Surveillance, Data and Rights

Alexandru Glontaru, Alexandru Maiereanu, Tudor Maiereanu, Alin Popa


National security and Public Safety

The National Security Agency’s (commonly referred to as NSA) mass surveillance has greatly expanded in the years since September 11, 2001. Recent disclosures have shown that the government is regularly tracking the calls of hundreds of millions of Americans and spying on a vast but unknown number of American citizens’ international calls, text messages and emails.


This secret surveillance program of the goverment are being ble to operate due to two standing laws in America: the Patriot Act and the FISA Amendments Act. Also, the primary allows the agency to monitor and surveill outside of the United States territory.

The Patriot Act grants the government the right to intercept, track and store each ongoing call made by every phone in America. This violation of privacy comes against the Fourth Amendment, and has been addressed in in June 2013 after the program’s exposion in „The Guardian”.

The FISA Amedments Act was issued in 2008 and empowered NSA to also monitor all the international calls, emails and text messages made by every single American. In such a way, as more recent dislosures confirm, Americans’ privacy is weakly protected, as even purely domestic communications are being evaluated and every email that reaches American servers is scanned for keywords that could allert NSA.


The ACLU (American Civil Liberties Union ) has been at the forefront of the struggle to rein in the surveillance superstructure, which strikes at the core of our rights to privacy, free speech, and association. Following their statement, this institution addressed both of the Acts, with little succes unfortunately. Although the Foreign Intelligence Surveillance Court oversees the government’s surveillance activities, it operates in near-total secrecy through one-sided procedures that heavily favor the government.

Private sphere

PRISM Project is a clandestine surveillance program under which the United States National Security Agency collects internet communications from at least nine major US internet companies. Since 2001 the United States government has increased its scope for such surveillance, and so this program was launched in 2007. The active collection process is based on the user demand provided to the an internet company (transfer of the data) and the obligation of the company to provide  any data that matches court-approved search terms (collector of data). Based on this, NSA can now decrypt every message that it was already tracked but not solved, thus getting deeper into the private sphere.


Applicable laws that grant the legal operation of such a program come from the Foreign Intelligence Surveilllance Act (FISA), since June 2008. The National Intelligence of the United States has stated then that “PRISM is not an undisclosed collection or data mining program, but rather an internal government computer system”.  Even more power can be taken by the agency since inside the act it is mentioned that: “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information”. This action may come without a proper justification since the act states that “intelligence important to the national security of the United States may be lost or not timely acquired and time does not permit the issuance of an order” .

Data Privacy

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.

The EU’s Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

Right to be forgotten

The right to be forgotten “reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them.” It has been defined as “the right to silence on past events in life that are no longer occurring. The right to be forgotten leads to allowing individuals to have information, videos or photographs about themselves deleted from certain internet records so that they cannot be found by search engines.The right to be forgotten is distinct from the right to privacy, due to the distinction that the right to privacy constitutes information that is not publicly known, whereas the right to be forgotten involves removing information that was publicly known at a certain time and not allowing third parties to access the information.

1995 Directive

               In 1995 the European Union adopted the European Data Protection Directive about the regulation of the processing the personal data. Article 12 of the Directive stated that a person can ask for personal data to be deleted once that data is no longer necessary:

Article 12: Right of access

Member States shall guarantee every data subject the right to obtain from the controller:

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort

The proposed Data Protection Regulation is about much more than the right to be forgotten. It is a fundamental modernisation of Europe’s data protection rules, establishing a number of new rights for citizens of which the right to be forgotten is only one (data portability, data breach notifications for instance), creating a single market for data in the European Union and streamlining cooperation between the Member States’ regulators.


Actual Case: Spanish court ruling against Google

In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data relating to him, so that it no longer appeared in the search results.

The Spanish court referred the case to the Court of Justice of the European Union asking:

  1. whether the EU’s 1995 Data Protection Directive applied to search engines such as Google;
  2. whether EU law (the Directive) applied to Google Spain, given that the company’s data processing server was in the United States;
  3. whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine (the ‘right to be forgotten’)

Google Spain and Google Inc. subsequently brought separate actions against the decision before the Audiencia Nacional (National High Court of Spain). Their appeal was based on:

  1. Google Inc. was not within the scope of the EU Directive 95/46/EC(Data Protection Directive) and its subsidiary Google Spain was not responsible for the search engine
  2. there was no processing of personal data within the search function
  3. even were there processing, neither Google Inc. nor Google Spain could be regarded as a data controller
  4. in any event, the data subject did not have the right to erasure of lawfully published material



Google Images

2 thoughts on “Surveillance, Data and Rights

  1. Your descriptions of the The Patriot Act and the FISA Amendments Act, in comparison to the European Data Protection Directive already provide an insight into the striking differences between data privacy in the European Union vs. in the United States.

    Remembering the EU-U.S. Privacy Shield passed this summer, which “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States” (, I looked more into the topic and found a very interesting report from the European Parliament’s Directorate-General for Internal Policies, which compares US and EU data protection legislation.

    Key aspects of the comparison are the following:
    – EU data protection framework is mostly codified in primary and secondary law and accompanied by case law, while in the US, data protection is sector-specific and thus authorizes US agencies to process personal data
    – Data protection and privacy are fundamental rights in the EU, while there is no equivalent protection in the US
    – Most EU data protection guarantees do not exist un US law
    – In EU law, fundamental rights cover everyone targeted by surveillance measures, no matter their nationality, while the US makes a differentiation between US and non-US nationals, and discriminates against the latter

    If you want to look into more this topic, make sure to check out:


    1. “Data protection and privacy are fundamental rights in the EU, while there is no equivalent protection in the US”

      -This is not quite true. At least in theory they have the fourth amendment and even if they are outside of the constitution they have the same status as if they would not. So in theory they have the same rights.
      However, there is one big difference the so called “broken fence” which allows anybody (including for instance police officers) to use information which are “publicly observable”. This especially implies that whenever some data was originally intended to be protected, but the protection measure is dysfunctional it can become legal to circumvent it.

      And of cause if this amendment has ever been taken seriously by anyone, this changed in 2001.

      To be fair in many (at least most of the ones I know) European states they have exception rules for their own agencies as well.

      “In EU law, fundamental rights cover everyone targeted by surveillance measures, no matter their nationality, while the US makes a differentiation between US and non-US nationals, and discriminates against the latter”

      -This is a valid point, although I think it is a bit unfair to compare national laws in the states with European level laws. Of cause the member states of the EU have their own laws which might very well discriminate again. And it still remains to be seen what happens if EU laws is contradicting national law (at least it would be interesting to see what happened if the highest national court contradicts the EU court).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s