EU US PRIVACY SHIELD FRAMEWORK 3.2. Access and use by U.S. public authorities for law enforcement and public interest purposes

1. As regards interference with personal data transferred under the EU-U.S. Privacy Shield for law enforcement purposes, the U.S. government (through the Department of Justice) has provided assurance on the applicable limitations and safeguards which in the Commission’s assessment demonstrate an adequate level of protection.
2. According to this information, under the Fourth Amendment of the U.S. Constitution[1], searches and seizures by law enforcement authorities principally[2] require a court-ordered warrant upon a showing of ‘probable cause’. In the few specifically established and exceptional cases where the warrant requirement does not apply[3], law enforcement is subject to a ‘reasonableness’ test[4]. Whether a search or seizure is reasonable is ‘determined by assessing, on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests’[5]. More generally, the Fourth Amendment guarantees privacy, dignity, and protects against arbitrary and invasive acts by officers of the Government[6]. These concepts capture the idea of necessity and proportionality in Union law. Once law enforcement no longer has a need to use the seized items as evidence, they should be returned[7].
3. While the Fourth Amendment right does not extend to non-U.S. persons that are not resident in the United States, the latter nevertheless benefit indirectly from its protections, given that the personal data are held by U.S. companies with the effect that law enforcement authorities, in any event, have to seek judicial authorisation (or at least respect the reasonableness requirement)[8]. Further protections are provided by special statutory authorities, as well as the Department of Justice Guidelines, which limit law enforcement access to data on grounds equivalent to necessity and proportionality (e.g. by requiring that the FBI use the least intrusive investigative methods feasible, taking into account the effect on privacy and civil liberties)[9]. According to the representations made by the U.S. government, the same or higher protections apply to law enforcement investigations at State level (with respect to investigations carried out under State laws)[10].
4. Although a prior judicial authorisation by a court or grand jury (an investigating arm of the court impanelled by a judge or magistrate) is not required in all cases[11], administrative subpoenas are limited to specific cases and will be subject to independent judicial review at least where the government seeks enforcement in court[12].
5. The same applies to the use of administrative subpoenas for public interest purposes. In addition, according to the representations from the U.S. government, similar substantive limitations apply in that agencies may only seek access to data that is relevant to matters falling with their scope of authority and have to respect the standard of reasonableness.
6. Moreover, U.S. law provides for a number of judicial redress avenues for individuals, against a public authority or one of its officials, where these authorities process personal data. These avenues, which include in particular the Administrative Procedure Act (APA), the Freedom of Information Act (FOIA) and the Electronic Communications Privacy Act (ECPA), are open to all individuals irrespective of their nationality, subject to any applicable conditions.
7. Generally, under the judicial review provisions of the Administrative Procedure Act[13], ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review[14]. This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’[15].
8. More specifically, Title II of the Electronic Communications Privacy Act[16] sets forth a system of statutory privacy rights and as such governs law enforcement access to the contents of wire, oral or electronic communications stored by third-party service providers[17]. It criminalises the unlawful (i.e. not authorised by court or otherwise permissible) access to such communications and provides recourse for an affected individual to file a civil action in U.S. federal court for actual and punitive damages as well as equitable or declaratory relief against a government official that has wilfully committed such unlawful acts, or against the United States.
9. Also, under the Freedom of Information Act (FOIA, 5 U.S.C. § 552), any person has the right to obtain access to federal agency records and, upon exhaustion of administrative remedies, to enforce such right in court, except to the extent that such records are protected from public disclosure by an exemption or special law enforcement exclusion[18].
10. In addition, several other statutes afford individuals the right to bring suit against a U.S. public authority or official with respect to the processing of their personal data, such as the Wiretap Act[19], the Computer Fraud and Abuse Act[20], the Federal Torts Claim Act[21], the Right to Financial Privacy Act[22], and the Fair Credit Reporting Act[23].
11. The Commission therefore concludes that there are rules in place in the United States designed to limit any interference for law enforcement[24] or other public interest purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question, and that ensure effective legal protection against such interference.

[1] According to the Fourth Amendment, ‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’ Only (magistrate) judges may issue search warrants. Federal warrants for the copying of electronically stored information are further governed by Rule 41 of the Federal Rules of Criminal Procedure.

[2] Repeatedly, the Supreme Court has referred to searches without warrants as ‘exceptional’. See e.g. Johnson v United States, 333 U.S. 10, 14 (1948); McDonald v United States, 335 U.S. 451, 453 (1948); Camara v Municipal Court, 387 U.S. 523, 528-29 (1967); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 355 (1977). Likewise, the Supreme Court regularly stresses that ‘the most basic constitutional rule in this area is that searches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment-subject only to a few specifically established and well-delineated exceptions.’ See e.g. Coolidge v New Hampshire, 403 U.S. 443, 454-55 (1971); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 358 (1977).

[3] City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010).

[4] PCLOB, Sec. 215 Report, p. 107, referring to Maryland v King, 133 S. Ct. 1958, 1970 (2013).

[5] PCLOB, Sec. 215 Report, p. 107, referring to Samson v California, 547 U.S. 843, 848 (2006).

[6] City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010), 2627.

[7] See e.g. United States v Wilson, 540 F.2d 1100 (D.C. Cir. 1976).

[8] Cf. Roman Zakharov v Russia, Judgment of 4.12.2015 (Grand Chamber), Application No 47143/06, paragraph 269, according to which ‘the requirement to show an interception authorisation to the communications service provider before obtaining access to a person’s communications is one of the important safeguards against abuse by the law-enforcement authorities, ensuring that proper authorisation is obtained in all cases of interception.’

[9] DOJ Representations (Annex VII), p. 4 with further references.

[10] DOJ Representations (Annex VII), n. 2.

[11] According to the information the Commission has received, and leaving aside specific areas likely not relevant for data transfers under the EU-U.S. Privacy Shield (e.g. investigations into health care fraud, child abuse or controlled substances cases), this concerns mainly certain authorities under the Electronic Communications Privacy Act (ECPA), namely requests for basic subscriber, session and billing information (18 U.S.C. § 2703(c)(1), (2), e.g. address, type/length of service) and for the content of emails more than 180 days old (18 U.S.C. § 2703(a), (b)). In the latter case, however, the individual concerned has to be notified and thus has the opportunity to challenge the request in court. See also the overview in DOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Ch. 3: The Stored Communications Act, pp. 115-138.

[12] According to the representations by the U.S. government, recipients of administrative subpoenas may challenge them in court on the grounds that they are unreasonable, i.e. overboard, oppressive or burdensome. See DOJ Representations (Annex VII), p. 2.

[13] 5 U.S.C. § 702.

[14] Generally, only ‘final’ agency action — rather than ‘preliminary, procedural, or intermediate’ agency action — is subject to judicial review. See 5 U.S.C. § 704.

[15] 5 U.S.C. § 706(2)(A).

[16] 18 U.S.C. §§ 2701-2712.

[17] The ECPA protects communications held by two defined classes of network service providers, namely providers of: (i) electronic communication services, for instance, telephony or e-mail; (ii) remote computing services like computer storage or processing services.

[18] These exclusions are, however, framed. For example, according to 5 U.S.C. § 552 (b)(7), FOIA rights are ruled out for ‘records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information (A) could reasonably be expected to interfere with enforcement proceedings, (B) would deprive a person of a right to a fair trial or an impartial adjudication, (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy, (D) could reasonably be expected to disclose the identity of a confidential source, including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by criminal law enforcement authority in the course of a criminal investigation or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source, (E) would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions, if such disclosure could reasonably be expected to risk circumvention of the law, or (F) could reasonably be expected to endanger the life or physical safety of any individual.’ Also, ‘[w]henever a request is made which involves access to records [the production of which could reasonably be expected to interfere with enforcement proceedings] and– (A) the investigation or proceeding involves a possible violation of criminal law, and (B) there is reason to believe that (i) the subject of the investigation or proceeding is not aware of its pendency, and (ii) disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, the agency may, during only such time as that circumstance continues, treat the records as not subject to the requirements of this section.’ (5 U.S.C. § 552 (c)(1)).

[19] 18 U.S.C. §§ 2510 et seq. Under the Wiretap Act (18 U.S.C. § 2520), a person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used may bring a civil action for violation of the Wiretap Act, including under certain circumstances against an individual government official or the United States. For the collection of addressing and other non-content information (e.g. IP address, e-mail to/from address), see also the Pen Registers and Trap and Trace Devices chapter of Title 18 (18 U.S.C. §§ 3121-3127 and, for civil action, § 2707).

[20] 18 U.S.C. § 1030. Under the Computer Fraud and Abuse Act, a person may bring suit against any person with respect to intentional unauthorised access (or exceeding authorised access) to obtain information from a financial institution, a U.S. government computer system or other specified computers, including under certain circumstances against an individual government official.

[21] 28 U.S.C. §§ 2671 et seq. Under the Federal Tort Claims Act, a person may bring suit, under certain circumstances, against the United States with respect to ‘the negligent or wrongful act or omission of any employee of the Government while acting within the scope of his office or employment.’

[22] 12 U.S.C. §§ 3401 et seq. Under the Right to Financial Privacy Act, a person may bring suit, under certain circumstances, against the United States with respect to the obtaining or disclosing of protected financial records in violation of the statute. Government access to protected financial records is generally prohibited unless the government makes the request subject to a lawful subpoena or search warrant or, subject to limitations, a formal written request and the individual whose information is sought receives notice of such a request.

[23] 15 U.S.C. §§ 1681-1681x. Under the Fair Credit Reporting Act, a person may bring suit against any person who fails to comply with requirements (in particular the need for lawful authorisation) regarding the collection, dissemination and use of consumer credit reports, or, under certain circumstances, against a government agency.

[24] The Court of Justice has recognised that law enforcement constitutes a legitimate policy objective. See Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 42. See also Article 8(2) ECHR and the judgment by the European Court of Human Rights in Weber and Saravia v Germany, Application no. 54934/00, paragraph 104.