The NSA Phone Call Database: The European Perspective
posted by Francesca Bignami
Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.
Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, and how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.
A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.
The details of the NSA call database are murky. For purposes of my analysis, I’m assuming the following: (1) it was authorized by a secret executive order, based on the President’s constitutional commander-in-chief powers; (2) the database contains call records (when, for how long, and to which phone numbers calls were made) of millions of American citizens, and those records are traceable to the citizens who made them; (3) before the program became operative, no government officer independent of the President’s administration had the opportunity to review the program for privacy concerns and, since it has become operative, no independent officer has the power to enforce compliance with basic privacy safeguards.
In Europe, any database of electronic information that can be traced to individuals, including phone records, is considered a possible threat to the fundamental right to private life. For databases created for intelligence and law enforcement purposes, there are two Europe-wide sets of standards: Article 8 of the European Convention on Human Rights, on private life, and the Council of Europe’s Convention 108 on the processing of personal data. The European Court of Human Rights has decided a number of telecommunications surveillance and data privacy cases under Article 8. A third set of standards, covering intra-European exchanges of personal information to prevent, investigate, and prosecute crime, is being negotiated in the European Union. All European countries also have their own data protection laws, which set down more precise duties and rights. The ones I’ll be referring to here are the laws of Germany, France, Italy, and the UK.
Under Article 8 of the European Convention on Human Rights, the NSA’s database would have to satisfy three conditions. First, it would have to be authorized by a law that was accessible to the public and that contained provisions precise enough to curb arbitrary government action and to put citizens on notice of possible incursions into their private sphere. Second, the purpose of the interference with privacy would have to be legitimate. Both “national security” and “public safety” count as legitimate purposes. Third, the interference with privacy would have to be proportional. Proportionality turns on two related inquiries: Is there evidence that the government action can achieve the stated purpose? Is the government action necessary for accomplishing the stated purpose, or are there alternative means of accomplishing the same purpose that would burden the right less? The burden of justification on the government, under the proportionality test, varies tremendously, depending on the right at stake and the public interest being pursued. The more important the right, the higher the burden on the government; the more important the public purpose, the lower the burden on the government.
When the privacy right at stake is data privacy, the proportionality inquiry is guided by some of the more specific guarantees of Convention 108. For instance, the amount of data processed should be no more than necessary to accomplish the purpose. Neither should the data be stored for longer than necessary to accomplish the purpose. As a special safeguard for the burdened privacy right, individuals should have the right to check their personal data, to make sure that it is accurate and that, in all other respects too, it is being processed in accordance with the law. Most European countries have also ratified a protocol to the Convention providing for an independent supervisory authority, and even those that have not ratified the protocol have such an authority. In most countries, privacy authorities have advisory powers over proposed legislation, and everywhere they have oversight powers to ensure compliance. The Convention allows for certain exceptions to its privacy guarantees, including exceptions for national security and law enforcement. However, those exceptions must themselves be based on law and be proportional.
How would the NSA’s database fare under this European privacy law? First, based on the European Court of Human Rights’ case law as well as French and German data protection law, I think that the database would fail the requirement of an authorizing law. It does not appear to me that a secret executive order based on a constitutional conferral of power to the President to serve as “commander in chief” would be good enough. (Of course, the administration’s lawyers might have in mind more precise statutory text as the authority for the database, in which case this analysis could change.) Such an order is neither accessible to the public, nor is it specific enough to curb arbitrary exercises of power and to put citizens on notice of how their government is interfering with their basic rights. What about the Bush administration’s argument that any disclosure of the NSA call program threatens American national security? For, as I mentioned above, the Europeans allow for exceptions based on national security concerns. In my view, that argument would fail, both in the European Court of Human Rights and in national European courts. Certainly, courts have permitted European governments to keep secret some of the methods used in surveillance, together with the specific targets of surveillance. (Paul Schwartz has a terrific discussion of some of the German law in his article, German and U.S. Telecommunications Privacy Law, 54 Hastings L.J. 751 (2002-2003). And Verena Zöller provides an informative update in Liberty Dies by Inches, 5 German L.J. 469 (2004).) But I don’t know of any instance in which they have allowed such a massive government program, involving almost entirely national citizens, to go forward without some basis in a reasonably detailed, public law.
The good news for the NSA call program is that it would satisfy the second European legal requirement: national security is, most certainly, a legitimate purpose. Then we get to proportionality. Is a database with the calling records of tens of millions of citizens necessary for fighting terrorism? When making this kind of determination, European courts and privacy officers show considerable deference to their intelligence services. Courts and privacy officers are acutely aware of their limits in understanding how to combat terrorism, as compared to the seasoned professionals in their national intelligence services. But, in Europe, the government would have to make the case, not necessarily in public or in an ordinary court of law, that the data collection was capable of reducing the terrorist threat. The government would also have to consider other types of regulation less invasive of the private lives of ordinary Americans, say, a database of the telephone records of al Qaeda suspects only. The government would also have to demonstrate that there were privacy-protecting safeguards in place. Again, European laws allow for exceptions based on national security concerns, but, again, I don’t think that those exceptions would apply here. Since we don’t know much about the NSA call program, we don’t know whether it is, in fact, supported by this type of reasoning. On the proportionality issue, therefore, I can’t come to any conclusion.
What about an independent privacy agency? That is certainly absent from the NSA call program. In much of Europe—including Germany (Federal Data Protection Act, section 26) and France (Law No. 78-17, article 11.4 and article 26.I)—this independent agency would have had to be consulted on the NSA program before it became operational. Many things can go wrong when a government collects information on the habits of its citizens, including phone records: phone numbers might be matched to the wrong people, leading the government to suspect ordinary citizens of being covert al Qaeda operatives; an intelligence officer who thinks that his wife is cheating on him might check her phone records; once the phone records get too old to help in the fight against terrorism, they might be passed along to tax fraud investigators or to direct marketers. Consultation of a privacy expert, when a government program is being designed, is an important way of ensuring that the necessary safeguards are in place, before any of these abuses can occur.
Moreover, in all of Europe, an independent privacy agency would have to have the power to ensure that government officers, in running the program, were complying with basic privacy safeguards. Here, even under European laws, there are exceptions for intelligence agencies. For instance, under German law, the Federal Commissioner for Data Protection does not have jurisdiction over telecommunications surveillance (which, under German law, includes calling records) when it is conducted by an intelligence agency (Federal Data Protection Act, section 24). But another independent government body does have the power to order the government to stop illegal surveillance: a special bipartisan parliamentary commission known as the G-10 Commission. Under French law, individuals do not have the right to check directly whether the information held on them by security agencies is lawful, but they must be able to do so indirectly, through their national privacy agency (Law 78-17, article 41). Furthermore, under European laws, these exceptions to jurisdiction do not apply to personal data used for law enforcement purposes. This is significant for the NSA program because it is unclear whether the information is being used only by intelligence officers, or by law enforcement agencies too. In sum, under European laws, the NSA program could not be exempted entirely from oversight by an independent government body with the power to investigate and to stop violations of privacy rights.
Now for the bottom line. Why does it matter that the NSA call program would be illegal under European privacy law? That, if any European government tried to do the same thing, it would be breaking the law? As I said at the beginning, I think that the different result under European law is revealing for what it says about current transformations in American law: it underscores the extent to which national security concerns are coming to dominate American law.
There is also a more pragmatic reason for taking European privacy law seriously. The National Security Agency might want information on the calls made by Europeans, in Europe. But because the way it handles private data is so out of line with European law, it is increasingly unlikely that the NSA will be able to get call information, or any other private information for that matter, from European governments.
Let me explain a bit further. In some European countries, private data cannot be transferred to countries without “adequate” privacy safeguards, even if that data is requested for national security purposes. This is the case in Germany, where an exception to the adequacy principle can be made only “for compelling reasons of defence or to discharge supranational or international duties in the field of crisis management or conflict prevention or for humanitarian measures” (Federal Data Protection Act, section 4b(2)). This is also the case in France, where there is a public security exception to the adequacy principle, but that exception is still subject to a determination that the personal information will be protected in the country of destination (Law No. 78-17, article 69). Furthermore, at the European Union level, a series of laws is being negotiated that would enable police authorities, for purposes of preventing or prosecuting crimes, including terrorism, to exchange data like calling records freely and then transfer that data to their intelligence agencies. These are: the European Parliament and Council Data Retention Directive (adopted in March but not yet in force), the Council Framework Decision on the exchange of information under the principle of availability (under negotiation), and the Council Framework Decision on the protection of personal data (under negotiation). However, under the current version of the privacy part of the package, information like calling records could only be transferred to third countries that ensure “an adequate level of data protection” (Council Framework Decision on the protection of personal data, article 15.1(d)). Therefore, with one exception (article 15.6), national European police and security agencies would have to deny an NSA request for call records. No wonder that the Americans expressed concern about this provision at a March 2-3, 2006 EU-US meeting.
Under all of these laws, even if privacy is not adequately protected in the destination country, an international agreement can stipulate privacy safeguards for the transferred data, and therefore render the transfer lawful. But the news of secret U.S. surveillance programs has made it more difficult to take this route. How are European governments to trust that an undertaking of an agency like the NSA or the FBI will not be quickly superseded by a secret order issued by the President, based on his constitutional powers? Of course, if that were to occur, European governments would have claims against the United States under international law. But given the weak enforcement mechanisms of international law and changing American surveillance practices, it is unclear whether such an undertaking could serve as a sufficient guarantee of European privacy.