The Right to Privacy, Clandestine Surveillance and International Trade in the United States and European Union

AuthorRoisin Costello
PositionThe author would like to thank Katie Latchford, Senior Editor, for her thoughts and comments on earlier drafts in preparation for publication
© 2014 Roisin Costello and Dublin University Law Society
“But only a host of phantom listeners, that dwelt in the old house then,
Stood listening in the quiet of the moonlight, to that voice from the world
of men”
Walter De La Mere1
Privacy is rarely lost all at once; more commonly it is eroded over time,
suffering constant, individually imperceptible attritions until a single
revelation reveals how little remains to citizens. This article will examine
how surveillance in the service of security can be reconciled with rights to
privacy and data protection in light of the recent revelations concerning
United States (US) surveillance activities. Part One will examine the
revelations concerning US surveillance activities and locate the legal basis
for such surveillance. Part Two will identify the positive and negative
potentials that the gathering and retention of data gleaned from such
surveillance and online transactions may have for the governments and
citizens in the European Union (EU) and US principally, analysing the
impacts on the right to privacy, rule of law concerns and the uses of big
data which such actions import.
These concerns will be considered and weighed against the
countervailing benefits of big data in predicting patterns of demand and
producing more efficient and responsive public services, as well as
achieving increased security for citizens. Part Three will examine the
manner in which US surveillance operations might be reformed to better
congrue with the concerns outlined in Part Two. In conclusion, Part Four
will examine the impact of divergent levels of surveillance and privacy
* The author would like to thank Katie Latchford, Senior Editor, for her thoughts and
comments on earlier drafts in preparation for publication.
1 Walter De La Mere, “The Listeners” in The Collected Poems of Walter De La Mere (Faber
and Faber, 1979).
38 Trinity College Law Review [Vol 17
laws in place in the EU and the US with a view to assessing their potential
impact on EU-US trade and business.
I. Unmasking the Listeners
In 2013 the European Parliament voted2 to investigate PRISM3 and other
US surveillance programs following revelations by ex-Central Intelligence
Agency (CIA) contractor Edward Snowden and urged representatives to
reexamine the arrangements in place regarding the transfer of banking and
travel data between the two jurisdictions, even as the Union considered a
new trade deal with the United States and pending a proposal to strengthen
privacy protections.4 The revelations of the activity of the National Security
Agency (NSA) are arguably the latest high water mark of the triumph of
security concerns over civil liberties as part of the United States’ escalating
surveillance mission in the wake of 9/11.5 Such increased security activity
clashes with the fundamental premise accepted by the EU, of privacy as a
2 483 to 98, with 65 abstentions
surveillance-programmes> (visited 1 February 2014).
3 PRISM is the central surveillance program of the NSA and is a clandestine mass electronic
surveillance and data-mining program that has been underway since 2007 (Barton Gellman
and Laura Poitras, US Intelligence Mining Data from Nine US Internet Companies in Broad
Secret Progra m
8845-d970ccb04497_story.html> (visited 1 February 2014), Glenn Greenwald and Ewen
MacAskill, NSA Pr ism P rogram Taps Into User Data of Apple, Google a nd Others
(visited 1 February
2014). The program collects stored online communications based on requests made to Internet
companies such as Google subject to section 702 of the FISA Amendments Act of 2008 to
relinquish data matching court-approved search terms. Documents leaked by Snowden
flagged PRISM as "the number one source of raw intelligence used for NSA analytic reports"
accounting for 91% of the information acquired under the authority of FISA section 702
authority" (NSA Slides Explain the PRISM Data-Collection Progr am
(visited 1 February 2014). The equivalent program in the United Kingdom’s GCHQ is
MUSCULAR (DS-200B) which acted in tandem with the NSA to break into the data centers
of Yahoo and Google (Barton Gellman, Andrea Peterson and Ashkan Soltani, How We Know
the NSA Had Access To Internal Google and Yahoo Cloud Data
had-access-to-internal-google-and-yahoo-cloud-data/> (visited 1 February 2014).
4 William Mauldin, Spying Revelations Add Hurdle to US-EU Trade Talks
(visited 1 February 2014).
5 Louise K Comfort, “Risk, Security and Disaster Management” (2005) 8 Annual Review of
Political Science 335, at 342.
2014] Privacy, Surveillance and International Trade 39
civil right and that state power is best contained by promoting transparent
and accountable government that encourages public participation.
Yet government surveillance, especially in the US context, is not a
recent development. In October 1975, Senator Frank Church began
hearings on abuses in the intelligence community focusing on the NSA
interception of the communications of Americans, including Vietnam War
protestors and civil rights leaders as part of national security measures
aimed to prevent domestic threats.6 However, the 2013 revelations by
Snowden have shown that current NSA capabilities far exceed even the
most sophisticated and aggressive of its 1970 operations. This increased
NSA capability imports a parallel increase in erosion of civil liberties and
fundamental rights. 7 Indeed, perhaps the most troubling developments
following Snowden’s revelations were the sharing of the data of EU
citizens by British intelligence agencies with their US colleagues in bulk.8
Britain and the US are two of the main partners in the 'Five-Eyes'
intelligence-sharing alliance, whose citizens are generally understood to
enjoy protection from surveillance by any of the other members.9 However,
Snowden revealed that in 2007, these rules were altered to allow the NSA
to retain and analyse mobile, Internet Protocol (IP) addresses, email and
fax details of British citizens.10
The operations of the British Intelligence Services have faced legal
challenges, most notably in a case brought by Privacy International11 who
called for the immediate suspension of Britain's use of material sourced
through the PRISM programme and sought a temporary injunction to the
Tempora programme, which allows Britain's Government Communications
Headquarters (GCHQ) to monitor and collect emails, phone calls and
Skype conversations. 12 Privacy International (PI) allege the contact-
6 Church argued the NSA was in violation of US law by tapping the phones of American
citizens. Tom Bowman, NSA’s Reach Leads to Calls for Updated Eavesdropping Laws
eavesdropping-laws> (visited 1 February 2014).
7 Ibid.
8 James Ball, Leaked memos reveal GCHQ efforts to keep mass surveillance secret
secret-snowden> (visited 1 February 20014).
9 Whose other members include Australia, New Zealand and Canada. See Paul Farrell, History
of 5-Eyes Explainer
explainer> (visited 1 February 2014).
10 Ball, note 8.
11 Nick Hopkins, NSA a nd GCHQ Spy Progra mmes Face Legal Challenge
challenge> (visited 1 February 2014).
12 Over-arching project at GCHQ called "Mastering the Internet." The data is shared with
NSA and by last year 550 analysts from both countries were filtering through the contents.
40 Trinity College Law Review [Vol 17
changing analysis employed by the NSA on British data allows the agency
to search the data of individuals at three removes from a target of interest.13
PI grounded its claims in the legal ambiguity surrounding British co-
operation with the PRISM program, which allows the NSA to intercept the
communications of non-US citizens living outside America from global
internet companies such as Google, Facebook and Yahoo.14 Similar to the
Australian context, PI notes that had GCHQ sought to obtain the
information for itself, it would have been obliged to apply under the
Regulatory of Investigatory Powers Act (RIPA) for a warrant from a
minister.15 Moreover, if UK authorities are permitted to access private
communications without the knowledge or consent of the citizens involved,
the ECHR requires that there be a legal regime in place that provides
sufficient safeguards against abuse of power and arbitrary use.16
While every national intelligence service will necessarily impinge on
individual liberties to some degree as it seeks to prevent adverse security
outcomes, democracies must also keep such encroachments in check and
hold their agents to account.17 Absent such a checks and balances approach,
several adverse outcomes may potentially develop. Such outcomes are
considered in Part Two.
See Ewen MacAskill, Julian Borger, Nick Hopkins and Nick Davies Mastering the Internet
(visited 1
February 2014).
13 Ibid.
14 Directorate General for Internal Policies: Citizens Rights and Constitutional Affairs,
National Progra mmes for Mass Surveillance of Personal Data in EU Member States and their
Compatibility with EU Law
2013/493032/IPOL-LIBE_ET(2013)493032_EN.pdf> (visited 1 February 2014).
15 In a classified briefing document from Australia’s surveillance agency, The Defence
Signals Directorate (DSD) in December 2013, the Australian agency indicated it might share
material in bulk absent the privacy restraints imposed in European jurisdictions as long as
there was “no intent to target an Australian national," further noting that unintentional
collection was “not viewed as a significant issue" though the agency acknowledged
substantial interrogation based on the material would require a warrant. Geoffrey Robertson
has noted that the actions described in the memo would constitute a breach of sections 8 and
12 of the Australian Intelligence Services Act 2001 which establishes strict requirements
concerning the need for ministerial authorisation where data of an Australian citizen is
involved, and requires the citizen must be a "person of interest" for the collection of such data
to be legitimate. See Ewen MacAskill, James Ball and Katherine Murphy, Revealed:
Australian spy agency offered to share data about ordinary citizens
share-data-about-ordinary-citizens> (visited 1 February 2014).
17 Antoinette Rouvroy, “Privacy, Data Protection and the Unprecedented Challenges of
Ambient Intelligence” (2008) 2(1) Studies in Ethics, Law and Technology 941.
2014] Privacy, Surveillance and International Trade 41
II. The Surveillance Society: A One Way Mirror
Following revelations concerning the NSA, its representatives argued the
practice of data warehousing was vetted by the Congress and a national
security court and that consequently the executive was notionally being
held to account. However, such arguments are increasingly under scrutiny.
In reality, evidence indicates the NSA exists in a rarefied absence of
judicial and legislative oversight and a vacuum of public opinion.18
The NSA is tasked with monitoring, collecting and analysing data for
intelligence and counterintelligence purposes, including surveillance of
specific individuals by clandestine means.19 NSA actions are authorised and
monitored by Foreign Intelligence Surveillance Courts (FISC) which are
charged with regulating NSA activities and are largely incapable of
investigating or verifying NSA adherence to its rules.20 Congressional
oversight seems largely absent, with many members claiming ignorance of
the NSAs activities following Snowden’s revelations. 21 Indeed a 2009
opinion of the FISC, released by court order, stated the NSA had "so
frequently and systemically violated its own protocols restricting data
queries that it can be fairly said that this critical element of the overall ...
regime has never functioned effectively."22 In 2011 the same court noted
the "volume and nature" of the NSA's interceptions were "fundamentally
different from what the court had been led to believe."23
18 “How the NSA’s Domestic Spying Program Works” Electronic Frontier Foundation
<> (visited 1 February 2014).
19 Executive Order 13470 2008 Amendments to Executive Order 12333, United States
Intelligence Activities, 30 July 2008
(visited 1 February 2014).
20 Carol D Leonnig, Court: Ability to police U.S. spying program limited
limited/2013/08/15/4a8c8c44-05cd-11e3-a07f-49ddc7417125_story.html> (visited 1 February
21 Glen Greenwald, Members of Congress denied access to basic information about NSA <>
(visited 1 February 2014).
22 Ellen Nakashima, Julie Tate and Carol Leonnig, Declassified court documents highlight
NSA violations in data collection for surveillance <
violations/2013/09/10/60b5822c-1a4b-11e3-a628-7e6dde8f889d_story.html> (visited 1
February 2014).
23 Spencher Ackerman and Dan Roberts, Obama Presents NSA Reforms with P lan to End
Government Storage of Call Data <
nsa-reforms-end-storage-americans-call-data> (visited 1 February 2014).
42 Trinity College Law Review [Vol 17
Given such operational shortcomings coupled with the breadth of
collection of data on individuals, several adverse legal consequences of this
surveillance arise. These shall now be examined in turn.
A. The Right to Privacy
The rise of the information society and its unlocking of vast amounts of
readily accessible, largely free, sources of formal and informal data has led
to an unprecedented availability of information which has the potential to
be drawn on in seeking to assess opportunity cost as well as more efficient
provision of public and commercial goods.24 Yet the exploitation of data for
such ends also poses a threat to traditional conceptions of and protections
afforded to citizens’ rights to privacy. The right to privacy is recognised by
a majority of constitutions worldwide,25 as well as significant number of
international instruments. 26 However, such rights to privacy are
increasingly eroded by new technologies.27 Privacy issues are in certain
cases inadequately balanced against conflicting interests, a shortcoming
that may be largely due to a failure to present an accepted applicable
conceptual definition of privacy.
i. The Right to Privacy Under US Law
The beginnings of the right to privacy in the US lie in “The Right to
Privacy,” the seminal article by Samuel Warren and Louis Brandeis, which
articulated the right to privacy primarily as a "right to be left alone."28
Analysing the precedents under US law concerning private property and
slander, Warren and Brandeis deduced "a principle which may be invoked
to protect the privacy of the individual from invasion either by the too
enterprising press, the photographer, or the possessor of any other modern
device for recording or reproducing scenes or sounds.29
Though the US Constitution does not specifically mention a right to
privacy, the Supreme Court has interpreted the Bill of Rights as implicitly
guaranteeing "a right of personal privacy, or a guarantee that certain areas
24 Viktor Mayer-Schonberger and Kenneth Cukier, Big Data, (Houghton Mifflin Harcourt,
25 David Banisar and Simon Davies, Privacy and Human Rights: An International Survey of
Privacy Laws and Practice <> (visited 1 February
26 Ibid.
27 Ibid.
28 Samuel Warren and Louis Brandeis, “The Right to Privacy” (1890) 4 Harv L Rev 193.
29 Ibid.
2014] Privacy, Surveillance and International Trade 43
or zones of privacy exist under the Constitution" under the Fourth
Amendment.30 Early case law in America dealing with the right to privacy
largely centres on defamation cases such as New York Times Co v
Sullivan 31 and search and seizure under the Fourth Amendment as in
Olmstead v United States.32 In Olmstead the Supreme Court ruled that no
warrant was necessary for federal agents to tap telephone wires, the Fourth
Amendment protecting only against "physical invasions."33 Olmstead was
later overruled by the Court in Katz v United States.34 The right to privacy
was first fully and more explicitly articulated by the Supreme Court
decision of Griswold v Connecticut, which held that the right to privacy is
implicit in the Bill of Rights, whose penumbrasmust be read as creating
zones of privacy.35
ii. The Right to Privacy in the EU
The current, extensive European regulation of matters concerning privacy
is commonly justified with reference to continental experiences under
fascist governments and post-War Communist regimes, pursuant to which
Europeans retain a somewhat suspicious perception of unchecked uses of
personal information.36 In the age of computers, European guardedness
concerning government surveillance has arguably translated to a distrust of
corporate databases. The right to privacy is recognised by all member
states at a European level in Article 8 of the European Convention on
Human Rights as well as Articles 7 and 8 of the European Charter of
Fundamental Rights which provide a right to respect for "private and
family life" and “data protection” respectively.37 In giving practical effect
to the right to privacy the most notable feature of Europe’s legal landscape
30 Roe v Wade 410 US 113 (1973) holding that the right to privacy is broad enough to
encompass a woman’s decision whether or not to terminate her pregnancy and Griswold v
Connecticut 381 US 479, 485 (1965) holding a statute prohibiting the giving of contraceptive
information unconstitutional, thereby recognising a right to marital privacy. Paul v Davies
424 US 643, 713 (1976) holding that the constitution protects a right of privacy from
governmental intrusions regarding intimate personal decisions, concerning matters relating to
marriage, procreation, contraception, family relationships and child rearing and education.
31 New York Times Co v Sullivan 376 US 254 (1964).
32 Olmstead v United States 277 US 438 (1928), at 466.
33 277 US 438, at 464.
34 Katz v United States 389 US 347 (1967), at 353 [hereinafter Katz].
35 Griswold v Connecticut 381 US 479 (1965), at 485.
36 Colin J Bennett, Regulating Privacy: Data Protection a nd Public Policy in Europe and the
United States (Cornell University Press, 1992), at vii.
37 European Charter of Fundamental Rights 2000/C 364/01
(visited 1 February 2014).
44 Trinity College Law Review [Vol 17
is its regulation of data protection through a number of conventions and
The 1980 Organisation of Economic Co-operation and Development
(OECD) issued its Recommendations of the Council Concerning
Guidelines Governing the Protection of Privacy and Trans-Border Flows of
Personal Data’ with the aim of creating a comprehensive data protection
system throughout Europe.38 The guidelines enumerated seven principles
for protection, including factors such as notice of data collection, that data
should be only for the purpose collected, be kept secure and that data
subjects should be informed as to who is collecting their data. However,
due to the non-binding nature of the guidelines and the varied legal
landscape across Europe, the principles enjoyed limited success. Among
the first instruments regulating the protection of data in Europe was the
Council of Europe’s 1981 Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data.39 The Convention
obliged signatories to enact legislation concerning the automatic processing
of personal data; however, it suffered from the same limitations as the
OECD guidelines, resulting in a continuing divergence of national data
protection standards within the EU. The later Cybercrime Convention
sought to provide additional clarity on rights to privacy explicitly noting
the need for a balance to be struck between privacy, invasive technologies
and fundamental rights in Article 15.40 The Convention, in line with EU
legislation, grants particular prominence to the principle of proportionality
under Article 16 (2).41
The EU, in recognition of a growing need for a uniform approach to
data protection across its member states, proposed the Data Protection
Directive in 1995.42 The Directive regulates the processing43 of personal
38 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
ml> (visited 1 February 2014).
39 Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data (visited 1
February 2014).
40 Convention on Cybercrime
Html/185.htm> (visited 1 February 2014).
41 Letter addressed to Commissioners Malmstrom, Reding and Kroes by organisations from
more than 23 European Countries suggesting the implementation of data preservation as a
replacement to data retention
view/370/79/lang,en/> (visited 1 February 2014).
42 Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data.
43 Processing of data is defined as any operation or set of operations performed on personal
data, whether or not by automatic means Article 2(b) Data Protection Directive 1995.
2014] Privacy, Surveillance and International Trade 45
data44 applicable not only when the controller45 is established within the EU,
but whenever the controller uses equipment situated within the EU in order
to process data.46 However, the Directive was not only drafted and enacted
long before the rise to prominence of the Internet, but in the absence of
amendments it has also failed to keep pace with the rapid technological
change which has characterised the near decade since its enactment. Thus,
in January 2012, the European Commission unveiled a draft European
GDPR that will supersede the Data Protection Directive.47 The GDPR will
extend EU data protection law to all foreign companies processing data of
European Union residents,48 in addition to prohibiting any processing of
data where conditions of transparency, legitimate purpose and
proportionality are not met.49 Under the Directive the data-subject enjoys
the right to be informed of the name and address of the controller
processing their data, as well as when such processing takes place.50 The
recipients of the data and associated information are obliged to ensure the
processing is fair,51 with additional restrictions in cases involving sensitive
data.52 The Directive also requires each member state to establish an
independent supervisory authority to monitor the data protection level in
that member state, advise the government on administrative measures and
regulations and commence legal proceedings when data protection
regulations have been violated.53
44 Personal data is defined in the directive as "any information relating to an identified or
identifiable natural person ("data subject"); an identifiable person is one who can be
identified, directly or indirectly." See Article 2(a) Directive 95/46/EC.
45 Who is charged with ensuring compliance with the Directive, the controller is defined
within the directive as meaning the natural or artificial person, public authority, agency or any
other body which alone or jointly with others determines the purposes and means of the
processing of personal data; See Article 2(d) Directive 95/46/EC.
46 Article 4, Directive 95/46/EC.
47 See Commission Proposes a Comprehensive Reform on the Data Protection Rules 25
January 2012
en.htm> (visited 1 February 2014).
48 European Commission, Why do we need an EU data protection reform?
(visited 1 February 2014), European Commission, How will the EU’s data protection reform
make international cooperation ea sier
protection/document/review2012/factsheets/5_en.pdf> (visited 1 February 2014).
49 Article 6, Directive 95/46/EC.
50 The Intelligence Oversight and Surveillance Reform Act, summary available at
(visited 1 February 2014).
51 Article 10 and 11, Directive 95/46/EC.
52 Article 8, Directive 95/46/EC.
53 Article 28, Directive 95/46/EC.
46 Trinity College Law Review [Vol 17
Three European Court of Justice (ECJ) cases concerning the right to
privacy, namely Lindquist,54 Rundfunk55 and Passenger Name Record 56
focus on the interpretation and application of the Data Protection Directive.
These cases provide an insight into the trade-offs between securing
individual rights and avoiding undue restriction of commercial actors,
illustrating the tensions that characterise this area of law. Notably in the
PNR case, the tension between US and EU rights to privacy and national
security and transatlantic business is highlighted. For the purposes of this
article, the focus shall be on Rundfunk and PNR. Rundfunk evolved from
two Austrian cases, consolidated by the ECJ, concerning the application of
an Austrian statute that required select public bodies to disclose the salaries
and individuals to whom they were paid above an identified threshold.57
Several bodies subject to the obligations58 had provided disclosures which
were considered incomplete, resulting in proceedings being brought against
them by the Court of Auditors to whom the incomplete report was made.
The Court then referred the matter to the Austrian Federal Constitutional
Court against the bodies in breach, seeking a declaratory ruling as to their
jurisdiction to require the disclosure standards be adopted.59
The Constitutional Court recognised that the intention, in making the
data public, was to provide comprehensive information and thus bring
pressure to bear on the bodies concerned so that public funds are used
thriftily and efficiently. In addition, the right to the protection of personal
data under the Directive and right to respect for private life under the
Fundamental Freedoms referred to the ECJ for preliminary ruling would be
respected.60 The ECJ held that, though the Directive’s applicability could
not rest on a case-by-case determination, it did not preclude national
legislation as long as it could be demonstrated that the broad disclosure
requirement was necessary and appropriate for the objective of proper
management of public funds as contemplated by the Austrian legislature.
The ECJ deferred to the Austrian courts, holding that it is for them to
determine whether this was indeed the case. 61 In its analysis the ECJ
55 Joined Cases C-465/00, C-138/01 and C-139/01.
56 Joined Cases C-317/04 and C-318/04 [hereinafter PNR].
57 C-465/00, C-138/01 and C-139/01.
58 Such as local and regional authorities, a public broadcasting corporation and a statutory
professional body, C-465/00, C-138/01 and C-139/01.
59 C-465/00, C-138/01 and C-139/01.
60 Sky Osterreich GmbH v Osterreishischer Rundfunk Case C-283/11, See also, Opinion of
Advocate General Izzano 14 November 2002.
61 Case C-283/11, at [5].
2014] Privacy, Surveillance and International Trade 47
emphasised the relationship between the Directive and provisions of the
ECHR, specifically Article 8's guarantee62 of the respect for the private life
of the individual, weighing the existence of an interference with private life
against its justification.63
Perhaps the most salient case examining the tensions between EU
and US data protection laws is the PNR case.64 The case concerned the use
and release of information collected for the automated reservation and
departure control systems of commercial airlines to US security
authorities.65 The Passenger Name Record (PNR) information at issue
related to thirty four discrete fields of data collected regarding passengers
including names, addresses, telephone numbers, e-mail addresses, payment
and credit card information, travel itinerary, ‘no show history, one way
ticket status, baggage and seat information. Such data was routinely
collected by airlines in the course of supplying travel services and
combatting terrorism. In the aftermath of 9/11 the US government began to
demand that PNR data collected by airlines for flights entering and leaving
US airspace be turned over to them. It was in this context that the PNR case
The case was an agglomeration of two separate actions brought by
the European Parliament against both the Council and Commission for
annulment of decisions reached by them regarding the sharing of PNR
data. European airlines in the aftermath of 9/11 could either provide PNR
data to the US government and risk liability in the EU for violations of data
protection laws, or alternatively, comply with EU data protection laws, risk
having landing privileges revoked and experience major disruptions to
their transatlantic service. Consequently, in March 2003, several airlines in
the EU began providing the US government access to their PNR data.
Simultaneously, the Commission began negotiating with the US with a
view to reaching an agreement that would alleviate the burden on the
airlines by allowing the PNR data to be transferred while still respecting
EU data protection laws as a result of which an agreement on PNR data
was reached. While the Council approved of the agreement, the Parliament
disapproved of concessions relating to the adequacy of protection afforded
to data in the US and the lack of authority on the part of the Commission or
Council to reach such an agreement without their approval. Thus in July
2004, the Parliament initiated proceedings in the ECJ against both the
62 Case C-283/11, at [19].
63 Case C-283/11, at [73-74].
64 Joined Cases C-317/04 and C-318/04.
65 Joined Cases C-317/04 andC-318/04, at [1-3].
48 Trinity College Law Review [Vol 17
Commission and Council, seeking an annulment of their decision to
approve the conclusion of an agreement with the US.
The Court determined the Commission's actions could not have been
considered to be governed by the Directive. Article 3(2) excludes from the
Directive’s scope the processing of personal data in the course of activities
that fall outside Community law. Further, the processing of personal data
in the case constituted processing operations concerning public security
and the activities of the State in the areas of criminal law, activities which
are expressly excluded from the scope of the Directive. 66 Thus, the
Commission could not act on the basis of the Directive using its Article 25
powers to assess the adequacy of the level of protection afforded by the US
authorities for the PNR data as the Directive itself excludes such data
processing activities from its scope and so made no further determinations
on the remaining arguments made by the Parliament.67
iii. Breaching The Right to Privacy
NSA voyeurism threatening the right to privacy of European citizens is far
from hypothetical. In 2008, a former NSA employee admitted employees
of the agency had eavesdropped on private calls of soldiers stationed
overseas.68 According to the agency, 22 officials have the competence to
authorise queries against the phone records database.69 However, there is no
guarantee that such controls are as stringent in practice as policy suggests.
The more restricted the access to the database is, the more challenging it
becomes for NSA analysts to make effective use of the collected data. Yet
it appears such abuses are far from being resigned to history. In November
2013 it was revealed that the NSA had engaged in surveillance of access to
online pornography as part of a proposal to discredit a handful of
individuals identified as ‘radicalising’ others.70 None of the individuals
identified had been accused of involvement in terrorist activity and all were
resident outside of the US.71 Such revelations further underline the erosion
66 Joined Cases C-317/04 and C-318/04.
67 Joined Cases C-317/04 and C-318/04, at [1-408].
68 Brian Ross, Vic Walter and Anna Schecter, Inside Account of US Eavesdropping on
americans/story?id=5987804andsinglePage=true#.Udohpz6Y6a5> (visited 1 February 2014).
69 Privacy and Civil Liberties Oversight Board, Report on the Telephone Records Conducted
under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence
Surveillance Court (visited 1 February 2014).
70 Nate Rawlings, NSA Monitored Porn Habits to Discredit ‘Radicalizers
radicalizers/> (visited 1 February 2014).
71 Ibid.
2014] Privacy, Surveillance and International Trade 49
of the right to privacy by current surveillance activities and highlight some
of the most pressing concerns raised by the current governance architecture
and operations of US surveillance agencies, such as rule of law concerns,
concerns over the erosion of the presumption of innocence and the use and
abuse of big data.
B. Redressing Rule of Law Concerns
The second issue raised by the surveillance operations conducted by the
NSA relate to rule of law concerns. These concerns are raised by the
operational structure of the current US surveillance agencies and largely
affect their home jurisdiction, though they also import broad concerns for
EU-US relations.
i. The Foreign Intelligence Surveillance Courts
The FISC is a US federal court established under the Foreign
Intelligence Surveillance Act (FISA) 1978 to deal with requests for
surveillance warrants against suspects by federal law enforcement
agencies, notably the NSA and the Federal Bureau of Investigation (FBI).72
Eric Lichtblau argues that the powers of the court have expanded to the
extent that its authority rivals that of the Supreme Court,73 a position of
authority achieved through its allegedly broad interpretation of the Patriot
Perhaps the most evident example of the breadth of FISC authority
was the leaked order issued by the court compelling a Verizon subsidiary
to release the entirety of its phone records. 75 This was arguably a
disproportionate requirement, with consequences for those residing far
beyond US borders, and has led to calls for the standards of records
considered relevant to be raised. Currently, opinions of the court
authorising NSA surveillance programs are classified. Despite suits under
the Freedom of Information Act having been brought by advocacy groups
72 David B Cohen and John Wilson Wells, American National Security and Civil Liberties in
an Era of Terrorism (New York City: Palgrave Macmillan, 2004), at 34.
73 Eric Lichtblau, In Secret, Court Vastly Broadens P owers of NSA
nsa.html?pagewanted=all> (visited 1 February 2014).
74 Jennifer Valentino-Devries and Siobhan Gorman, Secret Court's Redefinition of 'Relevant'
Empowered Vast NSA Data -Gathering
SB10001424127887323873904578571893758853344> (visited 1 February 2014).
75 Full text of order available at
Verizon.pdf> (visited 1 February 2014).
50 Trinity College Law Review [Vol 17
seeking the release of FISC documents, the Justice Department continues
to refuse to release opinions or court documents.76
Both Representative John Conyers and Senator Bernie Sanders have
introduced bills in light of such revelations requiring that the government
demonstrate “specific and articulable facts” illustrating the manner in
which records are relevant.77 Senator Mark Udall introduced legislation
which would require any applications to include an explanation of how any
records sought are relevant to an authorised investigation.78 Senator Dianne
Feinstein has explained that once the NSA has phone records in its
possession, analysts may query the data without individualised court
approvals, so long as they possess “reasonable suspicion, based on specific
factsthe data is related to a foreign terrorist organisation. Such ambiguous
standards for searches should be reformed and replaced by clear standards
for approval by a court before analysts search metadata. A similar
recommendation for reform was included in the bill proposed by
Representative Stephen Lynch, which seeks to require the government to
petition the FISC on each occasion an analyst wants to search telephone
metadata.79 The FISC judge would then be required to find “reasonable,
articulable suspicion” that the search is “specifically relevant to an
authorised investigation” before approving the application.80 Furthermore,
the legislation would require the FBI to report monthly to congressional
intelligence committees on all the searches the analysts made.
Brian Tamanaha contends that central to addressing rule of law
concerns is a declassification of FISC opinions which would allow a right
of notice and reply to those under suspicion. This would ensure that the law
is well-known, prospective and characterised by generality, equality and
certainty of applicability.81
The manner in which FISC judges are appointed should be changed
as the current law does not grant Congress the power to confirm FISC
judges; rather, they are appointed by the Chief Justice of the United States,
from individuals who previously served on the federal bench, to serve
76 Legal Times, In Secret Court, DOJ F ights Access to Surveillance
surveillance-ruling.html> (visited 1 February 2014).
77 Paul Lewis and Dan Roberts, NSA reform bill to trim ba ck US sur veillance unveiled in
congress> (visited 1 February 2014).
78 Ibid.
79 Telephone Surveillance Accountability Act of 2013
bin/query/z?c113:H.R.2684:> (visited 1 February 2014).
80 Ibid.
81 Brian Tamanaha, The Rule of Law for Everyone (2002) 55 Current Legal Problems 1.
2014] Privacy, Surveillance and International Trade 51
seven year terms.82 Chief Justice Roberts appointed all eleven of the current
judges, ten of whom were nominated to federal courts by Republican
presidents.83 Representative Adam Schiff has proposed a bill that would
give the President the power to appoint FISC judges while the power to
confirm would be granted to the Senate.84 In the alternative, the Chief
Justice might retain the power of appointment but the House Speaker, the
House minority leader, the Senate majority leader and the Senate minority
leader each appoint two judges to ensure a less evidently partisan bent on
the bench.85
The announcement by President Obama that a public advocate would
be appointed to argue before the FISC on matters concerning the public
interest was a welcome reform as to date the FISC has rejected only 11 of
an estimated 33,900 government requests. 86 Government officials
petitioning the FISC have encountered no adversarial process, no
representation for targets of surveillance before the court, nor any notice or
right of response for those in respect of whose data any orders or warrants
are issued.87
ii. The Presumption of Innocence
The relationship between surveillance and the presumption of innocence is
intricate in that it is through increasing surveillance that crime is detected,
deterred or controlled and prevented. However surveillance technologies,
which have proved invaluable in supporting prosecutions and minimising
wrongful convictions in the last fifty years,88 may now import a risk of pre-
emptive prosecution. Recent revelations that GCHQ in the UK had
potentially engaged in the interception of privileged communications
82 Garrett Epps, Chief Justice John Roberts Appointed Every Judge on the FISA Court
judge-on-the-fisa-court-20130812> (visited 1 February 2014).
83 Ezra Klein, Did you know Kohn Roberts is also chief justice of the NSA’s surveillance state
roberts-is-also-chief-justice-of-the-nsas-surveillance-state/> (visited 1 February 2014).
84 Bill available> (visited 1
February 2014).
85 Klein, note 83.
86 Alan Perez, Secret Court’s Oversight Gets Scrutiny
SB10001424127887324904004578535670310514616> (visited 1 February 2014).
87 Ibid.
88 Fred F Manget, “Intelligence and the Criminal Law System” (2006) 17 Stanford Law and
Policy Review 415.
52 Trinity College Law Review [Vol 17
between lawyers and their Libyan clients89 highlight the aforementioned
At a more specific level, the treatment of individual whistleblowers
by the US government has also raised significant concerns. Private Bradley
Manning, recently sentenced to thirty five years in jail, has become a high-
water mark for America’s security and surveillance culture.90 Yet even as
Manning awaited his sentence, Snowden set out to expose the warrantless
warehousing by the NSA of private data belonging to millions of American
citizens, potentially in breach of the Patriot Act and the Fourth
Amendment, in addition to activities with the potential to reach and affect
those far beyond its own borders. 91 The severity of the reaction to
Manning’s revelations, including his detention, stands in stark contrast to
the national administrative attitude of the US, in which the privacy and
data of millions of citizens is seen as freely available but the data or
privacy of the State remains sacrosanct.92
C. Big Data: Use and Abuse
Law has traditionally relied on the exploitation of all forms and sources of
information at its disposal to reach informed and authoritative decisions,
yet lawyers have traditionally been restricted to those reports available and
known to them. Following the emergence of the Internet, the availability of
information has increased with the result that there is little barring a further
increase in the courts’ fields of reference.93 However, this increased ease of
access should import attendant benefits for the endeavours on which data is
available and not compromise pre-existing privacy rights. Concerns over
breaches of privacy through the use of big data range from indifference to
abuse of individual rights or effects of actions in addition to lack of
transparency and accountability.
89 Owen Bowcott, GCHQ a ccused of monitoring privileged emails between lawyers and
privileged-emails-lawyer-client-libya> (visited 1 February 2014).
90 The Economist, Liberty’s lost decade
(visited 1 February 2014).
91 Mark Hosenball, NSA Chief says Snowden leaked up to 200,000 secr et documents
idUSBRE9AD19B20131114> (visited 1 February 2014).
92 Tom McCarthy, Bradley Manning Sentenced to 25 Years
live> (visited 1 February 2014).
93 Mayer-Schonberger and Cukier, note 24.
2014] Privacy, Surveillance and International Trade 53
A potential harm is that from the aggregation of information and
seemingly innocuous data one may identify trends or behaviors that more
seriously breach the overall right to privacy of the individual. For example,
if a citizen purchases a book about dementia, this single piece of
information is not particularly revealing. However, if such purchase
information is combined with an Internet search history, which reveals
research on assisted living facilities and a phone call or email to a family
lawyer or doctor, these combined pieces of information may provide a
clear inference of a recent medical diagnosis - information that an
individual may well have chosen not to share.
A second problem is exclusion. Exclusion occurs when individuals
are prevented from accessing information about how the knowledge or
information concerning them is being used and are as a result unable to
correct errors in such data. The new GDPR in Europe aims to combat
exclusion by requiring that data held is kept up to date, yet national
security measures involve maintaining large databases containing
information which individuals are barred from accessing or correcting.94
Such an exclusion of notice or right of the individual to respond to false
information presents a clear problem of due process under administrative
law standards at common law.95
III. US Reforms
In the aftermath of Snowden’s revelations numerous individuals have
petitioned the US government for reform of existing surveillance and
security laws. Senate Judiciary Committee Chairman Patrick Leahy has
pushed for legislation to limit the power of the National Security Agency,
stating he was convinced that the system set up in the 1970s to regulate
the surveillance capabilities of our intelligence community is no longer
Senator Wyden, one of the senators at the forefront of bipartisan calls
for reform, noted the need to institute a higher threshold for not cosmetic"
intelligence reform.97 The Intelligence Oversight and Surveillance Reform
Bill proposed by the Senators would prohibit bulk collection of phone
94 Jonas Lerman, “Big Data and Its Exclusions” (2013) 66 Stanford Law Review Online 55.
95 Ibid.
96 Timothy B Lee, The Switchboard: Five Tech Policy Stories You Need to Read Today
policy-stories-you-need-to-read-today-23/> (visited 1 February 2014).
97 The Intelligence Oversight and Surveillance Reform Act, summary available at
(visited 1 February 2014).
54 Trinity College Law Review [Vol 17
records of Americans by the NSA under section 215 of the Patriot Act,
prevent similar harvesting of Internet communications and prohibit the
NSA’s interception of Internet communications of Americans under
programs protected by s.702 of the FISA Amendments Act.98 The bill also
seeks to limit the legal authority for the PRISM program which operates
under s.702 of the 2008 FISA Amendments Act by strengthening the
prohibition on ‘reverse targeting of Americans.99 In addition, the Bill
would require the NSA to more aggressively filter and discard information
about Americans accidentally collected through PRISM and related
Although the official response to criticisms of the current system in
the US is that there are “checks and balances built in” to their tools, in
reality the NSA largely succeeded in evading oversight.101 Currently, the
agency relies on jurisdictional arbitrage that precludes much of its activity
from legal challenge due to the location of its collection points outside the
US.102 Criticism of the governance architecture of the NSA as well as its
operation has been widespread, yet the official position remains indecisive.
The Privacy and Civil Liberties Oversight Board, an independent US
Privacy watchdog, in its January 2014 report advised by a 3-2 majority that
the programme should end as it was illegal and has had only "minimal"
benefits in preventing terrorism.103
A federal court in Washington DC declared the NSA activity was a
violation of the Fourth Amendment protection against searches and
seizures and refused to follow the precedent of Smith v Maryland,104 the
judge noting I cannot possibly navigate these uncharted Fourth
Amendment waters using as my north star a case that predates the rise of
cellphones.”105 Yet fewer than ten days later a New York court upheld the
constitutionality of the NSA metadata collection on the basis there was no
evidence it had been used for any purpose other than counter-terrorism.106
98 Ibid.
99 Ibid.
100 Ibid.
101 Yochai Benkler, How the NSA Imposes New Limits on State Surveillance
(visited 1 February 2014).
102 Ibid.
103 Charlie Savage, Watchdog Reports Says NSA Program is Illegal a nd Should End
illegal-and-should-end.html> (visited 1 February 2014).
104 Smith v Maryland 442 US 735 (1979).
105 Klayman et al v Obama et al Civ Action No. 13-0851 (RJL) Dec 16 2013 US District
Court for the District of Columbia.
106 American Civil Liberties Union v Clapper No 13 Civ 9334 (SDNY Dec 27 2013).
2014] Privacy, Surveillance and International Trade 55
While President Obama has committed to NSA reforms through curbing
the use of such mass data, as well as the appointment of a public
representative in cases coming before FISC courts, he has failed to redress
deeper failings in the regulatory architecture of the current surveillance
system.107 An early opportunity for a more fundamental reform may present
itself in 2014 as the current director of the NSA General Keith Alexander
prepares to depart from the federal government.108 The current system of
dual leadership of the two agencies has been harmed by the overarching
dominance of the NSA over Cyber Command. Alexander’s departure offers
an opportunity to separate the governance of the two agencies and redress
such imbalances by dropping the current dual authority and reforming the
way in which Cyber Command monitors surveillance by the NSA.
Jennifer Sims, writing in Foreign Affairs, has argued that there are
legitimate justifications for surveillance, notably in cases when normal
diplomatic or intelligence channels are not sufficient.109 In the absence of
such justifications interception and inspection of private communications
by US authorities constitutes a disproportionate interference with the rights
of citizens. Moreover, it is unclear whether there is a context in which bulk
interception of the communications of large numbers of citizens of several
European member states is ever either proportionate or necessary. In reality
such actions constitute a prima facie breach of the rights guaranteed by
Article 8 of the ECHR where they are not undertaken pursuant to a legal
regime containing sufficient safeguards to render it in accordance with the
law. The US, in seeking to counteract the controversy which the
revelations concerning its surveillance have precipitated, must recognise
that for Europeans, privacy is political. They must endeavour to institute a
system of credible and independent privacy oversight that will be
integrated within existing transatlantic security and trade arrangements.
The Privacy and Civil Liberties Oversight Board in the US could easily be
expanded to include such a mandate - in its current incarnation it is largely
107 Privacy and Civil Liberties Oversight Board, Report on the Telephone Records Program
Conducted under Section 215 of the USA Patriot Act and on the Operations of the Foreign
Intelligencee Surveillance Court” <
Report-on-the-Telephone-Records-Program.pdf> (visited 1 February 2014). See also
Ackerman, note 23.
108 James G Stavridis and Dave Weinstein, Divide and Conquer: Why Dual Authority at the
NSA and Cyber Command Hurts US Cyber security
and-conquer> (visited 1 February 2014).
109 Jennifer Sims, I Spy... Why Allies Watch Each Other
(visited 1 February
56 Trinity College Law Review [Vol 17
toothless and despite the popular support gained by its recent report on
surveillance, largely without political traction as it vies with American
security lobbiers. A truly independent board with investigative powers,
public reporting requirements and strong international relationships would
reassure citizens of both jurisdictions and go a long way towards
reinstating the relationship of trust which has characterised US-EU
relations for much of the last century.
One of the underlying tenets of law in a democratic society is legal
certainty. Absent a means for citizens to know of the existence,
interpretation or execution of a law, as is the case with the FISC in the US,
the law is effectively secret and in breach of traditional and fundamental
tenets of western liberal democracy as well as arguably the US doctrine of
“fair warning.”110 In France revelations concerning the storage of large
amounts of data on a supercomputer at the headquarters of the national
intelligence service, the Director General of External Security, provoked
claims the operation was "outside the law, and beyond any proper
IV. Privacy and International Trade
Privacy’s effect on international trade is largely a result of the
economic character of the data protection laws that have emerged in
Europe as well as their delineation between third party and European
treatment and use of data. Such an approach, moreover, is gaining traction
in other jurisdictions. In South Africa lawmakers looked to European
examples as they sought to implement the country’s first comprehensive
data protection laws while, in the Middle East, the overseers of
international free trade zones in Qatar and Dubai have announced plans to
adopt data protection laws that also mirror the European rules.112 Such a
shift towards the European model has, as Lee Bygrave notes, created a fear
among companies of disrupted data flows and the development of
110 Erik Claes, Wouter Devroe and Bert Keirsblick, Facing the limits of the law (2009,
Springer), at 93.
111 BBC News, France ‘has vast data surveillance’ Le Monde
(visited 1 February 2014).
112 Justin Cornish, a lawyer at Latham and Watkins in Dubai, quoted in Kevin J O’Brien,
Firms Bra ce for New Eur opean Data P rivacy Law
privacy-law.html> (visited 1 February 2014).
2014] Privacy, Surveillance and International Trade 57
international standards that create a community of countries which meet
those requirements to the potential exclusion of others.113
The European approach has not, however, been met with universal
approval. In 2012 Facebook warned the new European directive would
constitute a significant regulatory step in determining Europe's future as an
innovation economy and could act as a barrier to meaningful EU-US free
trade agreements if not correctly structured.114 Google, Facebook, Apple,
Amazon and IBM have all lobbied to participate in the proposed European
legislative process, the outcome of which could grant over 500 million
consumers the right to withhold basic personal details online, significantly
impinging on the financial model in which current online businesses
operate by limiting their ability to provide targeted advertising based on
user movements and prior history. 115 In addition, the Bill would grant
European consumers a fundamental right to data portability or the right to
easily transfer an individual’s posts, photographs and videos from one
online service site to another and in doing so generate a more competitive
market by removing disincentives to change social networking and other
online habits. US technology and communications companies, including
Facebook and Google, face a potential requirement to comply with 28
European data protection watchdogs after one of the European Union’s
chief legal advisers raised an unexpected objection to the proposed “One
stop shop rule” included in new European data protection law, which
would allow companies to submit to a single privacy regulator rather than
competing national ones.116
Studies from the Federal Trade Commission and Georgetown
University found that between 85% and 97% of websites collect at least
one type of personal identifying information, commonly a name or e-mail
address, often without user consent.117 The studies further found that many
site operators do not alert users that such personal data is being collected,
nor do they offer a purpose for which collection is undertaken or used.118
113 Lee A Bygrave, Data Pr otection Law: Approaching Its Rationa le, Logic and Limits
(Kluwer Law International, 2002), at 34.
114 RTE News, Facebook Warns over Impact of EU Directive
(visited 1
February 2014).
115 O’Brien, note 112.
116 James Fontanella-Khan, EU Data Pr otection Rules Hit by Surprise Legal Objection
00144feabdc0.html#axzz2s6SNNrY8> (visited 1 February 2014).
117 George Milne and Mary Culnan, “Information Privacy: Measuring Individuals’ Concerns
about Organisational Practices” (2004) 18(3) Journal of Interactive Marketing.
118 Electronic Commerce: The Current Status of Privacy Protections for Online Consumers
(visited 1 February 2014).
58 Trinity College Law Review [Vol 17
Media reports of ailing “dot coms” selling customer information to third
parties without consent have added to public awareness and concern over
privacy online.119
It has also been argued that data protection laws in fact place the EU
nations at a competitive disadvantage compared with nations that allow
the use of data with less regulation.” 120 Personal data regulation is,
increasingly, strategically important in the information age. Indeed, a
survey of leading US financial services companies suggests free flow of
personal information contributes some $17 billion to that industry on an
annual basis.121 Adherence would likely involve compliance, transaction,
operation and opportunity costs for US businesses resulting from the
Directive's requirement that businesses maintain detailed records of the
purposes for which the data was collected and processed. Furthermore, in
situations where businesses must obtain the data subject's informed consent
before transferring the data, data subjects may elect not to permit the
disclosure of their personal information. The result may be that businesses
have less information at their disposal when making business decisions or
seeking to secure revenue through advertising. More realistically, US
companies based in Europe may simply take an increasingly holistic
approach to their privacy policies which seek to accommodate heightened
customer privacy standards, such as the additional security technology
introduced by Twitter to make it more difficult for outside parties to spy on
its users in 2013. Under the system, new keys were created for individual
sessions, making it impossible to use a master key to decrypt them.122
Primarily based on such concerns, US companies have waged a vocal
campaign against Europe’s approach to data protection and privacy but
have largely failed to either force a formal liberalisation of the EU stance
or contain further adoption of European rules by countries such as Japan,
Canada, and Australia, all of whom previously demonstrated an adherence
to an approach similar to the US model.123 Moreover, Europe has been
119 Ibid.
120 Unworkable Data Protection Reforms May Place Businesses at Competitive Disadvantage
CBI Says
reforms-may-place-businesses-at-competitive-disadvantage-cbi-says/> (visited 1 February
121 Ibid.
122 Ciara O’Brien, Twitter Implements New Measures to Protect User s
to-protect-users-1.1605781> (visited 1 February 2014).
123 David Banisar and Simon Davies, “Global Trends in Privacy Protection; An International
Survey Of Privacy, Data Protection And Surveillance Law And Developments” (1999) XVIII
Journal of Computer and Information Law 1.
2014] Privacy, Surveillance and International Trade 59
viewed in some respects as having forced the US to make concessions to
its legal and policy stances through the adoption of the Safe Harbour
agreement, which stipulates that US firms active in European markets shall
abide by EU rules even where such data is processed in the United States.
Such divergences are broadly reflective of the historical conceptual
differences between the doctrine of privacy in the United States and
Europe. The European approach as embodied in the Articles 7 and 8 of the
European Charter of Fundamental Rights and Article 8 of the European
Convention on Human Rights have long conceptualised privacy as allied
with rights to personal dignity and family life in which proportionality acts
as the watchword for any infringement. In contrast judicial attitudes to
privacy in the US are characterised by narrow “zones” of privacy as
established in Griswold and Roe124 and the limited protections afforded
under the Fourth Amendment concerning searches and seizures as
extrapolated in Olmstead and Smith v Maryland, which was later
liberalised in Katz. The tension between the presumptive primacy of a right
to privacy in family and in relation to personal data in Europe contrasts
starkly with the American attitude which has been observed by many to
have become characterised by a relationship with national security and the
Patriot Act, which have compromised its limited effect.125
Yet such bright line distinctions are misleading. European Union
member states are far from unified in the primacy they afford privacy as a
fundamental right. As noted, Ireland’s own approach in relation to a
constitutional guarantee of privacy rights accord with that taken in the US,
while other member states, most notably France126 and Belgium,127 privilege
privacy to a degree not seen in other member states. Meanwhile Germany’s
Constitutional Court continues to break ground on issues of privacy,
notably online. 128 Additionally, in seeking to assess the first
conceptualisations of the right to privacy, Warren and Brandeis “The Right
124 An approach notably similar to that of Ireland in which the right to privacy in certain areas
of family life is implied under Article 40.3 per McGee v Attorney General [1973] IESC 2 as it
is under the due process clause in the 14th Amendment per Roe v Wade 410 US 113 (1973).
125 Steve C Posner, Privacy Law and the USA PATRIOT Act (LexisNexis, 2006).
126 See Délibération n°2013-420 de la formation restreinte prononcant une sanction pécuniaire
àl’encontre de la société Google Inc available at
D2013-420_Sanction_Google.pdf> (visited 22 January 2014). See also Article 226-1 of the
French Criminal Code which criminalises invasions of privacy, Article 9 of the French Civil
127 See Scarlet v SABAM Case C-70/10 concerning whether an IP address could be considered
personal information covered by the right to data privacy.
128 Who ruled that there is a right to protection against remote online searches in BVerfG NJW
2008, 822.
60 Trinity College Law Review [Vol 17
to Privacy” remains the seminal work expounding the normative grounds
on which the right might be based- namely conceptions of the right to life
and to private property as generating a second generation right to be left
As Ireland enjoys its favoured status as the jurisdiction of choice for
headquarters of global technology corporations and as both the EU and US
grapple over how divergent views of privacy and national security might
be reconciled to facilitate continued and improving trade and diplomatic
relations, definitions of privacy are set once again to take centre stage.
Jurists might do worse than to turn once more to the 19th century
articulations of Warren and Brandeis to re-animate the privacy debate and
find a definition of this long guarded but seldom written right, founded
both in the European conception of dignity and the right to life and the
right to property, or control or autonomy as to the use of personal
information and data.
However, an adoption of a less stringent regulatory approach on
Europe’s part dwindles as further revelations emerge. Boston Consulting
Group’s on the value of digital identity lends further support to the
contention that new European data protection regulations will not impede
the personal data economy.129 Five of the six areas of use outlined by
Boston Consulting Group for personal data are already compatible with the
proposed regulation. For example the firm views personal data as a lever
for process automation, personalisation and the improvement of products
and services which can be used if companies maintain healthy relationships
with their customers who are willing to exchange personal data in return
for improved services. Thus what is good for the surveillance authorities in
the US is not necessarily good for business. Though in the past lax
regulation of data allowed a mutual abuse and exploitation of data reserves
online, the public’s increasing awareness of such activities mean it will be
less trusting of IT giants in the future, notably as companies develop
technologies that increase the volume and type of personal information
they can collect.
Reports that the NSA spied on Brazilian oil company Petrobras and
gained access to data held by US cloud providers including Google and
Yahoo have heightened corporate paranoia about state surveillance, already
129 Boston Consulting Group, The Value of Our Digital Identity
(visited 1 February 2014).
2014] Privacy, Surveillance and International Trade 61
elevated by revelations over surveillance of political figures. 130 NSA
Director General Keith Alexander denied the claims stating the NSA was
“not authorised to go into a US company’s servers and take data.”
However, though the surveillance through the MUSCULAR131 programme
would be illegal within the US it continues to operate overseas on the
assumption individuals using foreign data links are non-US citizens.132
While the US continues to abstain from reforming domestic data
privacy rules, European regulations have become something of a de facto
international standard in matters concerning data privacy, as the
globalisation of markets drives a parallel globalisation of regulation and
national public policies increasingly unfold and impact across borders.133
Throughout the 1990s, the EU acted as a market-creating organisation in
which data protection laws operated to prevent rights abuses by market
actors. The challenge in light of international security concerns is for the
European Union to continue to foster positive transatlantic relations while
endeavouring to ensure it adequately protects the privacy of its own
A data-based cold war between the US and EU could do irreparable
damage to the leading of internet companies growth prospects. This fear
culminated in the decision in December 2013 by eight prominent
companies to challenge the US government’s surveillance practices.135 Such
a challenge imports clear risks; should calls for reform be ignored, the
companies negligence in protecting customer data will only be highlighted,
causing further reputational damage. Moreover, the companies could be
accused of cynicism in the aftermath of the surveillance revelations that
raised suspicions over the extent of the industry’s complicity in the state’s
data gathering. Conflicts in approaches to and attitudes concerning
130 Chris Bryant, NSA Revelations Boost Corporate Paranoia About State Surveillance
00144feabdc0.html#axzz2s6SNNrY8> (visited 1 February 2014).
131 Gelman, Peterson and Ashkan, Note 3.
132 Greenwald, note 21.
133 David Scheer, Europe’s New High-Tech Role: Playing Pr ivacy Cop to the World> (visited 1 February
134 Francesca Bignami “Privacy and Law Enforcement in the European Union the Data
Retention Directive” (2007) 8(1) Chicago Jour nal of International Law 231.
135 Richard Waters, Data cold war could damage leading US internet companies
(visited 1
February 2014).
62 Trinity College Law Review [Vol 17
information privacy have long dominated international commerce between
the US and EU, whose divergent approaches to data protection have caused
tensions concerning transatlantic business and trade. This concern is
heightened as increasing amounts of trade and commerce move online
where data is a valuable commodity.
Yet the recent revelations have cast doubt on such bright line
distinctions between approaches and clear-cut areas of concern. The
opacity of the procedures of the judicial system of FISC courts in the US
raises significant questions. Both the EU and US have in effect
demonstrated a largely similar approach in relation to their surveillance of
citizens. Both approaches have undoubtedly infringed the rights of
European citizens to privacy and data protection in addition to eroding trust
in European as well as national regimes.
Moreover, while individual activists such as Snowden have brought
surveillance activities to light, the struggle to ensure the integrity of data
protection and the right to privacy of citizens is no longer one
characterised, as it arguably was in the 1990s and early 2000s, as the
noble hacker versus the State. Links between the hacker and intelligence
communities grew during the 2000s as the US government sought to
establish an online, military presence creating a dependence which leaves
both sides increasingly uneasy as hackers loudly proclaim the government
has overstepped the boundary of acceptable behaviour.136
The response to such a changing landscape lies in ensuring that there
exist explicit legal guarantees which delineate the boundaries of acceptable
surveillance in the service of national security and which outline the
offences to apply where such mandates are exceeded or the rights of
individual citizens are violated. In addition, such processes and indeed, the
processes by which warrants and operations are sought and approved, must
be conducted in accordance with due process and the rule of law to ensure
a measured exercise of surveillance mandates and a balanced executive
power. Such checks do not preclude the ability of such courts to operate in
a manner which respects the sensitive and classified nature of certain
security operations and requests through the use of in camera proceedings,
but do preclude the continuance of a situation in which checks and
balances exist only as rhetorical flourishes in official reports.
In seeking to redress current imbalances there is at least one issue
that is generally agreed upon - the laws governing electronic eavesdropping
136 Danny Yadron, Where Hackers and Spooks Mingle
(visited 1 February 2014).
2014] Privacy, Surveillance and International Trade 63
and technology have failed to keep pace with technology.137 The updates to
European Data Protection laws as well as the heightened legislative
attention which is evident in the US may go some way towards redressing
disparities between legal provisions and practice, yet as Kelly noted
[t]he ultimate protection of human rights in a democracy lies with the
people themselves. If they allow villains into Government, a piece of
paper will not protect them from the consequences, nor can they
expect a few learned men in wigs and gowns to save the fools from
the knaves they have elected.138
137 Bowman, note 6.
138 JM Kelly “The Irish Constitution” (4th ed., Bloomsbury Professional, 2003). A sentiment
echoed by Alito J who stated “Historically the greatest protections of privacy were neither
constitutional nor statutory, but practical.” In Re: Application of the United States of American
for Historical Cell Site Data No 11-20884, 30 July 2013, at 22.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT