The European Data Protection Board is working on its advisory opinion regarding the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework. We at Privacy Across Borders are working on our own analyses of how well the executive order at the core of that framework—Executive Order 14086—hits the targets of necessity, proportionality, and redress set out by the Schrems II case.
But first, it is important to place Executive Order 14086 within the larger context of U.S. national security law, which establishes a system of many layers with many players. Like the national security laws of many other democracies, this system consists of layers of rules and oversight, with a range of institutions and offices playing overlapping and complementary roles. In the case of the U.S., the result is both complex and comprehensive.
At the invitation of the American Bar Association’s Standing Committee on National Security Law, I have written a paper describing certain aspects of this system, titled Protecting Privacy and Promoting Transparency in a Time of Change: My Perspective after 14 Years as Civil Liberties Protection Officer. The longer version is posted here, and a shorter version will be published by the ABA as part of An Anthology: 60 Years of Transformation in National Security Law.
As I point out in the paper, in a democracy, the national security legal framework must simultaneously achieve two vital goals. It must enable, authorize, and empower government actors to protect the nation from foreign threats; and it must constrain, restrict, and control those actors to protect privacy and civil liberties. Both are equally important. Failing either means failing as a democracy.
Achieving these goals simultaneously is no easy task. To protect against threats, agencies not only need people, resources, and skill; they also need specialized legal authorities that enable them to conduct activities that can be highly intrusive on personal privacy. And they need the ability to do so in secret, to conceal their sources and methods from their adversaries, lest those adversaries change their behavior to avoid detection. A fully transparent intelligence service, after all, would be fully ineffective. At the same time, it is vital that our legal framework also constrain and control the exercise of those powers. In other words, our national security agencies must protect the nation from foreign threats, without themselves becoming a threat.
How well does the U.S. national security legal system accomplish these twin objectives? In the paper, I discuss in depth key elements that stand out in my mind as I look back on my time as the Civil Liberties Protection Officer for the Office of the Director of National Intelligence. Looking back, I see a resilient and flexible framework that sustained shocks to the system and adapted to change. I am proud of that framework and the role I played in it. It is not perfect, and stakeholders inside and outside of government must continue to seek improvement for an era of constant and rapid change. In the paper, I offer some suggestions for the future. Foremost among those is the need to invest in the institutions, people, and processes that make up this framework, to ensure that it is both robust and flexible enough to adapt continuously to change.