At the Privacy and Civil Liberties Oversight Board hearing yesterday in Washington, D.C., Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and government surveillance and provided a transnational perspective on legal regimes that regulate government access to data. From 2012 to 2013, Hogan Lovells published four White Papers (available here, here, here, and here) on government access to data in the cloud. The findings of the national security access White Paper, A Sober Look at National Security Access to Data in the Cloud, were a focal point of yesterday’s discussion.
Here is the text of Wolf’s prepared remarks, where he emphasized that the United States has greater due process and independent oversight of government surveillance activities than many of our fellow democracies and that so-called regional clouds outside of the United States do not provide individuals with greater security from government surveillance:
Good afternoon. My name is Christopher Wolf. I am director of the global privacy law practice at Hogan Lovells. I want to thank the members of the Privacy and Civil Liberties Oversight Board for inviting me to participate on this panel.
In 2013, Hogan Lovells published a White Paper examining the similarities and differences among various legal regimes that authorize and limit government access to data. Our work began before the Snowden NSA disclosures in response to the claims of certain EU cloud service providers that storage of data in the EU made it safer from surveillance than storage with a US-based cloud provider. Following the Snowden revelations, the argument in support of allegedly-secure from-surveillance regional clouds has been renewed loudly.
A previous White Paper we did on governmental access to data internationally noted the availability of Mutual Legal Assistance Treaties and other forms of cross-border governmental sharing, addressing faulty claims of regional cloud service providers about the invulnerability to foreign government access that local cloud storage might provide.
Our 2013 White Paper looked specifically at Section 702 surveillance and the frameworks in Australia, Canada, France, Germany, and the United Kingdom. My testimony today synthesizes the findings from this White Paper and includes additional information on similar laws in Brazil, Italy, and Spain that we intend to publish soon.
I will note that our White Paper foreshadowed last week’s Report of the European Parliament criticizing the practices of certain EU member states for the lack of transparency and controls on their surveillance activities.
My principal point today, following our White Paper, is straightforward: While the policies and practices of the United States addressing surveillance and related privacy concerns obviously need to be reassessed, the United States has on the books greater due process and independent oversight of surveillance activities than many of our fellow democracies.
As you know, Section 702 surveillance requires court approval. Surveillance is limited to foreign intelligence information and oversight mechanisms exist for 702 surveillance.
As our White Paper revealed, these same limitations are not always found in the laws of many of our counterparts.
Australia, Canada, France, Germany, Italy, and the United Kingdom do not require court approval for national security surveillance.
In France, the intelligence agency is allowed to conduct surveillance to protect economic and scientific assets even when national security interests are not at stake.
On the issue of intelligence agencies secretly and without any process at all asking companies for data, we have found that Australia, Canada, France, Germany, and the UK allow their governments to ask private entities voluntarily to disclose data to the government. In the United States, the government is not allowed to seek voluntary transfers – a neutral judicial body must approve the government’s request for data.
Last week’s resolution by the European Parliament recognized extensive surveillance systems in EU Member States and the “lack of control and effective oversight” that some EU Member States have over their intelligence communities. The resolution also questioned the “compatibility of some Member States’ massive economic espionage activities with the EU internal market and competition law.”
The Parliament did not go into the detail of our White Paper, but its resolution reflected the baseline finding of our research – that there are substantial deficiencies in transparency about and controls over national security access to data in countries outside the United States. Thus, when also considering the cross-border sharing arrangements available to governments for information they collect through surveillance, it is misleading in the extreme to contend that so-called regional clouds provide individuals with security from government surveillance.
I commend this Board for engaging in an assessment of United States surveillance practices and looking at how these practices relate to our counterparts. There are no guarantees, in the United States or elsewhere, that agencies will abide by the laws restricting national security surveillance. But the degree of authorization required and the kind of review that occurs is relevant to a determination of how well personal privacy and liberty are protected.
Thank you again for the opportunity to present the findings of the White Paper. I look forward to answering your questions.