On 2 June 2015, the US Senate passed the Freedom Act, new legislation which replaced parts of the expired Patriot Act. The revision of, inter alia, those parts which dealt with telecommunication data and its surveillance turned out to be necessary in order to restore the trust of the US public in their authorities after the Snowden revelations. According to the Freedom Act, it is prohibited for American authorities (e.g. the NSA) to collect mass data of data subjects. Against the background of the recent devastating decision taken by the European Court of Justice (ECJ) concerning the data transfer to the US under Safe Harbor, companies may ask whether by means of the legal changes a data transfer to the US is now possible again.
What was the content of the Patriot Act?
The Patriot Act, inter alia, dealt with the collection, storing and processing of telecommunication data. This meant for instance that the length of a telephone conversation, the location, the name, the address and the invoice of the telecommunication user could be stored and processed. Once the data was collected, American authorities had access to this data for further processing without any limitations.
According to German and European law this data qualifies as personal data which is covered by data protection law. Processing of such data is, at least in Germany, only allowed if the data subject consented to it or if it is covered by a legal basis. Additionally, the country in which the data should be processed must provide for a data protection level which is comparable to the one of the EU. The latter was supposed to be the case for companies in the US which were certified under the Safe Harbor agreement. But exactly this agreement has been ruled invalid by the ECJ, in view of the lack of protection of data subjects against improper access to their data by American authorities, which eventually caused the unlawfulness of data transfers to the US.
Relevant data protection changes through the Freedom Act
The question now arises whether telecommunication data is better protected by the US Freedom Act (which stands for “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act”). If this were indeed the case, one could probably argue that the required level of data protection is now in place and a new Safe Harbor agreement may be obsolete or at least easier to negotiate. But to the contrary: the Freedom Act does indeed contain changes, but these changes are not sufficient to raise the data protection standards to an acceptable level.
On a first read, the Freedom Act appears to be a positive development from a European data protection perspective. American authorities themselves are not allowed to store telecommunication data and they no longer have direct access to it. But upon a closer look, this positive impression is soon blurred: telecommunication data is now stored directly with the provider and can be transferred to the authorities upon request. For this purpose, American authorities now at least have to demonstrate a specific cause, e.g. that a data subject is a potential threat. However, apart from that, there is no further restriction which limits the surveillance and processing of mass telecommunication data. The detour via the collection of the telecommunication data with the provider cannot limit the general concerns.
A step closer to data protection – but only one
The changes through the US Freedom Act are definitely a step in the right direction. But from a European data protection perspective, and also in view of the Safe Harbor ruling, the changes make no relevant difference. The criticism in the context of the Safe Harbor decision explicitly focussed on the mass collection and surveillance of data without any restriction for a specific purpose or the provision of legal means to appeal against an arbitrary processing of personal data. The Freedom Act does not help here. The Safe Harbor dilemma is not yet solved.
US Freedom Act vs. data retention in Germany
Unfortunately, however, there are similarities between the US Freedom Act and the recently introduced German Data Retention Act. One could even say that the differences are marginal. The Data Retention Act allows telecommunication providers to collect and store telecommunication data. Authorities can request access to the data through an order by a judge and subsequently process this data. In fact, the judicial authorisation, the deadline to retain such gathered data and the existing legal means of redress are the only differences to the US legislation. Therefore, it remains open whether the new German Data Retention Act will be upheld in a judicial review. In 2010, the German Constitutional Court already declared a similar piece of legislation to be unconstitutional.