American vs. European surveillance: Analysis of differences in fundamental rights when using cloud services

Published: 13 February 2026   /   Updated: 13 February 2026
Category: Reports
Amerikansk vs europeisk övervakning: Analys av skillnader i rättighetsskyddet vid användning av molntjänster

Author: Arman Borghem, Regulatory and Compliance Advisor at Cleura

This is an English translation of the summary conclusions of the report Amerikansk vs europeisk övervakning: Analys av skillnader i rättighetsskyddet vid användning av molntjänster.

Summary conclusions

Both the United States and European countries conduct signals intelligence activities. This raises the question of whether there is any difference in terms of our fundamental rights when information is handled by a US cloud service provider compared to a European one. This report highlights significant differences in the protection of those rights between the two.

The report does not claim to be exhaustive. It addresses some fundamental aspects of the legal frameworks in the US and Europe, both for conducting signals intelligence activities and the rights affected by signals intelligence activities.

Collection whose main purpose is to investigate and prosecute crimes, as is the case under the CLOUD Act, is only addressed briefly. The report focuses on intelligence gathering, including through US cloud service providers, which is subject to a much vaguer regulatory framework and weaker legal certainty.

Two types of signals intelligence activities are discussed. One type of collection is carried out through interception via telecommunications companies and is conducted by, for example, the Swedish signals intelligence agency FRA and the US signals intelligence agency NSA. In the US, this is called upstream collection. It takes place in real time and can, for example, provide information about where traffic is coming from and where it is going. At the same time, such collection can face significant challenges and is not necessarily suitable for searching for specific information content in a flood of encrypted traffic.

The second type of collection referred to in the report is carried out through directives that require US cloud service providers to give US authorities access to information. In the United States, this is called downstream collection. In several ways, this appears to expand the possibilities for collecting information compared to upstream collection. Downstream collection appears to be more precise and comprehensive, can refer to previously stored data, and can normally be carried out without encryption posing an insurmountable obstacle. The vast majority of all internet communications that the NSA collects under FISA 702 are collected through downstream collection. Our understanding is that Swedish law does not allow the Swedish signals intelligence agency FRA to conduct such collection. Nor are we aware of any other EU country that has legislation with a similar focus and scope to that of the United States.

We also believe that the assumption should be that US surveillance legislation, such as FISA 702, is extraterritorial. This means that the legislation can be used to demand information processed by the EU subsidiary of a US cloud service provider, even on its servers in the EU.

The US constitutional right to privacy, in the Fourth Amendment, is waived or limited in several significant ways in the context of surveillance. The Fourth Amendment’s right to privacy does not, in principle, cover information that a person voluntarily transfers to a service provider. This has enabled US authorities to collect data on everything from bank transactions to who has called whom, without the Fourth Amendment applying.

The possibility of obtaining standing – meaning the right to pursue a case in court – in the United States in matters concerning signals intelligence is further limited by the requirement to demonstrate that surveillance of the complainant is certainly impending. Even if the complainant were to obtain standing, the authorities could have the case dismissed by invoking the principle of state secrets privilege. This is a US legal principle that can prevent evidence of surveillance from being considered in a case. State secrets privilege can even prevent judges from assessing evidence in private, without the complainant being given access to it.

Even if these obstacles were to be overcome, the Fourth Amendment’s right to privacy does not apply to non-US citizens outside the United States.

Cleura has analysed the European Commission’s adequacy decision, Executive Order 14086 and the Data Protection Review Court in the report What your organisation needs to know about the third adequacy decision. The report highlights several circumstances that suggest that these instruments – from an EU legal perspective – do not provide sufficient protection against the risk that US surveillance laws are abused. In addition, a number of circumstances are highlighted that suggest that individuals’ right to judicial review is not being met.

Regardless, we believe that US extraterritorial legislation essentially prevents businesses in the EU from using US cloud service providers (and their subsidiaries), even if they exclusively process personal data on servers in the EU. The reasons for this are explained in more detail in the aforementioned report.

The US situation can be compared with the protection of fundamental rights in Europe.

One of the EU’s values is the rule of law. The right to a fair trial is a fundamental requirement of the rule of law in EU law. Key fundamental rights such as the right to privacy, protection of personal data, the right to a fair trial and freedom of expression apply in the EU regardless of citizenship.

The Court of Justice of the European Union has also stated that authorities cannot invoke confidentiality to prevent the Court of Justice from accessing information. Access to all relevant information may be necessary to ensure the right to effective judicial protection. Although EU law does not cover the activities of Member States’ signals intelligence agencies themselves in relation to national security, it has nevertheless played a prominent role in the context of surveillance, including surveillance carried out on the initiative of the Member States themselves.

In several cases concerning the storage of traffic data by telecommunications operators, the Court of Justice of the European Union (CJEU) has emphasised that EU legislation restricting fundamental rights must be clear and precise, and not go beyond what is strictly necessary. Due to such shortcomings, the CJEU has declared the EU Data Retention Directive invalid.

All EU countries have also ratified the European Convention on Human Rights (ECHR), which requires acceptance of the rule of law. The ECHR covers not only the activities of private service providers but also those of signals intelligence agencies. The ECHR states that governments may not restrict the right to privacy except in accordance with the law and if it is necessary in a democratic society in the interests of a number of specified values, including national security.

The European Court of Human Rights has ruled on cases concerning signals intelligence legislation and the right to privacy without the complainant having to prove – or even appear to claim – that surveillance was directed specifically at the complainant.

It should be noted that the situation is far from perfect when it comes to European signals intelligence gathering. For example, the European Court of Human Rights reprimanded Sweden in three areas in the case Centrum för rättvisa v. Sweden. The dissenting opinions in the ruling suggest that there are further reasons to improve legislation, both in Sweden and in other European countries. At the same time, the case is one of several examples of how European law is actually present in the context of surveillance.

US and European law were created and developed under very different circumstances.

The Fourth Amendment to the US Constitution, which introduced a form of right to privacy, was adopted in 1791. This right has since been interpreted by the courts throughout history in a common law system.

This can be compared to EU law, whose current main treaty and charter were adopted in 2009, although its drafts are older than that. As for the Council of Europe, the organisation was formed in 1949 and the European Convention on Human Rights came into force in 1953.

Both the Council of Europe and what would become the European Union were founded against the backdrop of the legacy of the Second World War. The Union’s treaties and charter emphasise the rule of law, which is also explicitly mentioned in the preamble to the European Convention on Human Rights. Both the Court of Justice of the European Union and the European Court of Human Rights have emphasised the importance of the rule of law in rulings concerning signals intelligence.[1]

Above all, the difference between US and European law becomes clear in such a fundamental issue as the possibility for a complainant to have their case heard at all in a signals intelligence collection case. In the US, the complainant must be able to show that surveillance is certainly impending – an insurmountable hurdle in most cases, given the secret nature of surveillance. The European Court of Human Rights, on the other hand, has examined cases concerning signals intelligence without the complainant having demonstrated – or even seemingly claimed – that they are subject to surveillance.

In Europe, there is therefore a real possibility of challenging the powers of the state with regard to signals intelligence gathering relating to national security. In the US, this possibility is in practice severely curtailed or even non-existent.

To avoid exposing personal data to US legislation, which provides individuals with less protection than European law, we therefore draw the conclusion that a European cloud service provider is preferable to a US one.

In the report What your organisation needs to know about the third adequacy decision, we describe the EU rules that shall protect personal data in the EU from being disclosed under third-country legislation. We believe that these rules in principle prevent the use of US cloud service providers, due to what US intelligence legislation may require US cloud service providers to do.

References

  1. Judgment of the Court of Justice of the European Union in C-311/18 Schrems II, paragraph 187, from 2020, and judgment of the European Court of Human Rights in Centrum för rättvisa v. Sweden, paragraphs 246 and 373, from 2021.