Cross-Border Data

U.S. DOJ Cross-Border Legislation: Meeting Human Rights Requirements from Both Sides of the Pond

By Scarlet Kim, Greg Nojeim
Monday, May 22, 2017, 3:00 PM

This post is part of a series written by participants of a conference at Georgia Tech on Surveillance, Privacy, and Data Across Borders: Trans-Atlantic Perspectives.

Cross-border law enforcement demands have become increasingly important to law enforcement in the digital age. Digital evidence in one jurisdiction—such as the United States—is often necessary to investigate a crime that has effects in another jurisdiction. Because the U.S. is home to many of the largest technology companies and exerts jurisdiction over those companies, it receives a disproportionate volume of mutual legal assistance (MLA) requests under the treaties (MLATs) that it has with other countries.  

In response, and at the request of the United Kingdom, the U.S. Department of Justice proposed legislation (“U.S. DOJ legislation”) that would permit countries hand-picked by the Department to make direct demands for communications content held by U.S. communications service providers under agreements between the U.S. and the third-party countries. The proposed agreements, and the surveillance demands that could be issued under them, must meet a number of weak standards that fall short of those required by international human rights law. This legislation would clear the way for a bilateral agreement the Justice Department has already negotiated with the U.K. (“U.K.-U.S. agreement”), the text of which has not been publicly released.

Strong human rights standards must govern any solution to the problem of cross-border law enforcement demands, including bilateral agreements such as the U.K.-U.S. agreement. Many of these standards are similar on both sides of the Atlantic, as European courts in recent decisions have insisted upon similar safeguards to those imposed in the U.S. Below, we outline a few of the shortcomings of the U.S. DOJ legislation and explain why amending it to impose more stringent human rights requirements finds support in both U.S. and European law.

Independent, preferably judicial, authorization of surveillance

While the U.S. DOJ legislation would clear the way for bilateral agreements on cross-border law enforcement demands, it includes no requirement that the surveillance demand for access to communications content be issued by a court or other body independent from the criminal investigation. Rather, it contemplates that the actual demand would be issued by officials of the country seeking the communications content. It does require that the orders be subject to “oversight” by an independent authority, but that oversight could be quite weak. Indeed, the Department of Justice takes the position that surveillance under Section 702 of the Foreign Intelligence Surveillance Act is subject to judicial “oversight” even though the FISA Court does not authorize surveillance of particular targets under that program and instead approves guidelines governing some aspects of the surveillance.

Under the current MLA system in the U.S., an independent judge must authorize government access to stored communications content. By contrast, in the U.K., the Secretary of State authorizes surveillance, subject to approval by a “Judicial Commissioner.” The Judicial Commissioner’s scrutiny is limited to reviewing the Secretary’s conclusion as to “whether the warrant is necessary” and proportionate. Moreover, Judicial Commissioners are appointed by the Prime Minister and sit for three-year terms, which raises questions about their independence. The Department of Justice legislation—and the U.K.-U.S. agreement—would therefore be a step backwards for human rights by rolling back existing requirements of judicial authorization.

Imposing a requirement of judicial or other independent authorization would be consistent with decisions of the European Court of Human Rights (ECtHR). In Zakharov v. Russia, the Grand Chamber considered whether the Russian SORM system of interception was compliant with Article 8 of the European Convention on Human Rights (ECHR), which protects the right to privacy. The Court noted that it “take[s] into account a number of factors in assessing whether . . . authorisation procedures are capable of ensuring that secret surveillance is not ordered haphazardly, irregularly or without due or proper consideration” (para. 257). It emphasized, in particular, that “the authority competent to authorise the surveillance” must be “sufficiently independent from the executive” (para. 258).

The Court reiterated this principle in Szabó v. Hungary, which considered Hungarian national security surveillance powers, noting that authorisation by “a non-judicial authority . . . increases the risk of abusive measures.” The Court further explained:

[T]he rule of law implies, inter alia, that an interference by the executive authorities with an individual’s rights should be subject to an effective control which should normally be assured by the judiciary . . . judicial control offering the best guarantees of independence, impartiality and a proper procedure. In a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge. . . . Accordingly, in this field, control by an independent body, normally a judge with special expertise, should be the rule and substitute solutions the exception, warranting close scrutiny. . . . For the Court, supervision by a politically responsible member of the executive, such as the Minister of Justice, does not provide the necessary guarantees (para. 77).

In a concurring opinion in Szabó, Judge Pinto de Albuquerque commented that “[i]n view of the enlarged consensus in international law . . . and the gravity of the present-day dangers to citizens’ privacy, the rule of law and democracy, the time has come not to dispense with the fundamental guarantee of judicial authorisation and review in the field of covert surveillance gathering” (para. 23).

The Court of Justice of the European Union (CJEU) has also had occasion to discuss the importance of independent authorization prior to government access to electronic data. In Digital Rights Ireland v. Minister for Communications et al., the Grand Chamber concluded that the 2006 Data Retention Directive of the E.U., which required communications service providers to retain customer communications data in bulk for up to two years for the purpose of preventing and detecting serious crime, breached the rights to privacy and data protection under Articles 7 and 8 respectively of the E.U. Charter of Fundamental Rights. The CJEU noted that the Directive did not contain sufficient safeguards governing government access to retained data. In particular, it highlighted that “the access by the competent national authorities is not made dependent on a prior review carried out by a court or by an independent administrative body” (para. 62).

The CJEU reinforced this finding in Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Tom Watson et al., which respectively considered Swedish and U.K. laws mandating that communications service providers retain customer communications data in bulk for the purpose of preventing and detecting serious crime. In a combined judgment, the Grand Chamber held:

It is essential that access of the competent national authorities to retained data should, as a general rule, except in cases of validly established urgency, be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body should be made following a reasoned request by those authorities submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime (para. 120).  

Strong Factual Basis for Surveillance

The U.S. DOJ legislation would substitute a weak, vague standard for a foreign state to apply in approving surveillance, in contrast to the finding currently required under the U.S. MLA system. The requirements of particularity and probable cause are widely regarded in the U.S. as a relatively strong evidentiary standard. Under the Justice Department legislation, in contrast, only a “reasonable justification based on articulable and credible facts” would be required—a standard that the Department could interpret quite broadly. Likewise, the U.K. parliament rejected an amendment to the Investigatory Powers Bill—which went into effect in December 2016—that would have required a finding of “reasonable suspicion” as a condition of interception orders. Thus, reasonable suspicion is not a requirement of the U.K. warrants that would be served on U.S. companies as contemplated by the U.K.-U.S. agreement.

This absence of a requirement for a strong factual basis for surveillance is inconsistent not only with U.S. law, but also with decisions of the ECtHR. In Zakharov, the Grand Chamber indicated that state surveillance is compliant with ECHR Article 8 where “the authorisation authority’s scope of review” is “capable of verifying the existence of a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” (para. 260). Similarly, in Szabó, the Court observed that Hungarian law provides “no legal safeguard requiring” one of its law enforcement agencies to establish “a sufficient factual basis for the application of secret intelligence gathering measures which would enable the evaluation of necessity of the proposed measures . . . .” (para. 71).

Notice To Surveillance Targets

The U.S. DOJ legislation would not mandate that the law of the country with which the U.S. enters into a cross-border law enforcement agreement require notice of surveillance to the target of surveillance, even if the notice is given after the fact. In contrast, U.S. law requires after-the-fact notice of real-time surveillance to surveillance targets “in the interests of justice.” Brady v. Maryland effectively mandates post hoc notice of surveillance of stored communications collected from surveillance targets accused of committing crimes, when the seized communications are exculpatory and material.

Notice is not a feature of U.K. surveillance law. Intercept orders are never disclosed to a surveillance target even if information generated by the surveillance is used to develop other information submitted into evidence, and even if information gathered in the interception is exculpatory. Interception is so secret that it is unlawful to use intercepted communications in court.

Imposing a requirement to give notice to a surveillance target would be consistent with ECtHR case law. In Szabó, the Court observed:

[T]he question of subsequent notification of surveillance measures is inextricably linked to the effectiveness of remedies and hence to the existence of effective safeguards against the abuse of monitoring powers, since there is in principle little scope for any recourse by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and thus able to challenge their justification retrospectively. As soon as notification can be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should be provided to the persons concerned (para. 86).

The CJEU has similarly described notification to the surveillance target as a necessary safeguard where governments access data retained by communications service providers. In its combined judgment in Tele2 Sverige AB and Watson, it held that “national authorities to whom access to the retained data has been granted must notify the persons affected . . . as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities.” The Court explained that “notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy . . . where their rights have been infringed” (para. 121).

Conclusion

The DOJ legislation falls short by U.S. standards, European standards, and international human rights standards. At a minimum, it should be amended to require judicial or other independent authorization of surveillance, an individualized strong factual basis for surveillance, and notice to the targets of surveillance. Including such requirements is not “American imperialism,” as some critics have alleged; rather, these requirements are among the elements necessary to respect and promote international human rights standards. Other amendments should also be adopted to make the legislation more consistent with the Necessary and Proportionate International Principles on the Application of Human Rights To Communications Surveillance, which over 400 civil society groups around the world have endorsed.