US law reform post-Schrems II

This @ProppKen/@peterswire article is really useful on the individual remedy aspect of #SchremsII. As they say, they don’t address the other main aspect, of proportionality. This I think is where a European Convention on Human Rights-based analysis could be useful.

The European Court of Human Rights (ECtHR) has a much richer case law on mass, or as they have sometimes called it, “strategic” surveillance (with elements going back to at least 1978 and the Klass case!). Here’s the @coe’s 2018 fact sheet on mass surveillance jurisprudence of the Court, which could now do with an update, following Big Brother Watch and others v UK, and other judgments 🙂

As @TC_IntLaw noted in 2018, the ECtHR seems more willing than the EU Court of Justice (CJEU) to accept large-scale surveillance, as long as there are correspondingly protective safeguards. @bricksilk made similar points in his A Question of Trust UK review. The extent to which these jurisprudences will converge over time is an important question. The EU is continuing its efforts to accede to the Convention, as required by the Lisbon Treaty.

I know @MartinScheinin has long been arguing that elements of mass surveillance (as the intelligence agencies hate us calling it) contravene the “essence” of the data protection and privacy rights in the EU’s Charter of Fundamental Rights. We should soon see from the @privacyint case if the CJEU will continue in this direction.

So, a grand challenge for human rights lawyers on both continents is to find a baseline of protection that will satisfy the US, the EU, its member states, and the broader @coe membership on the extent to which mass surveillance is allowed, and under which conditions and safeguards. Then turn it into a treaty, as we suggested 🙂 Easy!

Here are my initial thoughts about what the US could do before such a treaty, addressing the rule of law and proportionality issues in §§60-64 of Schrems II. I’d be very interested to hear from US lawyers as to their practicality, in legal and policy terms!

1. Executive Orders are not “law” in the European sense — precise, foreseeable, democratically agreed. Does there need to be a controlling statute, particularly with regard to executive branch decisions on the necessity and proportionality of intrusion upon rights?

2. The US Foreign Intelligence Surveillance Act (FISA) s.702 requires the Foreign Intelligence Surveillance Court (FISC) to approve surveillance of non-US persons to obtain ‘foreign intelligence information’. FISC is a US Constitution Article III court with life-tenured, independent judges, which obviously meets European standards for independent judicial control. Can necessity and proportionality tests be applied here (as by the UK’s @IPCOffice)?

Those standards would clearly have to be higher than those that led FISC to grant the order shown above, requiring Verizon (and other major US telcos) to hand over all their call records to the National Security Agency on an ongoing basis for analysis.

3. The CJEU was particularly alarmed about the NSA’s UPSTREAM surveillance of Internet backbone infrastructure, outside FISA. Can s.702 be extended to control that and similar programmes? Can FISC thereby be required to approve them, and their necessity and proportionality? @IPCOffice approves the UK equivalent actions, under the Investigatory Powers Act.

It seems particularly egregious, and damaging to the credibility of US organisational compliance with EU data protection standards (whether by an updated Privacy Shield agreement, Standard Contractual Clauses, Binding Corporate Rules, or other mechanism), that the NSA, by Executive Order 12333, can sweep up data from cables that would be available under FISA in the US.

4. The US Presidential Policy Directive-28 is “lawless” like EO 12333. Can it similarly be brought under (some) statutory control?

5. As a much longer-term project, can the US Constitution be amended to provide protections to non-US persons, as European human rights laws do for non-Europeans (where those persons come under the jurisdiction of European states)? I’ll leave that one to @davidakaye 😉