Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform

8/20/2019 Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform

1/22

TRANSATLANTIC DIGITAL DIALOGUE

Rebuilding Trust through Cooperative Reform


2/22

CC BY-SA 2015 Te German Marshall Fund o the United States/stifung neue verantwortung

Tis paper is subject to a Creative Commons license (CC BY-SA). Te redistribution, publication, transormation or transla-

tion o publications which are marked with the license “CC BY-SA,” including any derivative products, is permitted under

the conditions “Attribution” and “Share Alike.” More details on the licensing terms can be ound here: http://creativecom-

mons.org/licenses/by-sa/4.0/

Please direct inquiries to:

Te German Marshall Fund o the United States

1744 R Street, NW

Washington, DC 20009

1 202 683 2650

F 1 202 265 1662

E [email protected]

Te ransatlantic Digital Dialogue was supported by a grant rom the German Federal Foreign Office.

Tis publication can be downloaded or ree at http://www.gmus.org/listings/research/type/publication.

Te views expressed in GMF publications and commentary are the views o the author alone.

About GMF

Te German Marshall Fund o the United States (GMF) strengthens transatlantic cooperation on regional, national, and

global challenges and opportunities in the spirit o the Marshall Plan. GMF contributes research and analysis and convenes

leaders on transatlantic issues relevant to policymakers. GMF offers rising leaders opportunities to develop their skills and

networks through transatlantic exchange, and supports civil society in the Balkans and Black Sea regions by ostering demo-

cratic initiatives, rule o law, and regional cooperation. Founded in 1972 as a non-partisan, non-profit organization through

a gif rom Germany as a permanent memorial to Marshall Plan assistance, GMF maintains a strong presence on both sides

o the Atlantic. In addition to its headquarters in Washington, DC, GMF has offices in Berlin, Paris, Brussels, Belgrade,

Ankara, Bucharest, and Warsaw. GMF also has smaller representations in Bratislava, urin, and Stockholm.

About stiftung neue verantwortung

Te stifung neue verantwortung (snv) is a Berlin-based non-profit think tank that brings together expert ise rom politics,research institutions, NGOs and businesses in order to oster the development, discourse, and publication o non-par-

tisan policy proposals to address current political debates. Te policy research at snv is organized around three central

themes: Digitalization, Energy and Resources, as well as the Future o Government. Te snv produces analysis, publishes

policy recommendations, and builds inter-sectoral coalitions. Te goal is to combine the knowledge and experience o

governmental, business, academic, and civil-society stakeholders in order to inorm and co-create policy solutions. Te

independent approach o the snv is made possible by a mix o unding rom non-profit oundations, public institutions, and

businesses as well as oversight by a diverse and representative board o directors.

mailto:info%40gmfus.org?subject=http://www.gmfus.org/listings/research/type/publicationhttp://www.gmfus.org/listings/research/type/publicationmailto:info%40gmfus.org?subject=


3/22

T D D

R T C R

N

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Framework of Deliberation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Oversight and Transparency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Extraterritorial Access to Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Cyber-Security Cooperation and Strong Encryption. . . . . . . . . . . . . . . . . . . . . 16

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20


4/22

T G M F U S2

E S

The Transatlantic Digital Dialogue is a multi-stakeholder working group of experts fromGermany and the United States. It was

assembled and stewarded by the Stiftung NeueVerantwortung and the German Marshall Fundof the United States to develop a constructiveagenda for the modernization of privacy/securitypolicy that begins to address the global debate overdigital surveillance.1 The findings presented hereare rooted in three convictions shared by all of theparticipants in the project: 1) that transatlanticrelationships have weakened as a result of the

fractious and inconclusive debate between the EUand the U.S. over surveillance practices; 2) thata multinational modernization of a rights-basedframework for privacy and security policy is neededto address these challenges; and 3) that solutionsshould be aligned with principles of human rights,responsive to the complex political economy ofsurveillance policy, and premised on commoninterests and values.

The Transatlantic Digital Dialogue presents thisreport as a framework of analysis for re-building

trust and democratic legitimacy in the transatlanticrelationship in cyberspace. The agenda we presenthere offers three areas of policy recommendationswith clear opportunities for reform. In some cases,the primary objective is a bilateral or multilateralagreement on international standards of practice.In some cases, the focus is more specifically onharmonizing domestic law around a commonframework.

1) Oversight and Transparency — In orderto restore trust and legitimacy to the law

1 Participants are listed in the appendix of this report. Allof the participants in this working group contributed ideas,analysis, and intense deliberation to this process. This reportis a summary of the discussion and conclusions of the workinggroup sessions prepared by rapporteurs in the hosting institu-tions. However, participation by a company, institution orindividual in the working group does not imply endorsement ofany particular proposal or statement in this report.

governing surveillance practices in all securityservices, standards for authorization, oversightand transparency need to be modernized. Inthis area, the U.S. government has publishedseveral expert reviews and enacted practicalreforms that could serve as the baseline for anew framework for both sides of the Atlantic.Most important here are new restrictionson the scope of authorized data collection,transparency in decision-making, and strongerindependent review. To inform what newelements a transatlantic framework might

include, we conclude that reform proposalsunder consideration in the German Parliamentwould represent groundbreaking stepstoward strengthening democratic oversight.At the center of this proposal are a majorexpansion in the judicial review of surveillanceauthorization and greatly increased capacityfor oversight bodies. These initiatives on bothsides of the Atlantic call for a greater exchangeof ideas and could position Germany and theU.S. as global leaders in the development ofnew international standards for oversight and

transparency.

2) Extraterritorial Access to Data — Nationallaws and international agreements regulatinggovernment access to commercial data, such asMutual Legal Assistance Treaties, have failedto adapt effectively to technology developmenton the Internet. As the recent EU court rulingon data exchange with the U.S. shows, there aredivergent views on the alignment of law andtechnology. Consequently, there is an urgentneed to resolve conflicting national laws by

developing common rules among countries forhow law enforcement practices in one nationwill apply to the data of citizens from othernations. Both government and businessesneed a clear framework for how to handlerequests for legitimate access to user data.


5/22

T D D 3

And citizens deserve to know how and whenthe law is applied. The existing agreements onlaw enforcement cooperation — including theBudapest Convention on Cybercrime, the EUsystem for law enforcement coordination, andthe newly signed U.S./EU Umbrella Agreement— could provide a useful foundation for thisprocess of harmonizing policy. However,both sides must agree to modernize standardsfor which laws will apply when, how, and towhom.

3) Cyber-Security and Strong Encryption — Boththe United States and European Union sharean interest in establishing stronger frameworksfor collaboration in cyber-security to protectcritical infrastructure and data assets fromcyber-attack and espionage. Technologistsargue that strong cryptography is crucial toprotect communications from digital assailantswith increasing sophistication. Thus manyexperts in the U.S. and Germany regard strongencryption as a central element of cyber-security. The German government in particular

has made commitments to strong encryptionthat — if adopted by the United States — couldserve as the trust anchors for the cooperativedevelopment of new transatlantic systems ofsecure communications. We conclude that acommon position on strong encryption createsthe basis for more collaboration on a variety ofissues from security certification standards tothreat intelligence to protection against cyber-crime and industrial espionage.

Taken as a package of issues, there is a symmetry ofcorresponding strengths and weaknesses betweenthe two countries. A focused bilateral engagementcould seek to set standards based on the strengthsof each side and in so doing raise the quality ofpolicy for both as well as establish a model forother nations to follow in their own modernizationefforts. The bilateral engagement between theUnited States and Germany is a test case in thisregard for the possibility of broader agreement atthe EU level (both within the EU and between theEU and the United States).

The discussion and recommendations providedhere reflect the views of the working group thatrestoring trust in transatlantic digital practice willrequire policies drawn from principles of humanrights, civil liberties, security, and the rule of law.Moreover, we emphasize that the controversy oversecurity and privacy policy has strong economiccomponents as well — with costly consequencesfor both the United States and the EU if theyremain unresolved. Although we expect there willlong remain areas of disagreement between the

United States and Germany (as well as the broaderEuropean Union), these will be vastly outweighedby common values and common interests. Themore constructive the policy engagement andcooperation we can build in the areas where weagree, the more likely it is we will be able to addressthose areas where we do not.

The discussion and

recommendations

provided here refle

the views of the wo

group that restoring

trust in transatlant

digital practice willrequire policies dra

from principles of

human rights, civil

liberties, security, a

the rule of law.


6/22

T G M F U S4

In the course of the debate over rights, liberties,and security in the two years since the Snowdendisclosures, public opinion and national politics

in Europe and the United States have been sharplydivided. While the initial outrage over U.S.surveillance activities in Europe has largely passed,it is clear that the breach of trust will pose anenduring challenge for transatlantic cooperation.The relationship rests on decades of close alignmentand partnership, but in cyberspace this allianceis now fraught with concerns that will not easilybe resolved. These concerns are about the U.S.

surveillance practices that continue (relativelyunabated) despite the political debate; but they arealso about the consequences of Europe’s response tothose practices. In some ways, the current challengesreflect a broader strategic and historical context inwhich the United States has taken a more offensiveapproach to cyber-capabilities while the EU hasfocused on strengthening its internal security.

The central political issue is the expectation of dataprivacy rights and an apparent divergence of valuesover the rights-based limits on surveillance for

security purposes. This is not only about the scaleof data collection enabled by modern technology,it is also about the norms of legitimacy and theenforcement of laws governing surveillance. Thesecritiques are directed at governments in the EUas well as in the United States, particularly asthe extent of transatlantic cooperation betweensecurity services becomes more evident. The gapbetween the growing power of digital technologyand the inadequacy of existing laws to contain ithas emerged as a common theme on both sides ofthe Atlantic. However, the size and scope of U.S.

capabilities revealed in the Snowden documentsfocuses most of the attention on Washington.

This debate has led to a variety of proposals inEurope to push back on U.S. surveillance. Severalof these have fostered a second set of concernsshared by both U.S. and EU stakeholders. Some

of the policy responses contemplated in Europeancapitals would decisively change the marketsfor transnational data flow, the architectures ofdistributed computing, and the legal regimes thatgovern them within and between countries. Forexample, the recent decision from the EuropeanCourt of Justice invalidates existing agreementsfor transatlantic data flow and demandsmodernization.2 This ruling creates renewedurgency for negotiating new agreements andrevisiting a discussion about norms. Embeddedin any such reform process are high-level

disagreements over the application of internationallaw, violations of sovereignty, and the appropriatecriteria to legitimize surveillance as necessaryand proportionate in democratic nations. Boththe critique of current surveillance practicesand the proposed reactions to them boil downto deep concerns about how the laws governingsurveillance on one side of the Atlantic will treatthe rights of citizens on the other.

Despite the intensity of the debate, the mostsignificant reforms of U.S. surveillance practice

enacted in the last two years have not directlyaddressed the core issues in the dispute with theEU. However, neither the EU or any member stateshave taken major countermeasures against theUnited States — though this may change in thewake of the court decision on transatlantic dataflows. Meanwhile, the impact of the distrust is feltin market distortions and in an increasingly cynicalpublic opinion. The most recent TransatlanticTrends survey of the German Marshall Fundreported a “cooling” relationship between Germanyand the United States since 2013. From 2013 to

2014 the approval rating of President Obamain Germany fell by 20%. At the same time, theshare of German respondents who called for a

2 Court of Justice of the European Union. Case C-362/14. Maximillian Schrems v Data Protection Commissioner. October6, 2015.

F D

1

The central political

ssue is the expectation

of data privacy rights

and an apparent

divergence of values

over the rights-based

limits on surveillancefor security purposes.

This is not only about

the scale of data

collection enabled by

modern technology, it

s also about the norms

of legitimacy and the

enforcement of laws

governing surveillance.


7/22

T D D 5

The United States a

Europe need to reb

a common strategy

for the Internet — a

harmonization of fo

policy through para

domestic policy chaQuiet acquiescence

to the status quo w

not suffice to realig

interests and bridg

the divides that hav

opened in the last t

years. The United S

and the EU will ben

from a resolution

both politically and

economically.

more independent approach in the transatlanticrelationship rose from 40% to 57%.3 And whilethe transatlantic alliance proceeds with business asusual in many respects, the signs of fracture overdata policy appear consistently — for examplein the public debate over the Transatlantic Tradeand Investment Partnership.4 The lack of interestin Washington and the impotence of Europeto produce a viable reform agenda deepens anormative pessimism about the Internet that willbe difficult to reverse, if it remains unaddressed.Organized efforts within civil society and business

on both sides of the Atlantic have begun seekingchange in the courts and in market practice —as well as before legislatures. Meanwhile, thediscussions between governments on surveillancepolicy have gone relatively quiet.

The United States and Europe need to reboota common strategy for the Internet — aharmonization of foreign policy through paralleldomestic policy change. Quiet acquiescence tothe status quo will not suffice to realign interestsand bridge the divides that have opened in the

last two years. The United States and the EU willbenefit from a resolution both politically andeconomically. But conversely, political leaders onboth sides are wary of the political risks involvedand the consequences of trying and failing. Thisproject seeks to assemble the voices of civil society,academia, and business from the United States andGermany to serve as a catalyst for this necessaryengagement. We intend here to set an agenda of

3 German Marshall Fund of the United States. 2014. “Transat-lantic Trends: Key Findings 2014.” p23-24. http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdf

4 Jeremy Fleming. 2013. “TTIP: Data is the elephant in theroom.” EurActiv. http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654 ; EuropeanParliament. 2015. “TTIP: Trade agreements must not under-mine EU data protection laws, say Civil Liberties MEPs.” CivilLiberties Committee. http://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPs

constructive policy recommendations that unite theUnited States and the EU around common interestswhile achieving reform of data privacy/securitypolicy.

We start from the premise that modernizingdata policy for the digital age must begin withthe human rights and civil liberties that embodyour democratic values. These principles must beapplied in practice in ways that support securityinterests without being eclipsed by them. Hereinlies the essence of democratic legitimacy — the

assurance that the power of the state will be applied judiciously, with transparent adherence to the law,and within the constraints of liberal social values.Further, we recognize that the practice of securitypolicy in the digital age necessarily implicateseconomics. The owners of most digital networksand the controllers of most of the world’s data areprivate companies. And sustaining the growth ofdigital commerce (which requires restoring trustin secure communications) is a strong transatlanticinterest, joined as we are by a multi-national supplychain and networked global markets.

The stakes of these debates are therefore veryhigh — testing our commitments to democraticprinciples, public safety, and economic prosperity.These challenges will not be solved quickly — andthey will not be solved by governments alone.We believe the inclusion of multi-stakeholderparticipants in these dialogues and a transparentprocess of deliberation will give governmentsimpetus to act, strengthen the quality of proposedsolutions, and achieve that which has eluded usfor over two years — progress toward common

goals. Therefore, we present this analysis and policyagenda with the intention to initiate a reformprocess around the three major issues of oversight/transparency, extraterritorial access to data, andcyber-security and encryption, which combinepolitical, economic, and social interests at thecenter of the transatlantic relationship.

http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.europarl.europa.eu/news/en/news-room/content/20150330IPR39308/html/TTIP-Trade-agreements-must-not-undermine-EU-data-protection-laws-say-MEPshttp://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://www.euractiv.com/specialreport-eu-us-trade-talks/ttip-data-elephant-room-news-530654http://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdfhttp://trends.gmfus.org/files/2012/09/Trends_2014_complete.pdf


8/22

T G M F U S6

In both the European

Union and the United

States, there are

structural weaknesses

in the legal systems

for authorization and

review of surveillancepractices because the

laws and institutions

established to govern

these powers predate

the advent of digital

technology. Technical

expertise is often in

hort supply; resources

are insufficient to

provide for meaningful

accountability; andansparency is avoided

in pursuit of efficacy

and secrecy.

Summary

Germany and the United States should usethe work of this Dialogue as a startingpoint to develop best practices regarding

the structure and methods of oversight andtransparency. These policies hold security agenciesto the standards, criteria, and procedures underwhich domestic laws authorize surveillance andrestrict the operation of such programs. Oversightand control over the application of “digital power”are critical for restoring legitimacy in the publiceye. In both the European Union and the United

States, there are structural weaknesses in the legalsystems for authorization and review of surveillancepractices because the laws and institutionsestablished to govern these powers predate theadvent of digital technology. Technical expertiseis often in short supply; resources are insufficientto provide for meaningful accountability; andtransparency is avoided in pursuit of efficacy andsecrecy.

The most significant public policy reforms inthe post-Snowden era have been initial steps to

address these problems. We find that contraryto popular representation, U.S. laws on oversightof surveillance contains myriad constraints onthe security services. And while they may beconsidered modest in impact, they are morecomprehensive than similar laws in Germany.Further, the Obama administration has expandedthese oversight provisions to tighten restrictionson authorization and operation of surveillancepractices as well as to increase transparency. Noneof these reforms has yet been pursued in Europe.However, the German government is debating a setof procedural reforms that would set a new globalstandard for democratic oversight of surveillanceprograms.5 We conclude that these efforts represent

5 Georg Mascolo. 2015. “Dem BND droht eine Revolution.”Süddeutsche Zeitung . http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411

an alignment of interests and should function asa basis of further modernization and subsequentharmonization of law governing surveillancepractices across all security services — includingintelligence agencies.

Discussion

Pragmatic discussions over domestic legal reformin both the United States and Germany havefocused on issues of standards, oversight, andtransparency of digital surveillance programs.Among the commitments in Presidential Policy

Directive 28 (the Obama administration’s formalresponse to the Snowden debate), the White Houseordered U.S. intelligence agencies to improvestandards of transparency, internal oversight andaccountability.6 The White House Review Group7 and the Privacy and Civil Liberties OversightBoard8 have been only the most prominent ofnumerous expert inquiries offering sharp critiqueand practical recommendations for reform onprocedural issues. These reforms are also corecomponents of the USA Freedom Act — thelegislation signed into law by U.S. President BarackObama in June 2015.9 For example, the USAFreedom Act creates a panel of experts on privacy,civil liberties, and technology to offer consultationand guidance to the FISA Court (the panel of

judicial review for surveillance authorized by theForeign Intelligence Surveillance Act). The new law

6 The White House. 2014. “Presidential Policy Directive —Signals Intelligence Activities.” https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities

7 The White House. 2013. “President Obama’s Meeting with the

Review Group on Intelligence and Communications Technolo-gies.” https://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-t

8 Privacy and Civil Liberties Oversight Board. https://www.pclob.gov/about-us.html

9 USA Freedom Act. H.R. 2048. http://judiciary.house.gov/index.cfm/usa-freedom-act

O T

2

http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.pclob.gov/about-us.htmlhttps://www.pclob.gov/about-us.htmlhttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttp://judiciary.house.gov/index.cfm/usa-freedom-acthttps://www.pclob.gov/about-us.htmlhttps://www.pclob.gov/about-us.htmlhttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2013/12/18/president-obama-s-meeting-review-group-intelligence-and-communications-thttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttps://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activitieshttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411


9/22

T D D 7

requires the declassification of FISA Court opinionsthat contain novel interpretations of law, includingthe defined scope of search terms. These proceduralreforms are important and could serve as a modelfor parallel efforts in Europe.

In Germany, oversight and transparency are centralthemes in the debate over surveillance. Ironically,the German parliamentary investigation into theNational Security Agency (NSA) has uncoveredlittle new information about the NSA, but agreat deal about the cooperation of the German

intelligence agency (BND) with the NSA. Manyof the critiques leveled at BND practices focuson oversight and accountability. Warnings aboutthe inadequacy of the oversight mechanisms inGermany have come directly from the members(past and current) of the oversight bodies (G10Commission and Parliamentary Control).10 Inaddition, prominent legal scholars and former

judges have concluded that the application ofsurveillance policies on non-citizens is likelyunconstitutional.11 Finally, scrutiny of thecooperation between the BND and the NSA

(now a central issue in the German debate) isfundamentally concerned with whether theseprograms were properly authorized and reviewed.12 At issue is the legitimacy of surveillance programsthat operate with the imprimatur — but not thereality — of informed and competent oversight.

10 Berthold Huber. 2013. “Die strategische Rasterfahndung desBundesnachrichtendienstes – Eingriffsbefugnisse und Rege-lungsdefizite.” Neue Juristische Wochenschrift 2013. p. 2572

11

Matthias Bäcker. 2014. “Erhebung, Bevorratung und Über-mittlung von Telekommunikationsdaten durch die Nach-richtendienste des Bundes.” Stellungnahme zur Anhörung desNSA-Untersuchungsausschusses am 22. Mai 2014. https://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdf

12 Stefan Wagstyl. 2015. “Revelations of role in spying on alliesturn tables on Berlin.” Financial Times Europe. http://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.html

In the last months, the German governmenthas begun a serious debate about whether totake steps to set the world’s highest standard ofsurveillance oversight.13 In response to the workof the Inquiry Committee, the Social DemocraticParty (the coalition partner of the ruling ChristianDemocrats in the current government) publisheda policy paper outlining a reform agenda.14 Central elements of the proposal focus on a broadexpansion of the capacity in the authorization andoversight of BND surveillance. Some parliamentaryleaders have called for quasi-judicial review of

all surveillance programs, including the foreign-to-foreign communications that do not currentlyrequire external authorization. Increased oversightand transparency is seen as a direct path back tolegitimacy. Thus far, these efforts have not resultedin a legislative draft, but that is expected eitherlater this year or in 2016. Representatives fromboth parties in the coalition government are stillnegotiating main components of the reform. Theyhave already agreed to strengthen parliamentaryoversight. The parliamentary oversight committeewill be supported by a commissioner with staff

consisting of legal, data protection, and technicalexperts who will be responsible for examiningany aspect of the work of the intelligence agencieson behalf of the parliament. Other issues suchas a broader application of constitutionalprivacy protections and higher standards for theauthorization and review of surveillance programsare more controversial and still hotly debated.

Recommendation

The similarities between the German and U.S.

systems of legal authorization for surveillance —

13 Georg Mascolo. 2015. “Dem Bundesnachrichtendienst drohteine Revolution.” Süddeutsche Zeitung. http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411

14 SPD-Bundestagsfraktion. 2015. “Rechtsstaat wahren – Sicher-heit gewährleisten!.” http://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdf

https://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.spdfraktion.de/sites/default/files/2015-06-16-eckpunkte_reform_strafma-r-endfassung.pdfhttp://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.sueddeutsche.de/politik/bundesnachrichtendienst-unter-freunden-1.2679411http://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttp://www.ft.com/cms/s/0/3bf16734-fd5d-11e4-b072-00144feabdc0.htmlhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdfhttps://www.bundestag.de/blob/280844/35ec929cf03c4f60bc70fc8ef404c5cc/mat_a_sv-2-3-pdf-data.pdf


10/22

T G M F U S8

The similarities

between the German

and U.S. systems of

legal authorization for

surveillance — and the

rallels in the oversight

structure — open anopportunity for working

on common types

of reform proposals.

Drawing from the ideas

and actions of the

Obama administration

as well as the current

debate in the German

parliament, the options

n the table are already

very significant.

and the parallels in the oversight structure — openan opportunity for working on common types ofreform proposals. Drawing from the ideas andactions of the Obama administration as well asthe current debate in the German parliament, theoptions on the table are already very significant.The two governments should explore a variety ofproposals for the improvement of oversight as ameans to limit surveillance and to reestablish publiclegitimacy. These could include:

• Governments should publish an official

interpretation of legal authority underspecific statutes to authorize specific typesof surveillance. This should include alist of the delimited purposes for whichsurveillance is authorized. It should identifythe procedural/operational restrictions onauthorized surveillance programs. And itshould clarify the requirements for reportingto oversight bodies, the rights/duties of thoseoversight bodies, and the mechanisms forcorrecting noncompliant practices. Even if thispublication represents no change to existing

practices, the act of codification is beneficialbecause it establishes an opportunity for publicevaluation.

• The institutions of authorization and oversightof surveillance programs should receivesubstantial increases in the size of staff andbudget allocations. In particular, decision-makers should have access to technologists,attorneys, and analysts (with appropriatesecurity clearances) sufficient to evaluate fullythe claims made by the requesting agency

concerning the necessity and proportionality ofa particular surveillance operation.

• Governments should create/enhancemechanisms for permanent, independentoversight. These might include examples suchas the Privacy and Civil Liberties Oversight

Board in the United States or the commissionerfor the oversight of security services proposedin Germany. The professionalization andmaintenance of oversight activities that informpolicy decisions will support evolving reformover time.

• Authorization and oversight proceedingsshould include adversarial counsel so thatdecision-makers may hear views independentof those offered by the government.

• Governments should set and implement public

standards for the publication of all non-classified elements of authorizing decisions andoversight reports — including the numbersof errors in the minimization process. Inparticular, all novel interpretations of law inthe authorizing process should be availablefor public review (with appropriate redactionsfor sources and methods). Elements of thesestandards were codified in the USA FreedomAct.15

• Governments should require regular public

reporting by all public agencies (and stronglyencourage the practice in the private sector)about the number, type, and purpose ofinterception requests, the number of people/communications affected, as well as the criteriacited to authorize surveillance.

• Governments should have explicit andpublished restrictions/rules on intelligenceacquisition from foreign agencies in order torespect national laws. Raw intelligence may notbe accepted from a partner country that would

have been illegal to gather at home, and vice versa.

15 USA FREEDOM Act of 2015. TITLE VI: FISA Transparencyand Reporting Requirements. Section 602.


11/22

T D D 9

• Governments should define public standardsfor the rights of non-citizens subjected tosurveillance programs. Ideally these standardsshould be identical to those offered to citizens.However, if there is differentiation, that shouldbe explicit in the law.

• Governments should establish an effectiveform of judicial (or quasi-judicial) review ofall surveillance requests evaluated against thesame rights-based standard and interpreted onnecessary/proportionate criteria.

• Governments of allied countries that shareintelligence and defense resources shouldinitiate inter-parliamentary dialogue betweenoversight committees of surveillance programs.These exchanges should be designed to sharebest practices and to anticipate emergingproblems.

If a number of these policies were implemented bycountries on both sides of the Atlantic, this wouldrepresent a major reform of surveillance policy.It would also mark significant progress towardaddressing the issue of adequate fundamental rightsprotections identified in the ECJ decision on SafeHarbor. What we propose here is that the startingpoint for bilateral engagement is to identify abaseline of practices that already exist in at least onecountry, engage directly on common incrementalreforms, and contemplate a path forward tosystematic change and harmonization of standards

for authorization, oversight, and transparency.


12/22

T G M F U S10

The problem of access

data is a fundamental

one for U.S.- EU

economic relations.

Firms on both sides of

the Atlantic routinely

share data withincorporate subsidiaries,

to vendors, suppliers,

and customers.

Moreover, in modern

cloud computing

architectures, data

may not be exclusively

stored in one location

— but rather in many

locations.

Summary

Germany and the United States shouldexplore a bilateral (or multilateral)framework to regulate governmental access

to extraterritorial commercial data for legitimatelaw enforcement purposes.16 This frameworkshould first seek to address two problems.

The first is Europe’s concern that U.S. lawenforcement may access the data of Europeancitizens (even when on servers located in Europe)by presenting a U.S. company with a lawful order.

The criteria for this warrant are a matter of U.S. law.Notification (much less preauthorization) to theEuropean government is not required. The resultis often a conflict between national laws that putsthe data-holding company in a difficult positionand triggers calls for the localization of data storageand routing. The central question here is how toharmonize the laws from different countries thatgovern the legitimate interception or retrievalof data associated with a particular end user,originating from a particular location, regardinga national or transnational law enforcement

investigation.

The second problem is in some ways the reverse ofthe first. EU law enforcement authorities seekingaccess to the data held by U.S. firms (on servers inthe United States) must proceed through MLATs(Mutual Legal Assistance Treaties). These require aprocess of coordination with U.S. law enforcementto reach the data-holding company. The critique

16 In this section, we are explicitly excluding the governance ofsignals intelligence (SIGINT) collection from this recommenda-tion. This not because the problem does not apply to SIGINT.However, intelligence agencies are governed by different legalregimes in this respect. And we conclude nations are unlikelyin the near term to reach bilateral or multilateral agreementon transparent standards for data privacy restrictions appliedto extraterritorial access to data by intelligence services. Bycontrast, law enforcement cooperation has a clear precedent.However, we strongly encourage the United States and Germany(and other nations) to discuss a similar type of agreement withrespect to SIGINT through appropriate channels.

of this system is that it is far too slow andoverwhelmed by the quantity of requests. This leadto pressure for data localization and a short circuitof the MLAT process by companies that in theoryshould require an MLAT proceeding (because datais stored abroad) but in practice do not. Substantialreforms to the MLAT process — or its replacement— will be required to resolve the problem.

The rules governing national law enforcementagencies’ access to the data of foreign citizensrequire urgent reform. Both government and

businesses need a clear framework for how tohandle requests for legitimate access to user data.And citizens deserve to know how and whenthe law is applied. The following questions areat the center of the reform effort. What are thecircumstances under which transnational data isdetermined to be subject to the national law ofone country versus another? What laws apply todata that is stored outside of the jurisdiction ofgovernments that seek access to it? When and howshould law enforcement agencies be permitted toaccess the data of foreigners? What are the criteria

deemed legitimate to grant that access?

The problem is a fundamental one for U.S.-EU economic relations. Firms on both sidesof the Atlantic routinely share data withincorporate subsidiaries, to vendors, suppliers, andcustomers. Moreover, in modern cloud computingarchitectures, data may not be exclusively storedin one location — but rather in many locations.For many companies, it is no longer accurate orrelevant to discuss a single location for particulardata as the trigger for engagement of a specific

national legal regime. As these technologiesdevelop further, it will become more and moreurgent to define a common legal regime betweencountries. Otherwise, we should expect to see thenationalization of cloud infrastructures to optimizefor security interests at the expense of technical

E A D

3


13/22

T D D 11

innovation, commercial efficiency, and the freeflow of information.

To avoid this balkanization of the Internetinfrastructure, nations will require a functional setof standards to govern extra-territorial access todata. We find that the EU has an existing systemof law enforcement coordination that — whileimperfect and in need of improvement— couldserve as a baseline for transatlantic reform. Inaddition, the Budapest Convention on Cybercrimeoffers a decade of cooperation in related practices.

Furthermore, the recently signed “UmbrellaAgreement” — setting the terms for US and EUlaw enforcement data exchanges — offers anotheravenue to develop constructive, harmonizingreforms.17 However, there remains much work tobe done.

Discussion

We are now experiencing an international legal,commercial, and moral dispute over whether andhow global IT companies must respond to the legalrequests from one government for data stored in

an international location and/or belonging to aninternational customer. The debate has two keyelements — 1) clarity/legitimacy in the laws thatapply; and 2) effective procedure for the transparentimplementation and enforcement of the law.

The problem of legitimacy in the laws that apply toextraterritorial data access begins with asymmetryin the global digital market of data storageand processing. The simple fact is that a smallnumber of American companies control a vastlydisproportionate quantity of global data than any

other nation. As a result, the U.S. government has

17 European Commission. 2015. “Agreement between TheUnited States of America and The European Union on theprotection of personal information relating to the prevention,investigation, detection, and prosecution of criminal offenses.”http://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdf

access to much of this data through lawful courtorders issued to these U.S. companies. U.S. courtshave also held that US companies are compelled toprovide data to law enforcement even if it is storedabroad, provided they have technical access to it.This requirement holds irrespective of whetherdoing so violates the law of the country in whichthe data is stored and absent any notification ofthe foreign law enforcement authorities. (Thisinterpretation of the law is currently beingchallenged.18 And some argue that companiescan evade this requirement by structuring foreign

operations as independent subsidiaries.19) Thisasymmetric access of U.S. law enforcement to thedata of foreigners is seen by other countries as achallenge to their sovereignty and a violation ofdomestic law. They have no role in the compulsionof data that belongs to their own citizens; they haveno influence over the criteria used to judge the lawenforcement purpose for the data request; and theyhave no recourse in U.S. courts.

The implications of these circumstances wereamplified in the public eye by the Snowden

disclosures. The consequent debate fueled apush to reach an agreement — at least on the lawenforcement issues, if not the intelligence agencies— between the EU and the United States to settlesome of the issues involved. The result was theso-called Umbrella Agreement. This agreementoffers a new baseline of transatlantic rules andexpectations for law enforcement access to data.However, it only applies standards of privacy

18 This interpretation of the law is currently being challengedby Microsoft in a high profile case in the United States Courtof Appeals for the Second Circuit, see: Alex Ely. 2015. “Second

Circuit Oral Argument in the Microsoft-Ireland Case: An Over- view.” Lawfare. https://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overview

19 For an interesting analysis of this question of separatelegal entities, see: Orin Kerr. 2015. “Does it matter who winsthe Microsoft Ireland warrant case?” The Washington Post. https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/

The debate over

access to data held

by companies has

two key elements:

clarity/legitimacy in

the laws that apply

and effective procefor the transparent

implementation an

enforcement of the

http://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/07/23/does-it-matter-who-wins-the-microsoft-ireland-warrant-case/https://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttps://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overviewhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdfhttp://ec.europa.eu/justice/data-protection/files/dp-umbrella-agreement_en.pdf


14/22

T G M F U S12

protection to data exchanged between U.S. andEU law enforcement authorities; and it does notfocus on the reach of U.S. warrants to foreign data

via U.S. companies. Further, recent legal analysesof the Umbrella Agreement have presented astrong critique that the new rules do not meetEU standards of data protection.20 The need toaddress this gap has been highlighted by the recentEuropean Court of Justice decision that effectivelyinvalidates the Safe Harbor agreement governingcommercial data exchange with the United States.The ruling emphasizes that data transfers between

the EU and the US can only occur if U.S. law meetsthe EU standards of protection of fundamentalrights.

To be clear, the violations of rights cited by theCourt involve a mix of laws and practices in theUnited States that the judges found insufficient.These include both law enforcement access to dataand surveillance by national security agencies.We expect that the issues of law enforcement andintelligence agency data collection will be addressedseparately. However, a common framework for

law enforcement access to data (governing dataexchanged between agencies as well as foreign dataacquired via a domestic company) would constitutea significant step forward. We do not underestimatethe significance of the challenge to achieve evenmodest progress. According to a recent legalanalysis prepared for the European Parliament,even if the U.S. government were to give Europeansthe privacy protections granted to US citizens, thesewould still be insufficient to meet EU standards.21

20 Douwe Korff. 2015. “EU-US Umbrella Data Protection

Agreement : Detailed analysis by Douwe Korff.” European Areaof Freedom Security & Justice http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/

21 Franziska Boehm. 2015. A Comparison Betwen US and EUData Protection Legislation for Law Enforcement , Preparedfor the LIBE Committee, European Parliament, http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

Harmonizing transatlantic data protection rulesis a complex enterprise because it involves theinteraction of laws that apply to commercialentities, law enforcement agencies, and intelligenceservices. The system established by the U.S. andEU for commercial data protection rules — SafeHarbor — essentially came undone before theCourt because of the methods of U.S. governmentaccess to commercial data. Under Safe Harbor, U.S.companies that do business in the EU can transferdata of European citizens to the U.S. for storage andprocessing, if they certify compliance with the Safe

Harbor agreement. The Safe Harbor rules catalogthe measures of privacy and security protectionthat must be provided for commercial data in theU.S. in order to meet EU standards. However, theSafe Harbor framework grants primacy for nationalsecurity, public interest, or law enforcementrequirements over the Safe Harbor principles. TheCourt of Justice of the EU ruled that such generalexemptions are invalid as they provide no adequateprotection of the fundamental rights of EU citizensfrom the U.S. government.

At the center of the Court’s arguments aboutthe violation of European rights are surveillancepractices (revealed in the Snowden documents)conducted by U.S. national security agencies forintelligence collection purposes. However, theCourt also cites problems with the rules governinglaw enforcement access to data. Though related,of course, these can be treated as separatelyaddressable problems. For the purposes of therecommendations in this paper, we will set asidethe SIGINT issues — even as we recognize theirimportance — and focus on the rules governing law

enforcement access. With regard to the operationof their intelligence agencies, it seems questionablewhether all members of the EU would meet thestandards laid out by the Court with respect toother member states. A comprehensive resolutionof the problem would require a multilateral

Harmonizing

transatlantic data

protection rules is a

complex enterprise

because it involves

the interaction of

laws that apply toommercial entities, law

enforcement agencies,

and intelligence

services. The system

established by the U.S.

and EU for commercial

data protection

rules — Safe Harbor

— essentially came

done before the Court

ecause of the methodsof U.S. government

access to commercial

data.

http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdfhttp://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/http://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/


15/22

T D D 13

agreement on rules for data collection andprocessing for national security purposes. Such anagreement requiring changes to domestic securitypolicy does not seem feasible in the short term.However, a starting point would be the rules of theroad governing extraterritorial access to data andthe coordination of international law enforcement.

When it comes to the process of internationallaw enforcement coordination, there is a longhistory with respect to accessing internationalcommunications data as a part of an investigation.

In the telephone era, law enforcement data requestswith targets outside the legal jurisdiction of anation were coordinated through Mutual LegalAssistance Treaties (MLATs). In the Internet era,technology has changed faster than the law. Thescale of data requests by law enforcement hasexpanded dramatically, and the traditional MLATprocess is easily overwhelmed. These channelstend to be slow, intransparent, and cumbersomefor all parties involved. In their current form,MLAT procedures are no longer viable instrumentsto coordinate law enforcement across borders.

However, the function they were designed to serveis perhaps more relevant than ever before. And ifit were reformed into an effective regime for lawenforcement coordination, such a solution couldhelp solve for the problem of extraterritorial accessto data in this context by establishing commonrules.

Recommendations

The objective of government engagement on theseissues should be to establish a path to resolve at abilateral (and ultimately multilateral) level how lawenforcement requests for extraterritorial privatesector data should be treated under the law. Asuccessful transatlantic solution could establish acommon policy to address these underlying issues.

Governments must coordinate and set commonpolicies to determine how the law applies

in circumstances with conflicting laws. Thealternative (currently the status quo) is placingprivate sector companies in the position to decidefor themselves which laws to honor and whichto violate. This is poor policy, undemocratic, andunsustainable. This conflict should not be left toIT companies to adjudicate. Instead, it needs to beaddressed and resolved on an inter-governmentallevel to restore legitimacy and trust. In part, thisproblem must be solved through coordination and

notification among governments. But, it will likelyalso require a harmonization of national standardsand criteria for when law enforcement access todata is deemed legitimate under the law. Oneapproach is represented in the LEADS Act— a billintroduced in the U.S. Senate that would permitU.S. law enforcement to reach content outsidethe United States (with a lawful warrant) only ifthe data is in an account held by a “U.S. person”(defined as a U.S. citizen or permanent resident).22 If the account is held by a non-US person, the USlaw enforcement agency would have to comply with

the laws of the country where the data resides viaan MLAT (the bill also provides for streamliningthat procedure from the US side). There are verylegitimate concerns about the bill, and it will likelyundergo significant change if and when it movesthrough the Congress.23 However, its introductionhighlights support for a solution in Washingtonfrom a bipartisan group of lawmakers and a host ofbusiness and civil society interests.24

22 Law Enforcement Access to Data Stored Abroad Act. S.512.https://www.congress.gov/bill/114th-congress/senate-bill/512

23 See, for example: Greg Nojeim. 2014. “LEADS Act ExtendsImportant Privacy Protections, Raises Concerns.” Center forDemocracy and Technology. https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/

24 Grant Gross. 2015. “Lawmakers introduce two bills to protectemail privacy.” Computerworld. http://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.html

In the Internet era,

technology has cha

faster than the law

scale of data reque

by law enforcemen

expanded dramatic

and the traditionalMutual Legal Assis

Treaties process is

easily overwhelmed

These channels ten

be slow, intranspar

and cumbersome f

parties involved.

https://www.congress.gov/bill/114th-congress/senate-bill/512https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/http://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttp://www.computerworld.com/article/2884018/lawmakers-introduce-two-bills-to-protect-email-privacy.htmlhttps://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://cdt.org/blog/leads-act-extends-important-privacy-protections-raises-concerns/https://www.congress.gov/bill/114th-congress/senate-bill/512


16/22

T G M F U S14

Governments must coordinate on amodernization (or the replacement) of MLATs.An obvious starting point is the current systemthat exists among EU countries. Currently,law enforcement agencies across the EU are(relatively) efficiently coordinated when it comesto extraterritorial data access. This is donethrough different mechanisms, including theEuropean Judicial Network, which establishespoints of contact for law enforcement that facilitateinvestigation and prosecution of criminal activitiesacross the member states.25 Another important

institution is Eurojust — which actively coordinatesthe exchange of information between memberstate law enforcement systems.26 Eurojust alreadycoordinates with the United States, and this systemshould be examined for ways in which the existingcooperation might be extended between theUnited States and the European Union to addressmore specifically the data access and privacyissues. The goal should be accelerating the processof legitimate data request and retrieval acrossborders while maintaining common standardsof privacy protection. The Budapest Convention

on Cybercrime offers another model of existingcooperative agreement to examine and build upon.

Governments should build on the U.S.-EU

“Umbrella Agreement” for the protection of data

shared between EU and US law enforcement

agencies. This agreement — completed inSeptember 2015 — establishes rules of the roadfor how law enforcement agencies will handledata transferred to them during the course ofa transatlantic criminal investigation.27 Theserules include limits on how the data may be used,

25 European Judicial Network (EJN). http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2#

26 History of Eurojust. http://www.eurojust.europa.eu/about/background/Pages/History.aspx

27 European Commission. 2015. “Questions and Answers on theEU-US data protection ‘Umbrella agreement’.” http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm

restrictions on data transfer and retention, rights toaccess/verify/correct data, notification of securitybreaches, and judicial redress for citizens of theEU in U.S.courts if data is mishandled. This rightof legal redress already exists for U.S. citizens inEU courts. In order for EU citizens to enjoy thisright in U.S. courts, Congress must pass legislationknown as the Judicial Redress Act.28 This billremains pending in the U.S. Senate (after passage inthe House of Representatives); it has the support ofboth business and civil society stakeholders.29

Taken together, these recommendations (either atthe bilateral or multilateral level) would establisha set of mutually granted privacy rights amongnations, offer certainty to both companies andconsumers in the market, and set clear rules andexpectations among law enforcement agenciesabout which laws apply in different circumstances.As a concluding note, we emphasize here that thisanalysis and recommendations deal only withthe question of law enforcement access to data,rather than intelligence agencies. But that does notmean that such reforms would be irrelevant for

signals intelligence. With policy changes vis-a- vis law enforcement, we are resetting norms andexpectations across a sector of security servicesthat will alter practices that have carry-over effectsto intelligence agencies over time. Further, westrongly encourage governments to have bilateralreform efforts along similar lines to deal withextraterritorial data access outside of the lawenforcement context.

28

Judicial Redress Act. H.R.1428. https://www.congress.gov/bill/114th-congress/house-bill/1428

29 Open letter from the Information Technology IndustryCouncil to the Judiciary Committee in support of the JudicialRedress Act. http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdf ; Sarah St. Vincent. 2014. “PrivacyAct Reforms Would Promote US Respect for Human Rights.”Center for Democracy & Technology. https://cdt.org/blog/privacyact-reforms-would-promote-us-respect-for-human-rights/

http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttps://www.congress.gov/bill/114th-congress/house-bill/1428https://www.congress.gov/bill/114th-congress/house-bill/1428http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttp://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttps://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/https://cdt.org/blog/privacy-act-reforms-would-promote-us-respect-for-human-rights/http://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttp://www.itic.org/dotAsset/d/6/d6445b59-2508-45ab-a4ba-6d731bb53b39.pdfhttps://www.congress.gov/bill/114th-congress/house-bill/1428https://www.congress.gov/bill/114th-congress/house-bill/1428http://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://europa.eu/rapid/press-release_MEMO-15-5612_en.htmhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.eurojust.europa.eu/about/background/Pages/History.aspxhttp://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2http://www.ejn-crimjust.europa.eu/ejn/EJN_StaticPage.aspx?Bread=2


17/22

T D D 15

If the encryption de

concludes with a

transatlantic alignm

around strong

encryption and sec

communications, th

cryptographic standand implementatio

could become a

plank in a platform

of cooperation on

cybersecurity.

Summary

Germany and the United States shouldconduct bilateral engagement on twosets of related cyber-security issues: 1)

common policies of cooperative cyber-securityfor critical infrastructure; and 2) the dilemmaof strong encryption. Recent intrusions into thenetworks of the Office of Personnel Management30 in Washington and the servers of the GermanParliament31 have re-emphasized the vulnerabilityof sensitive data and communications for bothgovernments. In the private sector, the estimated

losses of cyber-espionage is measured in the billionsof dollars/euros per year.32

Meanwhile in the United States, the strongencryption technologies that could prove the bestprotection for sensitive data in our informationsystems are the focus of a dispute between lawenforcement,33 technology companies, and otherparts of the government.34 Technologists arguethat strong cryptography is crucial to protectcommunications from digital assailants withincreasing sophistication. However, widespread

30 Kim Zetter. 2015. “The Massive OPM Hack Actually Hit 21Million People.” Wired. http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/

31 Anton Troianovski. 2015. “German Parliament Strugglesto Purge Hackers From Computer Network.” The Wall Street

Journal. http://www.wsj.com/articles/german-parliament-strug-gles-to-purge-hackers-from-computer-network-1434127532

32 Ellen Nakashima and Andrea Peterson. 2014. “Report:Cybercrime and espionage costs $445 billion annually.” TheWashington Post. https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html

33 Cyrus R. Vance Jr. et al. 2015. “When Phone EncryptionBlocks Justice.” The New York Times. http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryp-tion-blocks-justice.html?_r=2

34 Terrell McSweeny. 2015. “Worried About Your Data Security?How Encryption Can Help Protect Your Personal Informa-tion.” Huffington Post. http://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.html

implementation of strong encryption effectivelylimits some forms of legitimate law enforcementaccess to data. Governments must decide howto maximize the economic and security benefitsof encryption while managing competing lawenforcement priorities. Recently, after deliberation,the Obama administration announced it wouldnot seek legislation to mandate backdoor accessto communications technologies with strongencryption.35 This indicates de-escalation of thisdebate and a move toward common ground withGermany — which has long argued for strong

encryption without mandatory backdoors.

If the encryption debate concludes with atransatlantic alignment around strong encryptionand secure communications, these cr yptographicstandards and implementations could becomea plank in a platform of cooperation on cyber-security. Security policy is ultimately a nationalconcern, but building resilient defenses againstglobal threats is a mutual interest and could be aconstructive arena for reestablishing trust. In thiscontext, the United States brings to the table strong

capabilities in Information Assurance that wouldbenefit European partners. Meanwhile, the Germangovernment’s policy commitment to strongencryption is exemplary and the global credibilityof German data security could lay the groundworkfor new standards that benefit all participatingcountries.

Discussion

The debates over global surveillance in the lasttwo years have driven two important trends incyber-security — a political focus on so-called“technological sovereignty” in cyber-security policyand an increase in the commercial deployment

35 Nicole Perlroth and David Sanger, 2015. “Obama Won’t SeekAccess to Encrypted User Data,.”The New York Times.http://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.html

4C-S C

S E

http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttp://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.nytimes.com/2015/10/11/us/politics/obama-wont-seek-access-to-encrypted-user-data.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.huffingtonpost.com/terrell-mcsweeny/worried-about-your-data-s_b_8083756.htmlhttp://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html?_r=2https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttps://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.htmlhttp://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wsj.com/articles/german-parliament-struggles-to-purge-hackers-from-computer-network-1434127532http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/


18/22

T G M F U S16

of strong encryption technologies. The first ofthese trends has been especially prominent inGermany where outrage over the transgressions ofallied intelligence services and foreign companiesdrives a new focus on national-level solutions.Meanwhile, the question of sovereignty in cyber-security policy is not a prominent debate in theUnited States. The second trend, however, has beencentral in the U.S. debate as major Silicon Valleyfirms (e.g. Apple and Facebook) have implementedstrong encryption on popular services as a meansto restore confidence with customers that data is

secure. By contrast, in Germany, a commitment tounbreakable encryption is the stated position of thegovernment (although concerns have been raised athigh levels).36 Moreover, the German cyber-securityagency (BSI) has issued recommendations onpersonal communications and strong encryption.37 While most implementations of encryption leavemetadata open for intercept, the increase in securityprovided by increased use of these technologieswould be substantial.

If governments join together in a common embrace

of encryption policy for data security (coupled witha commitment to expanding other methods of lawenforcement), this policy could release some of thepressure to create nationalized regimes of security(i.e. technological sovereignty) by establishing abasis of trusted computing on mathematics ratherthan on nationality (e.g. sourcing hardware andsoftware exclusively from domestic providers). Arobust agreement on technical standards couldfacilitate greater cooperation in conventionalcyber-security policies such as threat intelligencesharing, resilience in critical infrastructure,

mutual protection against industrial espionage,

36 Deutscher Bundestag. 2015. Drucksache 18/5144. http://dip.bundestag.de/btd/18/051/1805144.pdf

37 Bundesamt für Sicherheit in der Informationstechnik. 2015.“Wie verschlüsselt kommunizieren.” https://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommu-nizieren/Einsatzbereiche/einsatzbereiche.html

and stability through norms and codes of conduct.Differentiated national level defensive strategies wilalways be a priority for both countries (includingagainst one another’s cyber capabilities), but a farhigher security policy concern for both nations isthe common threat they face from hostile actors.

Recommendation

Acknowledging the needs of citizens, firms,and governments to communicate securely, wefocus on strong encryption solutions as a tenetof a cyber-security strategy and a basis for a

cooperative cyber-security policy. Recognizing thatthe dilemma of encryption and law enforcementaccess does not have a technical solution, theclear path forward is to embrace the technology.This is not to dismiss the central challenges andgrave threats faced by law enforcement agencies,but it does mean that increasing the capacityof security agencies will require other methodsbeyond communications intercept. While nationalgovernments could mandate that companiesprovide keys for legitimate law enforcementinquiries (and some are considering this),it appearsunlikely that the genie will return to the bottlebecause so many products are already availablein the market.38 Moreover, if one governmentmandates a backdoor to digital services, allgovernments are likely to do so — placingtechnology service providers on untenable legal andmoral ground.39 And finally, the near-consensus

view of cryptography experts is that vulnerabilitiescreated for law enforcement access will ultimately

38

David Kravtes. 2015. “U.K. prime minister wants backdoorsinto messaging apps or he’ll ban them.” ars technica. http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/

39 Kevin Bankston. 2015. “Hearing on ‘Encryption Tech-nology and Possible U.S. Policy Responses’..”US CongressIT-Subcommittee. http://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdf

We focus on strong

encryption solutions

as a tenet of a cyber-

security strategy and a

basis for a cooperative

cyber-security policy.

Recognizing that thedilemma of encryption

and law enforcement

ccess does not have a

technical solution, the

clear path forward is to

mbrace the technology.

http://dip.bundestag.de/btd/18/051/1805144.pdfhttp://dip.bundestag.de/btd/18/051/1805144.pdfhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttp://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://oversight.house.gov/wp-content/uploads/2015/04/4-29-2015-IT-Subcommittee-Hearing-on-Encryption-Bankston.pdfhttp://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/http://arstechnica.com/tech-policy/2015/01/uk-prime-minister-wants-backdoors-into-messaging-apps-or-hell-ban-them/https://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttps://www.bsi-fuer-buerger.de/BSIFB/DE/SicherheitImNetz/Verschluesseltkommunizieren/Einsatzbereiche/einsatzbereiche.htmlhttp://dip.bundestag.de/btd/18/051/1805144.pdfhttp://dip.bundestag.de/btd/18/051/1805144.pdf


19/22

T D D 17

be exploited by adversaries as well.40

Consequently,we recommend the following steps:

First, rather than arguing for “master key”government access to encrypted data, the Germanand the U.S. government should explore howthey can strengthen cryptography and thus makeeveryone’s communications more secure —including their own. This should include robustengagement with technology experts to raise thelevel of informed debate and to help policy-makerscoalesce around realistic options.

Second, a unified approach to strong encryption(normative practice, standard setting, andinteroperability) would provide a basis for bothcommon security and economic policy as thesetechnologies will be a central part of the globalcloud computing market. Different regimes ofsecurity standards in the United States and Europewould introduce costs for both sides. Here, theGerman geopolitical brand (backed up by itstechnical track-record) for data privacy suggeststhat Berlin could deliver a strong contribution to amultilateral standard for secure communicationsthat carries global credibility.

Third, for both governments the discussion aboutstrong encryption could provide a jumping offpoint for a broader engagement about cybersecurity cooperation, including:

• Threat Intelligence: Effective mechanisms topromote the transatlantic sharing of criticalinformation about cyber incidents;

• Industrial Espionage: Coordinated protection

against common threats of cyber-attacksagainst private sector targets;

40 Ellen Nakashima. 2015. “Tech giants don’t want Obama togive police access to encrypted phone data.” The WashingtonPost. https://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.html

• Transnational Cybercrime: Coordinatedapproach to updating the Budapest Conventionon Cybercrime to match technologicaldevelopments in the ten years sinceimplementation;

• Critical Infrastructures: Policies and practice toincrease resilient security and thwart attacksmore efficiently through closer cooperation;

• Certification standards: Commoncommitments to building trust in IT-securityproducts through revised security certification

processes;

• Norms: Partnership in promoting internationalcyber norms and codes of conduct to fightcybercrime and cyberespionage;

• Zero-days: Commitments betweengovernments to reject agency stock-piling ofzero-day vulnerabilities (undiscovered securityholes), a practice that only strengthens the

viability of the zero-day black market.

https://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.htmlhttps://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.html


20/22

T G M F U S18

C

The central conclusion of the TransatlanticDigital Dialogue working group is that thereis broad support in both countries across

the private sector, academic, and civil society fora pragmatic reform agenda. Furthermore, thereform agenda we propose squarely addressesthe economic consequences of the transatlanticdivision while grounding its recommendationsin a rights-based framework. The breadth ofsupport that unites the private and civic sectors ofthe United States and Europe contrasts with thedivision between the governments and indicates the

opportunity for viable political discussions that leadto policy change.

Our major conclusions are organized around threeareas of policy reform — oversight/transparency,extraterritorial data access, and cyber-security.Taken as a whole, we demonstrate that each sidehas something to offer to the other; and each sidehas comparative advantages and disadvantages inthe current state of law and policy with respect tomodernization and reform.

On the issues of oversight and transparency ofsurveillance practices, it is EU states that mayfind useful examples of reform in the U.S. system.Though to be clear, we see substantial work to bedone to modernize the U.S. system as well, even ifit offers a useful starting point. We offer a varietyof steps that both countries could take in parallel— ranging from simple methods of enhancingoversight to comprehe

Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform

Documents

Transcript of Transatlantic Digital Dialogue: Rebuilding Trust through Cooperative Reform