, the US would have to fundamentally limit its mass surveillance systems to comply with the EU understanding of "proportionate" surveillance.

So, yes, the White House is now acknowledging that the NSA surveillance is the problem, and making noises about how it's fixing it, but the reality is that it's playing word games to pretend it's fixing it, when it is not. And everyone seems to see that.

The ACLU has also called out how this is not nearly enough:

"President Biden's executive order does not go far enough. It fails to adequately protect the privacy of Americans and Europeans, and it fails to ensure that people whose privacy is violated will have their claims resolved by a wholly independent decision-maker," said Ashley Gorski, senior staff attorney with the ACLU National Security Project. "Although the executive order is a step in the right direction, it does not meet basic legal requirements in the EU, leaving EU-U.S. data transfers in jeopardy going forward."

[....]

"The problems with the U.S. surveillance regime cannot be cured by an executive order alone," said Gorski. "To protect our privacy and to put transatlantic data transfers on a sound legal footing, Congress must enact meaningful surveillance reform. Until that happens, U.S. businesses and individuals will continue to pay the price."

TACD, the Trans Atlantic Consumer Dialogue, also put out a statement saying, nice try, but not enough.

The Transatlantic Consumer Dialogue's (TACD) first analysis of the announced measures reveals that the new provisions would not adequately protect European consumers' fundamental rights to privacy and data protection, as established in the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR), seen in the light of the CJEU's decision on Privacy Shield

For one, the measures do not seem to solve the issue of the lack of proportionality of the U.S. surveillance laws and practices - one of the main elements that render the current system incompatible with EU law, according to the CJEU. The Executive Order refers to new safeguards and includes the wording "proportionate" as in Article 52 of the EU Charter of Fundamental Rights (EU Charter), but it does not establish any mechanisms to limit the U.S. mass surveillance systems in place. For another, it seems like the Executive Order still does not provide for real judicial redress to European consumers.

The Order establishes a two-step procedure that includes an officer under the Director of National Intelligence and a so-called "Data Protection Review Court". However, it seems that the latter might not be a judicial body as foreseen under Article 47 of the EU Charter or the US Constitution, but a body within the US government's executive branch. The procedures before these two bodies will need to be closely analysed before a final statement can be made, but the structure currently looks closer to the "Ombudsperson" position that had existed under the previous framework, Privacy Shield. The CJEU has already proclaimed such form of executive bodies as being in breach of the essence of Article 47 of the EU Charter and reiterated a need for judicial review or approval by an actual court.

The first analysis of the measures shows that the Executive Order does not provide the necessary basis for a decision that the U.S. offers effective and meaningful data protection. Together with the above shortcomings, the failure of the U.S. to have a robust overarching data protection law that ensures the privacy of its own citizens and consumers creates a barrier to any serious consideration on adequacy.

As we've been saying for almost a decade now: there is one way to fix this and that's to stop the NSA's mass surveillance program. The powers that be (Congress and the President) simply seem incapable of admitting that, and thus we go through this same dance every few years.
