US law on global hacking will puncture Privacy Shield

Privacy Shield, the proposed replacement to the now-invalid US-EU data exchange agreement Safe Harbour, may end up the prominent casualty of a relatively obscure US supreme court action last week.

The court’s action, in the form of an amendment to federal court rules, would grant US agencies such as the FBI permissions to hack into and monitor computers and devices anywhere in the world.

Privacy Shield – which has yet to be approved by the European Parliament – must address the key faults of Safe Harbour noted by the European Court of Justice in its Schrems decision last year. Thousands of European and US businesses are eager to get an effective Safe Harbour replacement to ease compliance with data-protection responsibilities.

The most daunting challenge in addressing the ECJ’s objections to Safe Harbour is to somehow guarantee that European data processed in the US will be given the same protections as in the EU. This requires ensuring federal agencies cannot access that data, at least not without following formal and transparent procedures such as those contained in the mutual legal assistance treaties already agreed.

But, of course, as we know post-Edward Snowden’s document releases, surveillance agencies don’t bother with such inconveniences when they have the means to easier snooping, and when post 9/11 laws provide much scope, and little meaningful oversight, for such activities.

Critics have already noted the US letters of assurance offered to the EU as part of the Privacy Shield proposal don’t mean much as long as opaque federal laws permit surveillance as well as secrecy. For example, under US law, companies that wish to formally oppose certain requests for access to their customer’s data are not allowed to reveal that such requests were ever made, nor the result of their appeal.

How can anyone know what is going on in such a world of unknown unknowns?

Explosive content

That’s one of the reasons the EU’s Article 29 Working Group of data protection authorities has already expressed reservations about Privacy Shield.

The supreme court’s move last Thursday is a change, but in the wrong direction.

The court has the ability to put forward amendments to federal judiciary procedures. On Thursday, it passed an amendment to Rule 41 of the Federal Rules of Criminal Procedure. The dry title belies some explosive content. Up until now, this rule stated warrants could only be granted to access and search electronic data held on a computer or device, if the location of the device were known. The amendment allows law enforcement “to search electronic storage media and to seize or copy electronically stored information located within or outside that district.”

In other words, the computer can be outside the US – or completely unknown. Advocates of the amendment argue that, as data can be held in the “cloud”, law enforcement needs these new permissions. Opponents say the amendment could allow the sensitive personal data of victims in a criminal investigation to be gathered. They see the move as having the potential of creating open-door surveillance opportunities, endangering vulnerable individuals and activists, and raining on cloud computing.

The amendment has drawn the ire of technology companies for what Silicon Valley digital rights group the Electronic Frontier Foundation called its “sweeping expansion” of powers. In a statement to the court, Google argued that “[despite a] weak assurance that the amendment does ‘not purport’ to expand the current scope of Rule 41, in reality it will: the nature of today’s technology is such that warrants issued under the proposed amendment will in many cases end up authorising the government to conduct searches outside the United States.”

The court has sent the amendment to congress, which has until December to approve it. Some US legislators are saying they will propose new laws to undermine the amended Rule 41.

As for Privacy Shield: the supreme court’s action will – if let stand – further undermine existing US assurances to the EU. On the one hand, negotiators and US authorities have insisted EU citizen data will not be subject to surveillance. On the other, new legal rights to do exactly that are being added to vague legislation.

Even before this amendment, Privacy Shield was on unstable ground. If the European Parliament somehow approves Privacy Shield, it will only be a brief period before Privacy Shield is hauled up before the ECJ.