The views expressed in this product are the author’s and do not imply endorsement by the Office of the Director of National Intelligence or any other U.S. Government agency.
As we witness Russia’s invasion of Ukraine and the world’s response, I am reminded once again that what unites democracies is so much stronger than what divides us. Our common beliefs, values, and commitments shine clearly across the miles and oceans that lie between us. Yet it can be so easy to lose sight of those commonalities and become distracted by what seem now to be minor differences.
For much of the past decade, I have been trying to find ways to bridge the gap between U.S. and European Union approaches to balancing national security and privacy. This work kicked into high gear when the Snowden disclosures in 2013 triggered intense concerns about the U.S. national security legal framework. At the time, I was the senior-most civil liberties and privacy officer in the Intelligence Community, a position I had held since 2005. Although I had seen periods of intense criticism before, the crisis of confidence the IC faced in 2013 was unlike anything in my experience.
With my colleagues across the IC, I worked hard to explain to Americans as well as to our friends abroad—particularly those in Europe—how our legal framework worked to enable intelligence agencies to carry out vital national security functions while at the same time constraining those agencies to protect privacy and civil liberties. As proud as we were of our framework, we knew more could be done. We learned important lessons in that period and implemented critical changes to earn back the trust that is so essential to the IC’s ability to carry out its national security mission. President Obama issued a presidential directive requiring intelligence agencies to extend key protections to all individuals, regardless of nationality, in the conduct of U.S. signals intelligence activities. Congress amended national security statutes to prohibit bulk collection. And the IC launched an unprecedented and unequaled transparency campaign that continues stronger than ever.
Yet these changes were deemed insufficient by the European Union’s top court. In 2020, the Court of Justice of the European Union (CJEU) struck down the “Privacy Shield” arrangement I had helped put in place to enable transatlantic data to flow in a manner that, we believed, met European Union data protection standards. The CJEU ruled that U.S. protections were not “essentially equivalent” to those required by EU law. In doing so, the court applied privacy standards to the U.S. national security legal framework that, by foundational EU law, do not apply to how EU member states—such as Germany, France, and Poland—regulate their own national security activities. This ruling imperils the ongoing viability of transatlantic data flows. Data protection enforcement authorities in the EU are already taking action to prohibit use of certain U.S. technology services. Meta is the tech company that faces the most imminent broad-scale enforcement action and has warned that it may not be able to offer services such as Facebook and Instagram in the EU as a result. Similar enforcement actions against other tech companies are likely to soon follow.
I am now out of government but am continuing to search for ways to bridge the gap between the U.S. and European Union on how the balance between security and privacy should be struck. Throughout my many years working on this challenge, I have always felt that the differences between the U.S. and Europe, while real, are comparatively minor when one focuses on how democracies act to both protect the security of the nation and the freedoms of its people. In short, I have felt that in many ways, the approaches democracies take to maintaining this balance are, in essence, equivalent.
Russia’s invasion of an independent, sovereign nation and the world’s response, make this feeling all the stronger. Here are some takeaways as I reflect on the implications of what we are witnessing:
- The threats are real. Russia’s invasion reminds us that the national security capabilities of our countries are there for a reason, and that unprovoked military aggression can have devastating consequences for millions of people. We cannot expect Putin to be honest and transparent about his intentions; we must, therefore, rely on intelligence services to collect and analyze information that will inform key decisions and protect people’s lives and freedoms.
- We need effective intelligence. Gaining insight into adversary plans, intentions, and operations is vital, as is understanding what is happening on the ground in Ukraine. Relevant information is hidden not only in exclusive military communications channels but can also be intermingled with everyone’s data. For example, kinetic attacks are accompanied by cyber warfare and disinformation campaigns that are carried out over the networks we all use. Using that information to protect democracies on both sides of the Atlantic is vital for our collective security.
- Bearing witness through social media. Russia has invaded Ukraine, and the world is watching in real-time. Courageous war correspondents are on the scene as always, but this time we can all see for ourselves the powerful images and video that the people directly involved are uploading as events unfold. This shared experience has galvanized the global response and united the world with unpreceded speed and power.
- Tech companies play a vital role. Tech companies do not win popularity contests, and their services raise serious risks that we must address, but it has been their platforms and technologies that have enabled us to bear witness to what is happening in Ukraine, and that connect Ukrainians with friends, family, and supporters outside the country. At the same time, the data they collect, in the wrong hands and used for the wrong purposes, could cause great harm.
- The transatlantic alliance is key. The invasion reminds us of the critical importance of a strong and vibrant NATO. NATO stands for the North Atlantic Treaty Organization—it is an alliance that is based on the proposition that the Atlantic Ocean will not divide democracies from coming together to protect themselves from the hostile actions of autocratic adversaries.
Striking the right balance between security and privacy is no easy task, and it is made even more difficult given the rapid pace of change, from the technologies we use to the threats we face. Protecting the security of democratic nations and the privacy and freedoms of individuals are both fundamentally important goals. As challenging as these goals are, they are at the heart of what democratic governments must do.
In my time working on this issue both in and out of government, I have been struck by how many different paths democracies take in pursuit of these dual goals. These paths are forged by each country’s unique culture, legal tradition, and history, and by its policy priorities, perception of threat, and location in the world. Yet notwithstanding their differences, what democracies share is fundamental: respecting individual rights and freedoms, protecting the integrity of democratic institutions, keeping our people safe, and operating under the rule of law.
Work continues to bridge the gap created by those different paths to a common goal. Progress is urgently needed as EU enforcement authorities are poised to take action that could dramatically disrupt transatlantic data flows, with hard-to-predict effects on relationships that are more important than ever. In the end, I am optimistic that as like-minded democracies, we will find a way to clarify in our legal frameworks what I believe to be a fundamental truth: We are essentially equivalent.