BELGIAN PRIVACY AUTHORITY REQUESTS OPINION OF U.S. SURVEILLANCE LAWS UNDER SCHREMS

belgium flag

The European Court of Justice (ECJ) failed to take into account numerous changes in U.S. surveillance practices when it invalidated the Safe Harbor program in the Schrems case, according to a report by Prof. Peter Swire of the Georgia Institute of Technology and Alston & Bird LLP.

The Schrems decision reflected a “serious misunderstanding of U.S. national security law,” the report concluded. Swire finds that the U.S. legal order as related to privacy and surveillance is:

 

  • “essentially equivalent” to the EU’s,
  • that the ECJ came to the wrong conclusion regarding section 702 of the PRISM program, and
  • that the decision neglected the two dozen significant reforms the U.S. has made to its surveillance practice since 2013.

 

The Belgian Privacy Authority requested that the report answer two questions for a forum on the Schrems decision that it hosted:

 

  • 1.Is U.S. surveillance law fundamentally compatible with EU data protection law?
  • 2.What actions and reforms has the U.S. taken since Edward Snowden’s revelations of U.S. government surveillance began in June 2013?

The report criticizes Schrems’ claim that the U.S. does not have a necessary legal order for the transfer of data, arguing that the U.S. and EU Member States have a “fundamental equivalence” as constitutional democracies under the rule of law. Swire reviews the “fundamental protections” that the U.S. employs for law enforcement and national security surveillance, asserting that the “U.S. has a long tradition of … independent judges updating fundamental rights protections to adapt to changing technology,” and the national security surveillance system “features the vital principles of oversight, transparency and democratic accountability,” as illustrated by the USA Freedom Act of 2015. 

Swire next discusses the legal structure of 702 and how Upstream technology works, concluding that the National Security Agency’s acquisition of e-mail and other communications is not “pervasive.” The EU’s Fundamental Rights Agency and the Privacy and Civil Liberties Oversight Board both agree that PRISM is not bulk collection, but rather, targeted. Moreover, declassified Foreign Intelligence Surveillance Court documents illustrate that Upstream collected less than 10% as many electronic communications as PRISM in 2011, and therefore “is not pervasively acquiring electronic communications.”

Finally, Swire reviews the more than 40 changes the U.S. has made to surveillance laws, criticizing the ECJ decision and Advocate General’s (AG) opinion for not taking them into account—even though the AG insisted that U.S. practices must be analyzed “by reference to the current factual and legal context.”

 

The U.S. reforms, according to Swire, illustrate “a constitutional democracy under the rule of law, with independent judicial oversight, transparency and democratic accountability,” and demonstrate a “fundamental equivalence of the U.S. and EU Member States with respect to surveillance activities.”

 

As U.S. and EU negotiators work towards a replacement—hopefully by the end of Jan. 2016—we will find out if the EU agrees with Prof. Swire’s analysis.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.