Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

#IAPP Conference: Panel - Whose Eye is on the Five Eyes? An Intro to International Oversight Bodies

On April 19, at the International Association of Privacy Professionals Global Privacy Summit 2017 in Washington DC, privacy commission representatives overseeing intelligence and security activities in four of the Five Eye countries discussed the role of their organizations amid heightened public concern over state surveillance activities. The Five Eyes are an intelligence alliance comprising Canada, Australia, New Zealand, the UK and the US.  

The Panel:
Gabe Maldoff, CIPP/US, associate, Bird & Bird (Moderator) 
Elisebeth Collins, U.S. Privacy and Civil Liberties Oversight Board 
John Edwards, Privacy Commissioner of New Zealand, Office of the Privacy Commissioner 
Daniel Therrien, Privacy Commissioner of Canada 
Steve Wood, head of international strategy and intelligence, UK Information Commissioner’s Office 

Maldoff: How does oversight work in New Zealand, given reforms over the last few years?

Edwards: The reforms happening in New Zealand are about bringing surveillance back to a public service orientation. In 2012 there was a raid by New Zealand police on behalf of the US government against a New Zealand citizen called Kim Dotcom, who was wanted for multiple charges in the US. It was discovered that the NZ Government Communications Security Bureau had been involved in surveillance to execute the warrant (it’s illegal to surveil a citizen), and that it had sophisticated technical infrastructure that could be employed on behalf of other agencies. This caused great controversy in the country. In 2016, a bipartisan review was conducted to fix deficits in the law which allowed this to happen. During reform, information privacy principles were applied to intelligence and security in a way not seen before. We of course still have intelligence and security agencies to keep the country safe, but all of their activities are undertaken strictly in accordance with the rule of law. The Inspector General is mandated to investigate any complaint from a citizen against the intelligence agencies. Citizens also have the right to access their own information from any agency. Since Agencies often refuse to provide it, my office investigates the situation. There is also Parliamentary oversight. 

Maldoff: Are we seeing similar reforms in Canada?

Therrien: There is currently no parliamentary committee responsible for overseeing activities of national security agencies, but this is being remedied by a bill before parliament that will most likely be adopted. There is judicial oversight, and expert oversight, which is somewhat checkered, based on the history of national security activities in Canada. Traditionally we have the Mounted Police, the Security Service and the Intelligence Agency. However, since 9/11, you see more departments being involved much more regularly, especially the border services. They lack their own oversight body. The Office of the Privacy Commissioner has jurisdiction over all federal departments and agencies, but only for privacy matters, not other legal issues. We’ve had commissions of inquiry that looked into lawfulness of national security agencies over the years, including recently the Royal Canadian Mounted Police for post-9/11 information sharing with countries that have bad human rights records.

Maldoff: What about the US Privacy and Civil Liberties Oversight Board?

Collins: The Board is designed to fill a 9/11 Commission recommendation which said as we push for counter-terrorism authorities, there should be an entity to balance them. The Board is a uniquely robust oversight system in the US, made up of privacy officers and attorneys. We’re a permanent, independent and bi-partisan federal agency in the executive branch. Our mission is to provide advice and oversight regarding counter-terrorism activities of the federal government against US and sometimes non-US persons. For more information, I suggest reading at least the executive summary of two known oversight reports: Section 215 of the domestic telephony metadata program, and the Section 702 program (FISA).

Maldoff: What about the new UK Investigatory Powers Act (IPA), which seems to be known as being particularly aggressive?

Wood: When the Investigatory Powers Act was passed earlier this year, there was the intention of unifying a disparate number of pieces of legislation on how agencies could use, collect and intercept data, and to bring this into one clear framework. There has been a significant debate in parliament about passage of the legislation; the government has brought forward a lot of information about the powers being given to agencies over data. Now there is a double lock approach to authorization of warrants for acquiring data sets. For instance, equipment interference must be signed off by a Secretary of State and then a judicial commissioner. The Information Commissioner’s Office role will be looking at security, integrity and assessing how collected data is retained or ultimately destroyed. The IPA has some positive features and some that raise privacy questions. It’s not how it looks on paper, it’s how it actually works in practice.

Maldoff: What are developments in Canada around surveillance powers?

Therrien: In 2015 the government adopted an overhaul of anti-terrorist legislation. Effects short of killing allow intelligence to act on what it uncovers, and Canadians are concerned with this. The new party in power promises to repeal problematic elements of the legislation. They published a green paper in September 2016 that seeks public comments before changes are made. There are particular concerns around metadata and encryption. In 2014 Parliament adopted legislation on metadata, lowering the threshold to obtain it to “reasonable suspicion”. However, the court said at the same time that metadata in a context where it reveals sensitive personal information is entitled to the reasonable expectation of privacy, so police need to get a warrant to obtain it. In a previous case where a journalist’s communications with a target of an investigation were intercepted, thereby revealing a journalistic source, the Supreme Court upheld Freedom of the Press. It did not want to lower privacy safeguards of Canadians.

Maldoff: How will Section 702 Change?

Collins: We spent a year looking at the program as it stood in 2014 across agencies and NGOs. It is critically important that Congress determine how to reauthorize on the basis of facts, not rumors or tweets. We unanimously found it is an enormously valuable tool; it has operated consistent with statutory authorization; it’s Constitutional; and there has been no deliberate abuse. 
We made recommendations that will probably be part of the reauthorization. There has not always been a good understanding of whose communications were being collected. Is it a US person or not? We proposed five metrics to truly understand what is being collected. Another issue is the use of a “US person” query term. You can’t target a US person, but you can use a US person selector on information already collected and in a database. We made recommendations on how to increase oversight of this use.

Maldoff: What about ‘adequacy’ on national security oversight in the UK once it leaves the EU?

Wood: International data flows are recognized in Brexit as being important, but there are no firm rules yet on transfers. We understand the importance of data flows to digital economy, but what’s really important here? We’re making the case for high standards of data protection because that’s what UK citizens want. It’s likely to be very similar in form to the General Data Protection Regulation (GDPR). Essential European guarantees that were incorporated into the Privacy Shield will be respected. 

Maldoff: Any insights about the future of adequacy in New Zealand?
Edwards: Nothing post-Snowden or in the GDPR has called New Zealand or Canadian adequacy into question. The EU says adequacy is not a one-off assessment, it’s ongoing. I now report on bi-annual basis on issues that may have some bearing on our adequacy. 

What’s Hot on Infosecurity Magazine?