by Franziska Boehm (Prof. Dr., University of Münster, Institute for Information, Telecommunication and Media Law, Germany)
NOTA BENE: THIS STUDY COMPLEMENTS ANOTHER PREVIOUS STUDY ON THE SAME SUBJECT (Bignami, The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens)
THE FULL VERSION OF THE NEW STUDY FOR THE EP CIVIL LIBERTIES COMMITTEE IS ACCESSIBLE HERE.
EXECUTIVE SUMMARY: This study compares EU and US data protection guarantees in the field of law enforcement. The legal approaches to regulate data protection guarantees in law enforcement, in both the EU and the US legal order, vary from their very outset, leading to structural, legal and in particular constitutional differences.
Generally, it can be concluded that the EU data protection framework in the law enforcement sector is shaped by comprehensive data protection guarantees, which are codified in EU primary and secondary law and are accompanied by EU and ECtHR case law. In contrast, US data protection guarantees in the law enforcement and national security contexts are sector specific and are therefore contained within the specific instruments which empower US agencies to process personal data. They vary according to the instruments in place and are far less comprehensive.
Above all, constitutional protection is limited. US citizens may invoke protection through the Fourth Amendment and the Privacy Act, but the data protection rights granted in the law enforcement sector are interpreted narrowly, with a general tendency to privilege law enforcement and national security interests. Moreover, restrictions on data protection in the law enforcement sector are typically not limited by proportionality considerations, reinforcing the structural and regular preference for law enforcement and national security interests over the interests of individuals. Regarding the scope and applicability of rights, non-US persons are usually not protected by the existing, already narrowly interpreted, guarantees. The same is true with regard to other US law. When data protection guarantees do exist in federal law, they usually do not include protection for non-US persons.
A majority of the EU data protection standards cannot be found in US law. For instance, rules limiting inter-agency data exchange, exchanges with other third parties, completely independent oversight, strict proportionality rules and effective judicial review possibilities and information requirements for non-US persons on surveillance or data breaches or effective access, correction and deletion rights simply do not exist at all or are, at best, very limited. These shortcomings are also visible regarding existing data exchange agreements between the US and the EU, such as, for instance, the Safe Harbor regime. Its principles do not necessarily comply with the current EU data protection standards.
In particular, the approach to data sharing is fundamentally different. Whereas in EU law every transfer of data to other agencies interferes with fundamental rights and requires specific justification, data sharing in the US between law enforcement authorities and the intelligence community seems to be the rule rather than the exception.
Recently introduced US laws such as the Draft Judicial Redress Act or the FREEDOM Act do not fundamentally alter these findings. Whilst the Draft Judicial Redress Act is limited in scope and requires some clarification, the FREEDOM Act is mainly designed to improve the protection of US citizens in the framework of intelligence collection activities. Furthermore, only three out of the four remedies of the Privacy Act are available to EU individuals in the framework of the Draft Judicial Review Act, leaving an individual with no judicial review possibilities in case an agency fails to provide an accurate, relevant, timely and complete treatment of the individual’s data. (EMPHASIS ADDED EDC)
Nonetheless, the introduction of stricter access requirements in the FREEDOM Act using a specific selection term for the collection of tangible things and metadata for foreign intelligence purposes is an improvement compared to the former provisions. Regrettably, this newly introduced restriction does not affect Section 702 of the FISA Amendment Act or Executive Order 12333, which still authorize far-reaching surveillance of foreign intelligence information, including the accessing of communications, content, metadata or other records by governmental agencies. A future instrument regulating EU-US data exchange should address the mentioned issues, as serious concerns about their compatibility with EU fundamental rights arise.
It can also be deduced from the comparison that even if all existing US data protection guarantees in the law enforcement and national security framework were applicable to EU citizens, there would still remain a considerable shortcoming regarding the level of privacy and personal data protection compared to the protection through EU law. Recent proposals and changes through the Draft Judicial Redress Act of 2015 and the FREEDOM Act only partially improve the current situation. The recently initialized “Umbrella Agreement” could lead to changes with regard to data protection guarantees in the law enforcement and national security sectors, but it remains to be seen which specific material rights and guarantees will be included in such an agreement. A leaked version of the Umbrella Agreement was published after the finalization of this study. A brief analysis of the agreement’s text is therefore added at the end.
(EMPHASIS ADDED – EDC)
CONTINUE READING FROM PAGE 9…