The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens


by Francesca BIGNAMI (*)

In US law, there are a number of different legal sources that govern data protection in the field of federal law enforcement. This study first considers the two most important sources of data protection law^the Fourth Amendment to the US Constitution and the Privacy Act of 1974. It then turns to the most significant methods of information collection that are available for ordinary criminal investigations and national security investigations and the data protection guarantees set down under the laws authorizing and regulating such information collection.

The Fourth Amendment prohibits “unreasonable searches and seizures” by the government. Reasonableness is established if the search or seizure is conducted pursuant to a valid warrant, that is, a judicial order based on a showing of probable cause and on a particular description of the property to be searched and the items to be seized. Reasonableness can also be established if one of the exceptions to the warrant requirements exists. In the data protection context, however, the application of the Fourth Amendment is relatively limited because of the third-party records doctrine which holds that individuals do not have an expectation of privacy in personal data that they voluntarily turn over to third parties like financial institutions and communications providers. With regard to EU citizens, the Supreme Court has held that foreign citizens resident abroad are not covered by the Fourth Amendment.

Among U.S. laws, the Privacy Act of 1974 is the closest analogue to a European data protection law in that it seeks to regulate comprehensively personal data processing, albeit only with respect to federal government departments and agencies. It regulates the collection, use, and disclosure of all types of personal information, by all types of federal agencies, including law enforcement agencies. At a general level, the Privacy Act contains most of the elements of the EU right to personal data protection. However, it only protects US citizens and permanent residents, not EU citizens.

Furthermore, there are a number of exemptions available specifically for law enforcement agencies. As a result, the benefits of the proposed legislation on judicial redress for EU citizens are unclear. The proposed legislation contemplates three types of law suits, two of which are designed to protect the right of access to and correction of personal data, and one of which enables individuals to obtain compensation for unlawful disclosures of personal data. Since law enforcement agencies commonly exempt their data bases from the access requirements of the Privacy Act, the right of action for intentional or willful disclosures that cause actual damage is the only one that would be available on a general basis.

In investigations involving ordinary crime, there are at least three different methods of personal data collection available to law enforcement officials: (1) use of private sources like commercial data brokers; (2) court and administrative subpoenas; (3) electronic surveillance and access to electronic communications based on a court order under the Electronic Communications Privacy Act. These information-gathering methods afford the same level of data protection for US and EU citizens.

With respect to EU data protection law, however, some of these methods contain relatively few data protection guarantees.

In the case of private sources of personal data, this is attributable to the absence of a comprehensive data protection scheme in the private sector and the vast quantities of personal information freely available to market actors and, consequently, also to law enforcement officials. With respect to the subpoena power and access to communications metadata and subscriber records (under the Stored Communications Act and the Pen Register Act), the lack of significant data protection guarantees is associated with the standard of “relevance” to any type of criminal investigation and the permissive application of that standard by the courts. The law and jurisprudence of “relevance,” in turn, is driven by the failure of US law to recognize a robust privacy interest in the personal data held by corporate entities and other third parties.

In investigations involving national security threats, which can involve both an intelligence and a law enforcement component, there are a number of additional means available to the government: (1) a special type of administrative subpoena known as a “national security letter”; (2) surveillance authorized by the Foreign Intelligence Surveillance Act (FISA); (3) any other form of intelligence gathering authorized by Executive Order 12,333 (and not covered by FISA). The information gathered through such methods can be shared with criminal prosecutors if relevant for law enforcement purposes.

Foreign intelligence gathering, both inside and outside the United States, follows a two-track scheme, one for US persons and another for non-US persons. With the exception of FISA electronic and physical surveillance orders, the data protection guarantees afforded to non-US persons are minimal. The stated intent of Presidential Policy Directive 28 is to provide for stronger personal data protection for non-US persons, but it is difficult to come to any conclusions at this point in time on what effect it will have.

More generally, even with respect to US persons, personal data protection under foreign intelligence law raises a couple of questions.

The first concerns the point in time when the right to privacy is burdened by government action. The US government has suggested that in the case of bulk collection of personal data, harm to the privacy interest only occurs after the personal data is used to search, or results from a search of, the information included in the data base.

This position stands in marked contrast with EU law, where it is well established that bulk collection, even before the personal data is accessed, is a serious interference with the right to personal data protection because of the number of people and the amount of personal data involved.

The second question concerns the conditions under which personal data can be shared between intelligence and law enforcement officials. In the realm of data processing by law enforcement and intelligence agencies, the European courts have emphasized that intrusive surveillance can only be conducted to combat serious threats that are carefully defined in law. They have also held that the information that results from such surveillance can only be used to combat those serious threats, whether to take national security measures or to prosecute the associated criminal offenses. In US law, by contrast, the law allows for intelligence to be transferred to the police and criminal prosecutors for any type of law enforcement purpose.

Continue reading here 

(*) Prof. at George Washington University Law School, Washington, DC, USA



by Steve PEERS

Due to my concern about inadequate democratic scrutiny of changes to UK law (often linked to EU law) affecting privacy rights, I am one of the signatories to today’s letter to MPs on this issue, published in the Guardian and elsewhere. Thanks to Andrew Murray and Paul Bernal for taking this initiative.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterize the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[1]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[2] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[3] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[4]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality, of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came to before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 35 academic researchers. We are comprised of people from both sides of this issue – those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.



Andrew Murray (contact signatory) Paul Bernal (contact signatory)
Professor of LawLondon School of Economics

Lecturer in Information Technology, Intellectual Property and Media Law University of East


Subhajit BasuAssociate Professor
University of Leeds
Sally Broughton MicovaDeputy Director LSE Media Policy Project, Department of Media and Communications
London School of Economics and Political Science
Abbe E.L. BrownSenior Lecturer
School of Law
University of Aberdeen
Ian BrownProfessor of Information Security and Privacy
Oxford Internet Institute
Ray CorriganSenior Lecturer in Maths, Computing and Technology
Open University
Angela DalyPostdoctoral Research Fellow
Swinburne Institute for Social Research
Swinburne University of Technology
Richard DanburyPostdoctoral Research Fellow Faculty of Law University of Cambridge
Catherine EastonLancaster University School of Law  
Lilian EdwardsProfessor of E-Governance Strathclyde University Andres GuadamuzSenior Lecturer in Intellectual Property Law University of Sussex
Edina HarbinjaLecturer in Law University of Hertfordshire
Julia HörnleProfessor in Internet Law Queen Mary University of London
Theodore KonstadinidesSenior Lecturer in Law University of Surrey
Douwe KorffProfessor of International Law London Metropolitan University
Mark LeiserPostgraduate Researcher Strathclyde University
Orla LynskeyAssistant Professor of Law London School of Economics
David MeadProfessor of UK Human Rights Law UEA Law School University of East Anglia
Robin MansellProfessor, Department of Media and Communication London School of Economics
Chris MarsdenProfessor of Law University of Sussex
Steve PeersProfessor of Law University of Essex
Gavin PhillipsonProfessor, Law School University of Durham Julia PowelsResearcher Faculty of Law University of Cambridge
Andrew PuddephattExecutive Director Global Partners Digital Judith RauhoferLecturer in IT Law University of Edinburgh
Chris ReedProfessor of Electronic Commerce Law Queen Mary University of London
Burkhard SchaferProfessor of Computational Legal Theory University of Edinburgh
Joseph SavirimuthuSenior Lecturer in Law University of Liverpool
Andrew ScottAssociate Professor of Law London School of Economics
Peter SommerVisiting Professor Cyber Security Centre, De Montfort University
Gavin SutterSenior Lecturer in Media Law Queen Mary University of London
Judith TownendDirector of the Centre for Law and Information Policy Institute of Advanced Legal Studies
University of London
Asma VranakiPost-Doctoral Researcher in Cloud Computing Queen Mary University of London
Lorna WoodsProfessor of Law University of Essex


Posted by Steve Peers at 03:18

Europe and “Whistleblowers” : still a bumpy road…

by Claire Perinaud (FREE Group trainee) The 9th and the 10th of April was organized in Paris by the University Paris X Nanterre la Défense in collaboration with the University Paris I Sorbonne a Conference on «  whistleblowers and fundamental rights »[1] which echoed a rising debate on the figure of  wistleblowers  after the numerous revelations of scandals and corruption which occurred last years, with some of them directly linked to EU institutions. In the following lines I will try to sketch a) the general framework then b) the main issues raised during the Conference

A) The general framework 

The term « whistle-blower » was created by Ralph Nader in 1970 in the context of the need to ensure the defense of citizens from lobbies. He defined « whistle blowing » as « an act of a man or woman who, believing that the public interest overrides the interest of the organization he serves, blows the whistle that the organization is in corrupt, illegal, fraudulent or harmful activity »[2]. The interest of scholars and lawyers to the figure of whistle-blowers in the United States dates back to the adoption by the Congress in 1863 of the False claims act which is deemed to be the first legislation related to the right of alert[3].
The system which developed afterwards is notably based on the idea that whistle-blowing is a strong mechanism to fight corruption and has to be encouraged by means of financial incentives[4]. If this mechanism is of utmost importance in the United States, protection of whistle blowers is only slowly introduced in Europe[5]
With numerous scandals related to systemic violations of human rights, the subject is progressively dealt with in the European Union (EU) and in the Council of Europe. Nevertheless, in both organizations, the protection of whistleblowers remain at the stage of project or only recommendations to the states.

The Council of Europe… Continue reading “Europe and “Whistleblowers” : still a bumpy road…”

The EU’s new (internal) security agenda


by Chris Jones, May 2015

For anyone interested in an overview of the substantial law and order bureaucracy that the European Union and its Member States have constructed over the last four decades, and the direction in which it is heading, the European Commission’s recently-published ‘European Agenda for Security’ is worth a read. This article provides an overview of the key points.

The Agenda [1] opens by stating:
“The European Union aims to ensure that people live in an area of freedom, security and justice, without internal frontiers. Europeans need to feel confident that, wherever they move within Europe, their freedom and their security are well protected, in full compliance with the Union’s values, including the rule of law and fundamental rights.”
It follows on from the EU’s 2010 Internal Security Strategy and the ‘action plan’ that sought to implement it.
The Agenda was formally requested by the Justice and Home Affairs Council in December 2014, [2] through a set of conclusions that call for many of the same proposals put forward by the Commission.
It sets out a five-year “shared agenda between the Union and the Member States” that is supposed to lead to “an EU area of internal security where individuals are protected in full compliance with fundamental rights.”

On the basis of the Commission’s communication and ongoing political and legal developments, it is doubtful – to say the least – whether the proposed “full compliance with fundamental rights” will be achieved.
Instead, the Agenda looks likely to legitimise more repressive laws and policies at EU and national level.
What’s the Agenda? The Agenda will improve:

  • “information exchange”, including of personal data;
  • “increased operational cooperation” between policing, security, border guard and customs agencies, prosecutors, companies, etc.; and
  • “mutual trust [between different national authorities], drawing on the full range of EU policies and tools.”

The three main priorities are “terrorism, organised crime and cybercrime”, although the Commission is “remaining vigilant to other emerging threats [to security] that might also require a coordinated EU response.” The Commission’s broad concerns are that:
“In recent years new and complex threats [to security] have emerged highlighting the need for further synergies and closer cooperation at all levels [of state and industry]. Many of today’s security concerns originate from instability in the EU’s immediate neighbourhood and changing forms of radicalisation, violence and terrorism. Threats are becoming more varied and more international, as well as increasingly cross-border and cross-sectorial in nature.
There are undoubtedly a number of serious ongoing crises within the EU’s “immediate neighbourhood”. Nevertheless, this rather vague statement also to some extent encourages fear of the unknown. In any case, it provides significant leeway for developing new laws, policies and activities.

The key principles The Agenda has five: Continue reading “The EU’s new (internal) security agenda”

The surveillance society (4): a further study for the European Parliament

Following the so called “Snowden revelations” at the end of the last legislature the European Parliament adopted a wide ranging resolution addressing the main problems arising from an emerging surveillance society.  The resolution adopted inter alia “A European Digital Habeas Corpus” deemed to  protect  fundamental rights in a digital age.

Work on this sensitive issue is continuing also in this legislature as the European Parliament has to play a pivotal role in the establishment of the European Digital Agenda, the reform of data protection and to approve an “umbrella” agreement with the United States which is deemed to cover also the access to personal data for security purposes.

To support this Parliamentary strategy several studies have been done the last of them being a study done by the EP “Scientific and Technology Options Assessment “(STOA) which was presented in the responsible Parliamentary Committee (LIBE) Meeting on 23 April 2015.

The aim of the study is to propose measures to reduce the risks identified with the current generation of networks and services and to identify long-term technology oriented policy options for a better, more secure and more privacy friendly internet, whilst at the same time allowing governmental law enforcement and security agencies to perform their duties, and obtain quickly and legally all the information needed to fight crime and to protect national security interests.

The first part of the study concludes with a list of security solutions to help citizens protect themselves from illicit mass surveillance activities. In its Conclusions it recognise that “Mass surveillance is a reality today and has been applied for years by national intelligence agencies of a number of countries, namely those allied in the Five Eyes coalition, but also including EU members and other countries. The agencies involved in mass surveillance practices justify these methods with the doctrine of pre-emptive prevention of crime and terrorism and adopt the principle of omniscience as its core purpose. This objective of intercepting all communication taking place over Internet or telephone networks is in many cases pursued by applying questionable, if not outright illegal intrusions in IT and Telecommunication systems.This strategy accumulates an amount of information that can only be processed and analysed by systems of artificial intelligence, able to discern patterns which indicate illegal, criminal, or terrorist activities. While warranted and lawful interception of data on targeted suspects is a required and undisputed tool for law enforcement to access evidence, the generalised approach of information gathering through mass surveillance is violating the right to privacy and freedom of speech. The delegation of decisions on suspicious data patterns or behaviour of citizens to intelligent computer systems is furthermore preventing accountability and creating the menace of an Orwellian surveillance society. Many citizens are not aware of the threats they may be subject to when using the Internet or telecommunication devices. As of today, the only way for citizens to counteract surveillance and prevent breach of privacy consists in guaranteeing uncorrupted end-to-end encryption of content and transport channel in all their communications. Due to the amount/complexity/heterogeneity of tools this is however a task too complex to achieve for most of technically unexperienced user. This situation calls for both, awareness creation and the provision of integrated, user friendly and easy to use solutions that guarantee privacy and security of their communications. But policy makers must understand that the problem of mass surveillance can not be solved on a technical terrain, but needs to be addressed on a political level. An adequate balance between civil liberties and legitimate national security interests has to be found, based on a public discussion that empowers citizens to decide upon their civil rights affected and the societal values at stake”.

The second part of the study concludes with the proposal of several policy options with different levels of public intervention and technological disruption.

A STOA options brief below provides  an overview of all the policy options and  Two short Video-Clips  have been published on YouTube to raise the awareness of the public.

Further information