By Peter Swire
Professor and Associate Director, Georgia Tech
Senior Counsel, Alston & Bird LLP
Any views expressed herein are not necessarily the views of CIPL nor Hunton Andrews Kurth LLP
Along with other contributors to this symposium, I have devoted much of my professional life to privacy protection. Throughout my quarter-century in the privacy field, one recurring issue has been what sorts of institutions can serve privacy, while also meeting the other goals that any society has. In the language of Article 8 of the European Convention on Human Rights, how might we best protect privacy while recognizing other interests that are “necessary in a democratic society”? The interests listed in Article 8 would seem vital to consider, whatever one’s view of politics or the just society. They are “national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
One conundrum is how close the privacy official should be to the other organs of government. If the privacy official (or institution) is entirely part of the executive branch, then the fear is that the other interests will overwhelm the privacy voice. On the other hand, if the privacy officials are entirely outside of government, then those officials may lack information or experience about what actually is “necessary in a democratic society.”
Under the European Charter of Fundamental Rights, “independence” is the principal answer. Compliance with data protection “shall be subject to control by an independent authority.” (Art. 8) In addition, for a claimed violation of rights, everyone is entitled to a hearing “by an independent and impartial tribunal.” (Art. 47)
There are compelling arguments to support such independence. Enforcement actions should be brought without favoritism. Judges should be impartial and not subject to political coercion. In addition, there is the often well-founded concern about agency “capture” – the concern that the regulated actors will gain too much influence over decisions of the regulators.
With that said, it is deeply educational for a privacy regulator to experience being subject to privacy requirements. While I served in the White House under President Clinton, we required each agency to have a privacy policy clearly posted on its website, and worked hard to ensure compliance. Then, at a Congressional hearing, the political opposition discovered one tiny agency that we frankly had never heard of. It lacked a privacy policy, and the headlines shouted that the government was breaking its own rules. Later, when drafting the U.S. medical and financial privacy rules, one priority was to consider which requirements could actually be implemented in practice.
“Insider” experience is especially important for national security and other topics that are not readily accessible to privacy generalists. In 2013, I served on the NSA Review Group, tasked by President Obama to recommend changes after the Snowden revelations. Two of the other members had terrific knowledge of actual practice, as former anti-terrorism advisor to the President and former Director of the CIA. As the privacy lead, I suggested numerous possible reforms. So did Geoffrey Stone, who had long been a leader of the American Civil Liberties Union. When we proposed something that the insiders said was workable, then we had far greater confidence that the reform would meet the multiple goals of a democratic society, including national security and also fundamental rights.
Based on these experiences, there is reason to be cautious if authoritative interpretations of rules about data are issued by actors whose sole or primary task is to seek stricter privacy protections, to the exclusion of other goals such as national security or economic growth. As the EU seeks its own answers on such challenging questions, two institutional approaches have relatively greater experience in valuing privacy as well as other concerns. The first are those agencies complying with the Law Enforcement Directive. Similar to my own time in government, government experts there are tasked to protect privacy while also being subject to privacy requirements. That insider perspective may suggest approaches that are both workable and privacy protective.
The European Court of Human Rights (ECtHR) is a second source of expertise. In contrast to the Court of Justice of the European Union, with its jurisdictional limits on national security, the ECtHR for decades has been tasked with protecting privacy as well as national security and other values. The ECtHR has continued to provide governments a “margin of appreciation” on national security issues, in part justified by the fact that the judges are not fully briefed on the actual dangers, and the possibility that such dangers to survival of the society may change quickly.
All of us in the privacy field seek wisdom in how to uphold fundamental privacy rights while also preserving the full range of democratic values. It is risky for decisions important for national security to be made by those who lack access to classified materials. It is also risky to let national security officials make these decisions unchecked. As all democracies face the challenge of governing data in a data-based society, I hope readers will consider what mix of insider knowledge and independence will serve us best.