GW Law Faculty Publications & Other Works Faculty Scholarship

2007

European Versus American Liberty: A Comparative Privacy

Analysis of Anti-Terrorism Data-Mining
Francesca Bignami
George Washington University Law School, [email protected]

Follow this and additional works at: https://scholarship.law.gwu.edu/faculty_publications

Part of the Law Commons

Recommended Citation
Francesca Bignami, European Versus American Liberty: A Comparative Privacy Analysis of Anti-Terrorism
Data-Mining, 48 B.C. L. Rev. 609 (2007).

This Article is brought to you for free and open access by the Faculty Scholarship at Scholarly Commons. It has
been accepted for inclusion in GW Law Faculty Publications & Other Works by an authorized administrator of
Scholarly Commons. For more information, please contact [email protected].
EUROPEAN VERSUS AMERICAN LIBERTY: A
COMPARATIVE PRIVACY ANALYSIS OF
ANTITERRORISM DATA MINING

Francesca Bignami*

Abstract: It is common knowledge that privacy in the market and the

media is protected less in the United States than in Europe. Since the ter-
rorist attacks of September 11, 2001, it has become obvious that the right
to privacy in the government sphere too is protected less in the United
States than in Europe. This Article brings alive the legal difference by
considering the case—real in the United States, hypothetical in Europe—
of a spy agency’s database of call records, created for the purpose of iden-
tifying potential terrorists. Under U.S. law such an antiterrorism database
might very well be legal. But under European law the very same database
would clearly be illegal. Numerous barriers to transatlantic cooperation
on fighting terrorism and cross-border crime have been created by this
legal difference. The Article considers the reasons for the transatlantic
difference—surprising in view of the common wisdom that Americans are
more suspicious of government interferences with individual liberty than
are Europeans. Based on the transatlantic comparison, this Article con-
cludes with a number of recommendations for the reform of U.S. infor-
mation privacy law, chief among them being the creation of an inde-
pendent privacy agency.

Introduction
On April 9, 1940, the Nazis occupied Norway.1 In May 1944, seek-
ing to bolster the German army in the face of the mounting Allied
offensive, the Nazis decided to conscript Norwegian men of fighting
age into the army.2 Men born in three different years were to be sent
to the Eastern Front.3 For this purpose, Norwegian government files

* Professor, Duke University School of Law. Many thanks to the Americans and Euro-
peans who assisted me with this project: Jon Bing, Erwin Chemerinsky, Alexander Dix,
Christopher Docksey, Patrick Doelle, David Fontana, Anna-Mirjam Frey, Carl Lebeck, Xa-
vier Lewis, Joan Magat, Noah Novogrodsky, Giorgio Resta, Marc Rotenberg, Spiros Simitis,
Daniel Solove, Graham Sutton, Stefan Walz, and David Zaring.
1 See Jon Bing, Smilets Interiør, in Angell 2002, at 114, 114–23 (Lill Granrud et al. eds.,
2002).
2 See id.
3 See id.

609

Electronic copy available at: http://ssrn.com/abstract=955024

610 Boston College Law Review [Vol. 48:609

containing names, addresses, the sex, dates of birth, and other per-
sonal information on the population were to be used.4 When the
Norwegian resistance learned of the plan, they attempted to destroy
the files, unsuccessfully.5 So these resistance fighters turned to ma-
chines that were to be used to sort, by age cohort, the files—only two
of which existed in Norway.6 They destroyed both.7 Without the ability
to tabulate the population data, a Norwegian draft was too difficult to
put into effect and the Nazi plan had to be dropped.8
This story and countless others, with less-happy endings, underpin
the law of information privacy in Europe today. The dangers of any
large-scale government effort to collect, catalogue, and manipulate in-
formation on individuals are never far-fetched. Preventing them is the
object of European privacy law.
Americans have never suffered the same disastrous abuses of their
personal records as did Europeans during World War II. Perhaps that is
why American law is so much more complacent than European law in
the face of massive government databases of personal records. One re-
cent illustration of this transatlantic difference is the revelation, in May
2006, of a National Security Agency (“NSA”) database with the phone
records of millions of ordinary American citizens.9 Ever since Septem-
ber 11, 2001, the NSA has been receiving the call records of at least one
major telecommunications provider for purposes of an antiterrorism
data-mining program.10 Even though the discovery provoked public
uproar, whether the law was broken is entirely unclear.11 In most Euro-
pean countries, had such a data-mining program come to light, the
outrage would have been not only political but also legal: the spy
agency would be acting in flagrant disregard of the law.12
In Europe, such a program would have to be authorized by a pub-
lic law or regulation. It would have to be reviewed, in advance, by an
independent privacy agency.13 Even though a European spy agency

4 See id.
5 See id.
6 See Bing, supra note 1, at 114–23.
7 See id.
8 See id.
9 See Leslie Cauley, NSA Has Massive Database of Americans’ Phone Calls, USA Today, May
11, 2006, at A1.
10 See id.
11 See infra notes 134–137, 160–168 and accompanying text (discussing the legality of
the NSA call records program).
12 See infra notes 13–18 and accompanying text.
13 See, e.g., Law No. 78-17 of Jan. 6, 1978, art. 11, Journal Officiel de la République Fran-
çaise [J.O.] [Official Gazette of France], Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of

Electronic copy available at: http://ssrn.com/abstract=955024

2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 611

might be permitted access to the same type of call data, it would not
be allowed to store the data for as long as the NSA has—over five
years now.14 The data could be mined only for certain statutorily pre-
scribed “serious” threats and, in the case of terrorism, only if there
were an “imminent and specific endangerment” from the threat.15 It
could be passed on to law enforcement agencies only if a certain fac-
tual threshold had been met for suspecting an individual of having
committed, or planning to commit, one of those serious offenses.16
The same independent agency would have enforcement and oversight
powers to guarantee that the program was being run in accordance
with the law.17 Individuals would have a right—albeit subject to nu-
merous exceptions—to check on their personal data, to ensure that it
was being used lawfully.18
This Article explores the European law of data protection and ex-
plains why a government data-mining program like the NSA’s would
run afoul of that law.19 The comparative exercise serves many purposes.
By taking the same set of facts and comparing how those facts would
fare in two different legal systems—American and European—the dif-
ferences between their laws are brought into sharp focus. Considering a
concrete set of facts is especially valuable in this area of law because
many European data protection rules are framed in such abstract terms
that it is difficult to appreciate how, in the hands of regulators and
courts, they serve to curb government action.
Beyond description, this comparison has far-reaching ramifications
for transatlantic cooperation on fighting crime and protecting national
security. This Article draws out the many points of difference between
information privacy law in Europe and the United States. Because of

Aug. 6, 2004, and Law No. 2006-64 of Jan. 23, 2006; Bundesdatenschutzgesetz [Federal Data
Protection Act], May 22, 2001, BGBl. I at 904, § 24 (F.R.G.).
14 See infra notes 297–298 and accompanying text; see also Council Directive 2006/24,
arts. 3, 6, 2006 O.J. (L 105) 54 (EC) [hereinafter Data Retention Directive] (on the reten-
tion of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks, and amending
Directive 2002/58/EC).
15 See, e.g., Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] Apr. 4,
2006, 1 Entscheidungen des Bundesverfassungsgericht [BVerfGE] 518/02 (para. 158)
(F.R.G.); Bundesverfassungsgericht [BVerfG] July 14, 1999, 1 BVerfGE 2226/94, 2420/95,
2437/95, 76 (84–85) (F.R.G.).
16 See Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 85–87.
17 See Law No. 78-17 of Jan. 6, 1978, arts. 45–49; Federal Data Protection Act § 24.
18 See, e.g., Council of Europe Convention for the Protection of Individuals with Re-
gard to Automatic Processing of Personal Data, art. 8, Jan. 28, 1981, E.T.S. No. 108 [here-
inafter Council of Europe Convention]; Federal Data Protection Act § 6(1).
19 In Europe, information privacy is known as “data protection.”

Electronic copy available at: http://ssrn.com/abstract=955024

612 Boston College Law Review [Vol. 48:609

the difference, European authorities are prohibited, by law, from shar-

ing intelligence on a routine basis with their American counterparts.20
Only an agreement between Europe and the United States, under
which the United States commits to an equivalent level of data protec-
tion, can overcome the legal barrier to information exchange.21 And to
date, it has been impossible to reach such an agreement.22 Not only has
transatlantic cooperation been stymied, but predictions of regulatory
convergence between Europe and the United States have failed, quite
spectacularly, in this area.23 Conflicts between regulatory systems have
not resulted in convergence, but rather have been resolved through
ordinary territoriality principles: when the territory or resource to
which access is sought is American, American rules prevail; when it is
European, European rules prevail.
The last aim of this comparison is to encourage critical reflection
on American law. When it comes to information privacy, liberty is pro-
tected more in Europe than in the United States. This observation goes
against the grain of recent privacy scholarship: in that view, American
privacy law protects individual liberty against the state while European
privacy law promotes dignity in interpersonal relations.24 But, as this
Article’s analysis demonstrates, privacy law in Europe also protects lib-
erty and, in the context of antiterrorism data mining, does so more
than American law. The difference is even more striking in light of the
near-identical statutes adopted on both sides of the Atlantic in the early
1970s—a single regulatory solution to what, at the time, was considered
to be a common policy problem of protecting individual privacy in the
age of information technology.25 A number of factors have contributed
to this progressive divergence: the absence of an agency committed to
privacy policy in the American regulatory scheme; the rise of executive

20 See infra notes 341–362 and accompanying text; see also Law No. 78-17 of Jan. 6, 1978,
art. 68, J.O. [Official Gazette of France], Aug. 7, 2004, p. 227, amended by Law No. 2004-801
of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23, 2006; Bundesdatenschutzgesetz [Federal
Data Protection Act], May 22, 2001, BGBl. I at 904, § 4b(2) (F.R.G.).
21 See, e.g., Federal Data Protection Act § 4c(2).
22 See infra notes 363–422 and accompanying text.
23 See infra notes 423–429 and accompanying text; see also Gregory Shaffer, Globalization
and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Pri-
vacy Standards, 25 Yale J. Int’l L. 1, 22–38 (2000) (predicting that U.S. privacy standards
would converge with European standards).
24 See infra notes 446–451 and accompanying text; see also James Q. Whitman, The Two
Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151, 1161 (2004).
25 See, e.g., Privacy Act of 1974, 5 U.S.C. § 552a (2000 & Supp. IV. 2004); Law No. 78-17
of Jan. 6, 1978 (enacted in 1978 in France); Federal Data Protection Act (enacted in 1977
in Germany).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 613

power in the United States at the very same time that the power of na-
tional executives in Europe is being checked, more and more, by the
law of multiple Europe-wide political communities; and the influence
of the Nazi experience on contemporary European human rights law.
By expanding the realm of legal possibilities, comparison can serve
as an impetus for legal change at home. Wholesale borrowing from
Europe would be misguided; a full-fledged constitutional right to in-
formation privacy and a cross-cutting law regulating information pri-
vacy in both the private and public sectors would be unlikely to achieve
the desired result of curbing government data mining. Rather, this Ar-
ticle recommends a number of changes to the U.S. Privacy Act of
1974.26 Although the intent of its drafters was to curb information pri-
vacy abuses by government actors across the board, the recent experi-
ence with data-mining programs demonstrates that the original ambi-
tion has been disappointed. Amending the Privacy Act would increase
the transparency of data mining, enhance the public debate on the pri-
vacy costs of government programs, place some fairly modest limits on
the government’s use of personal data, and improve oversight and en-
forcement. The European experience sheds light on what, in the origi-
nal transatlantic regulatory scheme, has worked well and deserves—
once again—to become part of American privacy law.
The rest of this Article is organized as follows. In Part I, the NSA
call database is described in more detail.27 This is followed by an over-
view in Part II of three sets of legal categories that are relevant, albeit in
different permutations, to the analysis on both sides of the Atlantic.28
Part III considers the applicable U.S. constitutional and statutory law
and concludes that the President might very well have lawfully author-
ized the call database.29 Part IV sets out the European law that would
apply to that same data-mining program if conducted by a European
spy agency, and reveals how the program would come into conflict with
the law.30 Finally, Part V explores the consequences of the comparison,
both for transatlantic relations and for understanding American privacy
law.31

26 See 5 U.S.C. § 552a.

27 See infra notes 32–62 and accompanying text.
28 See infra notes 63–83 and accompanying text.
29 See infra notes 84–168 and accompanying text.
30 See infra notes 169–340 and accompanying text.
31 See infra notes 341–529 and accompanying text.
614 Boston College Law Review [Vol. 48:609

I. The NSA Call Records Program

These are the details of the NSA call records program that have
been revealed so far.32 Immediately following the terrorist attacks of
September 11, 2001, the NSA approached the country’s major tele-
communications carriers, asking them to hand over their customers’
calling records and to update those records periodically. The NSA
sought information on all calls made and received: to whom, from
whom, when, and for how long. Customers were identified only by their
phone numbers, not by their names, but a quick search of any public
directory readily matches the phone number with the name. It is uncer-
tain which of the telecommunications companies complied with the re-
quest because of the secrecy of the program. From the newspaper ac-
counts, however, it appears that AT&T, the largest American telecom-
munications company, cooperated, as did Verizon’s subsidiary MCI. If
this is true, the database contains information on tens of millions of
Americans. The NSA has been “mining” the database to identify possi-
ble terrorists.
Databases can be put to many different uses. Most simply, a data-
base can organize large amounts of information so that, at a later time,
that information can be retrieved easily. Statistical software can be ap-
plied to the data in the system. Data mining is probably one of the most
sophisticated, technologically speaking, of the possible uses of data. In
the words of one helpful explanation for nonspecialists:
Many simpler analytical tools utilize a verification-based ap-
proach, where the user develops a hypothesis and then tests
the data to prove or disprove the hypothesis. For example, a
user might hypothesize that a customer who buys a hammer,
will also buy a box of nails. The effectiveness of this approach
can be limited by the creativity of the user to develop various
hypotheses, as well as the structure of the software being used.
In contrast, data mining utilizes a discovery approach, in
which algorithms can be used to examine several multidimen-

32 USA Today has done most of the reporting on this story. The facts recounted here
are drawn largely from USA Today’s original article of May 11, 2006 and its follow-up article
of June 30, 2006. See Cauley, supra note 9; Susan Page, Lawmakers: NSA Database Incomplete,
USA Today, June 30, 2006, at A2. More description of the NSA program can be found in
Terkel v. AT&T Corp., 441 F. Supp. 2d 899 (N.D. Ill. 2006), and Letter from Marc Roten-
berg, Executive Dir., Elec. Privacy Info. Ctr. (“EPIC”), Lillie Coney, Assoc. Dir., EPIC, and
Sherwin Siy, Staff Counsel, EPIC, to Kevin Martin, Chairman, Fed. Commc’ns Comm’n
(May 17, 2006), available at http://www.epic.org/privacy/phone/fcc-letter5-06.html (seek-
ing investigation of telephone companies in connection with disclosures to the NSA).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 615

sional data relationships simultaneously, identifying those that

are unique or frequently represented. For example, a hard-
ware store may compare their customers’ tools purchases with
home ownership, type of automobile driven, age, occupation,
income and/or distance between residence and the store. As
a result of its complex capabilities, two precursors are impor-
tant for a successful data-mining exercise; a clear formulation
of the problem to be solved, and access to the relevant data.33
For the hardware store, the problem is picking out those consumers
likely to buy hammers and nails. For the Department of Health and
Human Services, it is detecting welfare fraud. And, for the NSA, it is
spotting likely terrorists.
Mining the data is only one part of the process. The data must first
be collected, generally from many different databases. It must then be
cleaned, to improve the quality of the data. This can
involve the removal of duplicate records, normalizing the val-
ues used to represent information in the database (e.g., ensur-
ing that “no” is represented as a 0 throughout the database,
and not sometimes as a 0, sometimes as a N, etc.), accounting
for missing data points, removing unneeded date fields, iden-
tifying anomalous data points (e.g., an individual whose age is
shown as 142 years), and standardizing data formats (e.g.,
changing dates so they all include MM/DD/YYYY).34
Care must be taken to render different databases and data-mining soft-
ware interoperable. Only then can data mining be expected to gener-
ate valid results.35
How the call records are being mined by the NSA is unclear. Ac-
cording to some reports, only calls involving known or suspected Al
Qaeda affiliates are targeted.36 By analyzing suspected terrorists’ call
records, the NSA can gain insight into their activities, learn of possi-
ble terrorist plots, and identify other individuals who might be col-
laborating with Al Qaeda. The possibility, however, that more general
criteria are being used to mine the data has not been ruled out. For
instance, the NSA might analyze phone numbers with calls to or from

33 Jeffrey W. Seifert, Cong. Research Serv., Data Mining and Homeland Secu-
rity: An Overview 2 (2006).
34 Id. at 17.
35 Id. at 2, 17–18.
36 See Page, supra note 32.
616 Boston College Law Review [Vol. 48:609

the Middle East and located in geographic areas known to be Muslim

communities.
What happens afterwards with the phone numbers identified as
likely terrorist numbers is also unclear. One possibility is that the in-
formation is used by the NSA or other government agencies to under-
take more intrusive surveillance, for instance, eavesdropping on phone
lines. Another possibility is that the pool of suspects is further narrowed
by matching the suspicious phone numbers with other records such as
credit card histories, financial information, and airline passenger re-
cords. Given the secretive nature of the database, these are, at best, in-
formed guesses; the NSA’s data-mining methods are unlikely to be re-
vealed anytime soon.
The NSA call records database is just one of many antiterrorism
data-mining initiatives that have come to light since September 11.37
The most notorious is “Total Information Awareness,” later renamed
“Terrorism Information Awareness” in response to public criticism and
ultimately defunded by Congress.38 The goal of Total Information
Awareness was to combine all electronic information available on indi-
viduals—like Internet purchases, airline passenger data, and driver re-
cords—to single out terrorism suspects.39 Others include the Computer-
Assisted Passenger Prescreening System (“CAPPS II”), now called Secure
Flight, designed to match airline passenger records with other data to
stop likely terrorists from boarding airplanes;40 the Multistate Antiter-
rorism Information Exchange (“MATRIX”) Pilot Project, which seeks to
combine information from a variety of databases, including state law
enforcement records, to assist with criminal investigations;41 and the
Department of the Treasury’s acquisition, for data-mining purposes, of
all records on international money transfers held by the Society for
Worldwide Interbank Financial Telecommunication (“SWIFT”).42 In the
interest of brevity and clarity, the comparative legal analysis in this Arti-
cle focuses on a call records program undertaken by a spy agency. But
the analysis is also relevant to the many other antiterrorism data-mining
programs that have surfaced in the past couple of years. To be sure, the

37 See Seifert, supra note 33, at 5–17.

38 Daniel J. Solove, Marc Rotenberg & Paul M. Schwartz, Information Privacy
Law 604 (2d ed. 2006).
39 See id. at 604–05.
40 See Seifert, supra note 33, at 7–11.
41 See id. at 11–15.
42 Eric Lichtblau & James Risen, Bank Data Sifted in Secret by U.S. to Block Terror, N.Y.
Times, June 23, 2006, at A1.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 617

statutory and constitutional specifics differ, especially in the United

States, but the fundamental principles of the two legal systems and their
points of contrast remain the same.
Based on what legal authority did the NSA embark on its data-
mining mission? The agency was created by a secret executive memo-
randum in 1952.43 It was to be the sole foreign intelligence agency re-
sponsible for intercepting communications, what is generally called sig-
nals intelligence in contrast to human intelligence.44 The NSA was also
placed under the organizational umbrella of the Department of De-
fense.45 In the years since 1952, the NSA has become a critical element
of the intelligence community. It has extraordinarily powerful and so-
phisticated computing facilities, with the capacity to intercept and ana-
lyze any type of communication, anywhere in the world.46 The NSA is
the agency responsible for some of today’s most notorious spy programs:
ECHELON,47 warrantless wiretapping of international phone calls,48
and, of course, the call database.
Originally, the NSA was exempted from all regulation curbing the
government’s intelligence activities.49 In the aftermath of Watergate,
however, Congress enacted legislation specifically targeted at the NSA’s
intelligence gathering—the Foreign Intelligence Surveillance Act of
1978 (“FISA”).50 Later, in Executive Order 12,888, President Reagan set
down surveillance guidelines for the entire intelligence community,

43 Patrick Radden Keefe, Chatter: Dispatches from the Secret World of Global
Eavesdropping 7 (2005). The NSA’s original mandate was considerably elaborated and ex-
tended in Executive Order 12,333, promulgated by President Reagan in 1981. See Exec. Or-
der No. 12,333, 46 Fed. Reg. 59,941, pt. 1.12(b) (Dec. 4, 1981). Although Congress has never
enacted a specific enabling statute for the agency, it has acknowledged the agency through
appropriations legislation and laws directed at the NSA. See National Security Agency Act of
1959, Pub. L. No. 86-36, 73 Stat. 63 (codified at 50 U.S.C. § 402 note (2000)); see also Peter E.
Quint, The Separation of Powers Under Carter, 62 Tex. L. Rev. 785, 875 n.478 (1984).
44 See Robert N. Davis, Striking the Balance: National Security vs. Civil Liberties, 29 Brook.
J. Int’l L. 175, 181 (2003).
45 See id.
46 See Keefe, supra note 43, at 8.
47 Lawrence D. Sloan, ECHELON and the Legal Restraints on Signals Intelligence: A Need for
Reevaluation, 50 Duke L.J. 1467, 1471 (2001).
48 See generally David Cole & Martin S. Lederman, The National Security Agency’s Spying
Program: Framing the Debate, 81 Ind. L.J. 1355 (2006).
49 See Davis, supra note 44, at 180–95; Michael V. Hayden, Balancing Security and Liberty:
The Challenge of Sharing Foreign Signals Intelligence, 19 Notre Dame J.L. Ethics & Pub. Pol’y
247, 251, 254–57 (2005) (describing the principal statutes and executive orders applicable
to the NSA).
50 Pub. L. No. 95-511, 92 Stat. 1783 (codified as amended in scattered sections of 50
U.S.C.).
618 Boston College Law Review [Vol. 48:609

including the NSA.51 Some of these restrictions are explored below. As

this Article shows, however, they are largely ineffective against collec-
tion and use of personal data that do not entail the interception of wire
or electronic communications.
As for the call records program, it was most likely authorized by a
secret presidential directive. The President has not yet spelled out the
legal grounds for the directive, but they are likely to be similar to those
advanced in support of the warrantless wiretapping program uncovered
in December 2005.52 In a white paper submitted to Congress, the ad-
ministration made two legal arguments in support of warrantless wire-
tapping: it was a lawful exercise of the President’s constitutional powers
under Article II of the U.S. Constitution and it was authorized by the
Authorization for Use of Military Force (the “AUMF”), enacted by
Congress in the immediate aftermath of September 11.53 According to
the administration, the President’s constitutional duty to serve as
Commander-in-Chief of the Armed Forces and to prevent armed at-
tacks against the nation includes the power to conduct warrantless sur-
veillance within the United States for foreign intelligence purposes.54 In
the AUMF, Congress authorized the President “to use all necessary and
appropriate force against those nations, organizations, or persons he
determines planned, authorized, committed, or aided the terrorists
attacks” of September 11 to prevent “any future acts of international
terrorism against the United States.”55 The administration maintains
that Congress intended for the statute to cover not only conventional
military operations but also domestic electronic surveillance: such activ-
ity is necessary to identify the enemy and to foil future terrorist at-
tacks.56 Both of these arguments can also be made in support of the call

51 See Exec. Order No. 12,333, 46 Fed. Reg. 59,941, pt. 1.12(b) (Dec. 4, 1981).
52 In July 2006, Michael Hayden, Director of the NSA at the time that the call database
was created, was confirmed by the Senate for the position of Director of the CIA. In his
confirmation hearings, he was asked about the legality of the call database. Hearing of the S.
Select Comm. on Intelligence on the Nomination of General Michael V. Hayden to Be the Director of
the Central Intelligence Agency, 109th Cong. 35 (2006) (statements of Sen. Carl Levin and
Gen. Michael Hayden). Hayden said that the program was vetted by the NSA’s General
Counsel and the Inspector General, and that both had said that the program was within
the President’s Article II powers. See id. at 35, 53. Hayden, however, did not recollect any
discussion of the AUMF. See id. at 25.
53 See generally U.S. Dep’t of Justice, Legal Authorities Supporting the Activi-
ties of the National Security Agency Described by the President (2006), reprinted
in Cole & Lederman, supra note 48, at 1374.
54 Id. at 1380.
55 AUMF, Pub. L. No. 107-40, 115 Stat. 224 (2001).
56 U.S. Dep’t of Justice, supra note 53, at 1384–85.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 619

database: by ordering the creation of the call database, the President

furthered his constitutional duty to protect national security and took
the steps necessary to prevent “any future acts of international terror-
ism,” as instructed by Congress in the AUMF.57
Since the discovery of the call records program, a number of law-
suits have been filed in federal court against the telecommunications
providers and the government.58 In addition, complaints against the
providers have been filed with telecommunications regulators in over
twenty states.59 The telecommunications companies and the govern-
ment, however, have already successfully defended two of these cases by
invoking the state secrets privilege.60 This privilege protects informa-
tion related to national security from disclosure because of the possible
harm to national defense and to the success of future intelligence-
gathering operations.61 In the two cases in which the courts have found
in favor of the privilege, the plaintiffs’ claims had to be dismissed be-
cause, without court-ordered discovery, it would be impossible for them
to prove any of their claims.62 Thus, it might very well be that, as a re-
sult of the state secrets privilege, the lawfulness of the call records pro-
gram will never be decided by the courts.

II. Some Initial Transatlantic Comparisons

How convincing is the President’s legal defense of the NSA call
database? As we shall see, plausible. But before launching into a de-
tailed discussion of the legal framework, a few distinctions, important
to the analysis on both sides of the Atlantic, should be borne in mind.
The first is the difference between the content of communications
and the incidents of communications. Incidents of communications
include facts such as who was called, when, and for how long. This is
significant for examining the government’s interference with privacy in
the United States, but considerably less so in Europe. In the United
States, the content of, say, a telephone call or an email message is ex-

57 See AUMF § 2.
58 See generally In re Nat’l Sec. Agency Telecomms. Records Litig., 444 F. Supp. 2d 1332
( J.P.M.L. 2006).
59 See ACLU, Formal Complaint and Request for Investigation of AT&T and Verizon at
3, Filed with Michigan Public Service Commission, July 26, 2006, available at http://www.
aclumich.org/pdf/publicserviceletter.pdf.
60 See Terkel, 441 F. Supp. 2d at 917; ACLU v. NSA, 438 F. Supp. 2d 754, 765–66 (E.D.
Mich. 2006).
61 See Terkel, 441 F. Supp. 2d at 908; ACLU, 438 F. Supp. 2d at 759.
62 See Terkel, 441 F. Supp. 2d at 917–18; ACLU, 438 F. Supp. 2d at 765.
620 Boston College Law Review [Vol. 48:609

tensively protected under constitutional and statutory law, but the inci-
dents are not, especially when gathered after the communication has
occurred.63 In Europe, the collection of both types of data is consid-
ered an interference with the fundamental right to privacy.64 Even in
Europe, however, government surveillance is generally considered
more intrusive in the case of content data and therefore more difficult
to justify in the face of a legal challenge.65
The second distinction is the one drawn between communications
data and all types of personal data. Because letters, phone conversa-
tions, emails, and other types of communications are believed to be
more revealing of one’s self than a decision to purchase a book on the
Internet, for example, the government’s ability to obtain the former
kind of personal data is covered by separate, more stringent regulation
on both sides of the Atlantic.66 Where Europe and the United States
part ways is on their treatment of “all types of personal data.”67 With
respect to personal data processing by government actors, the U.S. le-
gal framework is far less demanding than the European one.68 As for
the private sector, an all-encompassing category for “all types of per-
sonal data” does not exist in the United States. Rather, uses of specific
types of personal data are regulated, including health information,
video store records, financial information, and so on.69 By contrast, in
European law, all personal data processing is treated as potentially
problematic, even when undertaken by private actors.70
The last important distinction regards not the type of personal
data collected, but the government purposes for which it is collected.
The law in both the United States and Europe treats information gath-
ering for purposes of law enforcement differently from information

63 See Smith v. Maryland, 442 U.S. 735, 742 (1979).

64 See Council of Europe Convention, supra note 18, art. 2(a).
65 See id. art. 6.
66 See, e.g., Grundgesetz [GG] [Constitution] art. 10 (F.R.G.) (stating that “[t]he con-
fidentiality of letters, as well as the confidentiality of post and telecommunications is invio-
lable”); Wiretap Act, 18 U.S.C.A. §§ 2510–2522 (West 2000 & Supp. 2006).
67 See Council of Europe Convention, supra note 18, art. 2(a) (defining “personal data”
as “any information relating to an identified or identifiable individual”).
68 See 5 U.S.C. § 552a (2000 & Supp. IV 2004) (regulating the collection and use of
personal information by government actors).
69 The government’s use of many of these same types of personal data is also afforded
special regulatory treatment. See, e.g., Fair Credit Report Act, 15 U.S.C. § 1681 (2000 &
Supp. III 2003); Right to Financial Privacy Act, 29 U.S.C. §§ 3401–3422 (2000 & Supp. III
2003).
70 See Council of Europe Convention, supra note 18, art. 3.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 621

gathering for purposes of protecting national security.71 The former is

regulated more stringently than the latter because of the different aims
and consequences of the two types of government activities.72 Criminal
investigations are relatively narrow in scope—their focus is a specific
past or imminent future event. By contrast, agencies charged with pro-
tecting national security must monitor a wide, inchoate range of indi-
viduals and activities that might, sometime in the future, threaten the
well-being of the population. Furthermore, the purpose of a criminal
investigation is to prosecute and convict individuals, with draconian
consequences for their life and liberty interests. By contrast, criminal
prosecutions are tangential to what national security agencies do. They
do not have arrest powers, but instead must refer cases to the police if a
plot is so far advanced that arrest and prosecution are warranted.73 The
mission of such agencies is to thwart the most dangerous types of
threats—often turning a blind eye to routine crime—and to do so us-
ing a variety of tactics.74 The targets of national security surveillance,
therefore, are not as likely to be detained and imprisoned as are those
of police investigations. Their rights are clearly compromised, but not
as directly as with criminal investigations.
Again, Europe and the United States differ as to how they further
parse the categories. On the national security side, European legal sys-
tems are designed to ward off two types of threats: domestic and for-
eign. One agency is responsible for gathering intelligence abroad on
threats posed by foreign governments—in the old days, the Soviet Un-
ion. Another agency is charged with gathering intelligence at home, on
activities sponsored by foreign powers (counter-intelligence) as well as
on home-grown security threats.75 In the past, those home-grown

71 See Richard A. Posner, Preventing Surprise Attacks: Intelligence Reform in

the Wake of 9/11, at 163–97 (2006) (discussing methods of organizing intelligence in
different countries).
72 See id. at 173–75 (describing difference between law enforcement and national secu-
rity functions).
73 See id. at 170 (discussing the role of MI5 agents in England).
74 See id. at 174 (characterizing intelligence as “threat—rather than case—oriented” as
compared to criminal investigations).
75 In Germany, there are two main sets of national security agencies: the Office for the
Protection of the Constitution (Bundesamt für Verfassungsschutz or “BfV”) and the BfV’s
counterparts at the Land (state) level, responsible for domestic intelligence; and the Fed-
eral Intelligence Service (Bundesnachrichtendienst or “BND”), responsible for foreign intel-
ligence. See Shlomo Shpiro, Parliamentary and Administrative Reforms in the Control of Intelli-
gence Services in the European Union, 4 Colum. J. Eur. L. 545, 550–51 (1998); see also Fran-
çois Thuillier, L’Europe du Secret: Mythes et Réalité du Reseignement Politique
Interne 18 (2000). The structure of the security services in France is even more compli-
cated. Intelligence on home-grown security threats is handled by a department of the Na-
622 Boston College Law Review [Vol. 48:609

threats came from extremist and separatist terrorist groups like the
Bader Meinhof and the Irish Republican Army; today, they include
radical-Islam terrorist cells. Both sets of agencies operate under far less
cumbersome procedural guidelines than do the police. Oversight is
generally entrusted not to the judiciary but to the legislative and execu-
tive branches. Specifically, both sets of agencies are covered by the
more permissive surveillance regimes discussed in Part IV on European
law—permissive, that is, compared to police surveillance for purposes
of criminal prosecutions.76
By contrast, in the United States, national security is perceived
mostly as security from foreign powers abroad, not from internal
threats, and especially not from home-grown internal threats. On the
bureaucratic level, there are no domestic counterparts to the country’s
foreign intelligence agencies—the Central Intelligence Agency (the
“CIA”) for human intelligence and the NSA for signals intelligence.
The Federal Bureau of Investigation (the “FBI”) is charged with both
criminal investigations of violations of federal law and domestic intelli-
gence operations.77 Those domestic operations, moreover, are directed
against activities sponsored by foreign governments or groups, not by
domestic ones. The rules for national security surveillance, set down in
FISA, are largely responsible for this institutional state of affairs.78 As
the name suggests, the statute applies only when the government seeks
to obtain foreign—not domestic—intelligence within the United States:
its rules are triggered when the target of the investigation is a “foreign
power” or an “agent of a foreign power.”79
In fact, until recently, the FBI’s paradigm for both domestic intelli-
gence operations and criminal investigations has been a more rights-
abiding law enforcement model, not a national security model.80 This is

tional Police, the Direction Centrale des Renseignements Généraux (“DCRG”). There is also an
antiterrorist section of the National Police: the Division Nationale Anti-Terroriste (“DNAT”).
It is responsible for investigating and preventing all terrorist activities in France. Domestic
intelligence on security threats encouraged by foreign powers is handled by the Direction de
la Surveillance du Territoire (“DST”). See Thuillier, supra, at 112–13. The Direction Générale
de la Securité Extérieure (“DGSE”) is France’s classic spy agency, responsible for gathering
signals and human intelligence outside France. See id. at 185.
76 See infra notes 169–340 and accompanying text.
77 See Posner, supra note 71, at 176 (discussing the hybrid nature of the FBI).
78 See FISA, Pub. L. No. 95-511, 92 Stat. 1783 (codified at 50 U.S.C.A. §§ 1801–1811,
1821–1829, 1841–1846, 1861–1862 (West 2003 & Supp. 2006)).
79 50 U.S.C. § 1804(a).
80 See Jacqueline Ross, The Place of Covert Surveillance in Democratic Societies: A Comparative
Study of the United States and Germany 35–36 (SSRN, Working Paper No. 909010, 2006),
available at http://ssrn.com/abstract=909010.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 623

the product of the organizational culture that developed in the 1970s

in response to congressional investigations into the FBI’s secret surveil-
lance of civil rights leaders and other political activists.81 As Jacqueline
Ross explains, under the FBI guidelines crafted in the 1970s for domes-
tic security investigations
the FBI [was] to restrict domestic intelligence operations to
the investigation of individuals or groups who not only violate
civil rights or seek to interfere with or overthrow the govern-
ment, but who do so through activities that “involve or will in-
volve the violation of federal law” as well as “the use of force
or violence.” Thus the standard for proper covert operations
in the intelligence arena became the criminal standard— re-
quiring some indication that criminal offenses were in the off-
ing.82
Compared to Europe, more government investigations are regulated as
policing than as defending against national security threats. This is true
even today, notwithstanding all the revisions that have been made since
September 11 to the FBI guidelines and FISA.83
The Nixon-era reluctance to allow national security operations to
be directed against primarily domestic conspiracies also makes sense of
a fundamental anomaly, as seen at least in European eyes, of the NSA
call database: why is a program involving primarily individuals within
the United States being handled by an agency created to gather foreign
signals intelligence? Most of the calls, even the suspicious ones, involve
individuals living in the United States whose formal ties to the United
States are likely to be at least as strong as, if not stronger than, their ties
to a foreign organization. In other words, the threat that one might
hope to discover with such data mining is as likely to be a threat com-
ing from fundamentalist Islamic groups established inside the country,
as from Al Qaeda operatives abroad. The answer to this puzzle is that
the architecture of the legal system does not fully contemplate such
investigations. In a place with one or more domestic security agencies,
like Germany, France, or the United Kingdom, such a program would
be handled by one of those bodies. But in the United States, the NSA
was the only viable institutional candidate.

81 See id.
82 Id. at 37.
83 Id. at 38. For a description of the changes to FISA made by the USA PATRIOT Act
and the reauthorization of the USA PATRIOT Act, see Solove, Rotenberg & Schwartz,
supra note 38, at 288–309.
624 Boston College Law Review [Vol. 48:609

III. The United States: Legal Plausibility

Now for a detailed consideration of the law on the American side
of the Atlantic. The law regulating data privacy is both constitutional
and statutory. One statute in particular, the Privacy Act of 1974, re-
quires close scrutiny.

A. U.S. Constitutional Law

The Fourth Amendment of the U.S. Constitution, generally the
first line of defense against intrusive surveillance, does not apply in
cases like the NSA call database.84 Under the U.S. Supreme Court’s case
law, a person must have a reasonable expectation of privacy before the
Fourth Amendment’s prohibition on unreasonable searches and sei-
zures and the related warrant requirement will apply.85 In 1967, in Katz
v. United States, the Court held that individuals have a reasonable expec-
tation of privacy in the content of their telephone conversations.86 But
over a decade later, in Smith v. Maryland, the Court held that individuals
do not have a reasonable expectation of privacy in the numbers dialed
from their telephones.87 Why? According to the Court, individuals
know that the numbers dialed from their lines can be recorded by their
providers and that, indeed, these numbers are routinely recorded for
legitimate business purposes such as billing.88 Because callers know of
this exposure to third parties, the Court reasoned, they cannot expect
their dialing information to remain secret.89 In making telephone calls
and doing business with telephone companies, subscribers “assume the
risk” that their records will be exposed to others, including the police.90
This case law is the source of the distinction between content and
incidental, or “envelope,” communications data.91 What is written in a
letter—today, an email—and what is said in a telephone conversation
are considered private. Warrantless government intrusions are believed

84 See U.S. Const. amend. IV.

85 Katz v. United States, 389 U.S. 347, 351–52 (1967).
86 Id. at 352.
87 442 U.S. 735, 742 (1979).
88 Id.
89 Id.
90 Id. at 744. The assumption of the risk rationale was first used by the Supreme Court
to deny Fourth Amendment protection to customer account information held by banks.
See generally United States v. Miller, 425 U.S. 435 (1976).
91 See Orin S. Kerr, Internet Surveillance Law After the USA PATRIOT Act: The Big Brother
That Isn’t, 97 Nw. U. L. Rev. 607, 611 (2003); Daniel J. Solove, Reconstructing Electronic Sur-
veillance Law, 72 Geo. Wash. L. Rev. 1264, 1286 (2004).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 625

to be obnoxious. By contrast, individuals cannot claim a privacy interest

in those identifiers that are necessary for the communication to oc-
cur—the mailing address, the routing information, and the telephone
numbers. That information is too “prosaic” for a constitutional privacy
right to attach.92 Because the call records collected by the NSA fall into
the noncontent category, they are not covered by the Fourth Amend-
ment.
Nor would such information be protected under the Supreme
Court’s substantive due process doctrine. The Supreme Court has long
recognized that certain types of personal decisions are constitutionally
protected from government interference, as part of the right to “lib-
erty,” even though they are not specifically listed in the Bill of Rights.
The most notorious of these personal decisions, of course, is abortion.93
In 1977, in Whalen v. Roe, the Court suggested that personal infor-
mation might also be constitutionally protected as a liberty interest.94
The Court considered a challenge to a New York statute requiring phy-
sicians to report to the state Department of Health all prescriptions
written for drugs with both medical and recreational uses—drugs like
opium, cocaine, and marijuana.95 The Court rejected the challenge,
but not before elaborating on the harm that disclosure of such medical
information might cause patients and reviewing the various safeguards
in place to prevent disclosure except when necessary to stop illegal
drug abuse.96 Since Whalen, however, the Supreme Court has been si-
lent on the so-called “constitutional right to information privacy” and
the federal circuits have come down differently on the very existence,
as well as the contours, of the right.97 Even setting aside this uncer-
tainty, information on one’s phone calls would most likely not count as
part of such a right. The Fourth Amendment case law on the lack of a
reasonable expectation of privacy is especially damning on this point.98
In sum, even if there were an established right to information privacy, it
is highly unlikely that call data would be covered by the right, and, even
if it were covered, it is unlikely that the security measures in place to
protect against unwarranted disclosures were so deficient as to render
the NSA database unconstitutional.

92 Smith, 442 U.S. at 748 (Stewart, J., dissenting).

93 See Planned Parenthood of Se. Pa. v. Casey, 508 U.S. 833, 847 (1992).
94 429 U.S. 589, 597 (1977).
95 Id. at 592–96.
96 Id. at 593–95.
97 See Solove, Rotenberg & Schwartz, supra note 38, at 400–02.
98 See Smith, 442 U.S. at 742.
626 Boston College Law Review [Vol. 48:609

B. U.S. Statutory Law

Some of the lacunae in the Supreme Court’s case law have been
filled by legislative enactments. Even though, therefore, the incidents
of communications are not constitutionally shielded from government
scrutiny, they do receive some protection under statute—albeit less pro-
tection than afforded the contents of communications.
Surveillance conducted for law enforcement is regulated sepa-
rately from surveillance conducted to protect national security against
foreign powers.99 The Electronic Communications Privacy Act (the
“ECPA”) of 1986 covers the former, and FISA the latter.100 Both have
been amended significantly since their original enactment, most re-
cently by the USA PATRIOT Act.101 The ECPA consists of three separate
acts: the Wiretap Act applies to the interception of the contents of
communications like telephone calls and emails, as the communication
is occurring;102 the Stored Communications Act applies to communica-
tions in electronic storage—for instance, an email on a server—as well
as customer records held by telephone companies and Internet service
providers;103 and the Pen Register Act applies to the installation of de-
vices that capture information on outgoing calls (pen registers) and
incoming calls (trap-and-trace devices), as well as the use of “processes”
that capture similar information on Internet users.104 The type of sur-
veillance contemplated by FISA parallels to some extent the ECPA’s
scheme: the interception of communications105 and the installation of
pen registers and trap-and-trace devices, as well as their Internet equiva-
lents.106 FISA also sets down standards for a number of other types of
information gathering, including physical searches of premises107 and
access to physical records like library borrower lists.108

99 For an overview of the electronic surveillance law discussed in this section, see So-
love, Rotenberg & Schwartz, supra note 38, at 267–97.
100 18 U.S.C. § 2510 (2000 & Supp. III 2003); FISA, 50 U.S.C.A. §§ 1801–1811, 1821–
1829, 1841–1846, 1861–1862 (West 2003 & Supp. 2006).
101 The USA PATRIOT Act was passed in 2001 and recently reauthorized with amend-
ments. See Pub. L. No. 107-56, 115 Stat. 272 (2001) (amended by USA PATRIOT Improve-
ment and Reauthorization Act of 2005, Pub. L. No. 109-177, 120 Stat. 192 (Mar. 9, 2006)).
102 18 U.S.C.A. §§ 2510–2522 (West 2000 & Supp. 2006).
103 18 U.S.C. §§ 2701–2711 (2000, Supp. III 2003 & Supp. IV 2004).
104 18 U.S.C. §§ 3121–3127 (2000, Supp. III 2003 & Supp. IV 2004).
105 50 U.S.C. §§ 1801–1811. See generally Peter P. Swire, The System of Foreign Intelligence
Surveillance Law, 72 Geo. Wash. L. Rev. 1306, 1322–29 (2004).
106 50 U.S.C.A. §§ 1841–1846 (West 2003 & Supp. 2006).
107 Id. §§ 1821–1829.
108 Id. §§ 1861–1862.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 627

Collecting call data, quite obviously, is different from the intercep-

tion of the contents of a communication, either in transmission or in
storage.109 Neither did the NSA install pen registers and trap-and-trace
devices on individual phone lines to obtain the call data. The NSA used
a far more efficient method: it piggy-backed off telecommunications
providers, requesting that information already gathered in the course
of routine business operations be transferred to the government.110
Hence, the one piece of federal electronic surveillance law that does
apply, squarely, to the kind of data involved in the NSA program is that
part of the Stored Communications Act on customer records.111
The Stored Communications Act bans companies from disclosing
customer records to the government,112 but then creates a number of
exceptions to that ban.113 If the government obtains a warrant, a court
order, or for certain categories of customer information, a specific type
of administrative subpoena, then disclosure is permitted.114 The war-
rant and court order procedures must be used for ordinary criminal
investigations, whereas the speedier administrative process may be used
“in an authorized investigation to protect against international terror-
ism or clandestine intelligence activities.”115 This type of administrative
subpoena is known as a National Security Letter.116 If the Director of
the FBI or his designee certifies that the customer records are being

109 The following discussion was informed by blog commentary by three experts on
surveillance law. See OrinKerr.com, http://www.orinkerr.com (May 12, 2006, 03:30 EST);
Posting of Peter Swire & Judd Legum to Think Progress, http://thinkprogress.org/2006/
05/page/6 (May 11, 2006, 18:25 EST).
110 See Cauley, supra note 9; Page, supra note 32.
111 See Stored Communications Act, 18 U.S.C.A. § 2702 (West 2000 & Supp. 2006); see
also Communications Act, 47 U.S.C. § 222 (2000) (requiring telecommunications carriers
to keep their customer information confidential). The duty of confidentiality, however, is
subject to any disclosures required by law and therefore the analysis is similar to that under
the Stored Communications Act.
112 See 18 U.S.C. § 2702(a)(3) (2000 & Supp. III 2003). The lawyers for the NSA might
quibble that the NSA did not obtain information on a “subscriber to or customer of [an
electronic communication] service,” 18 U.S.C.A. § 2703(c)(1)–(2) (West 2000 & Supp.
2006), because it only obtained data on phone numbers, without the names of the cus-
tomers using those phone numbers. But the NSA request certainly comes within the spirit
of the statute, given that the name of a subscriber can easily be identified based on her
phone number and that the intent of the Act is to protect customer privacy.
113 See 18 U.S.C. § 2702(c).
114 See id. §§ 2702(c)(1), 2703(c)(1)–(2). The scheme for government access to finan-
cial records and credit reports is quite similar.
115 Id. § 2709(b). This is the standard for federal administrative subpoenas. The statute,
however, also contemplates administrative subpoenas issued by state entities and governed
by state law. See 18 U.S.C.A. § 2703(c)–(d).
116 Solove, Rotenberg & Schwartz, supra note 38, at 728–29.
628 Boston College Law Review [Vol. 48:609

requested for an investigation “to protect against international terror-

ism or clandestine intelligence activities,” the telecommunications pro-
vider must hand over the information.117 Government access to cus-
tomer data, therefore, replicates the more general, two-track approach
to surveillance—one track for law enforcement, the other for national
security. Yet even though the call data was requested by the NSA for
national security purposes, administrative subpoenas were not used. At
first blush, therefore, it appears that the NSA, along with the telecom-
munications providers that collaborated with the NSA, violated the
Stored Communications Act.118
What would be the consequences of such a violation? As it turns
out, they are fairly paltry as compared to those for other types of viola-
tions, such as illegal wiretapping or illegal access to stored communica-
tions. There are no criminal penalties for breaching the customer data
provisions.119 Against the telecommunications providers, individuals
have a civil right of action for injunctive relief and damages, set at a
statutory minimum of $1000 per individual.120 Against the government,
there is a right of action for money damages, set at a minimum of
$10,000 per person.121
Why, though, is this a violation only at first blush? Because the le-
gal analysis must take into account the President’s inherent constitu-
tional power, under Article II, to authorize the call database.122 And, as
with the constitutional case law, the different treatment of the content
of communications and the incidents of communications, in this case
customer records, is critical: the legislative scheme is comprehensive
with respect to the former, patchy on the latter. The President’s au-
thorization, therefore, might very well save the NSA program.
On this aspect of the legal analysis, it is useful to consider another
NSA surveillance program—the warrantless wiretapping of telephone
calls between individuals in the United States and individuals abroad. A

117 18 U.S.C. § 2709(b).

118 The other circumstances under which a communications provider may lawfully dis-
close customer records are set out in 18 U.S.C.A. § 2702(c)(2)–(6) (West 2000 & Supp.
2006). From the information available in the media, it does not appear that the actions of
the telecommunications providers would be covered by any of these provisions. As for the
government, the statute contemplates two other means of obtaining the customer data, see
id. § 2703(c)(1)(C)–(D), neither of which is relevant here.
119 18 U.S.C. § 2701 (2000 & Supp. III 2003) (defining an offense as “access to a wire
or electronic communication while it is in electronic storage”).
120 Id. § 2707.
121 Id. § 2712.
122 See U.S. Const. art. II.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 629

group of legal scholars has mounted a forceful argument against this

program.123 They claim, for good reason, that the warrantless wiretap-
ping program is illegal.124 Their argument rests on Congress’s compre-
hensive regulation of content-based surveillance in the ECPA and
FISA—both of which require a warrant.125 The argument: Because
these statutes, by their express terms, cover the entire universe of gov-
ernment wiretapping, the President has no other legal avenue for au-
thorizing such wiretapping.126 He cannot rely on Congress’s later-in-
time AUMF because nothing in the broad, vague language of that stat-
ute suggests that Congress intended to override the explicit terms of
the earlier surveillance statutes.127 Neither can the President rely on his
Article II powers.128 According to Justice Jackson’s classic tripartite
scheme of presidential powers in Youngstown Tube & Sheet Co. v. Sawyer,
the President’s authority to act turns, in large measure, on whether
Congress has acted.129 In Justice Jackson’s famous words:
1. When the President acts pursuant to an express or implied
authorization of Congress, his authority is at its maximum, for
it includes all that he possesses in his own right plus all that
Congress can delegate. . . .

123 See generally Letter from Scholars and Former Government Officials to Congres-
sional Leadership in Response to Justice Department Letter of July 10, 2006 ( July 14,
2006) [hereinafter July 14, 2006 Letter], available at http://www.law.duke.edu/publiclaw/
pdf/lettertocongress7-14.pdf; Letter from Scholars and Former Government Officials to
Congressional Leadership in Response to Justice Department Whitepaper of January 19,
2006 (Feb. 2, 2006), reprinted in 85 Ind. L.J. 1415 (2006) [hereinafter Feb. 2, 2006 Letter];
Letter from Scholars and Former Government Officials to Congressional Leadership in
Response to Justice Department Letter of December 22, 2005 ( Jan. 9, 2006), reprinted in 85
Ind. L.J. 1364 (2006) [hereinafter Jan. 9, 2006 Letter].
124 Indeed, the first federal court to decide the issue has held the program to be ille-
gal. See ACLU v. NSA, 438 F. Supp. 2d 754, 782 (E.D. Mich. 2006).
125 See, e.g., Feb. 2, 2006 Letter, supra note 123, at 1415; Jan. 9, 2006 Letter, supra note
123, at 1364; see also 18 U.S.C.A. §§ 2510–2522, 2701–2711, 3121–3127 (West 2000 & Supp.
2006); 50 U.S.C.A. §§ 1801–1811, 1821–1829, 1841–1846, 1861–1862 (West 2003 & Supp.
2006).
126 See 18 U.S.C. § 2511(2)(f) (2000) (“Procedures in this chapter [Wiretap Act] or
chapter 121 [Stored Communications Act] and [FISA] shall be the exclusive means by
which electronic surveillance, as defined in section 101 of such Act, and the interception
of domestic wire, oral, and electronic communications may be conducted.”). The defini-
tion of both “electronic surveillance” and “interception of . . . communications” turns on
access to the content of the communication.
127 See Hamdan v. Rumsfeld, 126 S. Ct. 2749, 2775 (2006). In Hamdan, the Supreme
Court held that the AUMF could not be construed as overriding the Uniform Code of
Military Justice’s requirements for military commissions. Id.
128 July 14, 2006 Letter, supra note 123, at 4.
129 343 U.S. 579, 635–38 (1952) ( Jackson, J., concurring).
630 Boston College Law Review [Vol. 48:609

2. When the President acts in absence of either a congres-

sional grant or denial of authority, he can only rely upon his
own independent powers, but there is a zone of twilight in
which he and Congress may have concurrent authority, or in
which its distribution is uncertain. . . .
3. When the President takes measures incompatible with the
expressed or implied will of Congress, his power is at its lowest
ebb, for then he can rely only upon his own constitutional
powers minus any constitutional powers of Congress over the
matter. Courts can sustain exclusive Presidential control in
such a case only by disabling the Congress from acting upon
the subject. Presidential claim to a power at once so conclu-
sive and preclusive must be scrutinized with caution, for what
is at stake is the equilibrium established by our constitutional
system.130
Thus, in light of Congress’s express instruction to the government
to obtain a warrant—from an ordinary court in the case of criminal
investigations and from the FISA court in the case of foreign intelli-
gence—the President is at the “lowest ebb” of his powers in authorizing
the warrantless surveillance program.131 To save the program, he must
show that Congress exceeded its constitutional powers, an uphill battle,
indeed, in view of Congress’s repeated and long-standing regulation of
wire communications among states and between the United States and
foreign nations under the Commerce Clause.132 The President must
also convince the Supreme Court that his national security and foreign
relations powers extend to activities at the core of the Fourth Amend-
ment—telephone conversations conducted by Americans in the privacy
of their homes.133
Justice Jackson’s analytic framework can also be applied to the
NSA call records program. With this program, the administration is on
firmer ground because of the different statutory and constitutional
treatment of call records.134 Although Congress has comprehensively
regulated the various circumstances under which the government can

130 Id.
131 See July 14, 2006 Letter, supra note 123, at 4, 8; see also Youngstown, 343 U.S. at 637–
38.
132 See July 14, 2006 Letter, supra note 123, at 6–7 (explaining Congress’s authority to
enact statutes dealing with wire and electronic communications systems).
133 See Feb. 2, 2006 Letter, supra note 123, at 1422–23; Jan. 9, 2006 Letter, supra note
123, at 1370–71.
134 See 18 U.S.C.A. §§ 2701–2711 (West 2000 & Supp. 2006); Smith, 442 U.S. at 742.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 631

listen to what is being said in telephone calls, it has not done the same
for all the other information revealed by those calls.135 There is no
equivalent provision on customer data that says the statutory proce-
dures are to be “the exclusive means” of government access to such
data. In addition, government access that flouts the statutory proce-
dure is not criminalized. Thus, the President’s inherent constitutional
power to authorize the call database is stronger than his power to au-
thorize warrantless wiretapping. In the former, he is acting in the less
suspect “zone of twilight.”136 Moreover, in authorizing the collection of
call data, the President does not interfere with a constitutionally pro-
tected right to privacy.137 This difference is another reason why the call
records program might survive a legal challenge even if the warrantless
wiretapping program does not.
This is not to say that, even under the less-demanding constitu-
tional scrutiny of the “zone of twilight,” the President would have the
authority to order the transfer of call records from private telecommu-
nications providers to the government. After all, the NSA database con-
tains information on millions of telephone calls, the vast majority of
which involved U.S. citizens and occurred entirely within the United
States.138 This type of government initiative is a far cry from what has
been traditionally understood as a power incident to the President’s
duty to protect the nation from foreign threats.139 But it is worthwhile
to note the consequences of the Supreme Court’s and Congress’s com-
placency in the face of government access to customer records, records
that sometimes can be just as revealing to government investigators—
and as private to citizens—as what is actually said in the telephone con-
versation.

C. The Privacy Act of 1974

Before concluding this discussion of U.S. law, one more piece of
legislation should be mentioned. Once the calling records were trans-
ferred to the NSA, they were put in a database and mined for terror-

135 See 18 U.S.C.A. §§ 2510–2522.

136 See Youngstown, 343 U.S. at 637 ( Jackson, J., concurring).
137 See Smith, 442 U.S. at 742.
138 See Page, supra note 32. Unfortunately, because the government has not disclosed
any information on the program and has invoked the state secrets privilege in litigation
challenging the program, it is impossible to confirm these details. Cauley, supra note 9.
139 For an overview of what has traditionally been considered inherent in the Presi-
dent’s Commander-in-Chief powers, see generally The Constitution of the United
States: Analysis and Interpretation, S. Doc. No. 108-17, at 459–92 (2d Sess. 2002).
632 Boston College Law Review [Vol. 48:609

ists.140 The first place to which a European privacy advocate would

turn, faced with a similar European data-mining program, would be
her data protection law. In the United States, the analogue statute is
the Privacy Act of 1974.141 The Privacy Act regulates the federal gov-
ernment’s collection, use, and disclosure of all types of personal in-
formation.142 It imposes a number of duties on government agencies.
First, the responsible agency must alert the public to the existence of
a personal records system by publishing a notice in the Federal Regis-
ter.143 When information is collected from individuals, they must be
told of the nature of the government database.144 The agency may
gather only such information as is relevant and necessary to accom-
plishing the agency’s legal purposes set down by statute or executive
order.145 Personal information must be accurate, relevant, timely, and
complete.146 This information cannot be transferred to another gov-
ernment agency without the consent of the person concerned.147
Technical measures must be adopted to guarantee the security and
confidentiality of the information.148 Lastly, individuals have the right
to check their personal information and, if necessary, demand that
their information be corrected.149
Compared to the law on government surveillance canvassed ear-
lier, the reach of the Privacy Act is broader. It applies to the govern-
ment’s collection of all kinds of personal data, not just data related to
one’s telephone conversations, and a couple of other types of data pro-
tected under separate statutes, such as bank account information.150
What is more, in contrast with the focus on government collection of
information in surveillance law, the Privacy Act regulates the govern-
ment’s use of personal data from start to finish: collection, storage, use
and analysis, transfers to other parties, and modification to accommo-
date changes over time.151

140 See Cauley, supra note 9; Page, supra note 32.

141 5 U.S.C. § 552a (2000 & Supp. IV 2004). Useful discussions of the Privacy Act can
be found in Trudy Hayden & Jack Novik, Your Rights to Privacy 121–33 (1980), and
Solove, Rotenberg & Schwartz, supra note 38, at 579–83.
142 See 5 U.S.C. § 552a.
143 Id. § 552a(e)(4).
144 Id. § 552a(e)(3).
145 Id. § 552a(e)(1).
146 Id. § 552a(e)(5).
147 5 U.S.C. § 552a(b) (2000 & Supp. IV 2004).
148 Id. § 552a(e)(10).
149 Id. § 552a(d).
150 Id. § 552a(a)(4).
151 See id. § 552a.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 633

As will become evident, many of these guarantees parallel those of

European privacy law. Yet the actual scope of individual rights under
the Privacy Act is far more limited than under European laws. Most of
the government’s duties are purely hortatory due to the limited en-
forcement mechanisms; a number of exceptions have been written into
the Privacy Act; and the Privacy Act only applies to a narrow subset of
what can be done, by the government, with personal information.152
Consequently, what would be a European privacy advocate’s first line of
defense against a government program involving such massive amounts
of personal information turns out to be an entirely ineffective last re-
sort in the United States.
Some more detail on the limitations of the Privacy Act: The pri-
mary enforcement mechanism is a civil action in federal court, gener-
ally for damages.153 Yet individuals have a very difficult time establishing
the injury necessary to recover for most violations of the statute—what
court would award damages because a government agency asked too
many questions, and too many irrelevant questions? Moreover, the Pri-
vacy Act is riddled with exceptions. Disclosure of information to other
agencies is permitted even without consent if the public is notified up-
front, when the record system is created, that such disclosure consti-
tutes a “routine use” of the information.154 This is defined as a use that
is compatible with the main purpose for which the information was col-
lected.155 Even without advance notice of a “routine use,” personal in-
formation may be transferred to another agency if the transfer is for
law enforcement purposes and is requested by the agency’s head.156
Records held by law enforcement agencies and the CIA may be ex-
empted from most of the requirements of the Privacy Act (“general ex-
emptions”) if the agency head publishes a notice to that effect.157 Re-
cords held by any agency may be exempted from some of the require-
ments of the Privacy Act (“specific exemptions”) if the agency head
likewise publishes a notice to that effect and if the records fall into one
of a number of categories—investigatory material, statistical records,
matters whose secrecy is in the interest of national defense or foreign

152 For examples of exceptions, see 5 U.S.C. § 552a(b), (k).

153 See Solove, Rotenberg & Schwartz, supra note 38, at 586; see also 5 U.S.C.
§ 552a(g) (2000) (detailing civil remedies available for violations of the Privacy Act).
154 5 U.S.C. § 552a(b)(3).
155 Id. § 552a(a)(7).
156 Id. § 552a(b)(7).
157 Id. § 552a( j).
634 Boston College Law Review [Vol. 48:609

policy, and more.158 Finally, personal data held by the government is

not considered a “system of records” covered by the Privacy Act unless
the system is used by the agency to retrieve information about specific
individuals using the names, social security numbers, or other identify-
ing particulars of those individuals.159
The call records program is a perfect illustration of the limitations
of the Privacy Act. Unlike the FBI and the CIA, the NSA does not qual-
ify for a general exemption.160 In theory, therefore, the agency must
comply with the bulk of the Privacy Act’s requirements.161 But Federal
Register notices of NSA records systems generally take advantage of the
specific exemptions for national security records.162 Plus, even without
specific mention in the Federal Register, the NSA may share personal
information with other government agencies if requested to do so for
law enforcement purposes.163 Perhaps the most troubling aspect of this
analysis is the question of whether the call database would even count
as a “system of records” under the Privacy Act.164 Is a phone number,
without a name attached, an “identifying particular” assigned to an in-
dividual? If so, then it seems that searching the system by the phone
number of an Al Qaeda suspect, to obtain information on her activities
or to identify other possible suspects, would count as retrieving infor-
mation about her. But what about using the country code for Afghani-
stan as a search term? Or, as is most likely the case, combining these
and other criteria as part of complex algorithms to discover new rela-
tionships among the data and to generate presumably a better, more
accurate pool of terrorists and terrorist activity? The few courts to have
decided the question of what is a “system of records” have reached dif-
ferent, inconsistent conclusions.165 And most of them have defined the
term quite narrowly.166 Absurdly, therefore, a database containing per-

158 Id. § 552a(k).

159 See, e.g., Williams v. Dep’t of Veterans Affairs, 104 F.3d 670, 675 (4th Cir. 1997).
160 See 5 U.S.C. § 552a( j) (2000).
161 See National Security Agency / Central Security Service Privacy Act Program, 32
C.F.R. § 322 (2006).
162 See id.; see also 5 U.S.C. § 552a(k)(2).
163 5 U.S.C. § 552a(b)(7).
164 For instance, a report issued by the Congressional Research Service assumes that
the Privacy Act does not apply to data mining and suggests that Congress consider “the
possible application of the Privacy Act to these [data-mining] initiatives.” See Seifert, supra
note 33, at 19.
165 See, e.g., Jacobs v. Nat’l Drug Intelligence Ctr., 423 F.3d 512, 516 (5th Cir. 2005); Wil-
liams, 104 F.3d at 675; Henke v. Dep’t of Commerce, 83 F.3d 1453, 1459–62 (D.C. Cir.
1996).
166 See Williams, 104 F.3d at 675; Henke, 83 F.3d at 1459–62.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 635

sonal details on millions of citizens might fall entirely outside Con-

gress’s data privacy scheme.167 And again, following the logic of Justice
Jackson’s concurrence in Youngstown, the President would have a re-
spectable argument that the database comes within his inherent consti-
tutional authority to protect national security.168

IV. Europe: Legal Impossibility

In Europe, a secret government data-mining program like the
NSA’s would be clearly illegal. Why? To summarize the rather compli-
cated analysis that follows, such a data-mining program would violate
two different types of privacy guarantees—procedural and substantive.
Procedurally, government data mining, even for national security ends,
would have to be authorized by a public law or regulation that specified
the purposes of the personal data processing and the limits on that data
processing, to minimize the government’s interference with private
life.169 Before the program could be enacted, an independent govern-
ment body would have to be consulted and, while the program was in
operation, that same government body would need to have oversight
and enforcement powers.170 These procedural requirements improve
the prospect that the privacy ramifications of new government initia-
tives will be fully debated and widely understood at the outset. During
the life of the government program, these procedures improve the
chances that privacy violations will be detected and remedied.
Substantively, the reach of a European data-mining program would
be narrower than that of the NSA call database. Although a spy agency
might be allowed access to all call information held by national tele-
communications providers, it would not be allowed to retain the per-
sonal data as long as the NSA has—over five years now.171 Furthermore,
the type of analysis performed on the data, as well as the uses of the

167 In practice, given the far-reaching exemptions that apply even if the personal data
is considered part of a system of personal records, this simply means that the NSA is not
obliged to publish a notice in the Federal Register. See 5 U.S.C. § 552a(k) (2000) (detailing
numerous exemptions).
168 See Youngstown, 343 U.S. at 635–38 ( Jackson, J., concurring).
169 See Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] Apr. 4,
2006, 1 BVerfGE 518/02 (para. 132) (F.R.G.) (providing an example of how government
data mining was analyzed under the program’s authorizing statute).
170 Law No. 78-17 of Jan. 6, 1978, art. 11, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006; Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 24 (F.R.G.).
171 Data Retention Directive, supra note 14, arts. 3, 6.
636 Boston College Law Review [Vol. 48:609

results of the analysis, would have to be carefully circumscribed. The

government would be permitted to use only search terms, statistical
models, mathematical algorithms, and other analytical processes de-
signed to uncover serious threats.172 Under German law, for instance,
an international terrorist attack is considered serious, while counterfeit-
ing abroad is not.173 And, under German law, before the government
may engage in data mining there must be an “imminent and specific
endangerment” (konkrete Gefahr) of a serious offense, not simply an “ab-
stract endangerment” of international terrorism, such as that existing
in the aftermath of the September 11 terrorist attacks.174 A spy agency
in Germany would be allowed to pass on to law enforcement the names
of individuals obtained through such data-mining techniques only if
those individuals were suspected of planning to commit, or having al-
ready committed, a serious offense, and only if sufficient reasons ex-
isted for entertaining that suspicion.175
Another substantive difference would be the right, under Euro-
pean law, of individuals to check on their information. This right of
access enables individuals to ensure that their information is factually
correct and is being handled in accordance with the guarantees of pri-
vacy law.176 Finally, to switch the focus briefly from the government to
the private sector, the same amount of call data in the hands of tele-
communications providers would not have been available to a Euro-
pean government. Under European law, telecommunications compa-
nies are prohibited from retaining personal data in the same quantities
and for the same length of time as is routine—and legal—in the
American business world.177

A. The Liberal Justifications for Information Privacy

Although, as will be discussed below, some of the substantive guar-
antees of European law are quite technical, at the roots of these sub-
stantive guarantees are values easily recognizable to the members of any

172 See Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 158; Bundes-
verfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 84–85.
173 See Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] July 14,
1999, 1 BVerfGE 2226/94, 2420/95, 2437/95, 76 (84–85) (F.R.G.).
174 See Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 158.
175 Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 85–87.
176 Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 6(1) (F.R.G.); Council of Europe Convention, supra note 18, art. 8.
177 See generally, e.g., Law No. 78-17 of Jan. 6, 1978, J.O. [Official Gazette of France],
Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of
Jan. 23, 2006; Federal Data Protection Act.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 637

liberal democracy. The most fundamental is what the legal philosopher

Stanley Benn calls “respect for persons.”178 At the core of liberalism is
the free, rational, equal person.179 The social contract rests upon this
vision of individual autonomy—at one and the same time a product
and promoter of this choosing being.180 From the observer’s perspec-
tive, acknowledging the privacy of another is respect for the choice
made by that person to keep something for herself or her close circle of
confidants.181 From the perspective of the observed, the right to keep
certain matters private and make others public is critical to developing
one’s identity as an autonomous person who freely chooses one’s own
life projects.182 When the observer is the state, the failure to respect the
choice for privacy has special consequences for liberty because of the
substantial means at the disposal of the state. The total surveillance of
George Orwell’s 1984 could only be achieved by the state.183 Collecting,
combining, and manipulating information about people is the digital
equivalent of gazing at them without their consent. This liberty interest
underpins the law of information privacy.
A second reason for shielding individuals from the gaze of oth-
ers—and from the unfettered collection, storage, analysis, and retrieval
of data about them—is to prevent all the possible illegitimate uses of
this knowledge. In the United States, suppression of speech and politi-
cal protest is one of the most repugnant of these illegitimate uses. The
attempt to draft Norwegian men into the German army using informa-
tion collected originally as innocent census data is another example.184
Discrimination based on religion, race, or ethnic origin is yet another
harmful use of knowledge of others. Again, although individuals and
the government can commit these wrongs, the dangers are greater
when the government is involved because of the tremendous resources
at its command. Antiterrorism data mining, which makes heavy use of
terrorist profiles based on sex (male), age (eighteen–forty years), relig-
ion (Muslim), and country of origin (country with significant Muslim
population), quite obviously triggers these discrimination and speech
concerns.185

178 Stanley I. Benn, Privacy, Freedom, and Respect for Persons, in Nomos XII: Privacy 1, 10
( J. Roland Pennock & John W. Chapman eds., 1971).
179 See id. at 22.
180 See id.
181 See id. at 11.
182 See id. at 24.
183 See generally George Orwell, 1984 (1948).
184 See supra notes 1–8 and accompanying text.
185 See Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 26.
638 Boston College Law Review [Vol. 48:609

The other reasons for information privacy are somewhat more re-
mote from what is traditionally considered the core of privacy. One of
these reasons is the theft of personal data for fraudulent or other
criminal purposes, which is more likely with electronic data than paper
records because of the ease with which such data can be collected and
copied. In the case of antiterrorism data mining, however, the foremost
of these reasons is the danger of inaccuracy. Because of the ease with
which electronic data can be gathered, stored, and combined in the
age of information technology, the accuracy of that data is difficult to
guarantee. This is not simply because it is often recorded incorrectly
through human error. When different data sets are combined, their
different coding and software systems can lead the information in one
of the data sets to be wrongly interpreted, based on the other data set’s
coding and software system. What is more, electronic data is so easy to
store that it can remain long after it has become inaccurate because the
facts on the ground have changed. A valid data-mining process, as de-
scribed earlier, is dedicated in large part to fixing these inaccuracies.
The questionable quality of electronic data is cause for concern be-
cause of the great reliance placed on such data by all types of actors in
making a vast number of decisions with adverse consequences for the
individuals concerned. When data is being mined to detect terrorists,
these consequences are especially grievous: being wrongly surveilled,
detained, prosecuted, or even convicted.

B. Information Privacy as a European Fundamental Right

Before going any further, it is necessary to clarify what is meant by
“Europe.” Personal data processing for purposes of national security
and law enforcement is covered by two Europe-wide instruments—the
European Convention on Human Rights (the “ECHR”) and the Coun-
cil of Europe Convention on Personal Data Processing.186 It is also cov-
ered by individual national laws. This Article focuses on the laws of
Germany and France because of their longstanding influence at the
European level and, through instruments at the European level, on
other national legal systems. The law of another Europe-wide organiza-
tion—the European Union—has not historically played much of a role
in this area because of the limitations on the organization’s powers.
The European Union, until recently, has been responsible for creating
a common market, not for policing or protecting national security.

186 Council of Europe Convention, supra note 18.

2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 639

That constitutional structure is gradually changing, in the face of the

expanding powers of the European Union, but the basic point is still
valid. This discussion, therefore, only raises EU law selectively, for the
few issues on which it is germane.
In European law, the main line of defense against data mining is
general data protection law, not sectoral legislation as in the United
States.187 The call records in this hypothetical are considered a subset of
personal data—albeit a more protected subset of personal data than,
say, one’s home address. For the very same set of facts, the source of
government duties and individual rights is the law of telecommunica-
tions surveillance in the United States, while it is the general law of data
privacy in Europe.
Of course, there is telecommunications law in Europe. At the con-
stitutional level, however, only in Germany is the privacy of communica-
tions and data related to communications afforded protection under a
separate article of the Constitution and a separate line of cases.188 And
even there, the constitutional reasoning is, for all intents and purposes,
identical to the reasoning in the data privacy cases. At the statutory
level, the law regulating telecommunications surveillance—which in
Europe squarely includes the collection of noncontent data—always
requires an individualized suspicion of wrongdoing before the com-
munications data may be intercepted by, or transferred to, the govern-
ment.189 The one exception to this requirement is German legislation

187 See id.

188 Grundgesetz [GG] [Constitution] art. 10 (F.R.G.). Article 10 says: “The confiden-
tiality of letters, as well as the confidentiality of post and telecommunications is inviolable.”
Sabine Michalowski & Lorna Woods, German Constitutional Law: The Protection
of Civil Liberties 293 (1999). In 1999, the Constitutional Court explained that Article 10
includes both the content of communications and noncontent data (called “connection
data”):
The protection of fundamental rights, however, is not restricted to shielding
the content of an act of communication against the state taking note of it.
The protection of fundamental rights also covers the circumstances of com-
munication, particularly including: (1) information about whether, when and
how often telecommunications traffic has taken place or has been attempted;
(2) information about the individuals between whom telecommunications
traffic has taken place or has been attempted; and (3) information about
which subscriber lines have been used. The state cannot, in principle, claim
to be allowed to take note of the circumstances of acts of communication.
The use of the medium of communication is supposed to remain confidential
in all respects.
Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 51–52 (citations omitted).
189 In France, electronic surveillance, including the monitoring and collection of non-
content data (données techniques), is regulated differently depending on whether it is con-
640 Boston College Law Review [Vol. 48:609

on foreign intelligence surveillance, which contemplates not only indi-

vidualized surveillance but also “strategic surveillance.”190 Strategic sur-
veillance is similar to data mining in that large numbers of telephone
calls and other forms of communications are intercepted, without a
particularized suspicion of wrongdoing, and then screened using cer-
tain search terms.191 Strategic surveillance is only permitted, however,
for communications with foreign nations and only to prevent interna-
tional terrorist attacks and other types of national security threats.192
Purely domestic phone calls are excluded.193 In sum, the general provi-

ducted as part of a criminal investigation or for intelligence purposes. In the law enforce-
ment context, such surveillance is known as “judicial surveillance” (écoutes judiciares) be-
cause the authorizing order is issued by a member of the judicial branch. See Code pénal
[C. pr. pén.] art. 100-100-7 (interception of communications); id. arts. 60-1, 77-1, 99-3
(police access to telecommunications data). In the intelligence context, electronic surveil-
lance is known as “administrative surveillance” (écoutes administratives) because the order is
issued by a member of the government, generally the Minister of the Interior, and is re-
viewed by an independent agency (the Commission Nationale de Contrôle des Interceptions de
Sécurité or “CNCIS”). See Law No. 2006-64 of Jan. 23, 2006, art. 5 (access to telecommunica-
tions data), J.O. [Official Gazette of France], Jan. 24, 2006, p. 1129; Law No. 91-646 of July
10, 1991, art. 3 (interception of communications), J.O. [Official Gazette of France], July
11, 1991, p. 9167. In Germany, the same distinction exists, albeit complicated by the fed-
eral organization of the German state. All telecommunications surveillance conducted for
purposes of bringing a criminal prosecution is governed by Section 100a of the Code of
Criminal Procedure. Strafprozeßordnung [StPO] [Code of Criminal Procedure] Apr. 7,
1987, BGBl. I at 1074, § 100a. Surveillance conducted by the Länder police for purposes of
preventing ordinary crime is governed by the police laws of the Länder. Domestic security
surveillance—conducted by the federal Office for the Protection of the Constitution
(Bundesamt fur Verfassungsschutz or “BfV”) and the BfV’s counterparts at the Land level—is
regulated by a separate federal law, the G10 Law. Foreign security surveillance, mostly the
responsibility of the Federal Intelligence Service (Bundesnachrichtendienst or “BND”), is
covered by the same federal law. See Jacqueline E. Ross, Germany’s Federal Constitutional
Court and the Regulation of GPS Surveillance, 6 German L.J. 1805, 1812 (2005) (explaining
organization and statutory regulation of German intelligence and law enforcement agen-
cies). In the wake of September 11, the BfV and the BND obtained broader access to cus-
tomer data held by telecommunications providers and financial institutions. Gesetz zur
Bekämpfung des Internationalen Terrorismus [Terrorismusbekämpfungegesetz] [Law for
the Fight of International Terrorism (Counterterrorism Law)], Jan. 11, 2002, BGBl I. at
361 (F.R.G.). Still, however, requests for communications and financial data must be par-
ticularized: the BfV must suspect an individual of engaging in activities aimed at over-
throwing the constitutional order; the BND must suspect an individual of being an actual
(tatsächlich) danger to the foreign and security policy interests of Germany. Id. arts. 1, 10.
190 This is the G10 Law of 1968, so-called because the law amended Article 10 of the
Basic Law and gave effect to the second paragraph of that Article. See Blanca R. Ruiz,
Privacy in Telecommunications: A European and an American Approach 218, 267
(1997); Paul M. Schwartz, German and U.S. Telecommunications Privacy Law: Legal Regulation
of Domestic Law Enforcement Surveillance, 54 Hastings L.J. 751, 778–82 (2003).
191 See Ruiz, supra note 190, at 219–20.
192 See Schwartz, supra note 190, at 779.
193 See id. at 779–80.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 641

sions of telecommunications law could not be used to authorize the

massive transfer of customer data to the government for data-mining
purposes. Rather, in Europe, a government initiative like the NSA’s
would require a new law or regulation and that law or regulation would
have to satisfy both fundamental rights standards on data privacy as well
as the requirements of general data protection legislation.
The privacy of personal information is considered a fundamental
right at both the European and national levels. It is protected by the
right to respect for private and family life in the ECHR,194 the right to
informational self-determination195 and the privacy of communica-
tions196 in Germany, and the right to respect for private life in
France.197 All information that is about a specific person is considered
personal and therefore deserving of privacy. If the government wishes
to interfere with this right, it must do so based on a law that is accessi-
ble to the public and that contains provisions precise enough to curb
arbitrary government action and to put citizens on notice of possible
incursions into their private sphere.198 The purpose of the interference

194 European Convention on Human Rights art. 8, Nov. 4, 1950, 213 U.N.T.S. 221; see
Rotaru v. Romania, App. No. 28341/95, 8 B.H.R.C. 449 para. 46 (May 4, 2000) (holding
that storage and use of personal information in police file, together with refusal of right of
correction, amounts to interference with private life under Article 8); Leander v. Sweden,
App. No. 9248/81, 9 Eur. H.R. Rep. 433 para. 48 (1987) (holding that recording of per-
sonal details in police files constitutes interference with private life under Article 8);
Malone v. United Kingdom, App. No. 8691/79, 7 Eur. H.R. Rep. 14 para. 84 (1984) (hold-
ing that pen registers constitute an interference with private life under Article 8); see also
Opinion of Advocate General Léger, Joined Cases C-317/04 & C-318/04, European Par-
liament v. Council of the European Union, 2006 E.C.R. I-4721 paras. 207–33 [hereinafter
Opinion of AG Léger] (finding that all personal data gathered by the police is covered by
Article 8); Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the
European Parliament and of the Council on the Retention of Data Processed in Connection with the
Provision of Public Electronic Communication Services and Amending Directive 2002/58/EC, 2005
O.J. (C 298) 1, para. 9 [hereinafter European Data Protection Supervisor Opinion] (same).
195 This constitutional right is based on the right to human dignity (Article 1) and the
right to free development of one’s personality (Article 2.1). GG [Constitution] arts. 1, 2.1
(F.R.G.); see Donald P. Kommers, The Constitutional Jurisprudence of the Federal
Republic of Germany 323, 324–25 (2d ed. 1997) (discussing the Census Act Case).
196 GG [Constitution] art. 10 (F.R.G.).
197 See CC decision no. 94-352, Jan. 18, 1995 (Loi d’orientation et de programmation relative
à la sécurité); CC decision no. 2004-499DC, July 29, 2004, Rec. 2 (Loi relative à la protection
des personnes physiques à l’égard des traitements de données à caractère personnel). The respect for
private life is recognized by the Constitutional Council as one of the liberties protected
under Article 2 of the Declaration of the Rights of Men and Citizens of 1789, which is con-
sidered part of the French Constitution of 1958 by virtue of the reference to the Declara-
tion in the preamble to the Constitution. CC decision no. 2004-499DC, Rec. 2.
198 This is the interpretation given by the European Court of Human Rights to the re-
quirement, under Article 8, that “[t]here shall be no interference by a public authority
with the exercise of his right [to private life] except such as is in accordance with the law.”
642 Boston College Law Review [Vol. 48:609

with privacy must be legitimate. Protecting “national security,” guaran-

teeing “public safety,” and preventing “disorder or crime” are specifi-
cally listed as legitimate purposes under Article 8 of the ECHR.199 The
European Court of Human Rights has consistently ruled in favor of
government legislation with such aims.200 Likewise, the German and
French constitutional courts have repeatedly found preventing crime,
fighting terrorism, and protecting national security to be legitimate
public reasons for impinging upon individual rights.201
Fundamental rights law requires that the government’s legitimate
interference with privacy be proportional. The proportionality test per-
vades the case law of all the European courts under consideration on
all rights, not simply the right to privacy.202 Proportionality generally
turns on three related inquiries:203 (1) Can the government action
achieve the stated purpose? (2) Is the government action necessary for
accomplishing the stated purpose, or are there alternative means of
accomplishing the same purpose that will burden the right less? and
(3) When a noneconomic right is at stake, even though there might be
no alternative means for accomplishing the same purpose, is the bur-
den on the right nonetheless intolerable, requiring the law to be with-
drawn? Of course, this formulation greatly simplifies the doctrine of
proportionality. The test differs not only among courts, but as between
different cases decided by the same court.204 Moreover, the burden of

European Convention on Human Rights, supra note 194, art. 8; see Peck v. United King-
dom, 36 Eur. Ct. H.R. 41 para. 76 (2003). Under German constitutional law, laws that au-
thorize government interference with certain basic rights must be parliamentary laws. In
other words, they must be laws directly voted on by the representatives of the people; they
cannot be regulations promulgated by the executive branch, based on authority delegated
by the parliament. This is the case for government restrictions on the right to the confi-
dentiality of telecommunication and the right to informational self-determination. See
Ruiz, supra note 190, at 194–96.
199 European Convention on Human Rights, supra note 194, art. 8.
200 See, e.g., Khan v. United Kingdom, 31 Eur. Ct. H.R. 45 (2001); Klass & Others v. Ger-
many, App. No. 5029/71, 2 Eur. H.R. Rep. 214 para. 60 (1979).
201 See Schwartz, supra note 190, at 771–82 (discussing the case law of the German Con-
stitutional Court); CC decision no. 2005-532DC, Jan. 19, 2006, Rec. paras. 14–22 (uphold-
ing a statute that permitted monitoring of certain vehicles by law enforcement officials in
order to prevent and punish terrorism).
202 See Gilles Dutertre, Key Case-Law Extracts: European Court of Human
Rights 240, 241, 307, 311, 347, 368 (2003) (discussing the European Convention on Hu-
man Rights, supra note 194, arts. 7–11, 14); Kommers, supra note 195, at 46 (Germany);
CC decision no. 94-352DC, Jan. 18, 1995, Rec. 3 (France).
203 See Kommers, supra note 195, at 46.
204 For instance, the majority and the dissent employed different versions of the pro-
portionality test in Leyla Sahin v. Turkey. Compare App. No. 44774/98, 44 Eur. Ct. H.R. paras.
119–21 (2005) (holding that the state ban on the wearing of Islamic headscarves in school
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 643

justification on the government varies tremendously depending on the

right at stake and the public interest being pursued: the more impor-
tant the right, the higher the burden on the government; the more
important the public purpose, the lower the burden on the govern-
ment.205 Nevertheless, it is useful to establish a least-common-denom-
inator point of reference.

C. Statuory Requirements: The Council of Europe Convention

and National Data Protection Laws
When the privacy right is data privacy and when the government
interference is for purposes of law enforcement or national security,
more specific conditions must also be met: the terms of the Council of
Europe Convention and national data protection laws.206 Whereas the
former sets down general data protection commitments, the latter give
effect to, and elaborate extensively upon, those commitments. In 1981,
the members of the Council of Europe concluded the Convention on
Personal Data Processing (the “Convention”).207 The Convention is
critical to understanding European data protection. Of all the Europe-
wide instruments on data protection, it has the broadest coverage, both
regarding subject matter and geography.208 The Convention, unlike EU
data protection laws, applies to all types of personal data processing, by
both government and private actors.209 It has been ratified by thirty-
eight of the forty-six members of the Council of Europe and it has been
signed, but not yet ratified, by six more member states.210 That is a con-
siderably broader group of nations than the membership of the Euro-
pean Union. Furthermore, because of the Convention’s age, it has
been influential in developing data protection legislation everywhere in
Europe. National latecomers to the policy area like the United King-

was proportional to the state’s legitimate interests), with id. paras. 1–13 (Tuklens, J., dis-
senting) (contending that the ban on wearing headscarves was not “necessary in a democ-
ratic society” in part because the ban was not proportionate to the state’s legitimate inter-
ests).
205 See Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 67.
206 See generally Council of Europe Convention, supra note 18; Law No. 78-17 of Jan. 6,
1978, J.O. [Official Gazette of France], Aug. 7, 2004, p. 227, amended by Law No. 2004-801
of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23, 2006; Bundesdatenschutzgesetz [Federal
Data Protection Act], May 22, 2001, BGBl. I at 904 (F.R.G.).
207 See Colin J. Bennett & Charles D. Raab, The Governance of Privacy and Pol-
icy Instruments in Global Perspective 84–87 (2d ed. 2006).
208 See Council of Europe Convention, supra note 18.
209 See id. arts. 2(a), 3.1.
210 See Bennett & Raab, supra note 207, at 85.
644 Boston College Law Review [Vol. 48:609

dom copied the terms of the Convention into their domestic data pro-
tection legislation at the time of implementation.211 The European Un-
ion has used the Convention’s general principles as the framework for
the more detailed provisions of its data protection law governing mar-
ket actors.212 Other EU data protection rules are copied directly from
the Convention.213
The data protection laws of Germany and France also have par-
ticular significance. National data protection legislation is generally
categorized according to historical vintage: the first generation, en-
acted in the 1970s; the second generation, dating to the 1980s and
adopted to implement the Convention; and the third generation,
adopted in the late 1990s and early 2000s to fulfill the requirements of
membership in the European Union.214 The German and French laws
belong, squarely, to the first generation.215 Because of their early vin-
tage, they were influential blueprints for the Convention. And, as a re-
sult of Germany’s and France’s extensive regulatory experience, their
legal instruments—and their data protection officials—continue to ex-
ercise influence, both on novel questions of data protection and on
countries in the process of adopting their first data protection legisla-
tion.
In Germany, the Federal Data Protection Act was originally en-
acted in 1977, and significantly amended in 1990 and 2001. It covers
private actors throughout Germany,216 including telecommunications
companies and federal public bodies, such as Germany’s federal law

211 See, e.g., Data Protection Act, 1984, c. 29 (Eng.). For a history of the U.K. legisla-
tion, see Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy
in Europe and the United States 89–94 (1992).
212 See generally Council Directive 95/46, Protection of Individuals with Regard to the
Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281)
31.
213 Schengen Acquis, Convention Implementing the Schengen Agreement of 14 June
1985 Between the Governments of the States of the Benelux Economic Union, the Federal
Republic of Germany and the French Republic on the Gradual Abolition of Checks at
Their Common Borders, 2000 O.J. (L 239) 19, art. 115 [hereinafter Schengen Acquis];
Convention Based on Article K.3 of the Treaty on European Union, on the Establishment
of a European Police Office (Europol Convention), 1995 O.J. (C 316) 2, art. 14 [hereinaf-
ter Article K.3 Convention].
214 See Bennett & Raab, supra note 207, at 126–27.
215 See generally, e.g., Law No. 78-17 of Jan. 6, 1978, J.O. [Official Gazette of France],
Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of
Jan. 23, 2006; Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001,
BGBl. I at 904 (F.R.G.) (enacted in 1977).
216 Federal Data Protection Act § 27.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 645

enforcement and intelligence agencies.217 An independent agency,

known as the Federal Data Protection Commissioner, has been estab-
lished to enforce federal data protection law.218 In addition, a special
oversight system has been established for telecommunications surveil-
lance—including surveillance of noncontent data—conducted by do-
mestic and foreign intelligence agencies; an independent commission
(the “G10 Commission”), appointed by the parliamentary committee
responsible for oversight of Germany’s intelligence services, reviews
individual surveillance orders as well as the administrative rules govern-
ing strategic surveillance.219 Each Land also has its own Data Protection
Act.220 These acts set down the data protection rules that discipline
state government. They create Land data protection authorities to en-
force both the Land rules and the Federal Data Protection Act’s provi-
sions on market actors.221 Land data protection rules are also pertinent
to intelligence gathering for purposes of preventing terrorism. The
Länder all have their own police forces, governed by Land data protec-
tion laws, and responsible not only for criminal investigations but also
for protecting public order against future offenses such as terrorist acts
(“preventive policing”).222
In contrast with federal Germany, France is a unitary system. This
greatly simplifies the legislative scheme—it has only one data protec-
tion law and one data protection law enforcer. The Law on Data Proc-
essing, Data Files and Individual Liberties (“Law No. 78-17”) was en-
acted in 1978 and significantly amended in 2004.223 It regulates data
processing throughout the economy and throughout government, in-

217 Id. § 12.

218 Bennett, supra note 211, at 77–90; David H. Flaherty, Protecting Privacy in
Surveillance Societies 22–24 (1989).
219 See Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 92–93; Ruiz,
supra note 190, at 218–20, 272–74.
220 See Flaherty, supra note 218, at 21.
221 In Germany’s federal system, state government is entrusted with implementing and
enforcing most federal legislation. See David P. Currie, The Constitution of the Fed-
eral Republic of Germany 69–76 (1994).
222 See Ross, supra note 80, at 7, 25, 28. However, the surveillance activities of the Land
agencies charged with national security (Landesamt für Verfassungsschutz) are governed
exclusively by federal law, namely the G10 Law. See Bundesverfassungsgericht [BVerfG],
July 14, 1999, 1 BVerfGE at 9; see also Gesetz zur Beschraenkung des Brief-, Post- und
Fernmeldegeheimnisses—Gesetz zu Artikel 10 des Grundgesetzes [GG10] [Law Restrict-
ing the Secrecy of Correspondence of Letters, Mail and Telecommunications—Law Apply-
ing to Article 10 of the Constitution], Aug. 13, 1968 BGBl. I at 949, § 1.1.
223 See Flaherty, supra note 218, at 165. See generally Law No. 78-17 of Jan. 6, 1978, J.O.
[Official Gazette of France], Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6,
2004, and Law No. 2006-64 of Jan. 23, 2006.
646 Boston College Law Review [Vol. 48:609

cluding the police and national security agencies.224 An independent

agency, the Commission Nationale de l’Information et des Libertés
(“CNIL”), is entrusted with extensive enforcement powers.225 It is
charged with registering and authorizing certain types of data process-
ing operations, with promulgating interpretive regulations, with con-
ducting inspections and imposing administrative sanctions, and with
advising the government on legislative and regulatory measures affect-
ing privacy.226
Fundamental rights law is the basic framework for the Council of
Europe Convention and the German and French legislation. The Con-
vention and the legislation contain a specific set of conditions designed
to satisfy the requirements of legitimacy and proportionality in those
instances in which the right to data privacy is burdened.227 Paralleling
the fundamental rights doctrine on the need for an authorizing law,
personal data should be processed fairly and lawfully.228 Because a fun-
damental right is at stake any time an individual’s personal data is
processed, such data must be stored for specified and legitimate pur-
poses and should only be used in accordance with those purposes.229
The amount of the data processed should be no more than necessary to
accomplish the purpose.230 Neither should the time during which the
data is stored be any longer than necessary to accomplish the pur-
pose.231 The data must be accurate and, whenever necessary, kept up to
date—otherwise, how would such data processing be able to achieve
the stated purpose?232 Types of personal data that are believed to be
especially sensitive—for instance, data revealing racial origin, religious
beliefs, and health conditions—must be afforded “appropriate safe-
guards.”233 Those who process personal data must put into place “ap-
propriate security measures” to ensure that personal information will

224 Law No. 78-17 of Jan. 6, 1978, art. 2.

225 Id. art. 5.
226 Id. art. 11.
227 See Rotaru, App. No. 28341/95, para. 43 (relying on the Council of Europe Conven-
tion in interpreting European Convention on Human Rights, Article 8).
228 Council of Europe Convention, supra note 18, art. 5a. Even more precise is the
German Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 4(1). It says: “The collection, processing and use of personal data shall be admissible
only if permitted or prescribed by this Act or any other legal provision or if the data sub-
ject has consented.” Id.
229 Council of Europe Convention, supra note 18, art. 5b.
230 Id. art. 5c.
231 Id. art. 5e.
232 Id. art. 5d.
233 Id. art. 6.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 647

be revealed only to those for whom it is intended.234 As a special safe-

guard for the burdened privacy right, individuals should have the right
to check their personal data to make sure that it is accurate and that, in
all other respects, their personal data is being processed in accordance
with the law.235 All these guarantees can be found in the German and
French data protection laws, albeit in more detailed incarnations.236
The state parties are allowed to derogate from the Convention’s
provisions in the interests of “protecting State security, public safety, the
monetary interests of the State or the suppression of criminal of-
fences.”237 These are interests clearly at stake in our hypothetical. Such
derogations, however, must be detailed in the state party’s national law
and must be necessary, meaning that they must be carefully justified
like any other government interference with the right to privacy.238
Both the German and the French legislation take advantage of this pos-
sibility; exceptions exist for data processing for intelligence and law en-
forcement purposes.239 In neither case, however, is such data process-
ing, by the relevant government agencies, entirely or even mostly ex-
empt from the safeguards of national data protection law.
Another distinguishing feature of European data privacy law is the
enforcement system. Independent agencies responsible for the en-
forcement of data protection law have been established in all European
countries.240 To these national agencies, add the supranational bodies
responsible for overseeing compliance in the European Union: the
European Data Protection Supervisor with jurisdiction over EU institu-
tions responsible for common market regulation,241 the Joint Supervi-
sory Body with jurisdiction over personal data exchanged through Eu-
ropol,242 and the Joint Supervisory Authority with jurisdiction over per-

234 Council of Europe Convention, supra note 18, art. 7.

235 Id. art. 8.
236 See Law No. 78-17 of Jan. 6, 1978, arts. 38–43, J.O. [Official Gazette of France], Aug.
7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan.
23, 2006 (rights of individuals in respect of processing of personal data); Bundesdaten-
schutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at 904, §§ 19–21, 33–35
(F.R.G.) (rights of the data subject).
237 Council of Europe Convention, supra note 18, art. 9.2a.
238 See id.
239 See Law No. 78-17 of Jan. 6, 1978, art. 41; Federal Data Protection Act § 19(3)–(4).
240 See Bennett & Raab, supra note 207, at 133, 136–37.
241 See generally Council Regulation 45/2001, 2001 O.J. (L 8) 1 (on the protection of
individuals with regard to the processing of personal data by the Community institutions
and bodies and on the free movement of such data).
242 See Article K.3 Convention, supra note 213, art. 24. Europol is located in The
Hague, Netherlands. It was established by the Member States to support their police forces
and other national law enforcement authorities, such as customs agencies, immigration
648 Boston College Law Review [Vol. 48:609

sonal data exchanged through Schengen.243 The powers of these na-

tional and supranational privacy agencies vary, but most, including the
German and French data protection authorities, have the power to re-
view proposed laws and regulations with a data protection impact, to
conduct inspections of private and public data processors, and to
commence administrative proceedings against violators which may re-
sult in injunctive orders or administrative fines.244 Because many viola-
tions of national laws are considered criminal offenses, such agencies
also have the power to bring prosecutions directly or to refer privacy
violations to public prosecutors for further action.245

services, and border and financial police. Europol’s remit covers serious organized crime
with an international dimension, including terrorism. It is to assist national authorities in
combating international organized crime by collecting, analyzing, and transmitting intelli-
gence to those authorities. Its information comes from national law enforcement bodies,
as well as international agencies. Europol, however, does not have any enforcement or
police powers; Europol information is used for national police investigations. For back-
ground information on Europol, see generally Eric Davies, European Police Office
(2000); Steven Peers, Human Rights Ctr., Europol: The Final Step in the Creation
of an “Investigative and Operational” European Police Force (2007), available at
http://www.statewatch.org/news/2007/jan/europol-analysis.pdf.
243 Schengen Acquis, supra note 213, art. 115. Schengen was originally created by a
small group of Member States to manage jointly the admission of foreign citizens to their
territories. See Madelein Colvin, The Schengen Information System: A Human Rights
Audit 7 (2000). The key elements of the scheme are a common visa—recognized by all
state parties—and the removal of internal border controls among the state parties. Id.
Currently, the signatories are the EU Member States, with the exception of Ireland and the
United Kingdom, and three European Free Trade Association (“EFTA”) countries— Ice-
land, Norway, and Switzerland. Id. Fifteen of the twenty-six signatories have implemented
the Schengen agreement. To enable national authorities to monitor foreign citizens admit-
ted on the common visa, a secure database known as the Schengen Information System
(the “SIS”) has been established. Id. at 16. Unlike the Europol system, the information
contained in the SIS is not collected and analyzed centrally. Id. at 16–17. Rather, national
police and law enforcement authorities independently enter and extract information from
the system. Id. The data contained in the SIS is extremely varied: loss or theft of passports
and other identity documents, names of individuals suspected of having committed serious
crimes, extradition warrants, car thefts, and more. Id. at 17. As should be clear from this
list of data, the SIS is no longer used solely for enforcing immigration policy. See id. It has
become a general purpose database for fighting crime with a cross-border element. See id.
at 22–23.
244 See Law No. 78-17 of Jan. 6, 1978, art. 11–12, J.O. [Official Gazette of France], Aug.
7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan.
23, 2006 (establishing composition and powers of CNIL); id. arts. 45–49 (setting down
administrative sanctions); id. arts. 50–52 (setting down criminal sanctions); Bundesdaten-
schutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at 904, §§ 22–26 (F.R.G.)
(setting down composition and powers of Federal Commission for Data Protection); id.
§ 38 (setting down requirements for Land data protection authorities); id. §§ 43–44 (set-
ting down administrative and penal sanctions for breaches of Federal Data Protection Act).
245 See Law No. 78-17 of Jan. 6, 1978, arts. 50–52; Federal Data Protection Act § 44.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 649

A final important aspect of European privacy law is the application

of the law to public and private actors alike. At the level of fundamental
rights, the guarantees of the ECHR and the German Basic Law have
been applied to privacy violations committed by private actors, not only
by the government.246 At what might be termed in the European hier-
archy of legal norms, the statutory level, data protection guarantees are
binding on both public and private users of personal data. Thus, in the
Council of Europe Convention, no distinction is made between the du-
ties of private and public actors.247 Given the greater specificity of legis-
lation at the national level, the French and German laws do separate
public from private data processing, but only for purposes of stipulating
special duties that apply to certain types of data processing, such as that
involving national identification numbers.248

D. Application of European Law to the NSA Call Records Scenario

Now to apply European law to the facts of our hypothetical. As dis-
cussed above, fundamental rights law requires first that the law be ac-
cessible to the public, containing precise provisions to limit govern-
mental discretion and provide notice to citizens.249 Second, the inter-
ference with privacy must be legitimate.250 Finally, the interference
must be proportional.251 After satisfying these fundamental rights stan-
dards, the specific requirements of the Council of Europe Convention
and national data protection laws must still be met.252

246 See generally Amtsgericht Berlin-Mitte [Berlin Center District Court], Geschäftsnum-
ber [Docket No.] 16 C 427/02, Dec. 18, 2003 (F.R.G.) (holding for plaintiff in suit by pedes-
trian against Berlin department store for removal of surveillance cameras based on Basic
Law, Articles 1 and 2 and Federal Data Protection Act); Von Hannover v. Germany, App. No.
59320/00, 40 Eur. Ct. H.R. 1 (2004) (applying Article 8 in case of privacy violation by the
media); Ruiz, supra note 190, at 302–13 (discussing German constitutional doctrine of
“horizontal” effect of rights (Drittwirkung) and the application of the doctrine in the case of
Article 10 of the Basic Law).
247 Council of Europe Convention, supra note 18, art. 3.
248 See Law No. 78-17 of Jan. 6, 1978, arts. 25–29; Federal Data Protection Act §§ 12–21
(governing data processing by public bodies); id. §§ 27–38a (governing data processing by
private bodies and public law enterprises participating in competition).
249 See supra note 198 and accompanying text.
250 See supra notes 199–201 and accompanying text.
251 See supra notes 202–205 and accompanying text.
252 See supra notes 206–248 and accompanying text.
650 Boston College Law Review [Vol. 48:609

1. Application of European Principles of Fundamental Rights

Would a secret presidential directive count as a “law” for purposes
of the fundamental rights analysis? No. By definition, a secret directive
is not accessible to the public. It cannot put citizens on notice of how
their government is interfering with their basic rights. Nor can it curb
potential abuses of government power, because no one but those gov-
ernment officials know the limits placed on their power by the direc-
tive.
European law, of course, permits exceptions to data privacy rules
based on national security concerns, though surely not on the scale sug-
gested by the U.S. President, who has claimed that any disclosure of the
NSA call database threatens national security.253 One useful indicator of
how such a claim would be addressed in Europe is a German constitu-
tional case involving the G10 Law.254 That law, enacted in 1968, pro-
vides for wide-ranging surveillance by Germany’s domestic and foreign
security agencies to “ward off dangers which threaten the free democ-
ratic order, the existence or the safety of the Federal Republic of Ger-
many or of one of the German Länder.”255 Two types of surveillance are
contemplated by this law: individual monitoring and strategic surveil-
lance.256 Strategic surveillance closely resembles the NSA’s data mining:
the Federal Intelligence Service screens phone traffic between Ger-
many and certain foreign nations based on search terms related to the
national security threats set down by statute.257
When the G10 Law was amended in 1994 to expand the list of
threats warranting surveillance, a constitutional challenge was brought
against the provisions on strategic surveillance.258 Part of the challenge
involved the program’s lack of transparency.259 The basic conditions for
conducting strategic surveillance were set down in the statutory
amendments and responsibility for developing specific search terms

253 See also Terkel v. AT&T, 441 F. Supp. 2d 899, 908 (N.D. Ill. 2006) (discussing the
government’s assertion that the database is protected by the “state secrets” privilege, which
bars discovery of information that would adversely affect national security); ACLU v. NSA,
438 F. Supp. 2d 754, 765–66 (E.D. Mich. 2006) (same). See generally Cong. Research Serv.,
Statutory Procedures Under Which Congress Is to Be Informed of U.S. Intelli-
gence Activities, Including Covert Actions 9 (2006).
254 See generally Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE.
255 Id. at 9 (translating Section 1.1 of the G10 Act).
256 Id. at 5.
257 Id. at 27.
258 Id. at 15–16.
259 See Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 15–20.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 651

was delegated to the administration.260 Those search terms were subject

to review and possible cancellation by the independent body dedicated
to overseeing intelligence gathering involving telecommunications (the
“G10 Commission”). Such review, however, did not satisfy the Court.
The Court held that the G10 Commission also had to have the power to
review the other aspects of the Federal Intelligence Service’s personal
data processing: the transfer of personal data to law enforcement and
domestic intelligence agencies, the destruction of personal data, and
the steps taken to notify individuals that they had been the target of
surveillance.261 The challenge also involved the provisions setting down
the government’s duty to notify individuals singled out as a result of
strategic surveillance.262 The Court struck down an exemption from the
duty of notification for data destroyed within three months of the date
of acquisition on the grounds that this exemption impermissibly cir-
cumscribed the individual’s right to know.263 Given this reasoning, it is
highly unlikely that the German Constitutional Court would approve of
keeping an entire surveillance program secret. Any slight advantage
that the government might gain from keeping secret a database involv-
ing the personal data of millions of citizens not individually suspected
of terrorism would almost certainly be outweighed by the harm to the
fundamental right to privacy.
The good news for the call database is that it would satisfy the sec-
ond requirement of European fundamental rights law: collecting call
data and mining it to protect against terrorist attacks is, most certainly,
a legitimate purpose. But what about proportionality? Can a database
with the calling records of tens of millions of citizens be necessary to
fight terrorism? European courts and privacy officers show consider-
able deference to their intelligence services in making this kind of de-
termination.264 They are acutely aware of their limits in understanding
how to combat terrorism, as compared to the seasoned professionals in
their national spy agencies. But, in Europe, to satisfy the first prong of
the proportionality test, an argument would have to be made that data
collection was capable of reducing the terrorist threat.
One good illustration of the case that would be expected from a
European government is the debate leading up to the EU Data Reten-

260 See id. at 17.

261 Id. at 92.
262 Id. at 89–90.
263 Id.
264 See Segerstedt-Wiberg & Others v. Sweden, App. No. 62332/00, Eur. Ct. H.R., June
6, 2006, para. 104, available at http://www.echr.coe.int/eng.
652 Boston College Law Review [Vol. 48:609

tion Directive of March 2006 (the “Directive”).265 Under the Directive,

providers of electronic communications services and networks are re-
quired to keep traffic data related to phone calls, emails, and other
communications for a period of six months to two years, depending on
the Member State.266 Such data must be made available to the national
police and, via the national police, to police officers in other Member
States.267 The purpose of the Directive is to fight serious crime, most
notably terrorism.268 Notwithstanding this purpose, the Directive ap-
plies to market actors and it was therefore adopted as a common mar-
ket measure. In proposing the Directive, the national governments in
the Council of Ministers put forward a study based on the experience
of the British police showing that call data older than six months was
often useful in investigating serious crimes.269 This evidence was subse-
quently questioned by the independent data protection officers called
upon to examine the proposed directive.270 Notwithstanding this skep-
ticism, a data retention requirement of six months to two years was ul-
timately passed.271 But what is significant for purposes of this discussion
is that the Council of Ministers had to produce some evidence in sup-
port of the data processing. It could not simply order the collection of
call data based on entirely unsubstantiated speculation that the scheme
might accomplish the crime-fighting purposes.
Under the second prong of the proportionality test, the govern-
ment would need to show that the data-mining program was necessary
for protecting national security.272 In practice, this means that the gov-
ernment would have to refute claims that alternative, less privacy-
burdensome programs could accomplish, just as effectively, the same
antiterrorism aims. This issue is directly related to the amount of data
collected and the length of data retention and therefore is discussed
below, in conjunction with the Council of Europe Convention.273

265 See generally Data Retention Directive, supra note 14.

266 Id. art. 6.
267 Id. art. 4.
268 See id. art. 1.
269 European Data Protection Supervisor Opinion, supra note 194, at 3.
270 Id. at 3–4. See generally Opinion 4/2005 of the Article 29 Data Protection Working Party on
the Proposal for a Directive of the European Parliament and of the Council on the Retention of Data
Processed in Connection with the Provision of Public Electronics Communication Services and Amend-
ing Directive 2002/58/EC, at 6, COM (2005) 438 final (Oct. 21, 2005), available at http://ec.
europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp113_en.pdf.
271 Data Retention Directive, supra note 14, art. 6.
272 Kommers, supra note 195, at 46.
273 See infra notes 293–298 and accompanying text.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 653

The last part of the proportionality analysis requires the govern-

ment to demonstrate that the benefit to the public security ends of the
call database outweighs the harm to the privacy right—or, seen from
the individual’s perspective, that the burden on the right is “propor-
tionate” to the government purpose being pursued.274 This question
turns entirely on the magnitude of the harm to the individual right as
compared to the benefit to the public interest. When data mining is
conducted for national security purposes, the privacy interest is strong
because of the risk that the individual might be wrongly investigated,
detained, prosecuted, or even convicted. It is stronger than when, say,
personal information is used to distribute welfare benefits. The impor-
tance of the public interest depends on which types of threats to na-
tional security and what level of suspicion serve as the trigger for data
mining. In the case of the NSA call records program, we do not know;
this extreme secrecy is part of the problem for European privacy law.
But according to the German Constitutional Court, not all threats war-
rant intelligence-related searches of telecommunications data: interna-
tional terrorist attacks, international proliferation of weapons, and the
illegal introduction of a not-insignificant quantity of narcotics from
abroad, yes, but international counterfeiting, no.275 More to the point,
the Constitutional Court has recently held that a general fear of terror-
ism in the wake of September 11 is not good enough to trigger antiter-
rorism data mining.276
On April 4, 2006, the Constitutional Court found that police data
mining carried out after September 11 to identify Islamic sleeper cells
was unconstitutional.277 In Germany, antiterrorism data mining was first
used in the 1970s to fight the Red Army Faction, a left-wing terrorist
group.278 The German version of antiterrorism data mining (Raster-
fahndung) appears to be less ambitious technologically than the Ameri-
can version.279 Terrorist profiles are first created, based on characteris-
tics generally believed to be associated with terrorism.280 Those profiles

274 Kommers, supra note 195, at 46.

275 See Bundesverfassungsgericht [BVerfG], July 14, 1999, 1 BVerfGE at 84–85.
276 See generally Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE.
277 See generally id.
278 See id. para. 3.
279 See Note from German Delegation to Article 36 Committee on Europe-Wide Computerised Pro-
file Searches, Doc. No. 6403/02 (Mar. 8, 2002) (available in register of documents of the
Council of Ministers of the European Union).
280 See Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 2 (describ-
ing the data profiling method).
654 Boston College Law Review [Vol. 48:609

are then used to search public and private databases.281 This results in a
list of individuals who are then subject to examination by the police to
establish whether they do indeed pose a threat to public safety.282 In the
wake of September 11, the police forces of the Länder undertook a co-
ordinated effort to collect and search various data sets based on a
common terrorist profile: male, age eighteen–forty, student or former
student, Islamic faith, and citizenship or birthplace in a country with a
predominantly Islamic population.283 The results of these searches were
transmitted to the Federal Police Office, which matched the names
against other data sets containing information on other characteristics
associated with terrorism, and thereby narrowed the pool.284 The
names of suspects were then sent back to the Länder police for further
review and possible surveillance and questioning.285 These activities
were authorized by specific provisions of Land police acts that allow the
police to collect and analyze data for purposes of state security or for
protecting the “life, health, or freedom of a person.”286
In a complaint brought against the state of North-Rhine West-
phalia, the German Constitutional Court found that the data-mining
program was unconstitutional.287 The Court reaffirmed its earlier case
law on the right of informational self-determination: the right protects
against the police’s collection, transfer, storage, and processing of per-
sonal information.288 Moving to the proportionality inquiry, the Court
found that the national security purpose of the program was legitimate
and that the data mining was a suitable and necessary means of obtain-
ing that goal.289 But the Court concluded that the burden on the right
of informational self-determination was not proportionate to the public
ends being pursued.290 Such data mining, with such grave conse-
quences for constitutional rights, would only be acceptable if there
were actual facts demonstrating an “imminent and specific endanger-
ment” (konkrete Gefahr) of a terrorist attack.291 In this instance, police

281 See id.

282 See id.
283 See id. para. 26. It should be remembered that, in Germany, the police have so-
called “preventive” powers to thwart future threats as well as “repressive” powers to investi-
gate crimes that have already been committed.
284 See id. para. 31.
285 Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 63.
286 See id. paras. 5–6.
287 Id. paras. 68–75.
288 Id.
289 Id. paras. 81–86.
290 Bundesverfassungsgericht [BVerfG], Apr. 4, 2006, 1 BVerfGE, para. 68.
291 See id. para. 158.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 655

data mining had been triggered by a general fear of terrorism following

September 11—for the Constitutional Court, this was not reason
enough to intrude upon the privacy right.292

2. Applying the Council of Europe Convention and the National Laws

of Germany and France
At this point, the data protection inquiry turns to the more specific
requirements of the Council of Europe Convention and national laws.
Is the call data being used by the government only for purposes of iden-
tifying possible terrorists and thwarting future terrorist attacks? This is
one more difficulty with the secretiveness of the NSA program: no as-
surances have been given that the call data is not being used for more
banal purposes—for instance, for identifying ordinary bank robbers
and turning over their names to law enforcement officials.
Is the amount of data being processed no more than necessary to
accomplish the terrorism-fighting purpose? Curiously, at least for a
European audience, when certain U.S. Senators learned of the call da-
tabase, they complained that it contained too little data—not too
much.293 If the purpose is to foil terrorist plots on American soil, the
Senators reasoned, shouldn’t the NSA have information on all the calls
made and received by all Americans, not just clients of AT&T and Veri-
zon? But, in Europe, the amount of call data would probably be con-
sidered excessive. Again, the debates on the recent EU Data Retention
Directive are instructive. Under the Directive, the police may obtain
electronic communications data from providers only “in specific
cases”294 and only for purposes of fighting “serious crime.”295 A pro-
gram giving the government routine, indiscriminate access to all traffic
data of all customers would probably involve an excessive amount of
data under European law.296
As for the time of data retention, that also would be too long.
From the press accounts, it appears that the NSA began collecting call
data immediately after September 11, 2001.297 There does not seem to
be any requirement to erase the data. That means that some of the in-

292 See generally id.

293 See Page, supra note 32.
294 Data Retention Directive, supra note 14, art. 4.
295 Id. art. 1.1.
296 The Data Retention Directive, however, only applies to access by national police for
“purpose of the investigation, detection and prosecution of serious crime.” Id. It does not
cover access by security services. Therefore, the analogy to the NSA program is not exact.
297 See Cauley, supra note 9; Page, supra note 32.
656 Boston College Law Review [Vol. 48:609

formation is over five years old. In the European Union, even the most
hawkish of Member States—the United Kingdom, France, Ireland, and
Sweden—only pushed for a three-year data retention period, after
which call data would have had to be destroyed.298 Five years is far be-
yond anything ever imagined for the European Union.
The accuracy requirement, however, would probably be satisfied.
Because the purpose of the NSA program is to track individual behav-
ior, not, say, award benefits, it is not critical that the personal data in the
system be routinely checked and updated. Call data, moreover, does
not generally reveal sensitive personal characteristics such as religious
affiliation, and therefore it would not require additional safeguards
under European law. It seems safe to assume that the “appropriate se-
curity measures” have been adopted. The NSA, probably the most
technologically sophisticated of all U.S. government agencies, has most
likely taken the necessary steps to protect the call data from unauthor-
ized disclosures.
That being said, individuals have absolutely no right to check on
their personal data being used by the NSA. On this last step of the data
protection analysis, European systems differ considerably. Some have
made more extensive use of the national security exemption than oth-
ers. Neither Germany nor France, however, categorically bars individu-
als from exercising their right of access in cases of national security data
processing.299
Under German law, access to one’s personal data and the correc-
tion, erasure, or blocking of such data count as the “inalienable rights
of the data subject.”300 National security agencies may, on a case-by-case
basis, deny access if disclosure would “impair public safety or order or
otherwise be detrimental to the Federation or a Land.”301 Even these
agencies, however, must give reasons for denying such a request, either
to the individual directly or to the Federal Commissioner for Data Pro-

298 Council Draft Framework Decision 8958/04, On the Retention of Data Processed and
Stored in Connection with the Provision of Publicly Available Electronic Communications
Services or Data on Public Communications Networks for the Purpose of Prevention, Investi-
gation, Detection, and Prosecution of Crime and Criminal Offenses Including Terrorism,
Apr. 28, 2004, art. 4 (EU), available at http://register.consilium.europa.eu/pdf/en/04/st08/
st08958.en.04.pdf.
299 Law No. 78-17 of Jan. 6, 1978, art. 41, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006; Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, §§ 19–21 (F.R.G.).
300 Federal Data Protection Act § 6.
301 Id. § 19(3).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 657

tection, unless giving reasons would itself jeopardize “public safety or

order or otherwise be detrimental to the Federation or a Land.”302 The
federal police, by contrast, are never exempted from their duty to give
access, although the information may be communicated to the Federal
Data Protection Commissioner rather than to the individual.303 Land
regulation of their police forces varies, but the Hessian legislation is
illustrative.304 The Hessian police are not given a blanket exemption
from disclosure.305 Rather, the Hessian Data Protection Act states that
the statutory provisions on access
shall not apply where after balancing the rights accorded to
the data subject against public interest in data secrecy . . . the
latter interests prevail. The decision shall be made by the
head, or his designated deputy, of the data storage agency. If
the data subject is denied information or the right to inspect
records, he shall be informed of the major reasons on which
the denial is based and of his right to complain to the Hessian
Data Protection Commissioner.306
Under the French data protection law, the right of access is indi-
rect “where processing involves State security, defence or public
safety,” meaning that an individual cannot approach the intelligence
agency directly but must proceed via CNIL, the independent privacy
commission.307 The procedure for so-called “indirect access” is as fol-
lows:
The [CNIL] receives the access request and appoints one of
its members, who is or has been a member of the “Conseil
d’Etat” [highest administrative court], the “Cour de Cass-
ation” [highest civil court] or the “Cour des Comptes” [inde-
pendent body responsible for auditing government accounts],

302 Id. § 19(5)–(6). In the case of telecommunications data, this procedure would be
handled by the G10 Commission. Comm’n of Inquiry into the Actions of Canadian
Officials in Relation to Maher Arar, A New Review Mechanism for the RCMP’s
National Security Activities 344 (2006), available at http://www.ararcommission.ca/
eng/EnglishReportDec122006.pdf.
303 Federal Data Protection Act § 6(2).
304 Hessisches Datenschutzgesetz [Hessian Data Protection Act], Nov. 11, 1986, BGBl. I
at 309 (F.R.G.).
305 Id. § 18(5).
306 Id.
307 Law No. 78-17 of Jan. 6, 1978, art. 41, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006.
658 Boston College Law Review [Vol. 48:609

to carry out the necessary investigations and have the neces-

sary modifications made. An officer of the commission may
assist the appointed member of the commission. The appli-
cant shall be informed that the verifications have been carried
out.
Whenever the commission establishes, with the agreement
of the data controller, that the disclosure of the data does not
undermine its purposes, State security, the defence or public
safety, these data may be disclosed to the applicant.308
By contrast, the default rule for personal data held by law en-
forcement agencies is direct access. The regulation authorizing the data
processing, however, may provide for indirect access:
The [right of indirect access] shall apply to processing car-
ried out by public authorities and departments and private le-
gal entities entrusted with a public service mission for the
prevention, investigation or proof of criminal offenses, or the
assessment or collection of taxes, where the [authorizing
regulation] provides for this right.309
In sum, notwithstanding all of the exceptions for national security and
law enforcement, the NSA call database would violate the European
right of access, too.
The principal institution of European privacy law—an independent
watchdog agency—is also missing in the United States.310 The NSA did
not first consult an independent privacy agency before undertaking the
call records program. In France or Germany, by contrast, a government
proposal for data mining, even intelligence-related data mining, would
have to be submitted to an independent privacy regulator for review.311

308 Id.
309 Id. art. 42.
310 This is a slight oversimplification. The Computer Matching and Privacy Protection
Act of 1988 requires that each agency create a “data integrity board,” entrusted with over-
seeing privacy in computer matching projects. 5 U.S.C. § 552a(u) (2000). However, the
members of such boards are appointed by the agency head and their mandate is limited.
The Department of Homeland Security has a privacy officer, but, again, the privacy officer
is appointed by the administration and therefore is not independent. Homeland Security
Act of 2002 § 222, Pub. L. No. 107-296, 116 Stat. 2135 (codified as amended at 6 U.S.C.
§ 142 (Supp. III 2003 & Supp. IV 2004)). Moreover, she only has jurisdiction over the ac-
tivities of the Department of Homeland Security and her powers are limited.
311 See Law No. 78-17 of Jan. 6, 1978, art. 11(4)(a) (establishing general duty to consult
CNIL on “any bill or draft decree relating to the protection of individuals in relation to
automatic data processing”); id. arts. 11(2)(a), 26 (establishing specific duty to obtain
“reasoned and published” opinion of CNIL on ministerial order (arrêté) authorizing “the
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 659

Such review would entail a wide-ranging proportionality analysis—along

the lines of this Article—and would result in a finding on the lawfulness
of the program, as well as recommendations for limiting the govern-
ment’s interference with the right to privacy.312 This institutional re-
quirement is not designed solely to improve the privacy quality of the
program by ensuring that the necessary safeguards are in place to pre-
vent government abuses. Scrutiny by an independent regulator also im-
proves public awareness of government intrusions in highly technical
policy areas in which the burden on privacy can be obscure to the aver-
age citizen. In sum, the involvement of a privacy agency, coupled with
the requirement of a detailed, accessible authorizing law, gives rise to a
vigorous public debate on the privacy costs of government initiatives
that may—or may not—be necessary in a post-September 11 world.
A European privacy agency would also have the power to make
sure that intelligence officers running a data-mining program were
complying with basic privacy safeguards. In France, this takes the form
of a standard administrative enforcement scheme. CNIL has the power
to inspect government programs,313 and, if it finds violations, to impose
sanctions.314 In data processing related to national security and law en-
forcement, these powers are quite soft, but they exist nonetheless.315
Data processing related to “state security” can be insulated from CNIL’s
inspection powers at the time that the program is authorized.316 If
CNIL learns of privacy breaches in government programs involving

processing of personal data carried out on behalf of the State and: (1) which involves State
security, defence or public safety; or (2) whose purpose is the prevention, investigation or
proof of criminal offences, the prosecution of offenders or the exception of criminal sen-
tences or security measures”); Bundesdatenschutzgesetz [Federal Data Protection Act],
May 22, 2001, BGBl. I at 904, § 26(2)–(3) (F.R.G.) (establishing general power of Federal
Data Protection Commission to give opinions and recommendations on government
measures); Hessisches Datenschutzgesetz [Hessian Data Protection Act], Nov. 11, 1986,
BGBl. I at 309, §§ 24(1), 25, 29 (F.R.G.) (establishing duty to inform Hessian Data Protec-
tion Commissioner of “new procedures and techniques in data processing as well as of any
preliminary draft proposals on the automated processing of personal data” and power to
give opinions and recommendations).
312 See, e.g., CNIL decision no. 2005-208, Oct. 10, 2005, available at http://www.cnil.fr/
index.php?id=1883&delib[uid]=75&cHash=23d7fc2011 (opinion on law authorizing vari-
ous types of antiterrorism surveillance, including government access to telecommunica-
tions and airline data).
313 Law No. 78-17 of Jan. 6, 1978, art. 44.I, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006.
314 Id. art. 45.I.
315 See id. art. 44.IV.
316 Id.
660 Boston College Law Review [Vol. 48:609

“state security” or “criminal offenses,” it has the power to issue warnings

and order the termination of such breaches.317 If the order is ignored,
CNIL may publicize the privacy breach.318 When the violation of privacy
rights is “urgent,” CNIL has the power to “notify the Prime Minister so
that he may, if necessary, take measures to stop the violation . . . . The
Prime Minister shall inform the commission of the steps he has taken
within fifteen days of receiving the notification.”319 And in the case of a
“serious and immediate” violation, CNIL’s chairman may “ask, in sum-
mary proceedings, the competent jurisdiction to order, if necessary ap-
plying a daily penalty, any security measure necessary for the protection
of these rights and liberties.”320 Finally, private actors and public offi-
cials may be criminally prosecuted under the French data protection
law.321
In contrast with the French system of privacy enforcement, the
German system relies more on consultation and persuasion than on
hard sanctions. This is also the case when data processing is conducted
for intelligence and law enforcement purposes. Thus, in Germany, each
public and private body—including intelligence agencies—must ap-
point an internal “data-protection official” responsible for overseeing
compliance within the organization.322 Internal data protection officials
must notify the responsible data protection agency of any violations.323
The Federal Data Protection Commissioner is responsible for “moni-
tor[ing] compliance”324 and the Land authorities for “monitor[ing]
implementation”325 within their respective jurisdictions. Thus, in the
case of a suspected privacy violation by an agency like the Federal Intel-
ligence Service, the Federal Commissioner would have the power to
inspect documents; to obtain answers to questions; to advise on steps
for improving data protection; and, in the case of a breach, to file a
complaint with the head of the agency and to require a response from
that agency outlining its remedial measures.326 Should compliance not

317 Id. art. 45.I.

318 Law No. 78-17 of Jan. 6, 1978, art. 46.
319 Law No. 78-17 of Jan. 6, 1978, art. 45.II(3), J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006.
320 Id. art. 45.III.
321 Id. art. 50.
322 Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, §§ 4f–4g (F.R.G.).
323 Id. § 4g.
324 Id. § 24(1).
325 Id. § 38(1).
326 Id. §§ 24–26.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 661

be forthcoming, the Federal Commissioner is authorized to report the

matter to Parliament.327 This is the standard operating procedure for
monitoring all agencies. Data protection commissioners in the Länder,
responsible for overseeing their government administrations, including
their police forces and domestic security agencies, have similar powers
of inspection and persuasion.328
Only two exceptions are made for intelligence and law enforce-
ment agencies. First, inspections must be conducted by the Federal
Commissioner in person or by assistants specially designated by him.329
Second, when the agency is a federal intelligence agency and the per-
sonal data is telecommunications data, as in our hypothetical, primary
responsibility for oversight rests with the parliamentary G10 Commis-
sion.330 The Federal Commissioner may be requested by the G10
Commission to investigate and report on such data processing, but he
does not have independent powers.331 The same is the case when the
agency is a Land intelligence agency and the personal data is telecom-
munications data—oversight is the task of the Land parliament, not the
Land data protection commissioner.332
The last aspect of the NSA episode that is puzzling to the Euro-
pean observer is the availability of so much personal data in the hands
of private firms, ready to be transferred to the government whenever it
so requests. As explained earlier, European data protection law covers
both the public and private sectors.333 To collect personal data, private
actors must have a legitimate purpose and must use such data only in
accordance with that legitimate purpose.334 For commercial operators,
the legitimate purpose is generally providing a good or service to cus-
tomers and collecting the payment due for the good or service. Only
personal information relevant to this contractual relationship can be
gathered.335 And once the contract has been fulfilled—the good or ser-
vice provided and the payment rendered—the personal data is to be

327 Federal Data Protection Act § 26.

328 See, e.g., Hessisches Datenschutzgesetz [Hessian Data Protection Act], Nov. 11, 1986,
BGBl. I at 309, §§ 27, 29–30 (F.R.G.).
329 Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 24(4) (F.R.G.).
330 Id. § 24(2).
331 Id.
332 E-mail from Alexander Dix, Berlin Commissioner for Data Protection and Freedom
of Information, to Francesca Bignami, Professor of Law, Duke University School of Law
(Oct. 6, 2006, 21:05:45 EST) (on file with author).
333 See Council of Europe Convention, supra note 18, art. 3.
334 Id. art. 5(b).
335 See id. art. 5(c).
662 Boston College Law Review [Vol. 48:609

erased.336 It cannot be kept and used for other purposes. The most
common American counterexample—aside from helping out the
NSA—is using personal data collected for a contractual relationship to
market unrelated goods and services.
Providers of electronic communications services are not only gov-
erned by these general principles of European law. For them, there is a
specific EU law requiring that a subscriber’s communications data be
erased once no longer necessary for connecting the communication or
for obtaining payment on the bill.337 The law allows for some excep-
tions. For instance, if the subscriber gives her consent at the time of
signing up for the service, the provider may use the subscriber’s per-
sonal information for purposes of marketing additional services.338
Member States may require, by law, that their electronic communica-
tions providers retain subscriber data and make that data available for
legitimate government purposes.339 Such data retention requirements
have been enacted in most Member States to enable their police forces
and intelligence agencies to obtain communications data necessary for
investigations. As a matter of fact, the EU Data Retention Directive was
designed to harmonize some of these very different data retention re-
quirements at the Member State level.340 In Europe, therefore, tele-
communications providers do keep personal data to assist with intelli-
gence and police operations, much as AT&T and Verizon kept the call
records that were later transferred to the NSA. But, unlike their Ameri-
can counterparts, European telecommunications providers can keep
personal data after performance on a subscriber contract only because
specific laws instruct them to do so, setting down the type of data to be
retained, the time when the data must be erased, and the conditions
under which the data may be requested by government agencies.

V. The Consequences of Comparison

These differences between European and American privacy law
have several ramifications. Politically, the legal differences have strained
relations between Europe and the United States and have frustrated

336 See id. art. 5(e).

337 Council Directive 2002/58, art. 6, 2002 O.J. (L 201) 37 (EC) (concerning the proc-
essing of personal data and the protection of privacy in the electronic communications
sector).
338 Id. art. 6.3.
339 Id. art. 15.1.
340 See Data Retention Directive, supra note 14; supra notes 265–271 and accompanying
text.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 663

transatlantic cooperation in the fight against terrorism. The compari-

son can also prompt law reform in the United States. It reveals that,
notwithstanding the common transatlantic commitment to information
privacy in the early 1970s, today the European system protects privacy
more effectively than the American one. Those parts of the European
statutory scheme that have contributed to this outcome should inform
the U.S. Congress’s attempts to legislate more effective information
privacy law.

A. Obstacles to Transatlantic Cooperation on Fighting Terrorism

The practical consequences of these legal differences are dra-
matic. Transatlantic cooperation on national security has already been
strained by differences in privacy law. The latest string of revelations
related to the NSA’s activities can only make cooperation more diffi-
cult. The U.S. government might wish to obtain information held by
European spy and law enforcement agencies for purposes of prevent-
ing terrorist attacks. Yet because the way it handles personal data is so
out of line with European law, it is increasingly unlikely that it will be
able to get that data.
The dilemma for any European government is simple: how can it
transfer information on its citizens to the U.S. government when, in all
likelihood, the information will end up in a database that would clearly
be unlawful if created by that same European government—especially
when the information might be used, at some future point in time, to
wrongly detain, prosecute, convict, or even execute a European citizen?
This reluctance is not simply a matter of moral scruples or political sur-
vival. In many European countries, it is the law of data protection. The
government can transfer personal data only to countries with an “ade-
quate” level of data protection.341 And by this point it should be clear
that the United States would not count as one of those countries.342

341 See, e.g., Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001,
BGBl. I at 904, § 4(2) (F.R.G.).
342 The adequacy of U.S. law for purposes of EU personal data transfers has been the
object of extensive study. See Shaffer, supra note 23, at 22–38. See generally Commission De-
cision 2000/520, 2000 O.J. (L 215) 71 (EC). The focus, however, has been on the adequacy
of private sector—not public sector—data protection law. This is because the only EU (as
opposed to national) adequacy requirement applies to market-based transfers of personal
data, not to transfers related to government policing or national security. See Council Di-
rective 95/46, supra note 212, art. 25. As the European Court of Justice has recently held,
third-country transfers of personal data to assist with law enforcement or national security
fall outside the scope of EU data protection law. Joined Cases C-317/04 & C-318/04, Eur.
664 Boston College Law Review [Vol. 48:609

1. Legal Obstacles to Intelligence Exchange

The law governing data transfers to the United States and other
third countries is mostly national. On this subject, the Council of
Europe Convention has little to say.343 Unfortunately, national laws vary
even more than the usual in their treatment of third-country transfers
for national security and law enforcement purposes. Both the German
and French data protection laws, however, impose blanket bans on
transfers to inadequate third countries; they create such limited excep-
tions to those bans that the routine exchange of intelligence with an
inadequate country would be prohibited.344
Under the German data protection law,
transfer [of personal data] to foreign [non-EU], suprana-
tional or international bodies . . . shall not be effected in so
far as the data subject has a legitimate interest in excluding
transfer, in particular if an adequate level of data protection
is not guaranteed . . . .345
The only exception to this prohibition is national defense or certain
duties under international law:
[The prohibition] shall not apply if transfer is necessary in
order to enable a public body of the Federation to perform its
duties for compelling reasons of defence or to discharge su-
pranational or international duties in the field of crisis man-
agement or conflict prevention or for humanitarian meas-
ures.346
To obtain personal data from Germany, the U.S. government
would have to argue that the data involved a security threat to both

Parliament v. Council, paras. 55–59, http://eur.lex.europa.eu/LexUriServ/LexUriServ.

do?uri=CELEX:62004J0317:EN:HTML (May 30, 2006).
343 A protocol to the Convention, signed in 2001, would require the parties to allow
transfers to third states only if such states provided an “adequate level of protection.” See
Additional Protocol to the Convention for the Protection of Individuals with Regard to
Automatic Processing of Personal Data, Regarding Supervisory Authorities and Transbor-
der Data Flows, art. 2.1, Nov. 8, 2001, E.T.S. 181. As of January 2007, however, this protocol
had been ratified by only fifteen countries. Moreover, the parties are allowed to derogate
from the adequacy requirement for a number of reasons including a “legitimate prevailing
interest, especially important public interests.” Id. art 2.2(a).
344 See Law No. 78-17 of Jan. 6, 1978, art. 68, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006; Federal Data Protection Act, May 22, 2001, BGBl. I at 904, § 4b(2) (F.R.G.).
345 Federal Data Protection Act § 4b(2).
346 Id.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 665

Germany and the United States and that, as a result, the transfer would
advance the purpose of defending Germany from foreign attack.347 The
only other avenue available to the U.S. government would be an
agreement with Germany promising that it will treat personal informa-
tion in accordance with the basic principles of German privacy law.348
The German data protection law directs officials to assess adequacy “in
the light of all circumstances surrounding a data transfer operation or
a category of data transfer operations.”349 An international agreement
would count as one of those circumstances.
Likewise, under the French data protection law, personal data
may not be transferred to a state outside the European Union if that
state “does not provide a sufficient level of protection of individuals’
privacy, liberties and fundamental rights with regard to the actual or
possible processing of their personal data.”350 There are a number of
exceptions to this prohibition, the most relevant to intelligence gath-
ering being a determination that a particular transfer would serve
“the protection of the public interest.”351 Moreover, when personal
data processing “involves State security, defense, or public safety,”352 or
its “purpose is the prevention, investigation, or proof of criminal of-
fences, the prosecution of offenders or the execution of security sen-
tences or security measures,”353 transfers to inadequate third countries
may be authorized by special government decree.354 Before promul-
gating such a decree, however, the government must solicit the opin-
ions of CNIL and the Conseil d’Etat (France’s highest administrative
body).355 The government must also be convinced that privacy rights
will be afforded a “sufficient level of protection” in the receiving

347 Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 4b(2) (F.R.G.).
348 See id. § 4c(2).
349 Id. § 4b(3).
350 Law No. 78-17 of Jan. 6, 1978, art. 68, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006.
351 Id. art. 69(2).
352 Id. art. 26.I(1).
353 Id. art. 26.I(2).
354 Id. art. 69. In 2003, a law was enacted to improve internal security. Among its many
provisions, the law specifically addressed exchanges of personal data between the French
police and foreign police. It too requires adequacy before such exchanges may occur. Law
No. 2003-39 of Mar. 18, 2003, art. 24, J.O. [Official Gazette of France], Mar. 19, 2003,
p. 476.
355 Law No. 78-17 of Jan. 6., 1978, art. 69.
666 Boston College Law Review [Vol. 48:609

country.356 Under French law, therefore, routine exchanges of intelli-

gence-related personal data with the United States can only occur
upon a finding of a “sufficient level of protection.”357 Given the nu-
merous discrepancies between the two systems of data privacy, such a
finding could only occur through an international agreement of the
kind discussed in relation to Germany.
In addition to German, French, and other national laws, a measure
under negotiation in the European Union, once finalized, might also
create difficulties for information exchange with the United States.358
In this instance, the main impact would be on personal data sought to
investigate past crimes or to prevent imminent offenses, a matter more
for the police—the law enforcement side of the FBI—than a national
security agency like the NSA.359 Since the early 1990s, the European
Union has become increasingly active in promoting cooperation on
criminal matters among national police forces, prosecutors, and crimi-
nal courts. To ensure that different levels of privacy protection do not
make national authorities reluctant to exchange personal information
amongst themselves, a Framework Directive is being negotiated that
would set down common data protection standards for all European
authorities responsible for “preventing and combating crime.”360 Under
the latest available draft, information sent by one Member State to an-
other may not be transferred onwards to a third country unless consent
to the transfer has been given by the original Member State and an
adequate level of data protection exists in the third country.361 The only
caveat to the adequacy requirement is for transfers that are “absolutely
necessary in order to safeguard the essential interests of a Member
State or for the prevention of imminent serious danger threatening
public security or a specific person or persons.”362 As in the German
and French laws, an international agreement with a third country,
stipulating the conditions under which data will be processed, can con-

356 Law No. 78-17 of Jan. 6, 1978, art. 69, J.O. [Official Gazette of France], Aug. 7,
2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23,
2006.
357 See id.
358 See generally Proposal for a Council Framework Directive on the Protection of Personal Data
Processed in the Framework of Police and Judicial Co-operation in Criminal Matters, Doc. No.
6450/5 REV 5 (2006) [hereinafter Proposal for a Council Framework Directive].
359 See id. art. 1.
360 See Consolidated Version of the Treaty on European Union and of the Treaty Estab-
lishing the European Community, art. 29, Dec. 29, 2006, 2006 O.J. (C 325) 1, 24.
361 Proposal for a Council Framework Directive, supra note 358, art. 15.1.
362 Id. art. 15.6.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 667

stitute grounds for an adequacy finding, even if the country’s domestic

privacy law is unsatisfactory. Again, therefore, an international agree-
ment would be the only way in which the U.S. government could obtain
routine access to European personal data.

2. Bilateral Agreements to Exchange Information

A number of bilateral agreements do allow for information ex-
change between Europe and the United States. These agreements,
known as treaties on mutual legal assistance (“MLATs”), guarantee ac-
cess to information in connection with criminal investigations.363 Police
authorities in one state may request from police authorities in another
state public or private records located there.364 MLATs, however, are
not particularly useful to the American intelligence community. Under
the terms of MLATs, before a state may request information on an indi-
vidual, it must show that the individual is suspected of a crime or has
been charged with a criminal offense.365 In other words, MLATs cover
only criminal investigations, not national security programs designed to
ward off future threats.366
MLATs have another limitation: they contain numerous exceptions
to the duty of cooperation. Many, including the French and German
MLATs, do not require states to assist with requests for government re-
cords; such assistance is left to the requested state’s discretion.367 Fur-
thermore, a state is allowed to deny a request for assistance or to attach
conditions to such a request if “execution of the request would preju-
dice [the requested state’s] sovereignty, security, public order, or other
essential interests.”368 Data protection would be considered one of
those essential interests, hence preventing cooperation. A recently ne-
gotiated MLAT between the European Union and the United States is
specifically directed at removing the data protection impediment: it
would bar European countries from routinely invoking data protection

363 See, e.g., Treaty on Mutual Legal Assistance in Criminal Matters, U.S.-F.R.G., art. 1,
Oct. 14, 2003, S. Treaty Doc. No. 108-27 [hereinafter U.S.-F.R.G. MLAT] (not yet in
force); Treaty on Mutual Legal Assistance in Criminal Matters, U.S.-Fr., art. 1, Dec. 10,
1998, S. Treaty Doc. No. 106-17 (2000) [hereinafter U.S.-Fr. MLAT].
364 See, e.g., U.S.-F.R.G. MLAT, supra note 363, art 9.
365 See id. art. 1; U.S.-Fr. MLAT, supra note 363, art. 1.
366 See U.S.-F.R.G. MLAT, supra note 363, art. 1; U.S.-Fr. MLAT, supra note 363, art. 1; see
also Agreement on Mutual Legal Assistance in Criminal Matters, U.S.-EU, arts. 4.1(b), 8,
June 25, 2003, 2003 O.J. (L 181) 34 [hereinafter U.S.-EU MLAT] (not yet in force).
367 U.S.-F.R.G. MLAT, supra note 363, art. 9; U.S.-Fr. MLAT, supra note 363, art. 20.
368 See U.S.-Fr. MLAT, supra note 363, art 6.1(b).
668 Boston College Law Review [Vol. 48:609

as grounds for denying U.S. requests for assistance.369 But because of

this bar and other provisions, it is uncertain that the MLAT will be rati-
fied on the European side. Some argue that, without guarantees from
the United States, this provision would breach European human rights
law.370
Recently, the U.S. government has sought to move beyond infor-
mation for criminal investigations and to obtain European personal
data in connection with national security operations.371 Compared to
the criminal context, vastly more information is needed in national se-
curity investigations to ascertain whether vague suspicions of possible
future harms have some basis in fact or must be dismissed. It should
come as no surprise, therefore, that agreement on this type of informa-
tion exchange has been even more elusive than in the area of criminal
investigations.
To date, the principal example of this type of cooperation on na-
tional security matters—or, more accurately, transatlantic fractious-
ness—is the transfer of European airline passenger data to the U.S.
government.372 After September 11, the U.S. Bureau of Customs and
Border Protection (the “CBP”) began demanding access to European
airline passenger data well before European airplanes took off from
European airports to land in the United States.373 Part of the purpose
was quite innocuous: to check for suspected terrorists and to require
that they be stopped from boarding planes bound for the United
States.374 But the other purpose—and the associated privacy risks—
raised red flags for the European authorities: the data was to be used to
identify individuals requiring surveillance while in the United States,
either immediately or at a future time if their subsequent behavior gave
rise to a suspicion of criminal activity.375 The method by which the pas-
senger data was to be transferred to the CBP was through a so-called
pull system: the CBP was to have direct access to the data contained in

369 U.S.-EU MLAT, supra note 366, art. 9.2(b) (“Generic restrictions with respect to the
legal standards of the requesting State for processing personal data may not be imposed by
the requested State as a condition under subparagraph (a) to providing evidence or in-
formation.”).
370 See, e.g., Select Committee on the European Union, EU/US Agreements on
Extradition and Mutual Legal Assistance, 2002-3, H.L. 153, at 14, para. 35.
371 See Francesca Bignami, Transgovernmental Networks vs. Democracy: The Case of the Euro-
pean Information Privacy Network, 26 Mich. J. Int’l L. 807, 863–65 (2005).
372 See id.
373 See id. at 863.
374 See id.
375 See id. at 864.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 669

the airline passenger systems of European carriers—systems located in

Europe, not the United States.376 This clearly constituted an extraterri-
torial exercise of regulatory jurisdiction by the United States. But these
airplanes, of course, must eventually land in the United States, at which
point they come squarely within the reach of U.S. jurisdiction. Practi-
cally speaking, this meant that if the airlines failed to cooperate with
the CBP’s earlier demands, entry of their passengers to the United
States could be denied or delayed and civil fines could be imposed.
Despite these enforcement tools, European airlines did not accede
to U.S. demands immediately. Why was cooperation not forthcoming?
This is even more surprising given that the punitive measures were ac-
tually imposed in some instances: passengers on European carriers
were sometimes stuck for hours on U.S. runways, waiting to be allowed
entry into the United States. The airlines did not cooperate for some of
the same reasons that the transatlantic exchange of personal data be-
tween spy and police agencies has been so difficult: under European
law, such transfers would have to be authorized by a specific piece of
regulation and could not occur absent a finding of the adequacy of the
data protection guarantees in the receiving country.377 In other words,
by satisfying the demands of the U.S. government, the airlines would be
breaking European law. The airlines, faced with this dilemma, went to
the European Commission seeking action that would allow them to op-
erate their transatlantic flights in compliance with the law on both sides
of the Atlantic. It took almost three years of diplomatic wrangling for
the United States and the European Union to come to an understand-
ing. Finally, in the spring of 2004, the two sides signed an agreement
specifying the type of passenger data that could be gathered from

376 Agreement Between the European Community and the United States of America
on the Processing and Transfer of PNR Data by Air Carriers to the United States Depart-
ment of Homeland Security, Bureau of Customs and Border Protection, May 28, 2004, p. 5,
available at http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/2004-05-
28-agreement_en.pdf. On the entry into force of this agreement, see generally Council
Decision 2004/496 of 17 May 2004 on the Conclusion of an Agreement Between the Euro-
pean Community and the United States of America on the Processing and Transfer of PNR
Data by Air Carriers to the United States Department of Homeland Security, Bureau of
Customs and Border Protection, 2004 O.J. (L 183) 83 [hereinafter Council Decision
2004/496].
377 See, e.g., Law No. 78-17 of Jan. 6, 1978, art. 68, J.O. [Official Gazette of France],
Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of
Jan. 23, 2006 (French statute requiring a “sufficient level of protection” of privacy in a non-
EU state before data can be transferred to that state); Bundesdatenschutzgesetz [Federal
Data Protection Act], May 22, 2001, BGBl. I at 904, § 4b(2) (F.R.G.) (German statute re-
quiring an “adequate level of data protection” before transfer of data to a non-EU state).
670 Boston College Law Review [Vol. 48:609

European airline reservation systems and the conditions under which it

would have to be handled.378
Under the terms of this agreement, the CBP is allowed access to
thirty-four out of thirty-nine fields contained in airline reservation sys-
tems under an individual’s passenger name record (“PNR”) number.379
This includes the individual’s address, email address, telephone num-
ber, travel itinerary, round-trip or one-way ticket purchase, and pay-
ment information.380 If the information is never manually accessed, it
must be erased after three-and-a-half years; otherwise, it must be erased
after eight years, with an exception for information that was used in a
government investigation.381 The purposes for which the personal in-
formation may be used are limited to “preventing and combating” the
following crimes: terrorism and related crimes, other serious crimes—
including organized crime—that are transnational in nature, and flight
from warrants or custody for those crimes.382 The CBP is barred from
processing personal data considered, under European law, to be “sensi-
tive data.”383 Only the CBP may access the data on a routine basis; it
may transfer European passenger data to other law enforcement and
counterterrorism agencies but only if it first determines that transfer of
a particular passenger’s data would further the crime-fighting purposes
outlined in the agreement.384 Those government agencies are held to
the same standards as the CBP, including the restrictions on informa-
tion sharing with other government agencies.385 Additionally, passen-
gers are guaranteed access to their personal information under the
Freedom of Information Act.386 Finally, the Chief Privacy Officer of the
Department of Homeland Security is recognized as exercising many of
the same oversight functions as independent privacy agencies in
Europe.387

378 See generally Commission Decision 2004/535 of 14 May 2004 on Adequate Protec-
tion of Personal Data Contained in the Passenger Name Record of Air Passengers Trans-
ferred to the United States Bureau of Customs and Border Protection, 2004 O.J. (L 235)
11 (EC) [hereinafter Commission Decision 2004/535]; Council Decision 2004/496, supra
note 376.
379 Commission Decision 2004/535, supra note 378, at 15 annex.
380 Id. at 22 attachment A.
381 Id. at 17 annex.
382 Id. at 11.
383 Id. at 12.
384 Commission Decision 2004/535, supra note 378, at 18 annex.
385 Id. at 18–19 annex.
386 Id. at 19 annex.
387 Id. at 18, 20 annex.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 671

From the perspective of European privacy advocates, this agree-

ment was far from satisfactory.388 It did render unlawful, however, the
kind of data mining and data sharing conducted as part of government
programs like the NSA call database. But after only two years of opera-
tion, it appeared that the PNR agreement might unravel. On May 30,
2006, the European Court of Justice found the PNR agreement to be
unlawful under European law.389 The grounds for the Court’s judgment
had nothing to do with privacy. In fact, the Advocate General’s opinion
that preceded the Court’s judgment had found that the agreement re-
spected fundamental human rights guarantees on data protection.390
Rather, the Court found that the European Commission and the Coun-
cil had exceeded their jurisdiction because they had concluded the
agreement under the common market pillar, when the purpose of the
data transfers was not to facilitate trade, but to prevent and investigate
crime.391 Therefore, the European Union announced to the United
States on July 3, 2006 that it was withdrawing and, on September 30,
2006, the agreement terminated.392
The big question following the Court of Justice’s decision was
what, if anything, would replace the PNR agreement. On the European
side, the strategy was to sign an identical agreement between the same
parties (the United States and the European Union, and not individual
European countries as some had suggested), just under the correct pil-
lar covering criminal matters.393 By the time the negotiations were con-

388 Opinion 6/2004 of the Article 29 Data Protection Working Party on the Implementation of the
Commission Decision of 14-V-2004 on the Adequate Protection of Personal Data Contained in the Pas-
senger Name Records of Air Passengers Transferred to the United States’ Bureau of Customs and Border
Protection ( June 22, 2004), available at http://ec.europa.eu/justice_home/fsj/privacy/docs/
wpdocs/2004/wp95_en.pdf.
389 See generally Joined Cases C-317/04 & C-318/04, supra note 342.
390 See generally Opinion of AG Léger, supra note 194.
391 See generally Joined Cases C-317/04 & C-318/04, supra note 342.
392 See Note from Presidency to Coreper/Council on Agreement Between the European Union and
the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data
by Air Carriers to the United States Department of Homeland Security, Doc. No. 13668/06 of Oct.
6, 2006, para. 2, p. 1 [hereinafter Note from Presidency to Coreper].
393 See EC Steps to Comply with ECJ Annulment of PNR Agreement, Legislationline, June 22,
2006, http://www.legislationline.org/?tid=219&jid=61&less=true (follow June 22, 2006 link
on the right side). The official recommendation, sent by the Commission to the Council, is
on the Council’s access to documents site, but the document is classified and the text cannot
be downloaded from the site. See Council Doc. 10826/06, Termination of the Agreement
Between the European Community and the United States of America on the Processing and
Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security,
Bureau of Customs and Border Protection—Authorisation to Open Negotiations for an
Agreement Between the EU and the United States of America on the Use of Passenger Name
Records (PNR) Data to Prevent and Combat Terrorism and Transnational Crime, Including
672 Boston College Law Review [Vol. 48:609

cluded on October 6, 2006, however, it was clear that this ambition had
not been realized.394 The current agreement, which still must be signed
and ratified by the Council, relies on the data protection undertakings
entered into by the U.S. government in 2004 as part of the first round
of negotiations.395 The undertakings implemented into U.S. law the
terms of the PNR agreement based on the Department of Homeland
Security’s (the “DHS’s”) statutory authority.396 These undertakings re-
main in effect.397 But they have been undermined by a new Letter of
Interpretation that sets out how the DHS, the CBP’s parent agency, will
interpret the undertakings.398 In the Letter of Interpretation, the DHS
states that European passenger data may be shared with all agencies
exercising counterterrorism functions, without any showing that such
data is relevant to a specific investigation;399 that all the data contained
in European passenger records systems may be requested, not only the
thirty-four items specified in the undertakings;400 and that the data may
be retained indefinitely.401
A similar set of demands for European personal data has been
made by the U.S. government on the banking industry.402 In the sum-
mer of 2006, it was revealed that ever since the events of September 11,
2001, the Society for Worldwide International Financial Telecommuni-
cation (“SWIFT”) has been transferring massive amounts of data on
international bank transfers to the U.S. Department of the Treasury.403
SWIFT is a cooperative, established under Belgian law, of financial insti-
tutions located throughout the world.404 It runs a network designed to
execute international bank transfers.405 It has two operations centers,

Organised Crime, June 23, 2006 [hereinafter Council Doc. 10826/06], available at http://
register.consilium.europa.eu (conduct advanced search for Document No. 10826/06).
394 See Council Doc. 10826/06, supra note 393, paras. 5–6, p. 2.
395 See id. para. 3, p. 2.
396 Commission Decision 2004/535, supra note 378, at 17 annex.
397 See id.; see also Note from Presidency to Coreper, supra note 392, para. 3.
398 See Note from Presidency to Coreper, supra note 392, annex 3, p. 12.
399 See id.
400 See id. annex 3, p. 14.
401 See id.
402 See Belgian Data Protection Commission, Opinion No. 37/2006 of 27 Sept. 2006
on the Transfer of Personal Data by the CSLR SWIFT by Virtue of UST (OFAC) Subpoe-
nas, at 5 [hereinafter Belgian Data Protection Commission], available at http://www.
privacycommission.be/communiqués/opinion_37_2006.pdf (nonofficial and temporary
translation as of Sept. 29, 2006).
403 See id.
404 Id. at 3.
405 Id.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 673

one in Europe and one in the United States.406 All messages ordering
payments between banks are stored, in duplicate, at these two opera-
tions centers for 124 days.407 After September 11, the U.S. Treasury De-
partment began issuing administrative subpoenas for the data held in
SWIFT’s U.S. operations center.408 Although the precise figures are se-
cret for national security reasons, according to one report the data
transferred to the Treasury Department in any given year could very
well include all the messages sent via the SWIFT system, which in 2005
numbered 2,518,290,000.409
After this came to light, a number of European data protection
authorities called for action.410 Because much of the transactional in-
formation came from Europe, it was clear to all concerned that Euro-
pean privacy law was triggered. In fact, from the beginning, SWIFT
knew that it was running the risk of violating European privacy law; it
requested and received a “comfort letter” from the U.S. Treasury De-
partment in which the Department pledged to support SWIFT in the
event that it was later sued by foreign governments or third parties.411
The Belgian Data Protection Commission took the lead in the investi-
gation because, under European data protection rules, it is the privacy
agency with the strongest claim of jurisdiction over SWIFT.412 In the fall
of 2006, the Belgian Commission categorically condemned SWIFT and,
indirectly, the U.S. government.413 It is worthwhile repeating the Bel-
gian Commission in full:
Considering that the recipient of the data (US Treasury)
was never subjected to an appropriate level of protection in
accordance with article 21 of the DPL [Belgian Data Protec-
tion Law] and Directive 95/46/EC [the EU Directive], the
Commission is of the opinion that SWIFT violated . . . [the
Belgian Data Protection Law]. It can be considered a serious
error of judgement on the part of SWIFT to subject a mass
quantity of personal data in a secret and systematic manner for
years to the surveillance of the US Treasury without at the
same time informing the European authorities and the Com-

406 Id.
407 Belgian Data Protection Commission, supra note 402, at 3.
408 See id. at 5.
409 Id. at 6.
410 Id. at 2.
411 Id. at 6.
412 See id. at 2.
413 See Belgian Data Protection Commission, supra note 402, at 26–27.
674 Boston College Law Review [Vol. 48:609

mission in order to reach a solution under Belgian and Euro-

pean law.414

3. The Relevance of Leverage

Although it is too early to tell with the bank transfer data, in the
case of airline passenger data it does not appear that Europe has been
able to exert much leverage over the United States. The state control
over territory that has served traditionally as the basis for regulatory
jurisdiction also influences which approach to privacy will prevail,
American or European.415 European airlines wish to do business with
the United States. To do so, they must land and deplane their passen-
gers at U.S. airports. To enjoy this privilege, European carriers are
forced to comply with the U.S. government’s requests for personal in-
formation. And Europe has few carrots or sticks to use in negotiating
privacy guarantees for such information. A European privacy authority
might threaten to bring prosecutions in its national courts against both
European and American airlines for complying with the CBP’s infor-
mation requests. But such prosecutions against national carriers would
be difficult as a matter of domestic politics and the same prosecutions
against American airlines would risk triggering retaliation from the
American side.
The relative power of the United States and Europe in this type of
situation suggests that the outcome of the SWIFT episode will be simi-
lar. To process transatlantic bank transfers, bank orders must be sent
from Europe to the United States where, for good business reasons,
they are stored for a certain period of time. Because the bank orders
are in storage on American territory—and because SWIFT has signifi-
cant economic assets in the United States associated with such stor-
age—it is easy to compel compliance with any government order.
Again, the European Union has few tools to pressure the United States
to adopt better privacy guarantees. Because SWIFT is a cooperative with
a significant European membership, a suit against SWIFT would en-
counter the same domestic opposition as a suit against a European air-
line. A European government might go after the financial institutions
that are part of the cooperative, some of which are undoubtedly Ameri-
can, but that would carry all the same political risks as suing American
airlines.

414 See id.

415 See Restatement (Third) of Foreign Relations Law § 204 (1987).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 675

Another episode of transatlantic discord—involving personal data

of particular value to the intelligence community—illustrates the dif-
ferent outcome when the territorial advantage is held by the Europe-
ans. This time, the Americans sought access to the information on
transnational crime contained in Europol’s central database.416 Because
the two sides were so bitterly divided over data protection, the terms
under which access would be permitted had to be negotiated in stages.
First came an agreement, signed on December 6, 2001, on the ex-
change of strategic and technical information on matters such as the
routes used by smugglers.417 This was followed, a full year later, by an
agreement on the exchange of personal data.418 This second agreement
requires that requests for information be made in writing and that such
requests “provide a concise statement identifying the authority making
the request, the matter under consideration, the reason for the request,
and the nature of the assistance sought.”419 Such requests must be
made in connection with “specific” criminal offenses or for “specific”
analytical purposes.420 The agreement therefore does not contemplate
wholesale access to information contained in the Europol database, as
has been achieved in the case of airline passenger reservation systems.
Most importantly, the parties retain full discretion to deny such re-
quests for personal information and they may subject disclosure to
various conditions, including privacy guarantees.421 The difference in
privacy laws has effectively prevented the United States from obtaining
routine access to the vast reservoir of information on transnational
criminal activity held by Europol. Once, as is planned, Europol obtains
access to the Schengen Information System, that pool of information
will become even more extensive.422

416 For Europol’s internal data protection rules, see generally Council Act of 3 Nov.
1998, Adopting Rules Applicable to Europol Analysis Files, 1999 O.J. (C 26) 1.
417 Operational Agreement Between the United States of America and the European Po-
lice Office, U.S.-Europol, arts. 2–3, Dec. 6, 2001, available at http://www.europol.europa.eu/
legal/agreements/Agreements/16268-2.pdf.
418 Supplemental Operational Agreement Between the Europol Office and the United
States of America on the Exchange of Personal Data and Related Information, U.S.-Europol,
art. 1, Dec. 12, 2002 [hereinafter Supplemental Operational Agreement], available at http://
www.europol.europa.eu/legal/agreements/Agreements/16268-1.pdf; see Europol, Annual
Report 2003, point 22 (2003), available at http://www.europol.europa.eu/index.asp?page=
publar2003#USA.
419 Supplemental Operational Agreement, supra note 418, art. 4.
420 Id. art. 5.1(a).
421 Id. art. 5.4.
422 Commission Proposal for a Council Decision on the Establishment, Operation and Use of the
Second Generation Schengen Information System (SIS II), art. 57, at 38, COM (2005) 230 final
(May 31, 2005).
676 Boston College Law Review [Vol. 48:609

4. The Failure of Predictions of Regulatory Convergence

Thus the transatlantic difference persists, notwithstanding the
burden on business and the interest of the U.S. government in obtain-
ing more European police data to better fight crime and terrorism.
This outcome defies predictions of regulatory convergence in some
quarters.423 A couple of years ago, Gregory Shaffer observed that U.S.
privacy standards were being “ratcheted up” to the level of data protec-
tion afforded under European law.424 Shaffer argued that the logic of
trade, reinforced by nongovernmental advocacy networks, had pro-
duced this phenomenon and would continue to do so.425 Building on
the work of David Vogel and others, Shaffer found that American firms
that did business in Europe had an incentive to adopt the higher, more
restrictive European privacy standard for all of their business, including
their non-European operations.426 This they accomplished by self-
regulation and by putting pressure on their American regulators to
adopt standards that were compatible with the European ones.427 At the
same time, because data privacy is a policy problem characterized by
externalities, Shaffer hypothesized that European regulators would
seek to influence foreign jurisdictions; data can be sent abroad in sec-
onds, at which point privacy is at the mercy of foreign laws and regula-
tors.428 In Shaffer’s account, these forces of globalization have com-
bined with the advocacy efforts of privacy rights groups to produce
higher privacy standards in the United States.429
There certainly is good evidence for Shaffer’s claims. The more
recent experience, however, shows the limits of the argument. Even
when the economic interests of big players in the global marketplace
such as airlines and banks are at stake, a strong countervailing regula-
tory policy will trump the trade interest in convergence. In this in-
stance, that opposing policy interest is government access to informa-
tion to assist with law enforcement and national security. Furthermore,
when an activity is entrusted to state—not private—actors, the pressure
to develop a single modus operandi applicable in all jurisdictions is sig-
nificantly lower. Policing and national defense are the prime examples

423 See generally Shaffer, supra note 23.

424 See id. at 82–83.
425 Id. at 55–80 (analyzing the effects of the EC directive in the United States).
426 Id. at 70–80 (discussing U.S. business reactions to increased pressure for privacy
protection from the European Union).
427 Id. at 44.
428 See Shaffer, supra note 23, at 85 (discussing externalities).
429 Id. at 55–80.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 677

of activities handled by government actors, not private firms. And the

resistance to convergence of such actors is evident in the continuing
difference in how police and spy agencies handle personal data in the
United States and Europe. This difference persists even though a rela-
tively small policy shift on the American side would produce significant
advantages in the form of easier access to valuable personal data, for
instance, information on Islamic extremists living in Europe.

B. Understanding American Privacy Law

To understand the possibilities of transforming American privacy
law based on European law, it is necessary to review the comparative
method and the critiques of the method. It is also critical to appreciate
the history of information privacy law. Originally, the two legal systems
appeared to share near-identical commitments to information privacy,
but, over time, they have diverged radically for reasons explored in this
Section. Mindful of the limits of the comparative method and informed
by the reasons for the transatlantic divergence, this Article makes a few
recommendations for the reform of American privacy law.

1. The Comparative Method

In some ways, this Article is a conventional exercise in comparative
law. It takes a presumed problem—safeguarding privacy in the face of
government programs like the call records program—and explores the
solutions to that problem in two different legal systems. The so-called
“functionalist” method has been employed in countless pieces of indi-
vidual comparative law research.430 It has also served as the framework
for a number of well-known collaborative projects, including Rudolf
Schlesinger’s project on the formation of contracts431 and the Common
Core Project being run out of the University of Trento, Italy.432
This collaborative work is especially revealing of the details of the
functionalist method. Research design in such enterprises must be
made particularly explicit at the outset, to guarantee that the results
will be cumulative and will be able to serve as the basis for more gen-

430 See generally Ralf Michaels, The Functional Method of Comparative Law, in The Oxford
Handbook of Comparative Law 339 (Mathias Reimann & Reinhard Zimmermann eds.,
2006).
431 See Rodolfo Sacco, Legal Formants: A Dynamic Approach to Comparative Law, 39 Am. J.
Comp. L. 1, 27–28 (1991).
432 See Vernon Valentine Palmer, From Lerotholi to Lando: Some Examples of Comparative
Law Methodology, 4 Global Jurist Frontiers 1, 16 (2004).
678 Boston College Law Review [Vol. 48:609

eral conclusions. The starting point is a factual hypothetical, abstracted

as much as possible from the law of any one country. Scholars from dif-
ferent legal systems are then asked how their system would handle the
problem: how a judge would decide the case, and based on which rules,
general principles, doctrinal reasoning, and, if relevant, rules and insti-
tutions outside that particular subject area, such as civil procedure and
constitutional law. Those answers are then synthesized to discern the
extent of commonality and difference among the many legal systems.
An example from the Common Core’s study on “Pure Economic
Loss in Europe” will illustrate:

Case 1
While maneuvering his mechanical excavator, an employee
of the Acme Road Works cuts the cable belonging to the pub-
lic utility which delivers electricity to Beta Factory. The unex-
pected black-out causes damage to machinery and the loss of
two days production. Beta Factory’s owner claims compensa-
tion from the excavator (Acme) not only for the damage to
his machinery but also for the damage caused by the loss of
production.433
Whether and for what reasons Beta Factory would be able to recover
for loss of production, together with a number of other hypotheticals,
was analyzed by scholars from thirteen different legal systems.434 Their
country reports, together with a synthesis report and a historical chap-
ter, were published seven laborious years later.435
This Article, in contrast to the Common Core, has only one hypo-
thetical—a database of all the calls made and received by the clients
of two major telecommunications providers is being used by an intel-
ligence agency to detect terrorists. It only has two legal systems—the
United States and Europe. Otherwise, the method is very similar.
This Article is at the same time an unconventional exercise in
comparative law. The field of comparative law has long been domi-
nated—some would say “obsessed” —by the problems of contracts,
torts, and property. By contrast, this comparative analysis deals with a
problem of public law.436 In the past, comparing constitutional and

433 Id. at 17.

434 Id. at 17–20.
435 Id. at 16.
436 Mathias Reimann, The Progress and Failure of Comparative Law in the Second Half of the
Twentieth Century, 50 Am. J. Comp. L. 671, 680 (2002).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 679

administrative law was dismissed as fruitless. Such law, unlike private

law, was believed to be so unscientific and value-laden that comparison
would not be able to yield any useful insights.437 Because public law was
believed to embody the distinct historical and political experience of
the nation state, comparing public law could not reveal any basic truths
that could serve as the grounds for universal, international regulation
of different areas of human activity—traditionally the main purpose of
comparative law.438
Today, comparative public law is still seen as qualitatively differ-
ent from comparative private law.439 The institutional setting in which
public law operates is still believed to be more historically and cultur-
ally contingent than the sphere of civil society relations in which pri-
vate law applies.440 As John Bell argues:
In public law, the core function of law is distinctive from
private law. Public law is about defining and controlling the
powers and activities of government. This is not the function
of private law, which exists to provide frameworks within
which individuals can undertake voluntarily, and to provide
remedies when they exceed the bounds of the acceptable use
of private power . . . . Now, to talk at a very high level of ab-
straction, one can discuss the basic principles of liberal de-
mocratic government and the control of abuse of power . . . .
But if we are going to discuss the role of law, we need to de-
scend into several layers of detail, so the question becomes:
how do you govern in a liberal and democratic way in a soci-
ety divided on linguistic grounds which has a relatively short
history of independent government and which has a broadly
French tradition of institutions (Belgium), as opposed to how
do you govern a long-standing unitary state with religious divi-
sions and with a distinct tradition of governmental institutions
(Netherlands).441

437 See Konrad Zweigert & Hein Kötz, Introduction to Comparative Law 3, 39–
40 (3d ed. 1998) (discussing early ambition to create “common law of mankind” and con-
tinuing preference for “unpolitical” as opposed to political areas of the law).
438 See generally John Bell, Comparing Public Law, in Comparative Law in the 21st
Century 235 (Andrew Harding & Esin Örücü eds., 2002).
439 See id. at 236.
440 See id. at 240–43.
441 Id. at 236–37.
680 Boston College Law Review [Vol. 48:609

The greater cultural and historical embeddedness of public law,

however, is no longer perceived as an obstacle to comparison. Indeed,
comparing constitutional and administrative law is becoming standard
fare in the academy.442 This Article is part of the academic trend to
remedy the earlier “obsession” with private law.
Another point of departure from the conventional method is this
Article’s emphasis on the difference between the American and Euro-
pean approaches to privacy in the face of government data mining.
One classic start date for comparative law is the founding of the Inter-
national Congress for Comparative Law by Edouard Lambert and Ray-
mond Saleilles in 1900.443 Their ambition was to find, through com-
parison, a common law of mankind.444 And, over one hundred years
later, this ambition still guides the comparative work of organizations
such as the United Nations Commission on International Trade Law
and the International Institute for the Unification of Private Law. The
cosmopolitan ideal explains, at least in part, the traditional ontological
choice in favor of similarity: to see similar problems of social organiza-
tion across all legal systems, and to see similar solutions to those prob-
lems, albeit accomplished through different types of rules, styles of rea-
soning, legal institutions, and social practices.445
To be fair, this analysis of the NSA call records program is prem-
ised on a good deal of similarity across societies. After all, the United
States and Europe share a common Enlightenment heritage. Privacy is
valued by both Europeans and Americans. In both places, privacy is de-
fined as a certain degree of freedom from the scrutiny of others and a
certain amount of autonomy in making life decisions. And when a gov-
ernment acquires information about individuals, both Europeans and
Americans feel that their privacy is threatened. Without privacy or a
possible government harm, the hypothetical would have no meaning.
The bulk of the discussion, however, is devoted to revealing how the
solutions—the legal categories, the sources of law, and the outcomes—
are all different.

442 See, e.g., Daniel Halberstam, Comparative Federalism and the Issue of Commandeering, in
The Federal Vision 213, 213–51 (Kalypso Nicolaidis & Robert Howse eds., 2001); Vicki C.
Jackson, Comparative Constitutional Federalism and Transnational Judicial Discourse, 2 Int’l J.
Const. L. 91, 91–96 (2004).
443 Zweigert & Kötz, supra note 437, at 2.
444 See id. at 3.
445 See Michaels, supra note 430, at 373–74.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 681

2. The Difference: European Versus American Liberty

According to the legal historian James Whitman, European privacy
law protects dignity, while American privacy law protects liberty.446 In
Whitman’s view, the law in the two places is informed by two very dif-
ferent cultural values: protecting one’s reputation against the vulgari-
ties of the market and the media in Europe, and protecting individual
freedom from intrusions of the state, especially in one’s home, in
America.447 This argument has intrigued and persuaded many privacy
scholars. It explains one very puzzling difference between American
and European privacy law: the apathy of American tort and constitu-
tional law when confronted with even the grossest of privacy abuses if
the offender happens to be a private actor, especially the media.448 It
also fits with the very different rhetoric of the American and European
case law. In American cases, the existence of a privacy interest turns on
whether an individual has a reasonable expectation of privacy, an issue
that is generally addressed by examining constitutional history and so-
cial practices—all of which point to the home as the place in which in-
dividuals have been traditionally allowed to conduct their affairs free
from the gaze of others.449 By contrast, European privacy cases, espe-
cially the German ones, begin from the need to preserve human dig-
nity and to develop personal autonomy.450 In pursuing these core val-
ues, the home is always protected, but so too are spaces and personal
matters outside the home.
Although this analysis has considerable merit, Whitman obscures
an important aspect of European privacy law. True, European privacy
law promotes interpersonal respect among individuals. But it also pro-
tects privacy against the state. And it is not always true, as Whitman
argues, that “state action will raise American hackles much more often
than European ones.”451 Indeed, the argument of this Article is that,
in the context of antiterrorism data mining, European law protects
liberty interests more than American law. At least European spy agen-
cies tell their citizens when their personal data is being collected and
combined and, depending on the results, sent to the police for fur-
ther action, a lot more than can be said for American spy agencies.

446 Whitman, supra note 24, at 1161.

447 Id.
448 See, e.g., Cox Broad. Corp. v. Cohn, 420 U.S. 469, 491 (1975) (holding that a state
could not sanction a reporter for disclosure of a rape victim’s name).
449 See Katz v. United States, 389 U.S. 351, 357 n.8 (1967).
450 See Whitman, supra note 24, at 1161.
451 See id. at 1211.
682 Boston College Law Review [Vol. 48:609

How can this somewhat counterintuitive difference between Am-

erican and European law be explained? This transatlantic difference is
even more surprising in light of the specific origins of information pri-
vacy.
When individual privacy in the age of information technology first
became a policy problem, American policymakers were every bit as ac-
tive as their European counterparts. In fact, a case can be made that
European privacy law was influenced by American law and policy. The
book Privacy and Freedom, written by the American scholar Alan Westin
and published in 1967, was one of the first systematic treatments of the
impact of computers on privacy.452 It was widely read in both the United
States and Europe.453 By the early 1970s, legislative and regulatory pro-
posals were being floated on both sides of the Atlantic.
In the United States, this was the era of the Nixon scandals. The
first data privacy proposal came from the Department of Housing,
Education, and Welfare (“HEW”).454 In 1973, HEW issued an influen-
tial report on government databases of personal records.455 To as-
suage public distrust of such databases, the report recommended that
all government departments adhere to a Code of Fair Information
Practices.456 Many of these fair information practices were soon after
incorporated in the Privacy Act of 1974. When, in 1980, a set of data
protection guidelines was adopted by the Organization for Economic
Cooperation and Development, a number of the American legal prin-
ciples were included.457 These guidelines, in turn, influenced the ne-
gotiations on the Council of Europe Convention.458 It is no wonder
then that the terms of the U.S. Privacy Act sound awfully similar to
those of the Council of Europe Convention.459
Rewinding the tape again to the early 1970s, the first national data
protection laws adopted in Europe and the United States displayed re-
markable similarities. This is well documented by political scientist
Colin Bennett in his study of data protection in the United States, Swe-

452 Alan F. Westin, Privacy and Freedom 3 (1967).

453 See Stefano Rodotà, Information Technology—Latest Developments in Scientific Research
and Regulatory Practices, in Ethik und Wissenschaft in Europa 63, 66 (Dietmar Mieth ed.,
2000).
454 See Solove, Rotenberg & Schwartz, supra note 38, at 577–83.
455 Id.; see 5 U.S.C. § 552a (2000 & Supp. IV 2004).
456 See Solove, Rotenberg & Schwartz, supra note 38, at 577–83.
457 See Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What
Larry Doesn’t Get), 2001 Stan. Tech. L. Rev. 1, 16.
458 See Bennett & Raab, supra note 207, at 75.
459 See 5 U.S.C. § 552a; see also Council of Europe Convention, supra note 18.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 683

den, Germany, and the United Kingdom.460 In his study, Bennett found
that the “problem” of privacy in the information technology age was
similar in all four countries: it contained a humanistic dimension pro-
tecting individual dignity against the alienating aspects of mass society
and information technology; a political dimension designed to prevent
a tyrannical state from using information technology—and personal
information—as a tool of oppression; and an instrumental dimension
to advance other nonprivacy values, such as equality and accuracy.461
He also found that the national legislation was similar even though all
countries, with the exception of the United Kingdom, were responding
to their own internal politics and institutional concerns.462 The only
real difference was in the regulatory styles used to advance the privacy
goals—informal and negotiated in Germany and the United Kingdom,
bureaucratic in Sweden, and legalistic in the United States.463 These
early transnational similarities were reinforced by the focus, in both the
United States and Europe, on public sector information abuses. Different
from the U.S. Privacy Act, European laws also regulated private sector
data processing.464 These provisions, however, were included almost as
an afterthought. At the time, the principal organization with the re-
sources, technology, and motive to process large amounts of personal
data was the state.
What changed? For purposes of this Article, it is not necessary to
consider the differences in private sector regulation in depth. Suffice it

460 See generally Bennett, supra note 211.

461 See Donald F. Norris, Book Review, Regulating Privacy: Data Protection and Public Policy
in Europe and the United States, 87 Am. Pol. Sci. Rev. 1035, 1035–36 (1993) (reviewing Ben-
nett, supra note 211).
462 Bennett, supra note 211, at 45–94 (describing the politics of data protection in
each of the four cases); id. at 95–152 (discussing and explaining the similarities of differ-
ent national laws).
463 See id. at 161–70 (Sweden); id. at 170–79 (United States); id. at 179–85 (Germany);
id. at 185–92 (United Kingdom).
464 A number of the congressional bills proposed in the run up to the U.S. Privacy Act
would have regulated personal data processing in both the public and private sectors. See S.
3418, 93d Cong. § 201(a) (1974) (proposing restrictions on use of private information by
government agencies as well as private parties), reprinted in Legislative History of the
Privacy Act of 1974, S. 3418 (Public Law No. 93-579): Source Book on Privacy, 94th
Cong. 2nd Sess. 9–29 (1976) (collecting all of the major bills leading up to the passage of
the Privacy Act of 1974). Industry groups and privacy experts, however, successfully op-
posed such language on the grounds that it was too early to tell what kinds of privacy prob-
lems would emerge in the private sector. See S. Rep. No. 93-1183, at 170–73 (1976), re-
printed in Legislative History of the Privacy Act of 1974, S. 3418, supra, at 151–239.
They also argued that the diverse circumstances of various economic sectors would be
handled best in tailored sector-specific statutes, not in a cross-cutting piece of legislation.
See id.
684 Boston College Law Review [Vol. 48:609

to say that, as the technology became more advanced, enabling a wide

array of private actors to engage in data processing, the scope of Euro-
pean regulation expanded, too. The naturalness with which the primar-
ily public sector framework was extended to the private sector can be
put down to a number of factors: the original legislative choice to cover
private data processing; the constitutional practice—different from the
American constitutional framework—of applying rights to both gov-
ernment and private actors (horizontal effect or drittwirkung); and the
dignity values identified by Whitman.465
But why did the two systems diverge so radically in the public sec-
tor? After all, the laws contained similar sets of legal provisions.466 And
compared to the private sector, the changes wrought by technology to
government information collection and manipulation have not been
nearly as radical. In other words, the contrast cannot be ascribed to
protecting privacy in the face of new information technology, a new
policy problem that might be addressed differently by the different so-
cieties. Rather, at least three institutional forces appear to have been at
work, forces not tied directly to the substance of information privacy
policy.

a. Enforcement
As already noted, the first major difference separating American
from European data protection laws is enforcement. In the American
case, the primary enforcers are individual litigants; in the European
case, they are independent privacy agencies.467 This is consistent with
broader patterns of regulation in the two legal systems: Americans liti-
gate in court and Europeans negotiate with government agencies.468
The American choice, however, appears to have been particularly ill-
suited to the realities of information privacy in the work of government

465 See Council of Europe Convention, supra note 18, art. 3; see also Whitman, supra
note 24, at 1161.
466 See 5 U.S.C. § 552a (2000 & Supp. IV 2004); Council of Europe Convention, supra
note 18.
467 For an illustration of the sparseness of European case law and the infrequency of
cases brought by private individuals (as compared to cases brought by agencies), see gen-
erally Eighth Annual Report of the Article 29 Working Party on Data Protection
(2005), available at http://ec.europa.ed/justice_home/fsj/privacy/docs/wpdocs/2005/
8th_annual_report_en.pdf (illustrating the major developments in data protection law in
each EU Member State).
468 See Robert A. Kagan, Adversarial Legalism: The American Way of Law 3
(2001). See generally The Dynamics of Regulatory Change: How Globalization Af-
fects National Regulatory Policies (David Vogel & Robert A. Kagan eds., 2004).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 685

agencies. The injuries suffered by individuals—not to speak of the pol-

ity—when the government secretly undertakes a program like that for
call records are generally not recognized by common law courts. When
spying occurs through unobtrusive methods and without visible conse-
quences like a criminal prosecution or civil action, it is almost impossi-
ble to prove the injury element of a tort claim. In addition, suing the
government is almost always more difficult than suing private parties.469
Even though the Privacy Act lifts the government’s sovereign immunity,
it still benefits from a form of qualified immunity: most violations of the
Act must be proven “intentional or willful” before a plaintiff can re-
cover.470 A government agency with the authority to investigate other
agencies for privacy violations, to recommend changes if such violations
are found, and, in the last resort, to impose an administrative sanction
or to take an offending government official to court, is likely to be a
better enforcer than private attorneys general.
Administrative agencies and courts, of course, are not just enforc-
ers but also policymakers. And, as compared to generalist courts, ad-
ministrative agencies have distinct advantages. Because their resources
and authority are committed to specific government policies, they de-
velop expertise, historical memory, and bureaucratic dedication in
their policy areas. When political and social realities change, adminis-
trative agencies stay put; they are there to promote the goals of earlier
legislative enactments. Indeed, privacy agencies in Europe would
probably describe themselves as policymakers first, enforcers second.
Their resources are devoted largely to vetting government proposals for
proportionality and making policy recommendations in the face of new
technological threats to privacy.
The lack of a similar institution in the United States is a big part of
the explanation for transatlantic difference. There is no one to tell a
government agency that certain personal information—say, the toll re-
cords of all AT&T customers—is not really “relevant and necessary” to
accomplishing the agency’s purpose;471 that the agency does not review
its records often enough to make sure that they are up to date and ac-
curate, hence avoiding adverse consequences for individuals;472 or that
what the agency considers to be a “routine use” of information which is
“compatible with the purpose for which it was collected” really is not

469 See, e.g., Terkel v. AT&T, 441 F. Supp. 2d 899, 917 (N.D. Ill. 2006); ACLU v. NSA,
438 F. Supp. 2d 754, 765–66 (E.D. Mich. 2006).
470 See 5 U.S.C. § 552a(g)(4).
471 Id. § 552a(e)(1).
472 5 U.S.C. § 552a(d)(5) (2000).
686 Boston College Law Review [Vol. 48:609

compatible with such purposes, thereby precluding information shar-

ing with another government agency.473 Indeed, it is unnecessary to go
abroad to understand the impact of the absence of a privacy agency. In
most other cases in which information privacy has been regulated by
Congress, an administrative agency has been charged with implementa-
tion: the Department of Health and Human Services for health privacy,
the Federal Communications Commission for telemarketers, the Fed-
eral Trade Commission for children’s privacy online.474 In none of
these areas has privacy been deemed quite as roundly and unanimously
to have failed as in the case of the Privacy Act.

b. Executive Power
The second part of the explanation for the transatlantic differ-
ence, especially since September 11, is the spectacular growth of execu-
tive power in the United States. This is a trend that began in the early
1980s with the Reagan administration, first with the theory of the “uni-
tary executive,”475 then “presidential administration,”476 and now the
“war against terror.”477 This is a well-documented phenomenon that
cannot be explored in any depth here. It is critical to understand the
rise of executive power, however, to understand the trajectory of infor-
mation privacy. The President’s aggressive assertions of executive
power—and the failure of Congress and the courts to react—have
shaped many policy areas, including information privacy. The NSA call
records program is one, obvious illustration of this institutional logic.
Since the early 1980s, the experience of European executive
branches has been quite the reverse. As the discussion of the European
law illustrates, national law enforcement and spy agencies cannot sim-
ply take heed of one national privacy agency or one set of national
courts.478 They operate in three different—in the sense of not hierar-
chically related—yet at the same time overlapping, legal systems: their
national constitutional systems, the Council of Europe, and the Euro-

473 Id. § 552a(a)(7).

474 See Solove, Rotenberg & Schwartz, supra note 38, at 379–80 (discussing the
Health Insurance Portability and Accountability Act (“HIPAA”)); id. at 666–67 (discussing
the Telephone Consumer Protections Act); id. at 667–69 (discussing the Children’s Online
Privacy Protection Act).
475 See Charles Fried, Order and Law: Arguing the Reagan Revolution—A
Firsthand Account 132–71 (1991).
476 See generally Elena Kagan, Presidential Administration, 114 Harv. L. Rev. 2245 (2001).
477 Proclamation No. 7811, 69 Fed. Reg. 55,715 (Sept. 10, 2004).
478 See supra notes 169–340 and accompanying text.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 687

pean Union. The rise of Europe as a political and legal entity has been
possible only by virtue of huge losses of national sovereignty. Although
in some ways this might strengthen executive branches—when national
ministers go to Brussels to negotiate EU laws, their national parlia-
ments cannot exercise much oversight—on the whole, the integration
process has brought more and more checks on national executive
power.479 If a Ministry of Interior wished to push back against the broad
reach of European data protection law, it would have to contend with a
number of independent bodies: in the European Union, it would con-
tend with other Member States, the Court of Justice, and the Working
Party of Data Protection Commissioners; in the Council of Europe, the
European Court of Human Rights; and at the national level, its judicial
branch and its independent privacy agency. By understanding this dif-
ferent configuration of executive power on the two sides of the Atlan-
tic, we can better understand why an area of public policy that began
with equal enthusiasm in both places fared so differently over time. In
the United States, privacy met with effective opposition from the execu-
tive branch. By contrast, in Europe, once the momentum for privacy
got going—and was institutionalized in the form of privacy commis-
sioners and constitutional case law—it was very difficult for national
governments to resist.

c. The Nazi Experience

A third element that should be mentioned in seeking to explain
the transatlantic difference is the European experience with the Nazis
during World War II, an experience that has no American equivalent.
Human rights law in Europe today, including privacy law, has been
shaped by this Nazi past.480 This is not to say that privacy law was fash-
ioned simply as a reaction to that experience—national legal traditions
were too solidly rooted to be swept away by fifteen or so years of his-
tory.481 But, as the historian Tony Judt puts it, for most of Western
Europe, World War II was an experience in profound national humilia-
tion, a period in which the entire apparatus of state and society was put

479 See William Wallace, The Sharing of Sovereignty: The European Paradox, 47 Pol. Stud.
503, 520 (1999) (explaining that, between the infrequent meetings of the heads of Euro-
pean governments, the normal business of European politics and government is “con-
ducted across state boundaries by a great many other actors and agencies”).
480 See Tony Judt, Postwar: A History of Europe Since 1945, at 565 (2005).
481 See Whitman, supra note 24, at 1165.
688 Boston College Law Review [Vol. 48:609

at the service of a foreign occupying power.482 As for the Germans, at

their feet lay responsibility for the atrocious human rights abuses of the
Nazi regime.
Throughout Western Europe, it was widely feared that the manipu-
lation of the state for tyrannical ends might occur again.483 This fear
was not abstract or irrational. Not only was there the Nazi past, but
there was also the threat of Communism, which it must be remembered
materialized even before World War II had officially come to an end.
Hence all of the references to the dangers of Nazism and Communism
by the drafters of the ECHR.484 And hence the German Constitutional
Court’s repeated references to the lessons learned from Nazism in its
own case law—including its privacy case law.485
It does not seem far-fetched to conclude that European rights, in-
cluding the right to stop large state bureaucracies from collecting and
instrumentalizing vast quantities of information about individual citi-
zens, have been shaped by a particularly vivid understanding of the
possible abuses of state power. In the United States, after President
Nixon was forced to resign, Americans could forget how government
power, including surveillance powers, could be used to subvert democ-
racy and suppress rights. With the Nazis in their past and the Commu-
nists possibly in their future, Europeans found it harder to forget.

3. Critique and Reform

By expanding the realm of legal possibilities, comparison can serve
as an impetus for legal change at home.486 Comparison brings to light
the historical contingency—as opposed to cultural destiny—that in-
forms certain legal rules and categories. By demonstrating that our na-
tional, political, and social aspirations have been better served by the

482 See Judt, supra note 480, at 14, 41; A.H. Robertson & J.G. Merrills, Human
Rights in Europe: A Study of the European Convention on Human Rights 3 (3d ed.
1993).
483 See Judt, supra note 480, at 242; Robertson & Merrills, supra note 482, at 3.
484 Robertson & Merrills, supra note 482, at 3–5.
485 See, e.g., Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] Mar. 3,
2004, 1 BvR 2378/98, 1084/99 (115) (F.R.G.) (prohibiting police bugging of homes);
Bundesverfassungsgericht [BVerfG] Feb. 25, 1975, 39 BVerfGE 1 (36–37) (F.R.G.) (abortion
case); Bundesverfassungsgericht [BVerfG] Feb. 14, 1973, 34 BVerfGE 269 (271) (F.R.G.)
(Princess Soraya case); Bundesverfassungsgericht [BVerfG] Nov. 8, 1960, 1 BVerfGE 12
(F.R.G.) (prohibiting neo-Nazi socialist Reich party under principles of militant democracy);
Bundesverfassungsgericht [BVerfG] Aug. 17, 1956, 5 BVerfGE 85 (204) (F.R.G.) (prohibiting
communist party under principles of militant democracy).
486 See George P. Fletcher, Comparative Law as a Subversive Discipline, 46 Am. J. Comp. L.
683, 695 (1998).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 689

law abroad, comparison can sharpen our sense of disappointment with

our own legal experience. And, looking to other liberal societies can
provide a range of legal solutions—solutions that answer to the funda-
mental moral commitments of liberal societies but, at the same time,
do not impose intolerable costs on those societies.
This exploration of European privacy law serves the agenda of le-
gal change at home.487 By stressing that the point of departure, in the
early 1970s, was very similar on both sides of the Atlantic, the contin-
gency of privacy law in the United States today is revealed. In my analy-
sis of European privacy law, I have attempted to show that, indeed, that
law serves principles of transparency, democratic debate, and protec-
tion against overreaching government surveillance better than Ameri-
can law. And, in this Subsection, European law serves as a point of de-
parture for improving American law.

a. Answering the Critiques of the Comparative Method

From the outset, two objections to this constructive comparative
enterprise should be mentioned. First, some might say that even
though the United States and Europe are, roughly speaking, both lib-
eral societies, because they do not share the same moral commitments
and practical constraints, the privacy law of Europe cannot serve as a
source of inspiration for the United States. But can it really be true that
the United States is less committed to liberty than Europe? Do Ameri-
can citizens not feel a need to know about government programs de-
signed to monitor them, or to seek to confine such programs to the
minimum necessary to protect them from terrorist threats? It might be,
as argued earlier, that because of their different historical experiences,
Americans today are less fearful than Europeans of abuses of govern-
ment power. The story with which this Article began—the near-escape
from conscription of Norwegian men into the Nazi army based on cen-
sus records—is just that for most Americans. It is not lived history. But
that good luck is not a particularly sound reason for safeguarding rights
any less in the day-to-day practice of government surveillance.
Slightly more persuasive is the claim that European law has little to
offer the United States because the practical constraints of the two so-
cieties are different. It is true that the United States, unlike Europe, is
the world’s military hegemon. In threatening, or actually conducting,

487 See, e.g., Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection,
2006 U. Ill. L. Rev. 357, 377–80 (arguing for judicial oversight and public accountability
in government data mining and for amendments to the Privacy Act).
690 Boston College Law Review [Vol. 48:609

military operations abroad, the intelligence needs of the United States

are extensive. Moreover, because of such military operations, the
United States might be more vulnerable to terrorist attacks at home, on
American soil. Ultimately, however, such objections to comparison are
unconvincing. It is difficult to understand the connection between un-
fettered data collection and data mining at home and military opera-
tions abroad. Not only is information gathering on individuals in the
United States less likely than traditional military surveillance to garner
intelligence on, say, Al Qaeda’s operations along the Pakistan-Afghan-
istan border, but the constraints placed by European law on personal
data processing related to military operations abroad are mild, indeed.
As for the threat of terrorist attacks on national territory, the United
States might be a better symbolic target, but, logistically speaking, it is
probably easier to organize and carry out such attacks in Europe. That
difference has nothing to do with civil rights law and everything to do
with the size and cohesiveness of European immigrant populations and
Europe’s proximity to the Middle East.
A second objection to my constructive ambition is known in the
comparative law literature as the “transplant problem.”488 Like the
functionalist method, drawing on the results of comparison to make
suggestions for law reform is a conventional use of comparative law.489
But, according to the postmodern critique of the past decade or so, it is
also a dangerous use of comparative law.490 The critics point to the sub-
stantial barriers to cross-cultural communication.491 Different societies
are constituted by radically different systems of meaning that are inac-
cessible to most outsiders, certainly to casual academic tourists such as
comparative lawyers. This, of course, is a caricature of the postmodern
view. It highlights, however, one of the important insights of the post-
modern critique: the cultural distinctiveness and internal coherence of
any system of legal rules, modes of reasoning, institutions, and social
practices.
This radical pluralism complicates enormously the task of the
comparative lawyer.492 It casts doubt on the ability of comparative law
to identify any one area of social life to study across legal systems—to

488 See generally Alan Watson, Legal Transplants (1974).

489 See, e.g., Esin Örücü, The Enigma of Comparative Law: Variations on a Theme
for the Twenty-First Century 37 (2004).
490 See Reimann, supra note 436, at 680.
491 See Örücü, supra note 489, at 37–38.
492 See Palmer, supra note 432, at 5–6.
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 691

identify the functionalist “problem.”493 Assuming a researcher is able

to narrow the field of inquiry, once she goes abroad, it is highly likely
that she will misinterpret the foreign law, arriving at wrong conclu-
sions as to the meaning and consequences of the law in that society.
And, in the unlikely event that she is able to surmount all of those
barriers, she will never be able to bring the foreign law back home.
Even if foreign law appears to work better, it will never have the same
effect in the different social and cultural terrain of home.494
In some regards, I am proposing to transplant the European law of
privacy into American soil. It appears, however, that caution rather than
paralysis is the best lesson to take away from the disciplinary debates of
comparative law. The European privacy solution has a number of dif-
ferent components: a fundamental right to information privacy and a
statutory scheme regulating personal data processing in the public and
private sectors.495 The suggestion of this Article is that Americans bor-
row only from the statutory scheme, and only from that part curbing
the government’s use of personal information. In essence, the sugges-
tion is not to transplant at all, but to reinforce the U.S. Privacy Act and,
in doing so, to return to the original intent of 1974.496
At the present time, an American constitutional right to informa-
tion privacy is not worth pursuing. Such a constitutional right would
trigger judicial review of government data-mining programs similar to
the European proportionality inquiry, under the guise of substantive
due process.497 Partly, this solution is unattractive because it is implau-
sible; it is extremely difficult to imagine the current Supreme Court
expanding so dramatically the constitutional right to privacy.
Pressing for a constitutional right to information privacy, however,
might be unwise also for reasons of the broader institutional context.498
In Europe, the relationship between constitutional courts and legisla-

493 See European Convention on Human Rights, supra note 194, art. 8. See generally Law
No. 78-17 of Jan. 6, 1978, J.O. [Official Gazette of France], Aug. 7, 2004, p. 227, amended by
Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of Jan. 23, 2006; Bundesdaten-
schutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at 904 (F.R.G.).
494 See Pierre Legrand, The Impossibility of “Legal Transplants,” 4 Maastricht J. Eur. &
Comp. L. 111, 117 (1997).
495 See, e.g., Council of Europe Convention, supra note 18, arts. 1, 3.
496 See 5 U.S.C. § 552a (2000 & Supp. IV 2004).
497 See Kommers, supra note 195, at 46 (discussing the equivalence between German
proportionality and American fundamental rights doctrine).
498 In this respect, the law reform proposed in this Article is more modest than what
has been advocated elsewhere. See Paul Schwartz, The Computer in German and American
Constitutional Law: Towards an American Right of Informational Self-Determination, 37 Am. J.
Comp. L. 675, 701 (1989).
692 Boston College Law Review [Vol. 48:609

tures tends to be symbiotic.499 It is not necessary to look far for examples

of this relationship. The decision of the German constitutional court
proclaiming a right of “informational self-determination” prompted a
slew of federal and state laws to come into compliance with the constitu-
tional standards set down in that decision.500 Among these was an
amended Federal Data Protection Act (“Act”), with the declaration, in
the very first line, that the purpose of the Act was to “protect the indi-
vidual against his right to privacy being impaired through the handling
of his personal data.”501 A number of additional changes were made to
this Act to further the new, constitutionally mandated criteria for lawful
personal data processing.502 In the European Union, too, this mutually
reinforcing relationship exists. The case law of the European Court of
Justice is often incorporated, word-for-word, in subsequent legislation
and serves as a springboard for positive legislative measures in favor of
basic rights.503
In the United States, according to a number of prominent ac-
counts, this relationship is quite different: when the U.S. Supreme
Court takes action, Congress does nothing.504 And vice versa, when the
Supreme Court fails to act, Congress steps in with legislation. Thus,
when the Court refused to protect bank records under the Fourth
Amendment, Congress enacted the Right to Financial Privacy Act.505
When the Court denied Fourth Amendment protection to pen-register
information, Congress enacted the Pen Register Act.506 In other words,

499 See Kommers, supra note 195, at 53–54.

500 See Schwartz, supra note 498, at 698–99.
501 Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001, BGBl. I at
904, § 1 (F.R.G.).
502 Flaherty, supra note 218, at 46–47 (discussing the constitutional right to self-
determination first established in 1983).
503 See, e.g., Council Directive 2006/54, decl. 15, art. 9.1(h), 2006 O.J. (L 204) 23 (EC)
(on the implementation of the principle of equal opportunities and equal treatment of
men and women in matters of employment and occupation (recast)); George A. Ber-
mann et al., Cases and Materials on European Union Law 511 (2d ed. 2002) (free
movement of goods).
504 The logic behind this congressional inaction varies. See Erwin Chemerinsky, The Re-
ligious Freedom Restoration Act Is a Constitutional Expansion of Rights, 39 Wm. & Mary L. Rev.
601, 605–06 (1998) (Supreme Court’s separation of powers doctrine); William J. Stuntz,
The Political Constitution of Criminal Justice, 119 Harv. L. Rev. 780, 797–98 (2006) (political
incentives).
505 See Solove, Rotenberg & Schwartz, supra note 38, at 271, 725; see also Right to
Financial Privacy Act of 1978, Pub. L. No. 95-630, 92 Stat. 3697. See generally United States v.
Miller, 425 U.S. 435 (1976).
506 The current version can be found at 18 U.S.C. §§ 3121–3127 (2000 & Supp. III
2003).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 693

the risk is that if the Supreme Court finds a right to information pri-
vacy, Congress will not regulate government data mining. Indeed, Con-
gress might test the limits of the right to information privacy by author-
izing intrusive federal programs that might—or might not—be struck
down by the Supreme Court.
Yet, in this technologically complex area, a fine-tuned regulatory
scheme is more essential to protecting the right than the rather blunt
device of judicial review.507 In addition, at least to begin with, legislative
reform is a more legitimate mode of accomplishing change than judge-
made law.508 The opportunities for democratic participation in the leg-
islative process are more extensive. Legislation can be more easily re-
vised over time; the difficulties of repealing a law pale in comparison
with reversing Supreme Court precedent. The legislative branch, there-
fore, appears to be the venue best suited to a privacy reform agenda.
Nor would it be necessary for Americans to adopt a comprehensive
data protection law, covering all data processing in both the private and
public sectors. Without a doubt, European limitations on personal data
processing in the market make government programs like the NSA call
database vastly more difficult. This aspect of European data protection
law also affords greater visibility and accountability to any such gov-
ernment initiative: there must be a law or regulation authorizing the
government to request personal data and permitting private firms to
keep personal data. A comprehensive U.S. data protection law, how-
ever, would require a radical change of the legal environment; market
actors would be asked to limit their data processing operations across
the board, not just in a few specific areas like health care, telecommu-
nications, and financial services, as under the current system.509 Such a
change, moreover, might not be particularly well-suited to a common
law legal system. A wide range of firm activities that are currently sub-
ject to the tort and contract law of common law courts would be swept
into a statutory scheme, subject to the different mode of deciding and

507 See Stephen G. Breyer et al., Administrative Law and Regulatory Policy:
Problems, Text, and Cases 16–35 (5th ed. 2002) (describing evolution of administrative
state from common law courts to specialized regulatory agencies).
508 See Alexander M. Bickel, The Least Dangerous Branch: The Supreme Court
at the Bar of Politics 16–23 (Yale Univ. Press 1986) (1962) (describing countermajori-
tarian difficulty).
509 See Solove, Rotenberg & Schwartz, supra note 38, at 379–80 (discussing HIPAA);
id. at 666–67 (discussing the Telephone Consumer Protections Act); id. at 667–69 (discuss-
ing the Children’s Online Privacy Protection Act).
694 Boston College Law Review [Vol. 48:609

enforcing duties entailed by such a scheme.510 And all of this upheaval

would produce relatively little benefit for the problem at hand: it would
not directly curb data mining by the government.

b. Recommendations for Reform

A few changes to the U.S. Privacy Act would advance the cause of
information privacy enormously.511 The ambition should be to close
some of the gaps that have allowed for the divergence, over time, of the
American and European systems. Many of these gaps, indeed, were not
anticipated by the drafters of the Privacy Act but were produced by
weak judicial enforcement combined with aggressive bureaucratic in-
terpretation.
First, it should be made absolutely clear that the Privacy Act
catches all government programs that involve large-scale personal data
processing. The kind of Orwellian, Big-Brother abuses against which
the Privacy Act was directed are just as likely with antiterrorism data
mining as with systems designed to retrieve information on welfare re-
cipients for purposes of determining their benefits. This broader cov-
erage might be achieved by rewriting the statute to include a new defi-
nition of the statutory term “system of records” or substituting that
term with a new one. This change could also be accomplished by the
judicial branch. The legal uncertainty concerning the scope of the Pri-
vacy Act—and whether it covers data-mining programs like the NSA call
database—is largely a product of the inconsistent case law of the federal
courts.512 This shortcoming, therefore, could very well be fixed by those
same courts.
Second, the Privacy Act’s exemptions for intelligence and law en-
forcement agencies and their activities should be narrowed considera-
bly.513 These are the government bodies and public programs that are
most dangerous to individual liberty. The potential for government
abuse of private information is greatest when such information is col-

510 See generally Guido Calabresi, A Common Law for the Age of Statutes (1982)
(comparing common law decision making and statutory interpretation); John Henry
Merryman, The Civil Law Tradition (2d ed. 1985) (comparing precedent-based com-
mon law tradition and code-based civil law tradition).
511 See 5 U.S.C. § 552a (2000 & Supp. IV 2004).
512 See Jacobs v. Nat’l Drug Intelligence Ctr., 423 F.3d 512, 516 (5th Cir. 2005); Williams
v. Dep’t of Veterans Affairs, 104 F.3d 670, 675 (4th Cir. 1997); Henke v. Dep’t of Com-
merce, 83 F.3d 1453, 1459–62 (D.C. Cir. 1996).
513 See 5 U.S.C. § 552a(b)(7), ( j)–(k) (providing examples of exceptions to the Privacy
Act).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 695

lected by the police—or handed over to the police by government

spies. No other organ of the state has the power to do as much harm to
individual citizens. The very reason for these powers, of course, is the
critical public safety mission with which the police are entrusted. Yet,
the carefully constructed German and French exceptions for police
forces and security agencies demonstrate that it is possible to strike a
more reasonable compromise between individual privacy and public
safety.514 The German and French examples demonstrate that it is not
necessary to allow such agencies to go entirely unregulated.
Third, the exception in the Privacy Act for “routine uses” of per-
sonal data should be repealed.515 This exception has enabled federal
agencies to share personal information with other federal agencies, as
well as state and local bodies, virtually unchecked. If the routine use
exception were not repealed, then much of the benefit gained from
covering national security and law enforcement agencies would be lost;
the restrictions on sharing private data with law enforcement agencies
at the federal and state level would be laughable. Free-for-all informa-
tion sharing is precisely what has been condemned by the German
Constitutional Court.516 In the United States, it is also cause for con-
cern in the more traditional area of wiretapping; the so-called FBI
“wall” between law enforcement and intelligence officers was estab-
lished to prevent criminal prosecutors from using national security sur-
veillance to obtain information on all offenses, regardless of their seri-
ousness.517 The danger of using the far-reaching powers of spy agencies
to investigate mundane crimes like tax evasion, either for legitimate
public or illegitimate political reasons, is as present when personal data
is collected and analyzed. A person’s phone records, combined with
information on her bank transfers, can be as revealing to the police as
her actual conversations. Whenever authorizing a new government
program, therefore, agencies should be required to specify, up front,
exactly how personal data will be used and under what conditions it will
be transferred to other government agencies.

514 See, e.g., Law No. 78-17 of Jan. 6, 1978, arts. 25–29, J.O. [Official Gazette of France],
Aug. 7, 2004, p. 227, amended by Law No. 2004-801 of Aug. 6, 2004, and Law No. 2006-64 of
Jan. 23, 2006; Bundesdatenschutzgesetz [Federal Data Protection Act], May 22, 2001,
BGBl. I at 904, § 13 (F.R.G.).
515 See 5 U.S.C. § 552a(b)(3).
516 See generally Bundesverfassungsgericht [BVerfG] [Federal Constitutional Court] July
14, 1999, 1 BVerfGE 2226/94, 2420/95, 2437/95 (F.R.G.).
517 See Solove, Rotenberg & Schwartz, supra note 38, at 307.
696 Boston College Law Review [Vol. 48:609

Last, the enforcement scheme in the Privacy Act should be

amended to include an independent privacy agency. An independent
privacy agency would offer a solution to some of the most serious defi-
cits of the Privacy Act. This recommendation, of course, is inspired by
the European institution, but it also has a solid domestic foundation.
The original bill contained such an agency, but it was removed in the
end as part of the compromise necessary to pass the Privacy Act.518 A
later bill, proposed in 1991, would have established a Data Protection
Board, with powers similar to those of European privacy agencies.519
The bill passed in the House of Representatives, but never made it
through the Senate.520
The consequences of the absence of an administrative agency have
already been explored here in explaining the divergent paths of privacy
law in the United States and Europe.521 For the present purposes of re-
form, however, the deficiencies of the current system should be re-
viewed with more precision. Under the Privacy Act, individuals have a
right of action for injunctive relief and damages against the govern-
ment.522 This remedy, however, is inadequate for a number of reasons.
Injunctive relief is available for only two types of violations of the Pri-
vacy Act: the government refuses an individual access to her personal
records or refuses to correct her personal records.523 Additionally,
damages may be awarded for any other violation of the Privacy Act that
has an “adverse effect” on an individual.524 The circumstances under
which recovery is permitted, however, are limited.525 Plaintiffs must
prove a “willful or intentional” violation of the Act.526 Plaintiffs must
also show actual damages—and emotional damages alone generally do
not count—before they can qualify for the Privacy Act’s minimum
damages award of $1000.527 The real problem for enforcement, how-
ever, is that many privacy violations go undetected or do not result in
injury traditionally recognized by the courts. If there were restrictions

518 See Marc Rotenberg, The Sui Generis Privacy Agency: How the United States Institutional-
ized Privacy Oversight After 9-11, at 1–2 (SSRN, Working Paper No. 933690, 2006).
519 See To Establish a Data Protection Board, and for Other Purposes, H.R. 685, 102d
Cong. (1991), reprinted in Wayne Madsen, Handbook of Personal Data Protection
887–92 (1992).
520 See H.R. 685.
521 See supra notes 310–332 and accompanying text.
522 5 U.S.C. § 552a(g)(4) (2000).
523 Id. § 552a(g)(3).
524 Id. § 552a(g)(1)(D).
525 See id. § 552a(g).
526 Id. § 552a(g)(4).
527 See Doe v. Chao, 540 U.S. 614, 627 (2004).
2007] A Comparative Privacy Analysis of Antiterrorism Data Mining 697

on transferring personal data between intelligence and law enforce-

ment agencies, and these were breached, it is unlikely that an individ-
ual would ever learn of the breach. If she did, she would be able to
show damages only in the extreme circumstances of intrusive surveil-
lance or an arbitrary detention. Because of this mismatch between data
privacy injuries and the common law’s remedial architecture, an inde-
pendent body with oversight and enforcement powers is essential.
An independent privacy agency would also foster greater transpar-
ency, public debate, and, yes, privacy, at the drawing board phase, at the
time that new government initiatives are designed. Under the Privacy
Act, government agencies are already required to publish Privacy No-
tices in the Federal Register when they plan on creating or modifying a
system of records.528 A Privacy Notice must contain information on the
type of personal data in the system, the purposes for which the data will
be used, the security measures in place to protect the data, the other
agencies with which the personal data will be shared, and the proce-
dures available to individuals to access and correct their records.529 The
notice requirements could very well be expanded to include the steps
that had been taken by the agency to ensure the necessity, relevance,
and adequacy of the personal data, as well as to consider less privacy-
intrusive alternatives to the proposed system of records. With the fewer
exceptions envisioned above, agencies would be required to provide
this detailed explanation for a wider range of activities. An independ-
ent privacy agency would be in a position to provide an expert, impar-
tial analysis of the privacy implications of the proposed program. Fur-
thermore, in areas of government activity such as national security—in
which disclosure can sometimes defeat the purposes of the government
program—scrutiny by an independent agency would serve as a proxy
for public debate. In other words, if secrecy is absolutely necessary, an
independent privacy body would bring an important outsider perspec-
tive to an area of government activity that, by definition, cannot draw
on the valuable insights of broad-ranging public scrutiny.

528 5 U.S.C. § 552a(e)(4) (2000). The government must also conduct a privacy impact
assessment before establishing a new program involving personal data. E-Government Act
§ 208, 44 U.S.C. § 3501 note (2000 & Supp. III 2003). The information, however, con-
tained in impact assessments is very similar to that in privacy notices. Furthermore, impact
assessments are not required for national security systems. Id. § 202(i).
529 See, e.g., Privacy Act of 1974: System of Records; Secure Flight Tests Records Notice,
69 Fed. Reg. 57,345 (Transp. Sec. Agency Sept. 24, 2004).
698 Boston College Law Review [Vol. 48:609

Conclusion
With the exception of an independent privacy agency, this Article’s
proposed legal changes are modest. They draw on the European ex-
perience, yet they are thoroughly grounded in the text of the original
Privacy Act. Even the creation of an independent privacy agency is con-
sistent with current trends in American law. Since September 11, a
number of special-purpose privacy watchdogs have been created by
Congress to address civil liberty concerns: the Chief Privacy Office in
the Department of Homeland Security,530 the Privacy and Civil Liberties
Board in the Executive Office of the President,531 and the Civil Liber-
ties Protection Officer in the Office of the National Intelligence Direc-
tor.532 These civil liberties aims would be better achieved through a sin-
gle privacy watchdog, with powers extending to the entire federal ad-
ministration and with independence from the government officers in
charge of privacy-burdening programs.
These improvements, in fact, would lead not only to better protec-
tion of privacy, but also to a more effective government response to the
national security threat. In European eyes, such changes would consti-
tute a satisfactory guarantee that the privacy of European personal in-
formation will be protected once transferred to American authorities.
This would facilitate tremendously the transatlantic exchange of intelli-
gence among government authorities. Thus, the borderless realm of
twenty-first-century terrorism would be matched by public action also
capable of overcoming the confines of the nineteenth-century nation
state.

530 6 U.S.C. § 142 (Supp. III 2003 & Supp. IV 2004). For a comprehensive analysis of
these privacy watchdogs, see generally Rotenberg, supra note 518.
531 Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458,
§ 1061, 118 Stat. 3638, 3684–88 (codified as amended in scattered sections of U.S.C.).
532 Id. § 1011(a) (codified at 50 U.S.C. § 403-3d (2000 & Supp. IV 2004)).