By Peter Machtiger
As governments around the world have rallied to respond to the COVID-19 pandemic, many have considered the use of surveillance tools to help monitor and curb transmission of the virus. Some countries, like China, have no qualms about using mass surveillance for this effort, while others, like several in the European Union, want to ensure that any digital tools used to map the spread of COVID-19 follow privacy standards that will protect personal data. While many of these conversations concern government surveillance of its own citizens, it is also worth considering how the pandemic may affect any existing restrictions on governments’ cross-border surveillance of foreign nationals.
Privacy Protections for Foreign Nationals Under PPD-28
One such restriction in the United States is Presidential Policy Directive 28 (PPD-28), which was published by President Barack Obama in January of 2014. This document, legally equivalent to an Executive Order, lays out a series of safeguards aimed at protecting the privacy interests of innocent foreign nationals whose communications are incidentally collected by American intelligence agencies in their surveillance of malicious foreign nationals that may pose a security threat. PPD-28, by extending certain privacy protections to foreign nationals that were previously reserved for U.S. citizens, was the first document of its kind among countries with significant signals intelligence (SIGINT) capabilities.
The document was partially a public affairs tool in the wake of the Snowden leaks, but it was also legally important after the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems I”) struck down the Safe Harbor agreement that facilitated the transfer of personal information from Europe to the U.S. When the EU Advocate General reviewed the subsequent Privacy Shield agreement in Schrems II, he expressed concern that PPD-28 was only a presidential directive (rather than legislation), but he suggested that bulk collection programs might be lawful if accompanied by these kinds of protections.
Might Those Protections be Erased in the Face of COVID-19?
PPD-28’s most significant protections included restrictions on signals intelligence collected in bulk, which was the most troubling form of surveillance to the CJEU in Schrems I. The bulk collection restriction provides only six permissible use-cases for SIGINT collected in bulk, including “detecting and countering” espionage, terrorism, weapons of mass destruction, cybersecurity threats, transnational criminal threats, and “threats to U.S. or allied Armed Forces or other U.S. or allied personnel.” Even if “personnel” is read narrowly to mean only government employees (although there is certainly an argument that it should be read more broadly), COVID-19 certainly poses a threat to “U.S. or allied personnel” in every country where the U.S. and its allies have diplomats, intelligence professionals, or other representatives, which includes most countries in the world. Thus, bulk collection would be permissible under PPD-28 to “detect and counter” COVID-19 in almost every country in the world. This would probably encompass an immense amount of data including location data, electronic health records, financial transaction information, and more.
PPD-28 was also significant for its application of retention and dissemination limitations on collected data equivalent to those protections afforded to U.S. persons. However, the COVID-related data described above, once collected, could likely be retained and disseminated throughout the government as “information needed to protect the safety of any persons,” one of the applicable standards under Executive Order 12333. If utilized, this end-run around the restrictions of PPD-28 would essentially render one of its most important provisions a dead letter.
What Might be the Implications if PPD-28 is Ineffective in Practice?
While privacy protections for foreign nationals might not register as important to many Americans, PPD-28 should also be viewed as a document that protects Americans in practice. Government officials have estimated that the communications and data of millions, or hundreds of millions, of Americans are collected under EO 12333. With the proliferation of cloud-based storage and third-party advertisements with trackers on websites, more and more U.S. person data is ending up on servers all over the world where it might be swept up by bulk SIGINT collection. This kind of overseas surveillance conducted under EO 12333 is not subject to judicial oversight like surveillance conducted under the Foreign Intelligence Surveillance Act, so PPD-28 and documents like it may play an essential role in protecting the privacy interests of Americans as well as foreign nationals.
It is possible that this kind of mass surveillance is somewhat self-regulating because information overload can be inimical to effective intelligence analysis. However, it is still essential to maintain oversight of surveillance programs that may implicate the constitutional privacy interests of Americans. As the COVID-19 pandemic brings conversations about mass surveillance and privacy to the fore, it might provide the necessary push to increase the capacity and independence of the Privacy and Civil Liberties Oversight Board, as originally envisioned by the 9/11 Commission, perhaps with mandatory reporting requirements to Congress. Increased oversight early in this crisis might help prevent the lasting erosion of privacy protections.
Peter Machtiger is a student at NYU School of Law, where he is a Student Scholar at the Reiss Center on Law and Security, Co-President of the National Security Law Society, and Contributing Editor for The Wagner Review. Prior to law school, he was an infantry officer in the United States Marine Corps. Peter has a BA from Harvard University in Government.