Peter Swire, Professor of Law and Ethics at the Georgia Tech Scheller College of Business, is a privacy expert at home and across the Atlantic. He has served as Chief Counselor for Privacy to President Clinton and Special Assistant for Economic Policy to President Obama. His career spans the past two decades and includes leadership positions in the most important international data privacy proceedings, including advising on U.S. intelligence policy following both the Edward Snowden surveillance revelations and Max Schrem’s claims against Facebook Ireland.
Swire’s work marks an era of change and adaptation in intelligence collection. Classified information about potential security threats now flows through the same internet channels as, say, a regular citizen’s recent sales transaction. It’s no wonder that worries about data privacy have sprung up both within the U.S. and across the Atlantic in the EU member states.
Swire assures us that “the vast majority of data flows from the EU to the U.S. have nothing to do with intelligence.” The average citizen doesn’t need to worry about their digital lives being sifted through by the National Security Agency. The NSA only seeks intelligence when and where they are legally authorized to do so. Swire explained that that might look like “targeting someone in Russia before the invasion of Ukraine or a terrorist threat. That surveillance has to meet legal requirements—it has to be targeted and for a foreign intelligence purpose.”
The EU hasn’t always been so confident that the NSA complied with intelligence surveillance law, cutting off data flows to the U.S. in 2020 and disrupting a $7.1 trillion U.S.-EU economic relationship. Since then, Swire’s work has focused on proposing safeguards against excessive government surveillance to maintain civil liberties and privacy, and increase confidence in companies who seek to collect and use data in good faith.
Swire has seen every step of the building up to the EU-U.S. Data Privacy Framework - a timeline that spans 24 years. President Biden announced his Executive Order on October 7, providing privacy safeguards while enabling effective foreign intelligence to protect the U.S. and its allies. As Peter and his colleagues wrote in their 2013 President’s Review Group Report, “Vigilance is required in every age to maintain liberty.”
Learn more about the history of EU-U.S. surveillance law with a timeline that brings us to President Biden’s “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities.”
Timeline of EU-U.S. Data Protection Relations
*1998 - 2000: International Safe Harbor Privacy Principles established with the rise of the internet’s popularity among users in the mid 1990s. This agreement was one of the first of its kind between commerce partners. In July 2000, the EU agreed that U.S. companies could transfer data from the EU to the U.S., as long as U.S. companies provided proof, in the form of registering their certification, that they complied with the 15 principles of data protection.
*2008: FISA Amendments ACT, Section 702 is ratified and establishes a program that both allows the government to intercept national security communications from foreign targets overseas and addresses the need to restrict incidental collection of communications between Americans and foreign citizens.
*May 2013: Edward Snowden, a former intelligence contractor for the NSA, leaks highly classified information about U.S. surveillance programs. He is alternately called a whistleblower, traitor, and patriot. U.S. officials state that his revelations did “grave damage” to their intelligence capabilities.
*August 27, 2013: President Obama organizes a five-member Review Group on Intelligence and Communications Technology, including Swire. He thanks them for providing recommendations on how “the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.”
*October 2013, Schrems I: Max Schrem, Austrian citizen, files complaints against Facebook Ireland for sending his personal data to servers in the U.S. He complains that “in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities.”
*December 13, 2013: President Obama’s Review Group submits their report. They find that the NSA’s “prowess in the realm of signals intelligence is extraordinary” and assures that it has “created an effective system for compliance with all legal requirements.” The report does encourage ending the practice of assembling massive databases of information on billions of telephone calls and adding a new layer of judicial review for queries of U.S.-based call data.
*January 17, 2014: The White House responds to the Review Group, articulating a continued commitment to maintaining the internet’s design as a “globally-distributed network of networks.” The White House states: “People around the world – regardless of their nationality – should know that the United States is not spying on ordinary people who don’t threaten our national security and takes their privacy concerns into account.”
*October 6, 2015: International Safe Harbor Privacy Principles are overturned by the European Court of Justice, because the principles did not require all organizations to guarantee they complied while working with EU privacy-related data. Companies that did opt in were “bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest, and law enforcement requirements.”
*February 2, 2016: EU-U.S. Privacy Shield is drafted to provide stronger obligations on U.S. companies to protect the personal data of Europeans and more stringent monitoring and enforcement by the U.S. Europeans are given the possibility of raising privacy complaints with a dedicated Ombudsperson.
*November 2, 2016: Swire delivers his expert report to the Irish High Court where Max Schrems challenges whether or not transfers of personal data to the U.S. under standard contract clauses are adequately protected under EU privacy law. Peter Swire concludes the EU’s concerns are ill-founded.
*July 16, 2020, Schrems II: EU's top court strikes down the Privacy Shield because of fears that European data was not protected from access by American agencies once transferred across the Atlantic. They believed the Privacy Shield failed to ensure that companies were complying, leaving it up to companies to “self-certify” their compliance and giving no avenue for redress for European citizens.
*February 16, 2022: Swire and colleagues Theodore Christakis and Kenneth Propp propose a new approach to address the EU’s privacy concerns. Their work points to precedents set in the Nixon Watergate scandal to build up a framework for an independently operating Foreign Intelligence Redress Authority (FIRA) within the Department of Justice that would mediate complaints from any European person who believed their rights had been infringed upon.
*March 2022: Brussels and Washington agree in principle to a new Trans-Atlantic Data Privacy Framework, but progress on the details of how it would work are slow to surface and threats of data cut-off from the EU to the U.S. continue.
*October 7, 2022: President Biden announces a new Executive Order, an agreement built to repair a two-year stalemate that includes vital benefits to citizens on both sides of the Atlantic. Based on the new announcement, companies have a lawful basis to transfer personal data from the EU to the U.S.
Swire's most recent work points to a promising Trans-Atlantic future with the EU-U.S. agreement in place. He says, “As soon as the Executive Order and Department of Justice regulation are published, the new U.S. rules create a lawful basis for transfer of personal data from the EU to the U.S. Companies involved in transatlantic commerce have to conduct ‘transfer impact assessments’ in order to determine whether it is legal to transfer data. Before this agreement was announced, many companies struggled to show any legal approach for such data flows. With the new agreement, companies can say in good faith that they are complying with European legal requirements.”