New US spy law could reignite Safe Harbour debate

New US legislation allowing intelligence agencies unprecedented access to personal information could see the issue of transatlantic data transfer policies flare up in Europe once again.

Jamie Davies

January 13, 2017

4 Min Read
data spy security hack

New US legislation allowing intelligence agencies unprecedented access to personal information could see the issue of transatlantic data transfer policies flare up in Europe once again.

In what could be one of the final acts of President Obama before he leaves the White House, the NSA has now been given permission to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections. While this might be perceived as legitimate practice in the US, the move may attract criticism from the more privacy-sensitive European nations, restarting the data protection dispute.

In reality, the Safe Harbour/Privacy Shield saga was never truly put to bed, as objections to the new mechanism were heard but merely ignored. While the European Commission (hereafter known as the Gaggle of Red-tapers) were unusually efficient in replacing the now-defunct Safe Harbour mechanism, the European Data Protection Supervisor, the influential Article 29 Working Group and several industry commentators found issues in its successor.

The main issue here is surrounding access which intelligence agencies have to personal information. In the US, said agencies are given a longer leash and less oversight to intercept data than in the European Union. As many European businesses are counting as customers of American cloud companies, there is an argument the data held by Google for instance falls into US jurisdiction, and therefore into the net of its intelligence agencies. Safe Harbour was supposed to be a mechanism to maintain European data protection rights and principles, irrelevant as to where the data resides.

Unfortunately, the agreement was not robust enough to keep the US intelligence agencies at bay, and was subsequently shot down by the European Court of Justice in 2015. It’s replacement, EU-US Privacy Shield in theory provided adequate protection, though some have found faults.

European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns stating the pact would not be robust enough to stand up under European data protection rights. Article 29 found issue on the grounds of mass surveillance and oversight. Max Schrems, who is credited with initiating the Safe Harbour downfall, stated Privacy Shield was essentially the same mechanism with a new paint-job. The issues were never truly addressed as the Gaggle of Red-tapers moved forward irrelevant of feedback, though the latest move from the US could see the embers of debate reignited.

The new law essentially relaxes rules which dictated what the largely-unregulated NSA could do the information which it collects from satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches. The NSA can now share the raw information with a host of other agencies prior to apply any privacy protections. These agencies include the CIA, Department of Energy, Homeland Security, the DEA and FBI.

Prior to the introduction of this law, the NSA was still able to pass on information which it deemed necessary to national and international security to other agencies, though the identities of innocent people, as well as irrelevant personal information was removed. The handing over of raw information with no regard to the privacy rights of citizens is likely to attract attention of privacy advocates around the world.

The information can be retained for a period of up to five years, and the new rules certainly give intelligence agencies a wide-berth to snoop. Take for instance this clause:

“Domestic communications inadvertently retrieved during the collection of foreign communications will be promptly destroyed upon recognition unless the Attorney General determines that the contents indicate a threat of death or serious harm to any person.”

Firstly, the clause does not state the information has to be destroyed immediately; promptly can be interpreted as a range of different times by different people. There doesn’t seem to be a time-limit on how long this information can be retained. Secondly, the clause gives permission for the intelligence agencies to snoop on innocent by-standers to determine whether there is a cause to destroy the information itself.

It’s a nice little grey area which will further enhance the ability of US intelligence agencies to pry into personal communications. This clause is specific to US citizens, though there is also one for the rest of us.

The immediate ripples of the new law are not evident as of yet, though considering the shaky ground on which the current EU-US Privacy Shield mechanism currently stands, there is the potential for the debate to be restarted. Whether Buttarelli, Article 29 and Schrems will want to strengthen their opposition to the policy could further strain the already tenuous data transmission relationship which exists between the EU and the US.

Another interesting ripple could be seen in the UK. The Information Commissioners Office (ICO) has been doing its best to cosy up to the Gaggle of Red-tapers to ensure Brexit does not have too much of an impact on the relationship with Europe’s single market, but it’s complicated bromance with the US is also an important one. In the Snoopers Charter, the UK has shown its thoughts are more aligned to the US on the matters of national security and privacy, but is this stance more important than a trading relationship with the EU? A compromise needs to be made somewhere.

Subscribe and receive the latest news from the industry.
Join 56,000+ members. Yes it's completely free.

You May Also Like