U.S. Surveillance Society Could Learn from EU Approach to Privacy
We have learned in the past year that privacy protection can often conflict with pandemic protections, as contact tracing regimes and databases of infections and vaccinations highlight people’s personal situations in the public sphere. Similarly, privacy protection limits law enforcement and criminal investigation, as the police demand more information to solve crimes and privacy advocates push back.
In the U.S., the Fourth Amendment to the Constitution places limits on inspection of a citizen’s places, papers and person so that indiscriminant searches are against the foundational law of the land. But as we move further into the surveillance society, with cameras at every intersection, ATM, doorbell and business, plus the ability of machine-learning driven software to match names to nearly all the faces captured, our two-hundred-year-old system of personal protection seems inadequate and out of date. Readers of this blog know that I advocate for a Fourth Amendment based warrant requirement for use of facial recognition software by law enforcement. As of yet, no court or legislature seems interested in requiring warrants for use of this intrusive technology.1 A similar argument exists for requiring a warrant for law enforcement officers to use license plate reading database software and “stingray” cell phone call capturing technology as well.
But these constitutional arguments attempt to build protections around affirmative police actions to sort and search the massive material gathered about everyday life in today’s society. They don’t touch the underlying concern – so much information is being gathered that people can’t walk or drive in obscurity anymore. In this country, the general public sees no problem that we are being tracked by our own phones, watches and other devices every moment of every day, that cameras and IoT devices record our activity everywhere, and all of this information is available to police. The U.S. Supreme Court has placed some limits on grabbing 24/7 electronic surveillance and indiscriminant tracking of cell phone information, but nearly all of the data captured on all of us by public and private sources is freely available to law enforcement, from DNA collected by Ancestry.com to security video of your home collected by Amazon and others. Data collected by passive cameras owned by business or local government is barely a consideration for Constitutional privacy discussions.
Most people interested in privacy know that Europe approaches protection of personal information in a different manner than the U.S. Capture of your image in public spaces by “public” cameras is an important difference. A recent criminal case arising in Estonia makes this point clear. In this case the European Court of Justice decided that a prosecutor does not have authority to request traffic or location data for investigation of a criminal matter, and that a neutral court must make that determination. The effect is similar to what I have advocated for scanning such pictures through facial recognition software – a procedure should be introduced where a court can weigh the law enforcement necessities against the infringements on the protected privacy interests of suspects.
The EU CoJ ruling was broadly applicable, stating,
“the Court holds that the directive on privacy and electronic communications, read in the light of the Charter, precludes national legislation that permits public authorities to have access to traffic or location data, that are liable to provide information regarding the communications made by a user of a means of electronic communication or regarding the location of the terminal equipment which he or she uses and to allow precise conclusions to be drawn concerning his or her private life, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, without such access being confined to procedures and proceedings to combat serious crime or prevent serious threats to public security.”
Structural reasons mean that the Court must rule not only on the prohibited conduct by on national legislation that enables such conduct. This ruling will affect how long and for what purposes traffic and location information can be held, even if the local government is capturing and keeping the data. The laws tipping the balance here are core EU privacy rules that hold that privacy is a human right of all residents, enacted by decades of more specific laws, like 2018s General Data Protection Regulation (GDPR).
But this finding is broad and the Court chose to be more specific as to the facts of the case, holding, “The Court further holds that [the privacy] directive, read in the light of the [EU] Charter, precludes national legislation that confers upon the public prosecutor’s office the power to authorise access of a public authority to traffic and location data for the purpose of conducting a criminal investigation.” The court felt that law enforcement agency like the prosecutor’s office would be too swayed by the pressure of its policing responsibilities to properly take a suspect’s privacy rights into consideration, so the court found a third party, like the judiciary, should hold the legal ability to weigh these factors and make these judgments.
In the U.S. we have allowed surveillance technologies to grow unchecked and generally to be used by the government without regard to what this means to our ability to conduct private lives. Maybe we should take this page from the European Court of Justice and add some balance to the bonanza of information that has fallen on law enforcement in the past two decades. Maybe somebody neutral should be more aggressive about righting the balance between police use of technology and our privacy.
1 Although some cities have blown all the way past a warrant requirement and attempted to ban police use of facial recognition software and services altogether.