Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.
Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.
A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.