Aug 62020

Key Takeaways from Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Adam Klein, Chairman of the PCLOB

Alan Charles Raul and Robin Wright Cleary
, , , ,

Posting revised August 13, 2020

On July 2, 2020, Sidley partner Alan Raul, founder and co-head of Sidley’s Privacy and Cybersecurity practice, hosted Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board (“PCLOB” or “the Board”), for a Monitor-Side Chat.

The discussion focused largely on the Commission’s work since Mr. Klein became Chairman in October, 2018. Key topics of the chat included:

  • Mission, Operation and Access of PCLOB
  • Balancing Counter-Terrorism and Privacy
  • Comparison of U.S. and Foreign Checks and Balances
  • FISA Reform
  • Emerging Technologies

Key takeaways from the Sidley Monitor-Side Chat include*:

Mission, Operation and Access of PCLOB 

  • The 9/11 Commission recommended a number of measures to improve the sharing of information within the intelligence community, but also recommended greater oversight to ensure equilibrium between privacy and national security interests.
  • Klein noted, however, that he agrees with the statute that created PCLOB in that “[t]he choice between security and liberty is a false choice,” and our government must keep us safe while keeping us free.
  • PCLOB, once housed in the White House/Executive Office of the President, is now an independent agency with three functions: (1) to conduct oversight; (2) provide advice; and (3) coordinate activities between privacy and civil liberties officers within each intelligence agency. PCLOB has its own Sensitive Compartmented Information Facility (“SCIF”), and all staff have top secret security clearances.
  • The oversight function tends to predominate because of the way the Board is now structured.
  • PCLOB publishes reports on its oversight projects as well as semi-annual reports to Congress about ongoing projects. Currently, PCLOB is reviewing the use of facial recognition technology in airport security by the Department of Homeland Security. In February of this year, PCLOB published a report in unclassified form on its evaluation of the National Security Agency’s bulk collection of call detail records under the USA Freedom Act of 2015.
  • Advice projects are generally not disclosed to the public, but Mr. Klein discussed one public advice project in which the intelligence agencies agreed that the Board could provide advice about agency guidelines on the handling of information of U.S. persons pursuant to Executive Order 12333. Every agency was required to reissue guidelines and found PCLOB’s advice pragmatic and beneficial.

Balancing Counter-Terrorism and Privacy

  • The Board tries to think about the various risks of holding data. Even if the data is stored and not used for anything other than the intended purpose, retention of data could be a risk in that there could be a security breach, the law could change, or the data could inadvertently be used for an unintended purpose.
  • The Board strives to consider the risks and mitigation strategies that intelligence agencies can utilize, as well as the protections that can be applied to data while still meeting the operational needs of the agency. One of PCLOB’s goals is to develop a taxonomy of privacy harms to facilitate more rigorous analysis of privacy harms in the context of surveillance activities.
  • This raises interesting and subtle questions: Does a privacy harm arise only when a human sees something?  What about bot-scanning, or where personal information sits on a database for years without ever being queried or used before deletion occurs?

Comparison of U.S. and Foreign Checks and Balances

  • The (now invalidated) Privacy Shield decision illustrates the importance of comparing privacy protections across systems.
  • We should want to know what a country’s law and regulations require of the government in order for the government to collect information. For example, what is required for a country to wiretap individuals traveling to that country?
  • The U.S. has a longstanding policy against economic espionage, PPD-28. However, not all EU member states have made similar commitments.
  • It is useful to draw comparisons because we can learn from other systems.  At the same time, drawing comparisons can help the unfortunate and persistent misimpression that the U.S. is uniquely malevolent when it comes to surveillance. Our agencies would say they are quite constrained and operate under a clear code of behavior that is enforced with sanctions for misconduct.
  • There are real benefits to the information sharing programs between the U.S. and other countries. There is not enough discussion about how the benefits from these programs, such as the Terrorist Finance Tracking Program, save lives.

FISA Reform

  • In 2015, the Board recommended the creation of an amicus role to assist the Foreign Intelligence Surveillance Court (“FISC”). The recommendation was implemented and by all accounts has worked well and contributed to the FISC’s deliberations on applications.
  • In December 2019, the Department of Justice’s Inspector General issued a 400-page report on the FISC application targeting Carter Page. For many who work in this area of the law, the report was very surprising and disappointing because the failures were significant and persisted across multiple renewals.
  • The Inspector General followed up with an audit of 29 selected applications from different field offices and found facial errors in all 29 applications.
  • PCLOB requested information from the Inspector General as well as the FBI, and held a public forum on the Foreign Intelligence Surveillance Act to examine the statute and consider the counter-terrorism efforts. PCLOB will not double-check the work of the Inspector General, but as Congress decides whether to change a statute, the Board may offer insights into high-level questions that arise.

Emerging Technologies

  • One of the strategic goals of PCLOB is to offer insight about the effects of new and emerging technologies on government power and individual liberties.
  • The emerging technologies may range from large data sets and advanced analytics to facial recognition and biometric technology.
  • PCLOB has a computer science PhD on staff to help it understand and digest the features of new technologies.

* This summary is not an authoritative transcript of the remarks.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Robin Wright Cleary

rwright@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.