Intelligence business: Trump must keep privacy protections for US firms

The Senate will consider the nomination of Dan Coats for Director of National Intelligence this week.

Before approving him, the Senate needs to ensure that he will prioritize helping American businesses — particularly in the tech industry — operate in a global commercial environment. And that means respecting Obama-era privacy protections to govern intelligence collection.  

{mosads}Here’s why.  

Many large American businesses transfer significant amounts of data between the U.S. and Europe in their daily operations.  This includes the large tech companies — think Facebook and Google — but also includes retailers, financial institutions, and other everyday businesses that have operations in Europe and that transfer payroll data, HR data, sales data, and other forms of information.  

While the U.S. and Europe have different systems for protecting individuals’ privacy they reached an agreement in 2000 called the “Safe Harbor” that allowed data to flow freely between the world’s two largest free markets.  

Edward Snowden’s revelations of U.S. surveillance practices (along with some misperceptions about those practices) led the European Court of Justice to invalidate the Safe Harbor agreement in 2015.  The terms under which U.S. companies could move data around the world to achieve their business objectives were suddenly thrown into substantial turmoil.  

Trump picks former senator for top intelligence position https://t.co/XdQUppIZAG pic.twitter.com/h764FMjrbV

— The Hill (@thehill) January 5, 2017

The U.S. and EU systems of data protection are different — with the EU focused more on regulating what companies can do with data and the U.S. system focused on government collection.  But the American system of supervising intelligence agencies is unquestionably more robust, involving all three branches of government and a thick web of statutes, executive orders, and internal regulations.  

Lawyers in the Executive Branch closely scrutinize intelligence programs, a range of congressional committees — including the two House and Senate Intelligence Committees — have jurisdiction over American spy agencies, and the courts are involved, too, including through a dedicated body, the Foreign Intelligence Surveillance Court.  

In Europe, by contrast, intelligence agencies still operate under a veil of secrecy that is now unthinkable in the U.S.  In the U.K., for example, Parliament did not have the right to oversee the operations of the U.K.’s intelligence services until a statutory change in 2013 (the U.S. House and Senate Intelligence Committees were created in the 1970s).  

And Mike Hayden, former Director of NSA and CIA, once quipped that German citizens probably know more about the NSA than they do about their own foreign intelligence agency, the BND.

After the Safe Harbor was struck down by the ECJ, the EU and U.S. negotiated a new agreement — the Privacy Shield — that allowed data to flow freely between the U.S. and Europe for companies that agreed to its terms.  

Lawmakers push for updated #SafeHarbor agreement http://t.co/WGdsWaG5E4

— Katie Bo Williams (@KatieBoWill) October 15, 2015

But the viability of that mechanism for transferring data, the lifeblood of the digital economy, depends in part on a series of representations that the Obama administration made about the oversight to which U.S. intelligence operations are subject.  

These oversight mechanisms include those established by Presidential Policy Directive-28 (PPD 28), a document adopted by President Obama in 2014 that clarifies and enhances some of the mechanisms governing U.S. collection of signals intelligence abroad.  

Any move to rescind PPD 28 could have a significant impact on the many American companies that rely on relatively unobstructed transfers of data across the Atlantic for their daily business operations.

Indeed, European officials are already on edge that President Trump may rescind privacy protections that were extended as part of the Privacy Shield agreement.  

Buried in the president’s Immigration Executive Order of Jan. 25, is a provision mandating federal agencies to withdraw protections afforded by the Privacy Act from non-U.S. persons — something that had been a key demand of the EU in the Privacy Shield negotiations.

European negotiators reacted to that provision with alarm, and while the executive order provision could not supersede the protections bargained for in the Privacy Shield (some of which are embodied in statutes), it set European leaders on edge.

The question should therefore be put sharply to Senator Coats:  Will he advise the president to conduct the business of intelligence in a way that respects the privacy interests of foreigners and protects the interests of American companies? Or will he abandon PPD 28 and other privacy protections, hindering the ability of American companies to thrive in a globalized world?

Zachary Goldman is Executive Director of the Center on Law and Security at NYU School of Law, where he teaches classes on national security law and policy, and an adjunct senior fellow at the Center for a New American Security.  He is the editor of “Global Intelligence Oversight:  Governing Security in the Twenty-First Century,” published last year by Oxford University Press.

The views of contributors are their own and not the views of The Hill.