Data protection related “gag orders” by US authorities

How intensely are American authorities using their right to inspect personal data collected by companies? In the face of the recent devastating decision taken by the European Court of Justice (ECJ) concerning the data transfer to the US under Safe Harbor, this question arises again. Indeed, the Court brought forward as an important argument the mass and uncontrollable surveillance activities of US authorities. According to the ECJ, this is not in compliance with the EU's data protection regulations. As recent publications show, the Court in its reasoning for the judgment was closer to reality than suspected.

Surveillance through the Patriot Act (now Freedom Act)

Following the attacks of 9/11, the Patriot Act (now superseded by the Freedom Act) gave permission to US authorities to obtain information from companies which could be of national interest for the US. This also covered information about persons outside the US since the US did not recognize the territoriality principle in the context of this surveillance activity.

The right to access such information can be exercised by the authorities independently, i.e. without any further (e.g. judicial) authorisation. In the context of the Safe Harbor ruling of the ECJ, inter alia this circumstance had been challenged as disproportionate because it opened the door to uncontrolled surveillance of personal data without any purpose limitation. The judges of the ECJ were spot on with their assessment.

Data surveillance as per “National Security Letter”

Meanwhile, it has transpired that American authorities have sent out many so-called “National Security Letters” for their surveillance activities. By means of these letters, in the form of written requests, companies are forced to provide information on their customers. Even a multinational company like Microsoft failed to have these requests declared unlawful before a court.

Most interestingly, the “National Security Letters” also stipulate that the companies concerned are not allowed to inform their customers of the information requests. It does not come as a surprise that in English-speaking countries these requests are called “gag orders”.

What is requested in a “National Security Letter”

It is of specific interest for the European public that one such “National Security Letter”, which had been submitted to a small internet service provider, has been published after a long judicial dispute in the US. The content of the letter shows the dimension of the surveillance activities. In the specific case, the authority had requested the following data:

  • DSL account information
  • Radius log
  • subscriber name and related subscriber information
  • Account number
  • Date the account opened or closed
  • Addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • order forms
  • Records relating to merchandise orders/shipping information for the last 180 days
  • All billing related to the account
  • Internet service provider (ISP)
  • All e-mail addresses associated with Internet Protocol (IP) addresses assigned to the account
  • All website information registered to the account
  • Uniform resource locator (URL) address assigned to the account

and, most interestingly,

  • Any other information which you consider to be an electronic communication transactional record.

It should not be left unmentioned that the published “National Security Letter” dates back to the year 2004. It is not known what kind of information, on top of that, is requested by authorities nowadays. However, it is a fact that between 2003 and 2005 alone approximately 140,000 such letters were sent to companies.

Conclusion: Quo vadis international data flow?

Of course, the information requested by the letters consisted entirely of personal data. According to EU provisions and also according to the German Federal Data Protection Act, such data may only be processed under the principle of purpose limitation, and processing must be proportionate. Additionally, the permission to access such data collected by an Internet Service Provider (without the consent of the data subject) is subject to a judicial order.

Inter alia because of the dimension and the uncontrollability of access to personal data, the ECJ ruled the Safe Harbor agreement invalid. The now published “National Security Letter” illustrates which kind of data American authorities request. In the face of the sheer amount – both of the data and of the submitted “National Security Letters” – the ECJ is indeed right with its ruling.

At the moment, the European Commission is striving to agree on a revised agreement with the US in order to allow the data flow into the US. According to the latest statements by the EU Commissioner for Justice, Věra Jourová, the new agreement is scheduled to be put in place as early as January 2016. Needless to say, from a European data protection perspective, it is to be hoped that the circumstances concerning the “National Security Letters” are taken into account in the negotiations.


From the Patriot Act to the Freedom Act – data protection in the United States

On 2 June 2015, the US Senate passed the Freedom Act, new legislation which replaced parts of the expired Patriot Act. The revision of, inter alia, those parts which dealt with telecommunication data and its surveillance turned out to be necessary in order to restore the trust of the US public in their authorities after the Snowden revelations. According to the Freedom Act, American authorities (e.g. the NSA) are prohibited from collecting data on data subjects in bulk. Against the background of the recent devastating decision taken by the European Court of Justice (ECJ) concerning the data transfer to the US under Safe Harbor, companies may ask whether, by means of these legal changes, a data transfer to the US is now possible again.

What was the content of the Patriot Act?

The Patriot Act, inter alia, dealt with the collection, storing and processing of telecommunication data. This meant for instance that the length of a telephone conversation, the location, the name, the address and the invoice of the telecommunication user could be stored and processed. Once the data was collected, American authorities had access to this data for further processing without any limitations.

According to German and European law, this data qualifies as personal data which is covered by data protection law. Processing of such data is, at least in Germany, only allowed if the data subject has consented to it or if it is covered by a legal basis. Additionally, the country in which the data is to be processed must provide a level of data protection comparable to that of the EU. The latter was supposed to be the case for companies in the US which were certified under the Safe Harbor agreement. But exactly this agreement has been ruled invalid by the ECJ, in view of the lack of protection of data subjects against improper access to their data by American authorities, which ultimately rendered data transfers to the US unlawful.

Relevant data protection changes through the Freedom Act

The question now arises whether telecommunication data is better protected by the US Freedom Act (which stands for “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act”). If this were indeed the case, one could probably argue that the required level of data protection is now in place and a new Safe Harbor agreement may be obsolete, or at least easier to negotiate. But to the contrary: the Freedom Act does indeed contain changes, but these changes are not sufficient to raise the data protection standards to an acceptable level.

On a first read, the Freedom Act appears to be a positive development from a European data protection perspective. American authorities themselves are no longer allowed to store telecommunication data, and they no longer have direct access to it. But upon a closer look, this positive impression is soon blurred: telecommunication data is now stored directly with the provider and can be transferred to the authorities upon request. For this purpose, American authorities now at least have to demonstrate a specific cause, e.g. that a data subject is a potential threat. However, apart from that, there is no further restriction which limits the surveillance and processing of mass telecommunication data. The detour via the collection of the telecommunication data by the provider cannot dispel the general concerns.

A step closer to data protection – but only one

The changes brought by the US Freedom Act are definitely a step in the right direction. But from a European data protection perspective, and also in view of the Safe Harbor ruling, the changes make no relevant difference. The criticism in the context of the Safe Harbor decision explicitly focussed on the mass collection and surveillance of data without any restriction to a specific purpose, and on the absence of legal means to appeal against arbitrary processing of personal data. The Freedom Act does not help here. The Safe Harbor dilemma is not yet solved.

US Freedom Act vs. data retention in Germany

However, unfortunately there are similarities between the US Freedom Act and the recently introduced German Data Retention Act. One could even say that the differences are marginal. The Data Retention Act allows telecommunication providers to collect and store telecommunication data. Authorities can request access to the data through an order by a judge and subsequently process this data. In fact, the judicial authorisation, the retention period for such gathered data and the existing legal means of redress are the only differences to the US legislation. Therefore, it remains open whether the new German Data Retention Act will be upheld in a judicial review. In 2010, the German Constitutional Court already once before declared a similar piece of legislation to be unconstitutional.
