US Private Sector Privacy Chapter 13 Civil Lit and Gov Invp2.pdf

Full Transcript

MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP 13.3.2 Statutes That Go Beyond Fourth Amendment Requirements A number of federal statutes affect law enforcement access to personal information. Some of the statutes placed additional requirements on law enforcement after the Supreme Court held that the Constitution did not require search warrants in the relevant circumstances. For instance, the Right to Financial Privacy Act of 1978 was passed after the Supreme Court held that the Fourth Amendment did not apply to checking accounts, and the Electronic Communications Privacy Act of 1986 was passed after the court held that it did not apply to telephone numbers called. 72 In these instances, Congress has required some legal process for law enforcement to access the records, but the requirements are not as strict as a probable cause warrant approved by a neutral magistrate. These two statutes are examples of disclosure to law enforcement that is prohibited unless the statutory requirements are met. Some law enforcement provisions permit, but do not require, companies to release personal information to law enforcement. HIPAA illustrates the sometimes-complex trade-offs between protecting confidentiality and providing information for law enforcement purposes. The general rule in HIPAA is that PHI may be disclosed to third parties, including law enforcement, only with optin consent from the patient. Unauthorized disclosures can lead to enforcement by HHS. Section 512(f), however, goes into considerable detail about precisely when disclosure to law enforcement is permitted. 73 Disclosure is permitted pursuant to a court order or grand jury subpoena, or through an administrative request, if three criteria are met: 1. The information sought is relevant and material to a legitimate law enforcement inquiry 2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought 3. Deidentified information could not reasonably be used Disclosure is also permitted in other specific instances, such as about a crime on the premises, about decedents in connection with a suspected crime, in emergencies, and about victims of a crime even in the absence of patient consent if a multifactor test is met. Limited information may in some instances also be released for identification and location purposes. As discussed at the beginning of the chapter, other statutes require the release of personal information to law enforcement. Companies thus can face multiple, potentially conflicting laws about when and how to disclose to law enforcement. HIPAA addresses this problem by saying that disclosure is permitted when it is “required by law,” even if a disclosure does not otherwise fit within the law enforcement or other exception. 74 13.3.3 The Wiretap Act, Electronic Communications Privacy Act, and Stored Communications Act From strictest to most permissive, federal law has different rules for (1) telephone monitoring and other tracking of oral communications, (2) privacy of electronic communications, and (3) video surveillance, for which there is little applicable law. Federal law is also generally stricter for realtime interception of a communication, as contrasted with retrieval of a stored record. In each area, states may have statutes that apply stricter rules. 75 Furthermore, monitoring that is offensive to a reasonable person can give rise to claims under state invasion of privacy or other common-law claims. 76 13 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP 13.3.3.1 Intercepting Communications Federal law is generally strict in prohibiting wiretaps of telephone calls. The Wiretap Act today derives from Title III of a 1968 anticrime law, and its rules are thus often called Title III requirements. 77 The law applies to “wire communications,” which includes a phone call or other aural communication made through a network. The law also applies to “oral communications,” such as hidden bugs or microphones, and defined as “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.” 78 The Electronic Communications Privacy Act (ECPA) extended the ban on interception to “electronic communications,” which essentially are communications, including emails, that are not wire or oral communications. 79 The exact rules for wire, oral and electronic communications vary. 80 Unless an exception applies, however, interception of these communications is a criminal offense and provides a private right of action. The prohibition on interception has a number of exceptions, each of which may have its own nuances requiring an expert to analyze. Under federal law, interception is permitted if a person is the party to the call or if one of the parties has given consent. 81 A number of states, however, have the stricter rule that all of the parties to the call must consent. 82 This all-party consent requirement is why customers often hear a message giving notice that a call is being recorded for quality assurance or other purposes. With the increase in businesses using video conferencing, privacy practitioners should be alert that video conferencing may fall within the protections of state laws that require all-party consent. 83 A second exception relevant to many companies concerns interception done in the ordinary course of business. 84 This exception can apply where the device used for the interception is “furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business.” 85 This language, for instance, supports the ability to intercept for an employer who provides the communication service, such as the company telephone or email service. To qualify for the exception, the interception itself must also be in the normal course of the user’s business. 86 Normal course of business here would apply to routine monitoring in a call center or scanning of company emails for viruses or other malware. By contrast, the employer listening to an employee’s purely personal call would risk running afoul of the wiretap laws. Courts have split on how broadly to define “ordinary course of business,” which is a reason that many employers rely instead on the consent exception for interception of telephone calls. 87 Note that the federal law is not preemptive, so if an organization is monitoring or recording calls, it runs the risk of violating the stricter law in the “all-party consent” states mentioned above—it should not rely on any of these exceptions outside the specific state. 88 13.3.3.2 Stored Communications The Stored Communications Act (SCA) was enacted as part of ECPA in 1986. 89 It creates a general prohibition against the unauthorized acquisition, alteration, or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided. 90 As for interceptions, violations can lead to criminal penalties or a civil lawsuit, so an expert in the SCA should generally be consulted before turning over such records in a law enforcement investigation. For monitoring within a company, the exceptions are simpler than for interceptions. The SCA has an exception for conduct authorized “by the person or 14 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP entity providing a wire or electronic communications service,” which will often be the company. 91 It also has an exception for conduct authorized “by a user of that service with respect to a communication of or intended for that use.” 92 In general, legal limits on interceptions are stricter than for access to stored records. It should also be noted that ECPA does not preempt stricter state privacy protections, and that state laws may protect email communications. For example, Delaware law prohibits employers from “monitor[ing] or otherwise intercept[ing] any telephone conversation or transmission, electronic mail or transmission, or internet access or usage” without prior written notice and daily electronic notice. 93 Similarly, Connecticut law requires that “each employer who engages in any type of electronic monitoring shall give prior written notice to all employees who may be affected, informing them of the types of monitoring which may occur. Each employer shall post, in a conspicuous place which is readily available for viewing by its employees, a notice concerning the types of electronic monitoring which the employer may engage in.” 94 13.3.3.3 Preservation Orders The SCA states that a provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. 95 In such instances, the company must have a technical ability to preserve those records. This is similar to “litigation holds” when a company must preserve records during civil litigation. 96 13.3.3.4 Pen Register and Trap-and-Trace Orders Traditionally, a pen register recorded the telephone numbers of outgoing calls, and a trap-andtrace device recorded the telephone numbers that called into a particular number. ECPA provided for pen register and trap-and-trace orders from a judge under the relatively lenient legal standard of “relevant to an ongoing investigation.” 97 The USA PATRIOT Act expanded the definitions beyond telephone numbers to include “dialing, routing, addressing, or signaling information” transmitted to or from a device or process. The USA FREEDOM Act set new rules for national security investigations, prohibiting the use of pen register and trap-and-trace orders for bulk collection and restricting their use to circumstances where there were specific selectors such as an email address or telephone number. 98 13.3.4 The Communications Assistance to Law Enforcement Act The U.S. Communications Assistance to Law Enforcement Act of 1994 (CALEA), sometimes referred to as the “Digital Telephony Bill,” lays out the duties of defined actors in the telecommunications industry to cooperate in the interception of communications for law enforcement and other needs relating to the security and safety of the public. 99 It notably requires “telecommunications carriers” to design their products and services to ensure that they can carry out a lawful order to provide government access to communications. The Federal Communications Commission (FCC) has implemented CALEA through various rule-making processes. 100 CALEA applies to telecommunications carriers, but not to other “information services.” As enacted, therefore, the law was interpreted not to apply to internet services. In 2004, however, the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA) petitioned to expand the interpretation of the scope of the legislation. In 2005, the FCC issued an order that providers of broadband internet access and voice- 15 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP over-internet protocol (VoIP) services were telecommunications services when they interconnect with traditional telephone services, and so they now operate under CALEA requirements. 101 13.3.5 Cybersecurity Information Sharing Act The Cybersecurity Information Sharing Act (CISA) became law in 2015. The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out. 102 Correspondingly, CISA encourages companies to voluntarily share information with the federal government, state and local governments, and other companies and private entities. Under the law, the company’s release of information about “cyberthreat indicators” and “defensive measures” receives certain protections. 103 These include limitations on liability, non-waiver of privileges, and exemption from FOIA disclosure. Participation by companies is voluntary. In addition, CISA authorizes companies to monitor and implement certain defensive measures on their information systems in an effort to counter cyberthreats. 104 The specific provisions of CISA include: Authorization for a company to share or receive “cyberthreat indicators” or “defensive measures.” Pursuant to CISA, a company is authorized to share with the federal government, state and local governments, and other companies and private entities “cyberthreat indicators” 105 and “defensive measures” for a “cybersecurity purpose” 106 or to receive such information from these entities. 107 Requirement for company to remove personal information before sharing. For sharing to qualify for protections under CISA, the company’s actions must be done in accordance with certain requirements. 108 For example, a company intending to share a “cyberthreat indicator” must first remove, or implement a “technical capacity” configured to remove, any information that is not directly related to a threat and that the company is aware at the time relates to a specific individual. 109 Sharing information with federal government does not waive privileges. Sharing information with the federal government does not waive privileges, such as attorney-client privilege. Importantly, there is no similar provision for sharing with state and local governments or other companies. 110 Shared information exempt from federal and state FOIA laws. Information shared pursuant to CISA is exempt from disclosure under FOIA as well as under any state or local provisions “requiring disclosure of information or records.” 111 Prohibition on government using shared information to regulate or take enforcement actions against lawful activities. Information shared under CISA “shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities related to monitoring, operating defensive measures, or sharing cyberthreat indicators.” The information may be used, however, to develop or implement new cybersecurity regulations. 112 Authorization for company’s monitoring and operating defensive measures. According to the act, a company is authorized to “monitor” and “operate defensive measures” on its own 16 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP information system—or, with written authorization, another party’s system—for cybersecurity purposes. 113 Protection from liability for monitoring activities. Under CISA, the company is protected from liability for its monitoring activities. Note, however, that there is no corresponding liability protection for operating defensive measures. 114 During the discussions prior to the passage of CISA, numerous privacy concerns were raised. 115 In part to address these concerns, the act requires the federal government to publish guidelines concerning the use and dissemination of shared information. 116 13.3.6 Right to Financial Privacy Act The special requirements of the Right to Financial Privacy Act (RFPA) of 1978 apply to disclosures by a variety of financial institutions, including banks, credit card companies, and consumer finance companies. 117 RFPA states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least one of these conditions: The customer authorizes access There is an appropriate administrative subpoena or summons There is a qualified search warrant There is an appropriate judicial subpoena There is an appropriate formal written request from an authorized government authority 118 By its terms, RFPA applies only to requests from federal agencies, although over a dozen states have similar requirements. 119 It applies to the financial records of individuals and partnerships of fewer than five people. With limited exceptions, customers must receive notice in advance of the government request for the records, and they have the right to challenge disclosure of such records. As with other privacy statutes, a number of important exceptions exist. Financial institutions that produce records under the RFPA are eligible for reimbursements for reasonably necessary costs. Penalties for violation can include actual damages to the customer, punitive damages, and attorney’s fees. 13.3.7 Media Records and the Privacy Protection Act The Privacy Protection Act of 1980 provides an extra layer of protection for members of the media and media organizations from government searches or seizures in the course of a criminal investigation. 120 PPA was passed in the wake of the 1978 Supreme Court case of Zurcher v. Stanford Daily. 121 In that case, police used a search warrant to look through a newspaper’s unpublished photographs of a demonstration. Lower courts found the search unlawful, saying that the government should have used less invasive methods than a full search of the newspaper’s premises. The Supreme Court, however, found that valid search warrants “may be used to search any property” where there is probable cause to believe that evidence of a crime will be found. Under PPA, government officials engaging in criminal investigations are not permitted to search or seize media work products or documentary materials “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public 17 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP communication.” In practice, rather than physically searching a newsroom, “the PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.” 122 PPA applies to government officers or employees at all levels of government. It applies only to criminal investigations, not to civil litigation. Several states provide additional protections. 123 Violation can lead to penalties of a minimum of $1,000, actual damages, and attorney’s fees. One important exception is if there is probable cause to believe that a reporter has committed or is in the process of committing a crime. This PPA exception does not apply if the member of the media’s only crime is possession, receipt or communication of the work product itself. Other exceptions exist, such as to prevent death or serious injury or where there is reason to believe documents will be destroyed or concealed if the materials were requested through a subpoena. 124 PPA was drafted to respond to police physical searches of traditional newspaper facilities. Going forward, courts may face claims that PPA is significantly broader, because disseminating “a public communication” may apply to blogs, other web publishing, and perhaps even social media. 125 13.3.8 Evidence Stored in a Different Country With the growth of cloud storage of records, including by web email and social network providers, evidence for a criminal case is more frequently held in a different country, a phenomenon that has been called “the globalization of criminal evidence.” 126 Prosecutors and companies thus face an increasing number of cases that raise the issue of whether the domestic rules for accessing evidence apply to communications and other records held abroad. This section discusses: (1) the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and (2) the Second Additional Protocol to the Budapest Convention. 13.3.8.1 The U.S. CLOUD Act The CLOUD Act, passed in 2018, marks a major change in how cross-border access to evidence may develop. Part 1 of the act addresses how the DOJ can access content of communications held by companies located in the United States Part 2 of the act creates a new mechanism for other countries to access the content of communications held by U.S. service providers 127 The first part of the CLOUD Act mooted the pending Supreme Court case of United States v. Microsoft. 128 The case gained national attention in 2016 when the federal appellate court in New York ruled that the SCA did not require the company to provide electronic evidence that was stored outside of the United States, meaning the warrant was not valid for the contents of an email account that Microsoft stored overseas. 129 In 2017, the DOJ appealed the case to the Supreme Court. In oral arguments before the Supreme Court in 2018, Microsoft argued that the U.S. warrant had no legal force because the emails being sought were stored outside the United States, in Ireland. The DOJ argued that Microsoft could access the data from within the United States, and thus the place where the data happened to be stored did not matter. 130 The first part of the CLOUD Act resolved this legal issue, providing that the kind of compelled disclosure orders at issue in the Microsoft Ireland case applies “regardless of whether such communication, record, or other information is located within or outside of the U.S.” 131 18 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP The second part of the CLOUD Act creates a new mechanism for other countries to access the content of communications held by U.S. service providers. This statutory mechanism is intended to address this major concern faced by foreign law enforcement. 132 As background, ECPA prohibits U.S. service providers from disclosing content of communications to law enforcement except through a warrant or an appropriate request through a mechanism such as a Mutual Legal Assistance Treaty (MLAT). 133 When foreign law enforcement submit a request to the Unites States via the MLAT process, the request needs to show “probable cause” (the U.S. legal standard)—despite the fact that the crime occurred outside the United States. This MLAT process has been an increasing source of frustration for many governments, particularly since so much cloud-based data is held by U.S.-based providers. The MLAT process takes an estimated 10 months (global average) for law enforcement to receive electronic evidence. 134 Where the U.S. and a foreign government sign an agreement pursuant to the second part of the CLOUD Act, foreign law enforcement would be able to go directly to service providers for communications content. The foreign government, specifically, can target communications of nonU.S. citizens and residents, without the need to use the MLAT process or to get approval from a U.S. judge that probable cause exists. 135 The CLOUD Act authorizes these executive agreements only for countries meeting human rights and rule of law requirements. Notably, an executive agreement must include designated safeguards both at the level of each individual request and at an institutional level. 136 As of the writing of this book, the U.S./UK Executive Agreement has entered into force. 137 The U.S. has also announced negotiations with Australia, Canada and the EU concerning possible CLOUD Act executive agreements. 138 13.8.1.2 The Second Additional Protocol to the Budapest Convention In 2004, the first international treaty to focus explicitly on cybercrime – the Council of Europe Convention on Cybercrime (“the Budapest Convention”) – entered into force. 139 The treaty mandated participating countries outlaw certain cybercrimes, enact evidence gathering rules, and cooperate with investigations across national borders. As of the writing of this book, more than 60 countries around the world have ratified this treaty – including the U.S. 140 The Second Additional Protocol to the Budapest Convention 141 was negotiated as a way to assist countries in dealing with the globalization of criminal evidence that had occurred in the nearly two decades since the Budapest Convention first went into effect. Although the details of the Second Additional Protocol are beyond the scope of this book, the topics addressed include: - Expedited production of subscriber information and traffic data by allowing an order from the requesting country to, in essence, be treated as an order in the country where the request is being sent; - Direct disclosure of subscriber information and domain name registration information by allowing law enforcement to make requests directly to a service provider in another country; and - Emergency requests by law enforcement for stored subscriber information, stored traffic data, and stored content in another country. The Second Additional Protocol also requires protections for personal data. These protections can be accomplished in several ways: a domestic law ensuring data protection, a binding agreement between the requesting party and the receiving country concerning law enforcement requests, 142 and even a non-binding agreement between the two countries. 143 19 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP The Second Additional Protocol opened for signatures of the parties to the original treaty in 2022. The U.S. is one of the countries that has signed this protocol. 144 13.4. National Security and the Role of Privacy Professionals Compared with the law enforcement issues discussed in the previous section, somewhat different rules and issues arise when the government seeks personal information for national security purposes. This section briefly explains the key differences. It then provides an overview of FISA as amended by the USA PATRIOT Act in 2001 and more recently by the 2015 USA FREEDOM Act. 145 As with the discussion above of ECPA, the discussion here does not delve into as many details of the law as would be needed by attorneys who work for the government or communications providers. Instead, the focus is on issues that can arise in a wide range of companies. Notably, any company can be faced with a request for records under Section 215 of the USA PATRIOT Act, and a significant range of companies can receive a National Security Letter (NSL). 13.4.1 Introduction to Debates About National Security Surveillance National security wiretaps and other national security searches create a fundamental constitutional question. Under Article II of the Constitution, defining executive powers, the president is commander-in-chief of the armed forces, and the Supreme Court has stated the president has “plenary” powers in foreign affairs. 146 On the other hand, Article III of the Constitution grants judicial power to the Supreme Court and lower courts. In 1967, in Katz v. United States, the Supreme Court underscored the importance of judges under the Fourth Amendment—wiretaps require a warrant signed by a neutral magistrate. 147 The ongoing and difficult question is where the president’s inherent authority leaves off and where judicial and legal limits on that authority apply. The decision in Katz stated that its warrant rules applied for ordinary wiretaps used for domestic law enforcement rather than national security. A few years later, the court expressed skepticism about a general exception for national security cases, in part out of concerns that the term national security was too vague and could extend too far. In the Keith case, the court specifically left undecided the extent of the president’s power to conduct wiretaps without warrants “with respect to the activities of foreign powers, within or without this country.” 148 In passing FISA in 1978, both supporters and critics of broad surveillance powers achieved important goals. Supporters of surveillance gained a statutory system that expressly authorized foreign intelligence wiretaps, lending the weight of congressional approval to surveillance that did not meet all the requirements of ordinary Fourth Amendment searches. Critics of surveillance institutionalized a series of checks and balances on the previously unfettered discretion of the president and the attorney general to conduct surveillance in the name of national security. The attacks of September 11, 2001 led to important changes to FISA, as part of the USA PATRIOT Act passed in the wake of attacks. Supporters of the changes emphasized the new types of national security threat posed by Al Qaeda and international terrorism. The original FISA statute was passed during the Cold War, when a major target of national security efforts was to track the activities of agents of the Soviet Union and its allied foreign nation states. For instance, foreign intelligence wiretaps could be used in connection with communications of the Soviet Embassy or people who worked there. By contrast, the war on terrorism after 2001 involved threats from hard-to-detect 20 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP individuals who had few or no links to foreign governments. Supporters of broader surveillance argued that foreign intelligence wiretaps should be used more often and with more flexible legal limits. The USA PATRIOT Act provided more of that flexibility. Over time, however, national security surveillance received a major new round of criticism. The New York Times and other newspapers published detailed stories that showed large numbers of national security wiretaps and access to stored communications records without judicial authorization. 149 Among other lawsuits, the largest telephone companies were sued for tens of billions of dollars under the SCA for their role in providing records to the government. 150 Other reports revealed that the number of NSLs for communications and other records was orders of magnitude higher than previously stated by the government. 151 In the wake of these disclosures, Congress considered FISA once again, notably in the FISA Amendment Act of 2008. 152 This statute gave legal authorization to some of the new surveillance practices, especially where one party to the communication is reasonably believed to be outside of the United States. It granted immunity to the telephone companies so they would not be liable for the records they had provided to the government in the wake of 9/11. The new rules also required more reporting from the government to Congress, and put limits on some of the secrecy about NSLs and other government requests for records in the national security realm. Additional public debate and reform proposals emerged after the revelations made by Edward Snowden, which began in June 2013. Snowden released tens of thousands of classified documents to media outlets, detailing government programs collecting massive amounts of information on both citizens and noncitizens. The revelations were met with mixed emotions, with some commentators calling him a patriot or whistleblower for his actions and others calling him a traitor. Whatever the judgment may be about the actions, it is clear that the Snowden revelations reinvigorated the discussion surrounding national security and information privacy. Beginning soon after June 2013, President Obama worked with two independent review efforts, staffed by people briefed at the TS/SCI level (Top Secret/Sensitive Compartmented Information), the highest level of security clearance. The President’s Review Group on Intelligence and Communications Technology (“Review Group”), including an author of this book, Peter Swire, made 46 recommendations in its late 2013 report. 153 When President Obama made his major speech on surveillance reform in January 2014, the Review Group was told that 70 percent of its recommendations were being adopted in letter or spirit. Others have been adopted since. The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency in the executive branch, released detailed reports on the Section 215 and Section 702 surveillance programs, making numerous recommendations. 154 Overall, PCLOB made 22 recommendations in its Sections 215 and 702 reports, and virtually all have been accepted and implemented. The Snowden revelations led to significant reforms in U.S. surveillance law and practices. These reforms included passage of the USA FREEDOM Act in 2015, which, among multiple provisions, ended bulk collection under the Section 215 program, and the Judicial Redress Act of 2016, which extends U.S. Privacy Act protections to certain non-U.S. persons. There have also been numerous administrative changes. 155 For privacy professionals, the history since the Snowden revelations illustrates the competing values that come into play when the government makes a national security request for personal information. Company employees, including privacy professionals, generally have a strong desire to help where possible with national security requests. On the other hand, as shown by negative 21 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP reactions to some surveillance activities post-Snowden, providing information too broadly can lead to legal, public relations, and civil liberties objections. Responding to national security requests is more complicated because U.S. privacy laws have varying scope and differing definitions for national security exceptions. For instance, HIPAA permits disclosure of PHI “to authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security” under the National Security Act. 156 GLBA has a privacy exception that is more vaguely worded, “for an investigation on a matter related to public safety.” 157 By contrast, COPPA and its implementing regulation make no mention of a national security exception. 158 Privacy professionals, IT professionals who provide access to records, and attorneys thus may need to do research in particular settings to determine what sorts of national security disclosures are permitted, for what sorts of records, and to which agencies. Debates about encryption provide another illustration of the tension between national security and law enforcement on the one hand, and civil liberties concerns and limits on lawful sharing of personal information on the other. 159 In the 2016 case of Apple v. FBI that garnered international attention, the FBI sought the assistance of Apple to gain access to the encrypted phone of one of the assailants in a high-profile shooting in San Bernardino. 160 The FBI obtained a court order requiring Apple to assist the government by creating a custom operating system that would disable key security features on the iPhone. 161 Apple filed a motion with the court asking it to reconsider its decision, expressing the company’s concern that complying with the order would result in building a back door into the encryption for all iPhones of that particular model phone. 162 On one side of this case, law enforcement sought information in a mass shooting, and they secured a warrant before proceeding. On the other side, a preeminent technology company warned that its compliance with the order could weaken the technology that protects privacy around the world. 163 The specific court case involving Apple ended when the FBI announced that it had gained access to the encrypted phone without the assistance of the company, but the debate about the government accessing encrypted data led to hearings and proposed legislation in Congress. 164 This debate has been framed by national security and law enforcement agencies as the “going dark” problem—the idea that encryption blinds the ability of officials to see evidence—while civil liberties experts have countered that the current environment is the “Golden Age of Surveillance, due to the explosive growth of personal data that is amassed in databases.” 165 13.4.2 Overview of the Foreign Intelligence Surveillance Act FISA establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the U.S. FISA orders can be issued when foreign intelligence gathering is “a significant purpose” of the investigation. 166 For law enforcement cases, court orders issue based on probable cause of a crime; FISA orders instead issue on probable cause that the party to be monitored is a “foreign power” or an “agent of a foreign power.” FISA orders issue from a special court of federal district court judges, the Foreign Intelligence Surveillance Court (FISC). Historically, only attorneys for the U.S. government appeared before the FISC. The USA FREEDOM Act created a group of independent experts in the area of privacy and civil liberties, called amicus curiae, to brief the FISC on novel or significant matters of law. 167 In addition to wiretap orders, FISA authorizes pen register and trap-and-trace orders (for phone numbers, email addresses, and other addressing and routing information) and orders for video surveillance. 22 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP Due to the secrecy of government surveillance of agents of foreign powers, entities that receive a FISA order to produce records generally cannot disclose the fact of the order to the targets of investigation. There is generally no disclosure after the fact to the target of a FISA wiretap as there is for law enforcement wiretaps. Nonetheless, there have been significant increases in transparency over time about FISA surveillance. Companies are now allowed to publish statistics about the number of FISA orders and NSLs they receive. 168 Under the USA FREEDOM Act, the government issues yearly transparency reports with more detail than previously, and the U.S. government has declassified a substantial number of orders from the FISA Court. 169 Over time, FISA orders have grown so that they outnumber traditional law enforcement wiretap orders. 170 The legal details of FISA can be important for communication providers, such as telephone companies and email services, but such issues arise much less often for most other companies. 171 13.4.3 Section 215 Orders Section 215 of the USA PATRIOT Act of 2001 received a great deal of public attention after documents released by Edward Snowden stated that the National Security Agency (NSA) had created a database containing a substantial fraction of call detail information for domestic U.S. telephone calls. The USA FREEDOM Act of 2015 ended bulk collection conducted under Section 215, requiring requests by government officials to be based upon specific selectors, such as a telephone number. 172 Section 215 expired when Congress failed to reauthorize it in 2020. 173 13.4.4 Section 702 Section 702 refers to a provision in the Foreign Intelligence Surveillance Act Amendments Act of 2008 (FISAA), which revised FISA. 174 Section 702 applies to collection of electronic communications that take place within the United States and only authorizes access to the communications of targeted individuals for listed foreign intelligence purposes. One legal question answered by Section 702 was how to govern foreign-to-foreign communications for interception of content that has been stored within the United States. This inquiry is important because communications between two non-U.S. persons is now often stored within the United States due to the growing use of U.S.based providers for webmail, social networks, and other services. The basic structure of Section 702 is that the FISC must annually approve certifications by the director of national intelligence and the attorney general setting the terms for Section 702 surveillance. 175 To target the communications of any person, the government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-U.S. citizen located outside of the United States. 176 Section 702 can provide access to the full contents of communications, not just metadata such as to/from information. The court annually reviews and must approve targeting criteria documenting how targeting of a particular person will lead to the acquisition of foreign intelligence information. 177 Two surveillance programs are authorized under Section 702: PRISM and Upstream. The PRISM program became famous when it was publicly named in one of the first stories based on the Snowden documents. 178 The operation of PRISM resembles data requests made in other settings to service providers. In PRISM collection, acting under a Section 702 court order, the government sends a judicially approved and judicially supervised directive requiring collection of certain “selectors,” such as an email address. The directive goes to a U.S.-based service provider. The company’s lawyers have the opportunity to challenge the government request. If there is no appeal 23 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP to the court, the provider is compelled to give the communications sent to or from that selector to the government. 179 In addition to PRISM, Section 702 supports intelligence collection commonly referred to as the Upstream program. Upstream targets internet-based communications as they pass through physical internet infrastructure located within the Unites States. 180 Upstream is designed to only acquire internet communications that contain a tasked selector. To do so, Upstream filters internet transactions that pass through the internet backbone to eliminate potential domestic transactions; these are then further screened to capture only transactions containing a tasked selector. Emails and other transactions that make it through the filters are stored for access by the NSA, while information that does not make it through the filters is never accessed by the NSA or anyone else. In 2018, Congress adopted several amendments to Section 702, including requirements for querying procedures consistent with the Fourth Amendment, restrictions on the use of information pertaining to U.S. persons in criminal proceedings, and congressional oversight of “about” collection. 181 Privacy practitioners should be alert for possible changes to Section 702 as Congress regularly reconsiders the details of this provision of FISA. 182 13.4.5 National Security Letters An NSL is a category of subpoena that, prior to the PATRIOT Act in 2001, was used narrowly, only for certain financial and communication records of an agent of a foreign power and only with approval of FBI headquarters. 183 The PATRIOT Act expanded use of NSLs. The number of NSLs rose to tens of thousands per year, with most involving the records of U.S. citizens. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies, and travel agencies. 184 As the use of NSLs grew after 2001, a series of reports by the inspector general of the DOJ criticized the lack of effective procedures for implementing rules governing NSLs and related investigatory tools. 185 As amended in 2006, NSLs can be issued by authorized officials, often the special agent in charge of an FBI field office. The precise language in the statutes varies, but NSLs generally can seek records relevant to protect against international terrorism or clandestine intelligence activities. NSLs can be issued without any judicial involvement. Under the 2006 amendments, however, recipients can petition to a federal court to modify or set aside an NSL if compliance would be unreasonable or oppressive. 186 The USA PATRIOT Act included strict rules against disclosing that an organization had received an NSL. After court decisions questioned this ban on disclosure on First and Fourth Amendment grounds, the 2006 amendments said that recipients are bound to confidentiality only if there is a finding by the requesting agency of interference with a criminal or counterterrorism investigation or for other listed purposes. 187 Recipients were allowed to disclose the request to those necessary to comply with the request and to an attorney for legal assistance. Recipients could also petition a court to modify or end the secrecy requirement. Breach of the confidentiality requirements, however, was treated as a serious offense, punishable by up to five years’ imprisonment and fines of up to $250,000 for an individual. 188 Reforms in the area of NSLs have focused on the indefinite secrecy previously imposed on companies who received these. In 2014, President Obama announced the indefinite secrecy would 24 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.