In the United States, three pieces of legislation set the stage for government and national security agencies to access and use private information stored in electronic media. In the United Kingdom, a bill would make national security access easier. The European Union’s new privacy law is set to replace the 28-nation hodgepodge of privacy and security laws, and that new regime carries draconian fines. The three sets of laws have different emphasis and will make tripartite legal compliance often impossible for commercial vendors.
In June 2015, the USA Freedom Act replaced the Patriot Act and blocked bulk surveillance of American phone calls, but did not block communications vendors from collecting telephone metadata. Now, using court-issued warrants or subpoenas, (especially in the form of a National Security Letter), government and national security agencies can obtain telephone metadata from the vendors.
A bill called the Email Privacy Act would require law enforcement and government agencies to obtain a warrant (not a subpoena) before forcing an email service provider to produce requested emails. The email owner must be notified within a short timeframe, although in special circumstances, a notification can be delayed. The Email Privacy Act is not yet law.
The third law known as Cybersecurity Information Sharing Act (CISA) was buried as part of a 14th rider of a 2,000-page bill. CISA permits private companies to voluntarily hand over customer information to federal agencies and it protects those companies from lawsuits over privacy violation. DoD and NSA can request and use the information to address a “specific threat” of death, serious bodily harm, serious economic harm, terrorism, harm to a minor and more.
For most U.S. purposes, a court-issued warrant is a “hall-pass” for law enforcement and national security agencies to obtain data held by information and communication processing firms. CISA protects the cooperating firms from ruinous privacy violation lawsuits, but it will not relieve vendors from consumer expectations that they protect privacy. The residual protection for consumers is in the good judgement of the warrant-issuing courts. It’s not perfect because some judges have the wisdom of Solomon and some are tie-dyed anarchists. Obtaining a warrant may pose delays, but it’s probably better than a loose standard that law enforcement officers (LEOs) can interpret for themselves.
The European Union (EU) adopted a General Data Protection Regulation (GDPR), governing the use and privacy of EU citizens’ data. GDPR clarifies the quirky “right to be forgotten,” gives consumers a right to know when their data has been hacked, a right to transfer their data between providers, easier access to their own data and transparency about how their data is processed. Companies cannot reveal data received for a particular purpose without the consumer’s explicit permission. From the EU’s perspective, “any company that markets goods or services to EU residents may be viewed as subject to the GDPR, regardless of whether the company is located or uses equipment in the EU or not.” That grandiose claim of international dominance may cause commercial conflicts and reduced cooperation among LEOs.
A draft Investigatory Powers Bill accords British spies authority beyond those available in other Western countries. The draft empowers national security agencies to carry out bulk interception of communications data. Apple is concerned that the draft laws could weaken data encryption, sanction interference with its products, force non-UK companies to break the laws of their home countries, and spark similar legislation in other countries that could paralyze firms under the weight of dozens of contradictory laws. Microsoft voices similar criticism, “the legislation must avoid conflicts with the laws of other nations and contribute to a system where likeminded governments work together, not in competition, to keep people more secure.”
The laws governing European LEO and national security agencies’ access to consumer data are less clear, presumably because they will be less welcomed by the EU public. When the EU wants to make a point it considers important, it does so loudly. Fines of up to 4 percent of global revenue apply to companies that violate the new clutch of EU consumer rights.
Disparities in International privacy law and claims of sovereignty already cause trouble. For example, a U.S. LEO demanded an Irish drug dealer’s emails stored on a Microsoft email server in Ireland. Irish law would not permit handing over that private information, but after four years, Ireland graciously decided to dissolve the stalemate. The new U.S., UK, and EU privacy laws can force companies to make demonic choices – obey EU law or obey U.S. law or obey UK law. It will be sometimes impossible to obey all or even two. For example, if a U.S. court-issued warrant allows a U.S. LEO to demand U.S.-stored emails of a European citizen, compliance will likely conflict with EU law, and may trigger a hideous fine.
When the EU, UK and U.S. updated their domestic data privacy laws, it became harder to harmonize laws that yield private information for tracking criminals that flit readily from one Internet domain and nation to another. It would have been so much easier to settle how LEO cooperation should occur and then draft language that accommodates both the domestic and the shared international aims of each nation.
Alan Daley writes for The American Consumer Institute Center for Citizen Research, a nonprofit educational and research organization. For more information on the Institute, visit www.theamericanconsumer.org.