On Tuesday, in response to Freedom of Information Act requests, a federal privacy watchdog released an important report about how the U.S. government handles people’s personal information that it sweeps up in its surveillance. Despite requests from Senator Ron Wyden and the European Union, the Trump administration had refused to make the report public — until now. The report addresses government agencies’ implementation of “PPD-28,” President Obama’s 2014 policy directive on government spying and the treatment of “personal information,” which includes communications like emails, chats, and text messages.
The release of this report, which the Privacy and Civil Liberties Oversight Board finalized in December 2016, was long overdue. The report makes clear that PPD-28’s protections are weak in practice and rife with exceptions. And it will likely only add to concerns European regulators already have about the ways in which U.S. surveillance harms the privacy rights of Europeans — jeopardizing an important transatlantic data-sharing agreement. Here are three key takeaways:
For the most part, PPD-28 simply prompted the intelligence community to memorialize existing practices. For example, it expressly allows agencies to use information collected in bulk for six purposes, which include detecting and countering “activities directed by foreign powers” and “transnational criminal threats.” These are broad and elastic categories — indeed, so broad that PPD-28 didn’t prompt the NSA to change its problematic practices at all.
The report states that “the lack of a common understanding as to the activities to which PPD-28 applies has led to inconsistent interpretation and could lead to compliance traps, especially as [intelligence community] elements engage in information sharing.”
One example is the FBI’s approach to communications collected under the Foreign Intelligence Surveillance Act (FISA). The report raises questions about whether the FBI is fully complying with PPD-28 as well as whether it’s seeking to carve out certain surveillance activities from the directive’s modest requirements:
Although the report recites the FBI’s “rationale” for exempting certain communications from the directive’s protections, it doesn’t explain why that rationale would justify these exemptions. It is true that certain types of surveillance under FISA are based on an individualized finding of probable cause that a target is a foreign power or an agent of a foreign power. But that should have no bearing on whether the directive applies to private communications acquired under those provisions.
To address these inconsistencies, the privacy board recommended that the National Security Council and the Office of the Director of National Intelligence “issue criteria for determining which activities or types of data will be subject to PPD-28’s requirements.” It is unclear whether these agencies ever issued those much-needed clarifications about the directive’s scope.
Finally, the board was concerned about how agencies would apply the directive in light of an upcoming dramatic expansion of the NSA’s power to share “raw,” unreviewed communications with 16 other agencies, like the Drug Enforcement Administration and the Department of Homeland Security.
Historically, the NSA had always reviewed and redacted some types of sensitive data from intercepted communications before sharing them with other agencies. But at the end of 2016, the Obama administration implemented new rules that allowed the NSA to broadly share raw information, including with agencies that had no prior experience handling this kind of intelligence. The Privacy and Civil Liberties Oversight Board explained that these agencies (called “IC elements”) may need to take additional measures to comply with the directive:
It’s not clear whether, after this report, agencies appropriately updated their information technology systems to purge unreviewed communications after five years, as required by the directive. Nor is it clear whether agency personnel received the training necessary to comply with this directive. More generally, there are still significant questions about how much raw data the NSA is sharing, for what purposes, and how the directive applies to this data in practice.
This new report is yet more evidence that the future of the central U.S.–EU data-sharing agreement — known as Privacy Shield — is in doubt.
Privacy Shield allows American tech firms operating in Europe to easily and lawfully transfer data to the United States, and it’s predicated on the idea that the U.S. “adequately” protects Europeans’ communications. The European Commission approved Privacy Shield in part because it believed that Obama’s directive provided meaningful protection. PPD-28 recognized that “all persons have legitimate privacy interests in the handling of their personal information” — and it explicitly extended some very modest privacy protections to non-Americans abroad.
Although the directive was a step in the right direction, we’ve explained elsewhere why it does not provide adequate protection for EU persons’ data and is too weak to serve as the legal basis for Privacy Shield. This report makes it even clearer that the directive fails to cure the fundamental problems with U.S. surveillance law.
In short, the U.S. government is exploiting the personal information it gathers using these spying activities more broadly than ever, but the report reveals just how anemic PPD-28’s protections are in practice. It also raises serious questions about whether the directive has been implemented fully and consistently across the intelligence community.
The European Commission’s second annual review of Privacy Shield is already underway, and the EU’s highest court will likely soon have the opportunity to rule on the legality of the agreement. Both the commission and the court will have to grapple with the fundamental weaknesses of PPD-28 and with these new signs that its safeguards do not go nearly far enough.