By Christopher Kuner
The recent revelations concerning widespread US government access to electronic communications data (including the PRISM system apparently run by the National Security Agency) leave many questions unanswered, and new facts are constantly emerging. Thoughtful commentators should be hesitant to make detailed pronouncements before it is clear what is actually going on.
Nevertheless, given the potential of these developments to fundamentally reshape the data protection and privacy landscape, I cannot resist drawing a few high-level, preliminary conclusions, from a European perspective:
Legal protection without political commitment is insufficient to protect privacy. In the regulation of data flows across national borders, trying to resolve conflicts between privacy regulation and government access requirements solely through legal means puts more pressure on the law than it can bear. In addition to strong legal measures, we need greater commitment to privacy protection at the political level, which unfortunately is lacking in many countries.
Government access to personal data is a global issue. Last year, International Data Privacy Law published a detailed legal analysis of systematic government access to private-sector data in nine countries (Australia, Canada, China, Germany, India, Israel, Japan, the UK, and the US), and concluded that a lack of adequate transparency and clear legal standards in this area is a global problem. Revelations about the US programs should not distract attention from issues regarding government access to data in other countries.
There should be more transparency around government data access. Governments have yet to learn one of the main lessons from data breach cases, namely that they need to be dealt with openly and transparently. It would have been preferable if there had been a reasoned public discussion about these law enforcement programs over the last few years, rather than having them explode in the press like a bombshell.
Penalizing discussion of the possibility of government data access is counterproductive. Laws that prohibit discussing the existence of government data access programs should be changed. How can we judge whether access is necessary and legally justified if we can’t even mention the fact that it is occurring? And I can’t believe that many terrorists nowadays are ignorant of the fact that their electronic communications may be subject to government surveillance.
The debate about the legality of these programs so far has been simplistic. Since news of these surveillance programs broke, some commentators have argued that all law enforcement surveillance is illegitimate, while others maintain that it is presumptively permissible as long as it is useful. Such a black-or-white approach is incorrect and unsatisfying. There is a need for a more sophisticated analysis, which could be based on well-established European legal concepts such as whether a particular surveillance program is proportionate, and whether it is necessary in a democratic society.
These revelations will cause embarrassment to European governments as well as to the United States. The legal and political fallout will not be limited to the US. It is well-known that the US shares a good deal of intelligence with European countries, and awkward questions are already being raised about the extent to which European intelligence services may have accessed data collected by the US under PRISM and similar programs.
Distinguishing between privacy protection for nationals and foreigners is indefensible. On 7 June, President Obama attempted to reassure the American public by saying that access to Internet and e-mail data “does not apply to U.S. citizens, and it does not apply to people living in the United States”. Such statements will only cause concern among the billions of Internet users outside the US. Having stressed the need for a global system of privacy protection in its February 2012 report on “Consumer Data Privacy in a Networked World”, it is inconsistent for the White House to imply that US citizens should be given a higher level of privacy protection than non-citizens.
These developments will have major consequences for data protection and privacy law. The long-term effect of these developments on data protection and privacy law cannot yet be foreseen, but some consequences are already apparent. For instance, the EU General Data Protection Regulation proposed in 2012 by the European Commission, final approval of which has been hampered by political disagreement, may receive new impetus from the recent revelations, while the proposed EU-US Free Trade Agreement may suffer.
The effectiveness of data protection and privacy regulation is ultimately dependent on individuals having confidence in how their data are processed. This confidence has been severely shaken in recent days; it is important for both governments and the private sector to take steps to strengthen it, before it is too late.
Dr. Christopher Kuner is editor-in-chief of the journal International Data Privacy Law. He is author of European Data Protection Law: Corporate Compliance and Regulation, and the new book Transborder Data Flow Regulation and Data Privacy Law in which he elaborates some of the topics discussed here. Dr. Kuner is Senior Of Counsel at Wilson Sonsini Goodrich & Rosati in Brussels, and an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge.