How intensively are American authorities using their right to inspect personal data collected by companies? In the face of the recent devastating decision by the European Court of Justice (ECJ) on data transfers to the US under Safe Harbor, this question arises once again. Indeed, the Court put forward as an important argument the mass and uncontrollable surveillance activities of US authorities. According to the ECJ, this is not in compliance with the EU's data protection regulations. As recent publications show, the Court's reasoning for the judgment was closer to reality than suspected.
Surveillance through the Patriot Act (now Freedom Act)
Following the attacks of 9/11, the Patriot Act (now superseded by the Freedom Act) authorised US authorities to obtain from companies information that could be of national interest for the US. This also covered information about persons outside the US, since the US did not recognize the territoriality principle in the context of this surveillance activity.
The right to access such information can be exercised by the authorities on their own, i.e. without any further (e.g. judicial) authorisation. In the ECJ's Safe Harbor ruling, this circumstance was, among other things, challenged as disproportionate because it opened the door to uncontrolled surveillance of personal data without any purpose limitation. The judges of the ECJ were spot on with their assessment.
Data surveillance by “National Security Letter”
It has meanwhile transpired that American authorities have sent out many so-called “National Security Letters” in the course of their surveillance activities. By means of these letters, which take the form of written requests, companies are forced to provide information on their customers. Even a multinational company like Microsoft failed in its attempt to have these requests declared unlawful before a court.
Most interestingly, the “National Security Letters” also stipulate that the companies concerned are not allowed to inform their customers of the information requests. It comes as no surprise that in English-speaking countries these requests are called “gag orders”.
What a “National Security Letter” asks for
It is of particular interest to the European public that one such “National Security Letter”, which had been served on a small internet service provider, has been published after a long legal dispute in the US. The content of the letter shows the scale of the surveillance activities. In this specific case, the authority had requested the following data:
- DSL account information
- Radius log
- subscriber name and related subscriber information
- Account number
- Date the account opened or closed
- Addresses associated with the account
- Subscriber day/evening telephone numbers
- Screen names or other on-line names associated with the account
- order forms
- Records relating to merchandise orders/shipping information for the last 180 days
- All billing related to the account
- Internet service provider (ISP)
- All e-mail addresses associated with Internet Protocol (IP) addresses assigned to the account
- All website information registered to the account
- Uniform resource locator (URL) address assigned to the account
and, most interestingly,
- Any other information which you consider to be an electronic communication transactional record.
It should not go unmentioned that the published “National Security Letter” dates back to the year 2004. It is not known what additional information is requested by authorities nowadays. However, it is a fact that between 2003 and 2005 alone approximately 140,000 such letters were sent to companies.
Conclusion: Quo vadis international data flow?
Of course, the information requested by the letters consists entirely of personal data. Under EU provisions and also under the German Federal Data Protection Act, such data may only be processed in accordance with the principle of purpose limitation, and the processing must be proportionate. Additionally, access to such data collected by an Internet Service Provider (without the consent of the data subject) requires a judicial order.
Among other reasons, it was because of the scale and uncontrollability of access to personal data that the ECJ declared the Safe Harbor agreement invalid. The now published “National Security Letter” illustrates what kind of data American authorities request. In the face of the sheer volume – both of the data and of the “National Security Letters” sent – the ECJ is indeed right in its ruling.
At the moment, the European Commission is striving to agree on a revised agreement with the US in order to allow data flows into the US. According to the latest statements by the EU Commissioner for Justice, Věra Jourová, the new agreement is scheduled to be put in place as early as January 2016. Needless to say, from a European data protection perspective, it is to be hoped that the circumstances concerning the “National Security Letters” are taken into account in the negotiations.