By Arindrajit Basu

On July 16, the Court of Justice of the European Union (CJEU) invalidated the US-EU Privacy Shield that facilitated cross-border data transfers between the two jurisdictions. The decision, colloquially called Schrems II, was based partly on the absence of a clear legal framework in the USA which adequately protects the personal data of non-US citizens from surveillance by US intelligence agencies. In December 2019, I had written a paper for the NUJS Law Review titled ‘Extra-Territorial Surveillance and the incapacitation of human rights law’, part of which unpacked the law and practice on surveillance adopted by American intelligence agencies. In this post, I summarise parts of my paper which looked at the programs and legal enablers exploited by the NSA to spy on foreigners. As I discuss in the NUJS Law Review paper, the legal protections provided in the United Kingdom are similarly weak. It remains to be seen how this impacts UK-EU data flows post Brexit.

The Schrems II decision also threatens “standard contractual clauses“, that is, standardised sets of contractual terms which both the sender and receiver of personal data sign up to, and therefore serve as firm based workarounds to any restrictions on data transfers. I will not discuss SCCs in this piece and limit it to the law and policy on extra-territorial surveillance in the UK.

How surveillance works in the US

Algorithmic surveillance exploited by American intelligence agencies can broadly be divided into two phases:

1. Dataveillance and bulk collection

In this stage, vast amounts of data are captured through the ‘bulk collection’ of data generated online by individuals — a phenomenon that Roger Clarke termed  ‘dataveillance‘ in 1998, referring to the systematic monitoring and surveillance of an individual’s action and behaviour through the use of information technology.

Dataveillance may be conducted on two kinds of datasets — metadata and content. Metadata only provides information on the time and length of the communication between individuals but does not reveal the language (content) of these communications. While the NSA itself is a public authority, it has set up multiple partnerships with private sector corporations including Microsoft, Verizon, Intel, Quest and AT&T. The NSA intercepts data from these platforms and redirects these to their data repositories. An example of such a repository is the one in Bluffdale, Utah, codenamed ‘Mainway‘ that is capable of recording 20 billion ‘record events’ daily. Mainway was first revealed by USA Today in 2006 and it is unclear since when it has been in operation. A slide leaked by the New York Times as part of the Snowden revelations indicates that it has been recording over 20 billion events daily and making them available to the NSA.There is no evidence suggesting that this program has been discontinued or amended since the Snowden revelations.

Through its private partners, the NSA is able to get access to data generated in multiple territories through various programs. BLARNEY , in operation at least since 2006,is one such program which uses NSA’s relationship with AT&T to access “high capacity international fibre optic cables, switches and/or routers throughout the world”. Countries targeted using this program include Brazil, France, Germany, Greece, Italy, Japan, Mexico, South Korea and Venezuela. FAIRVIEW, another NSA program, engaged in something similar with the aid of an unknown corporate partner. The existence of the program only became known due to a leaked slide. STORMBREW is yet another program conducted closely with the US Federal Bureau of Investigation that provides the NSA access to data which is travelling through various ‘choke points’ on US, territory. A significant proportion of the world’s internet traffic passes through these ‘choke points’ given the talismanic role the US had in setting up the world’s internet architecture. ‘Choke points’ are “any network node that internet traffic passes through when it enters or exits a country’s internal networks”.

The NSA’s most infamous program PRISM targets data containing the content of communications from the nine biggest internet companies. Unlike the programs mentioned before which utilise upstream collection using fibre optic cables, PRISM enables the NSA to directly obtain content from the servers of private internet providers in the US.

2. Algorithmic Processing and Targeting

At this stage of algorithmic surveillance, collected data is processed using data mining techniques to identify potential suspects, whose profiles are subsequently examined in detail. This is known as ‘data-chaining’ which connects recorded events into a topographic mapping of patterns that selects suspicious patterns. XKeyscore and TreasureMap are analytical programs developed by the NSA for this purpose. XKeyscore allows for aggregated processing of information based on suspicious patterns derived from nationality, location or online behaviour. For example, one declassified NSA slide shows a query titled ‘germansinpakstin’ which would enable an NSA analyst to examine residents in Pakistan that may be use German language messaging systems. Treasure Map constructs the risk analysis done by programs like Xkeyscore to construct recognisable patterns. Through this process, suspect profiles are developed, which enable the NSA to make predictions about their future behaviour.

US legal framework

The legal authority for the NSA’s surveillance programmes stems from Section 702 of the Foreign Intelligence Surveillance Amendment Acts 2008 (FISAA). The FISAA adopts different standards of protection for American citizens, including American citizens overseas, and non-citizens, including those on US soil. Non-citizens may be surveilled under a lower reasonable belief standard without a warrant from the Foreign Intelligence Surveillance Court (FISC) though the FISC must annually sign off on the ‘high level’ plan of action with a broad strategy for surveillance, rather than approving surveillance measures on a case to case basis. Although the relevant provision was set to expire in January 2018, Congress voted to re-authorise it for another six years, thus providing tacit approval to surveillance programmes as they stand now.

Executive Order 12333, which was promulgated by President Reagan, has empowered the President to order surveillance activities at his discretion. E.O.12333 has been shrouded in opacity. The aftermath of the Snowden revelations prompted President Barack Obama to issue the Presidential policy Directive (‘PPD-28′) in 2014 which is legally not binding. This Directive states that

“Our signals  intelligence  activities  must  take  into  account  that  all  individuals must  be  treated  with  dignity,  regardless  of  their  nationality  or  wherever  they reside  and  that  all  persons  have  legitimate  privacy  interests  in  the  handling  of their personal information.”

PPD-28 pays lip-service to the notion that signals intelligence will not be collected to suppress criticism or discriminate against persons. However, it suggests that bulk collection is necessary to decipher threats in today’s complex age where communications are often weaponised by terrorist groups. The Directive goes on to state six cases where bulk targeting is permissible. These include:

  1. Espionage
  2. Terrorist threats to the United States
  3. Threats due to proliferations of weapons
  4. Cybersecurity
  5. Threats to the United States or allied armed forces, and
  6. Transnational criminal threats

This list of purposes is seemingly exhaustive though categories such as ‘terrorist threats’ or ‘cybersecurity’ are fairly broad and ambiguous. PPD-28 also includes safeguards that are drawn from the broad parameters of any standard data protection framework, including minimisation of data collection, limits on dissemination, use and retention, and proportionality and oversight. There was therefore an implicit recognition that signals intelligence should comply with International Human Rights Law, although its real-life implementation is far from clear.

What the CJEU said about US foreign surveillance

The CJEU’s argument on surveillance in Schrems II was that Section 702 FISAA and E.O. 12333 do not comply with the principle of proportionality, equivalent to the standard provided in Article 52 (1) of the European Charter of Human Rights (para 178-184). The court explained that while the annual certifications by the FISC check whether surveillance is undertaken with the objective of acquiring foreign intelligence information, it does not look into the question of whether individuals are properly targeted in order to acquire foreign intelligence information.

The CJEU in Schrems II picked up on this and stated that while PPD-28 is binding on the US intelligence authorities, it does not grant data subjects (that is, non-US citizens) actionable rights against these authorities in court. It went on to say,

“PPD-28 … allows for ‘bulk’ collection of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target. This allows in the context of surveillance programmes based on E.O. 12333 access to data in transit to the US without that access being subject to any judicial review and thus does not delimit in a sufficiently clear and precise manner the scope of such bulk collection of personal data.”

What Schrems II means for surveillance law and policy in India

Schrems II opens an avenue for emerging economies like India to push back against their entrenched extra-territorial surveillance practices. India’s surveillance framework has been in dire need for a legal overhaul. For starters, it makes no distinction between citizens and non-citizens as the US does. Yet, the provisions governing surveillance in India (which applies equally for citizens and non citizens) would likely not satisfy thresholds for adequacy determination and even if it did, it would likely be struck down by a Schrems like challenge at the CJEU. While there is no evidence of Indian intelligence agencies running mass extra-territorial surveillance programs like the NSA does, the law and policy is certainly not in line with the thresholds articulated in Schrems.

The legal framework governing surveillance in India stems from four statutes — the Telegraph Act (1885), Information Technology act, 2000, Code of Criminal Procedure (1973), and is enabled further by the Personal Data Protection Bill (tabled in 2019). The Telegraph Act enables targeted surveillance and covers the interception of post and telephone/telegraph. Section 5(2) has a two-tiered threshold for the Central Government to authorise the interception of messages. First, there should be a public emergency or the authorisation must be in the interest of public safety. Second, the official must be satisfied that the interception is necessary or expedient in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. Rule 419A charts out the process that needs to be followed prior to, during and subsequent to the interception, including the relevant sanctioning authority, the review process, and duration.

In addition to calls and messages, the government can also intercept information contained in computer resources through Section 69 of the Information Technology Act. While it is modelled on the Telegraph Act, there are important distinctions. First, it allows the government to “intercept, monitor or decrypt” any information generated, transmitted, received or stored in any computer resource” without the prerequisites of public emergency of public safety, which are there in the Telegraph Act. Further,the second tier test is widened by providing two additional and ambiguous grounds which are “defence of India and ” investigation of any offence.” Section 69(3) imposes an obligation on an intermediary to comply with the intercepting agency.

Section 69B allows the Central Government to undertake bulk surveillance by collecting and monitoring ‘traffic data’ (defined in 69B4(ii) to include metadata) for “enhancing cybersecurity and for identification,analysis, and prevention of any intrusion or spread of computer contamination in the country” — a threshold that is as low and as ambiguous as the parameters contained in the US PPD-28. It is worth noting here that the regime does not provide for any judicial oversight of this surveillance mechanism.

The Personal Data Protection Bill served as an opportunity to reform the surveillance regime in India. However, Section 35 of the Bill states that exemptions can be made to collection rules, reporting requirements, and other requirements whenever the government feels that it is ‘necessary or expedient’-a significant departure from the 2018 version which used the term ‘necessary and proportionate’ — a standard recognised in international human rights law, and the Schrems II decision. This Bill is still under consideration by the Joint Parliamentary Committee and India has an opportunity yet to enact meaningful reform that will comply with the EU’s adequacy standards.

Looking ahead

Schrems II comes as a victory for the critical mass of civil society organisations trying to restrict extraterritorial surveillance and bring it within the boundaries of International Human Rights Law. A German court recently rendered extra-territorial surveillance by German authorities unconstitutional. Schrems II has mounted a firm judicial challenge to the US on this front, and given the importance of cross-border data flows, it might prompt the US to reconsider its surveillance practices, though worryingly some experts have already recommended stubborn retaliation instead through trade retaliatory measures, among other forms of diplomatic pressure.

It remains to be seen whether the EU will use GDPR adequacy to challenge the practices of other countries. The UK, for example, still allows extra-territorial bulk surveillance through the Investigatory Powers Act 2016 (formerly Regulation of Investigatory Powers Act, 2000) Further, will other countries whose citizens are victims of US surveillance but do not have the EU’s geopolitical clout be emboldened by this decision to take a judicial or policy stance against US surveillance? India initially cited foreign surveillance in the Srikrishna Committee Report (2018) as one of the reasons underpinning its localisation gambit but failed to ground this argument in the discourse on individual sovereignty. It still has an opportunity to change this by amending Section 35 of the Act and thereby furthering the pushback against unbridled extra-territorial surveillance. Similar pushback from middle powers will likely determine the future of extra-territorial surveillance although the Schrems II decision is a giant leap forward towards developing a norm ostracising it. It has been recognised for some time that US surveillance practices have been illegal as per the standards of international human rights law. The CJEU’s decision highlighted that the US needs to abide by these rules in order to survive in today’s era of inter-dependence and cannot create and implement rules unilaterally.

The complete paper is available here.

Arindrajit Basu is a Research Manager at the Centre for Internet and Society.

Edited by Aditi Agrawal