Friday, February 14, 2014

The Snowden Effect: a new international right to privacy and new privacy clauses

Edward Snowden, a former National Security Agency (NSA) contractor, leaked documents to The Guardian and The Washington Post newspapers, leading to exposés from 5 June 2013 concerning the NSA’s collection of data using Internet surveillance programs.

The controversy surrounding this leak of information has been notoriously far-reaching and has had many interesting outcomes. Two of them are dealt with here:

a. A Right to Privacy

The UN General Assembly has recently adopted a resolution titled “Right to Privacy in the Digital Era,” which was drafted by Germany and Brazil and unanimously supported via a recorded vote of 148 in favour to 4 against (the countries voting against being Canada, Israel, The United Kingdom, and the United States) and with 27 abstentions.

The resolution is intended to protect the right to privacy in the digital age, and is directly linked to the NSA’s tapping of the cell phones of the leaders of Germany and Brazil, as revealed by Snowden.

One of the UN Human Rights Council’s special rapporteurs on Freedom of Expression, Frank La Rue, emphasized that surveillance of communications must not be allowed without independent judicial oversight.

“Blanket and indiscriminate surveillance should never be legal,” Mr. La Rue stressed during a press conference on 29 November 2013. “International human rights standards demand that any interference with human rights be considered on a case-by-case basis in which a court weighs the proportionality of the benefit to be gained against the harm which may be done.”

In the right to privacy in the digital age resolution, the General Assembly calls upon Member States, and encourages them, to review existing procedures, practices and legislation regarding the surveillance of communications and the storing of data, with the aim of upholding the right to privacy and ensuring that all surveillance complies with international human rights law.

b. Contractual Terms

As of April this year, Australia’s Privacy Act will require recipients of personal data which have revenue of over AUD 3 million and which transmit this data overseas to be responsible for where the data may end up (for example, in the hands of direct marketers). The penalties under the strengthened privacy regime are considerable – the Privacy Commissioner will be able to impose fines in excess of a million dollars for non-compliance with sections of the Privacy Act. Companies must not only ensure that the overseas recipient is subject to an equivalent privacy regime, but also that the Australian company can enforce that protection (in other words, by contract). If these requirements are not met (and none of the exceptions are available), the Australian collector of the information can be liable for the privacy breaches of the overseas recipient.

In the United States, the Foreign Intelligence Security Act of 1978 created a court that manages information requests from intelligence organisations to, primarily, companies which have aggregated that information. Wired Magazine reported in January 2014 that Yahoo! “waged a secret battle in the FISA court to resist turning over user data. But it was for naught. An August 22, 2008, order determined that the government’s interest in national security, along with safeguards in the program, outweighed privacy concerns in a manner consistent with the law. A subsequent appeal [to the Foreign Intelligence Surveillance Court of Review] went nowhere.”

This came into the public eye when The Washington Post published an article on 6 June 2013 referring to a 41-slide NSA PowerPoint presentation, which listed the names and logos of US tech companies alleged to be cooperating with the NSA in FISA information requests. Most famously, the exposés revealed that US telco Verizon had voluntarily handed a database of every call made on its network to the National Security Agency. This bulk disclosure of information certainly contained masses of personal data that had nothing to do with law enforcement or anti-terrorism.

What does this mean for contracts, especially privacy agreements which specify that the recipient of personal data may convey that data to the US? Australian subsidiaries of US companies regularly send information such as human resources records to US-based head offices. What if that information is part of a bulk data request from the NSA?

The answer is that clauses like the following appear in privacy terms and conditions, to mount an argument that disclosers of personal data have given informed consent:

“The Recipient makes no warranty or guarantee in relation to the privacy of any or all Personal Data which the Recipient conveys directly or indirectly to the United States if the Personal Data is subject to a request pursuant to the Foreign Intelligence Security Act of 1978 (as amended) issued by a US government intelligence agency and is consequentially conveyed to a US government intelligence agency or any of its authorised affiliates. The Discloser acknowledges that the Recipient may not by operation of US law be able to inform the Discloser that any or all Personal Data has, in those circumstances, been conveyed to US government intelligence agencies or their affiliates.”

Australian Privacy Principle 8, which deals with cross-border transactions, carves out an exclusion for “disclosure… to an overseas enforcement body for enforcement-related purposes.” Whether disclosure of personal information to an American spy agency as part of a bulk dump of data is for an “enforcement-related purpose” is not, in my view, immediately obvious, because it is clear that much of the information being gathered has nothing to do with law enforcement. The solution is to ensure that disclosers of personal data in those circumstances know of the risk.
