US Panel Review Group on Intelligence and Communications Technologies Publishes Report

Yesterday the panel established by President Obama to review the surveillance practices of the NSA released its final report. One important dimension relates to the possible privacy protections of non-US citizens abroad. You can find the Review Group’s report HERE. The report does not elaborate on the international human rights law obligations of the US (as a matter of law) but it draws inspiration from them and comes pretty close to the correct conclusions. Recommendation 13 quoted below (p. 151) comes close to a proper permissible limitations test. What is missing is proportionality, though as necessity is present (see “exclusively” in item 2) even proportionality can be inferred. Some of the reasoning quotes international law standards on privacy, even if presented in the context of policy considerations (democracy and reciprocity). The points articulated on pp. 155-156 in the report can be seen as a turn from policy to principle and can (perhaps optimistically) be read as an aspiration to respect foreigners’ privacy also/just because it happens to be a human right (please see quote #2, below).

QUOTE #1: ‘Recommendation 13’ (on page 29 of the report) – “We recommend that, in implementing section 702, and any other authority that authorizes the surveillance of non-United States persons who are outside the United States, in addition to the safeguards and oversight mechanisms already in place, the US Government should reaffirm that such surveillance: (1) must be authorized by duly enacted laws or properly authorized executive orders; (2) must be directed exclusively at the national security of the United States or our allies; (3) must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries; and (4) must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies.

In addition, the US Government should make clear that such surveillance: (1) must not target any non-United States person located outside of the United States based solely on that person’s political views or religious convictions; and (2) must be subject to careful oversight and to the highest degree of transparency consistent with protecting the national security of the United States and our allies.”

QUOTE #2: (pp. 155-156 of the report) – “Perhaps most important, however, is the simple and fundamental issue of respect for personal privacy and human dignity – wherever people may reside. The right of privacy has been recognized as a basic human right that all nations should respect. Both Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights proclaim that “No one shall be subjected to arbitrary or unlawful interference with his privacy. . . .” Although that declaration provides little guidance about what is meant by “arbitrary or unlawful interference,” the aspiration is clear. The United States should be a leader in championing the protection by all nations of fundamental human rights, including the right of privacy, which is central to human dignity.”

Professor Martin Scheinin testifies today before European Parliament’s LIBE Committee inquiry on surveillance

Professor Martin Scheinin, the Coordinator of the FP7-Research Project SURVEILLE, testifies before the European Parliament’s LIBE Committee inquiry on mass surveillance.

Today SURVEILLE’s Coordinator, Professor Martin Scheinin of the EUI, provided testimony to the LIBE Committee with regard to mass surveillance and addressed the issues that concern such practices with respect to European citizens’ fundamental rights.

The PDF documents contain:
1. Professor Martin Scheinin’s main statement for the inquiry
2. Supporting documents relating to the statement

EDPS issues opinion on smart metering systems

On June 8th the European Data Protection Supervisor (EDPS) published an opinion commenting on the Commission’s ‘Recommendation on preparations for the roll out of smart metering systems’ (issued March 9th), and on smart energy metering systems in general. Provided that the economic assessment to be carried out by Member States by the end of the summer gives favourable results, the rollout for electricity and gas markets should take place by 2020. The EDPS warned that the introduction of smart meters is likely to raise serious threats to privacy in terms of the right to respect for family life and home, data protection concerns and the security of the citizen. It could constitute unwarranted surveillance if appropriate safeguards are not adopted.

As with traditional gas and electricity meters, the new devices could be installed in all households. What makes them ‘smart’ is the fact that they will enable the automatic transmission of consumption data from each household to energy suppliers. The reading, recording and transmission of such data would occur regularly – and could take place as frequently as every fifteen minutes. Smart meters will pave the way to a dynamic, ‘demand and response’ pricing system whereby energy consumption at peak times will be more expensive than consumption off-peak, or may even change from customer to customer. As such, smart meters are a precondition for the modernisation of energy supply chains and for the delivery of ‘smart grids’, which are supposed to provide considerable economic benefits. The collection of such fine-grained information on consumption, though, could allow for the extraction of personal information, which could impinge upon the privacy of the members of EU households.

The EDPS notes, for instance, that “by analysing detailed electricity usage data it may be possible in the future to infer or predict – also on a basis of deductions about the way in which electronic tools work – when members of a household are away on holiday or at work, when they sleep and awake, whether they watch television or use certain tools or devices, or entertain guests in their free time, how often they do their laundry, if someone uses a specific medical device or a baby monitor, whether a kidney problem has suddenly appeared or developed over time, if anyone suffers from insomnia, or indeed whether individuals sleep in the same room.” (p. 5). Over time the collection of such massive information can amount to tracking and reveal very detailed behavioural patterns, or profiles, which could prove of benefit to both businesses (for targeted advertising and value-added services) and law enforcement agencies. Moreover, if data were not secured properly, criminals could hack into the servers of the energy suppliers to obtain information on individuals, for instance, in order to commit burglary.

The EDPS commented extensively on the content of the recommendation. Whilst the recommendation incorporates new concepts such as privacy by design, privacy impact assessments (PIAs) and notification of data breaches, the EDPS highlighted a number of shortcomings such as the omission of basic principles of, and practical guidance on, data protection. He then suggested introducing specific guidance and a clear methodology in the Template which will be prepared by the Commission for the voluntary impact assessments to be carried out by Member States, and proposed the assessment of additional legislative measures at the EU level to guarantee homogeneity of applicable laws and data protection standards.

European Commission proposes law enforcement access to EURODAC

The European Commission on Wednesday (30 May) proposed to allow law enforcement authorities access to EURODAC, a biometric database of asylum seekers. The proposal will be presented to the Home Affairs Ministers at the next Justice and Home Affairs Council on 7-8 June 2012. The Commission has yet to release the full details of the proposal. Member state law enforcement authorities and EUROPOL would be able to request the comparison of fingerprint data with those already stored in the EURODAC central database, but under strict conditions. The comparison with the EURODAC database for law enforcement purposes would be strictly limited to the prevention, detection or investigation of terrorist offences as defined in the Council Framework Decision on combating terrorism (2002/475/JHA) and of other serious criminal offences as defined in the Council Framework Decision on the European Arrest Warrant (2002/584/JHA).

The new proposal introduces the possibility for Member States’ law enforcement authorities and Europol to request comparison of fingerprint data with those stored in the EURODAC central database in a specific case when they seek to establish the exact identity of or get further information about a person who is suspected of a serious crime or is a victim of crime. Law enforcement authorities may only request the comparison with EURODAC data if there are reasonable grounds to consider that such comparison will substantially contribute to the prevention, detection or investigation of the serious criminal offence in question. The proposal makes clear that the comparison of fingerprint data using EURODAC may only be made after national fingerprint databases and the Automated Fingerprint Databases of other Member States under Council Decision 2008/615/JHA (the Prüm Agreements) were consulted and have returned negative results. A comparison using the EURODAC database will provide results on a ‘hit’/‘no hit’ basis. Following a hit, the available information on the person (related to his/her asylum application) can then be requested from that Member State by using existing instruments for information exchange, such as Framework Decision 2006/960/JHA on simplifying the exchange of information and intelligence between law enforcement authorities. The proposal excludes that the EURODAC database be searched by law enforcement authorities on a systematic basis, and prohibits them from sharing personal data obtained with third countries, organisations or other entities.

According to responsible Commissioner Malmström, “robust safeguards have been introduced to guarantee the full respect of fundamental rights and of privacy and in order to ensure that the right to asylum is not in any way adversely affected.” But Melita Sunjic, spokeswoman for the United Nations High Commissioner for Refugees (UNHCR) in Brussels, told EUobserver that law enforcement access to the database would equate asylum seekers with criminality.

A similar proposal was already tabled by the Commission in 2009 but was quickly shot down by the European Data Protection Supervisor (EDPS) and the Meijers Committee, a group of experts on international immigration, refugee and criminal law. “The proposal would effectively transform all asylum seekers whose data is stored into criminal suspects and it will, indeed, increase the chance of prosecution of asylum seekers solely on the basis that they have once lodged an asylum claim somewhere,” said Dr. Maarten den Heijer, a member of the Meijers Committee. Furthermore, Dr den Heijer argues the proposal would violate the data protection principle of ‘purpose limitation’, which holds that stored personal data may only be used for the purpose it was initially collected for. He cited a case brought against Germany by an Austrian national at the European Court of Justice in 2008 which ruled that a system for processing personal data specific to foreign nationals for the purpose of fighting crime is not permissible.