PRISM and privacy: will this change everything?

TLDR: The recent revelations have exceeded what was publicly known, and have put the phenomenon of government access to online data in a whole new light, and the importance of asking the right questions is stressed so that decisions can be made about what the proper balance is between privacy and security.

Abstract: Both the offline and online media have reported extensively on access by the US National Security Agency (NSA) to electronic communications data held by private companies, most notably via the so-called PRISM program. Meanwhile, there is growing concern regarding reports the UK’s Government Communications Headquarters (GCHQ) is conducting massive surveillance of communications traffic both on its own behalf and for the benefit of other members of the ‘Five Eyes Alliance’ (comprising the UK, the USA, Canada, Australia, and New Zealand), and other European governments have been reported to have entered into arrangements to share the data collected by the USA and the UK. At least one European government (France) allegedly also runs a vast electronic surveillance operation of its own. We hesitate to make pronouncements about such developments before the facts are clear, but feel justified in predicting that they will have significant long-term impacts on data protection and privacy law around the world, and on the political, economic, and social climate for data processing. Not that there is anything new in systematic governmental access to private sector data. In November 2012 we published a symposium issue (volume 2, number 4 of IDPL) containing legal analysis of such access in nine countries (Australia, Canada, China, Germany, India, Israel, Japan, the UK, and the USA; further reports will be published in an upcoming issue), and a guest editorial concluded that it is a widespread phenomenon and gives rise to a number of legal issues that should be urgently addressed. Systematic government access to private data thus goes far beyond a particular country and a particular intelligence agency. Nevertheless, in their scope and detail, the recent revelations have exceeded what was publicly known, and have put the phenomenon of government access to online data in a whole new light. We acknowledge that data protection and privacy are not absolute rights, and the difficulty of balancing them against other important societal values, such as public security. These sorts of determinations go beyond what can be dealt with in an editorial; rather, we want to stress the importance of asking the right questions so that decisions can be made about what the proper balance is between privacy and security. The following are a few fundamental questions raised by these revelations: