Views on Global Surveillance Laws From Lothar Determann of Baker & McKenzie


The proliferation of surveillance laws around the world has placed multinational companies between the demands of privacy-conscious consumers and increasing data access requests from governments, leaving them to figure out how to comply.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor George R. Lynch posed a series of questions to Lothar Determann, a partner in the Global Privacy & Information Management Working Group at Baker & McKenzie LLP in Palo Alto, Calif., on global surveillance laws and how multinational companies should navigate the maze.

Bloomberg BNA:

Should multinationals be concerned about surveillance laws around the globe?

Lothar Determann:

Yes. Companies should be concerned and they are. Companies in all countries are regularly caught in the middle between government requests for data and customer requests for privacy. Multinational businesses face particularly tough challenges, because they are subject to data access requests and privacy requirements in numerous jurisdictions, which often do not agree on what is required or permissible in a particular situation.

For example, a few years ago, airlines were required to share certain passenger data with U.S. authorities under U.S. laws while European Union laws prohibited such sharing. Now, a German company may be compelled to locally store telecommunications metadata under Germany’s new data retention and residency law to enable better access to German law enforcement authorities and intelligence agencies regardless of whether privacy laws of the U.S. or other countries prohibit such local storage or disclosures.

Bloomberg BNA:

Does the apparent EU resistance to the proposed EU-U.S. Privacy Shield make sense in the context of the growth of surveillance laws in the EU?

Determann:

No. The EU is trying to hold the U.S. to much higher privacy standards than the EU holds its own member states or other countries that the European Commission has found “adequate” in formal decisions. The EU declared Argentina, Canada, Israel, New Zealand and Uruguay “adequate” without any requirements for companies in these jurisdictions to register for “safe harbors” or “shields.” At the same time, the EU has not been able to harmonize surveillance laws in its own member states and recent studies by EU institutions acknowledge significant privacy gaps.


The European Commission and the U.S. Commerce Department worked hard to address the concerns raised by the Court of Justice of the EU in its judgment of Oct. 6, 2015 concerning the U.S. Safe Harbor Program. But, there is only so much the Commission and Commerce Department can do—neither institution controls surveillance measures of its respective governments. In connection with the negotiations, the U.S. side was able to produce a letter from the Director of National Intelligence with very concrete privacy commitments in an 18-page undertaking. Separately, the U.S. President and U.S. courts had significantly reined in National Security Agency (NSA) programs since Edward Snowden's revelations in 2013 and the U.S. Congress recently strengthened privacy protections in the Judicial Redress Act and the USA Freedom Act.

It is hard to imagine that the U.S. can do much more to alleviate remaining European data protection authority concerns regarding surveillance, particularly given the fact that European governments are at the same time relaxing their own privacy laws to allow more surveillance and they are asking for more cooperation and data sharing with U.S. intelligence services after recent terror attacks in Paris and Brussels. The German government recently enacted a data residency requirement for telecommunication metadata to provide better access to such data for the German government.


It would be a pity for companies and commerce if unrelated political agendas regarding government surveillance cause the Safe Harbor and Privacy Shield programs to fail, because they represent very unique institutions and opportunities to further international interoperability of national privacy laws. If anything, the programs should be extended to apply both ways, i.e., also require European companies to comply with U.S. privacy laws, which have been more effectively enforced over the years and are much more up to date (while EU data protection laws remain largely at a 1995 level until the new regulation becomes effective in May 2018).

Bloomberg BNA:

Is the U.S. an outlier in its approach to authorizing government surveillance?

Determann:

No. Each country takes a slightly different approach, but the U.S. is not an outlier when compared to other countries. We illustrated this recently in our "global surveillance survey" that a global team of Baker & McKenzie attorneys and a few correspondent firms worked on together. We delivered our findings with easily accessible heat maps and an interactive Q&A on a dynamic publisher site where you can compare some or all countries covered on selected questions. Check out the 2016 Global Surveillance Law Comparison Guide and Heat Maps online—the site is open to anyone.

The reason why the U.S. is singled out in the public debate—even though it is not an outlier by any means—has a number of reasons:


1. people can speak out freely in the U.S. about and against government surveillance; in many other countries, dissidents are simply silenced
2. the U.S. government is much more transparent than most other governments, where secret services are truly secret and citizens cannot sue the government in court and demand discovery
3. the U.S. reacted to 9/11 in 2001 and ramped up its defenses against terror attacks much earlier than most European countries; France and Belgium reacted actually quite similarly, but more recently, and that is not yet being acknowledged in the public discussion
4. the sheer size of the NSA's program and budget dwarfs the programs of many other countries, particularly Western European countries that have been heavily relying on the U.S. to guarantee military security for the last 70 years
5. the U.S. has relatively stringent constitutional safeguards, compared to many other jurisdictions (which the U.S. president and courts have found the NSA overstepped)
6. Snowden happened to have happened to the NSA—other intelligence agencies in the U.S. and elsewhere seem to have been more successful in preventing leaks and security compromises; Snowden's strategically launched series of limited leaks over two years or so kept awareness regarding the NSA programs front and center in the public debate, whereas other countries' programs remained in relative obscurity.

 

Even the fact that intelligence services in other countries extensively share data with the U.S. authorities is often overlooked, particularly the four other countries in the “Five Eyes Alliance,” Australia, Canada, New Zealand and the U.K., i.e., one EU member state and two countries that enjoy unlimited “adequacy” findings by the EU freely exchange surveillance intelligence with the U.S. This means that data going to any of these countries can be picked up by the NSA regardless of any EU data protection laws, safe harbors or privacy shields.


Bloomberg BNA:

Given the recent changes in the legal landscape, do you still believe that surveillance laws don’t necessarily mean the loss of privacy?

Determann:

Surveillance and surveillance laws mean different things to different people's privacy. Most laws involve some gain and some loss.

To a terrorist, cyber-criminal or innocent person suspected of crimes, government surveillance usually means a loss of privacy. This is particularly true when law enforcement conducts surveillance, because the resulting data is often used in courts and in public. Surveillance by intelligence agencies does not usually result in noticeable intrusions of privacy, because individuals do not usually even find out when they are spied upon by intelligence agencies. But, some people subjectively consider the mere possibility of surveillance by intelligence agencies a loss of privacy.

To the majority of the population, government surveillance means protection from other harms, including terror attacks, cybercrimes and privacy invasions. Law enforcement conducts investigations and surveillance to pursue and prevent crimes, including crimes against privacy (such as identity theft, e-mail interception, phishing, data theft, computer fraud, hacking, etc.). National intelligence agencies conduct surveillance to protect national security—and by extension: national privacy—against foreign government surveillance. With surveillance and other measures, our government invades and protects individual privacy.

Bloomberg BNA:

What’s the biggest challenge you face in representing clients who have to navigate a patchwork of international surveillance laws?

Determann:

Companies struggle with actual data access requests from foreign governments: How to respond? What paperwork to ask for? What is required or permitted? Companies also face challenges regarding preparing and positioning themselves for data access requests at the planning phase of their international business expansion: Where can or should we set up foreign presences? How should data storage and access be framed within the company?

Surveillance laws are a very difficult and complex topic. In most countries, government agencies have to comply with many different agency-internal guidelines, a variety of state and federal statutes and on top constitutional provisions, which tend to be framed conceptually and open for interpretation. Many countries apply their law relatively strictly to surveillance on their own territory (by their own government agencies and foreign agencies), but leave more discretion to their intelligence agencies with respect to surveillance of other countries. Court decisions and files are often sealed or obscured by redaction due to national security concerns. Also, even if legal commentary is available, it is often unclear what the various government agencies are exactly doing to gather intelligence. Because individuals are usually not notified of surveillance, and intelligence agencies keep their findings secret, in the interest of national security, surveillance activities remain usually obscure and it remains unclear how the law applies to them. Therefore, surveillance laws and practices tend to be a rather obscure field and hence a challenge for multinationals.


Legal scholars and government institutions have already published a number of interesting studies in the last couple of years that compare particular aspects of surveillance laws in different countries. Given the complexities of such research, most studies focused on only a few jurisdictions or particular aspects of surveillance laws. Most studies are fairly complex and detailed. All note how much is yet unclear.

What has been missing from the public discussion was an easily accessible overview with broad geographic scope. That is what we wanted to contribute. Our firm, Baker & McKenzie, seemed uniquely qualified to put such an overview together, given our large geographic reach: we have 77 offices in 47 jurisdictions. Volunteers in most of our offices and a number of correspondent firms contributed to our aforementioned "global surveillance survey" and we hope that it advances the international public debate and helps clarify the situation for companies. Please check it out on our website and let me know what you think.

For More Information

Baker & McKenzie's “2016 Global Surveillance Law Comparison Guide and Heat Maps” is available at http://www.bakermckenzie.com/QRGGlobalSurveillanceLawApr16/.