http://register.consilium.europa.eu/doc/srv?l=EN&t=PDF&gc=true&sc=false&f=ST%2016987%202013%20INIT&r=http%3A%2F%2Fregister.consilium.europa.eu%2Fpd%2Fen%2F13%2Fst16%2Fst16987.en13.pdf
This report provides a useful review of current state and issues raised by EU on data protection which may ultimately impact review of safe harbor standard.  I found it a bit curious that the US position is that GRS 20 provides authorization for disposal of documentation collected under the US Patriot Act. I would be interested if that reflects the view of NARA

A few things that I found especially interesting:


1.       The US makes a distinction between data collection and data processing that the EU generally does not make. Under US protocols processing is defined by human review and certain privacy protections are not triggered until such a review takes place

2.       The US indentified the following as the legal  basis for collection personal data by US intelligence agencies:

a.       Foreign Intelligence Surveillance Act of 1978(FISA)/Section 702

b.      USA Patriot Act of 2001/Section 215

c.       Executive Order of the President of the USA, 12333 issued in 2001 and amended in 2008

d.      The US members indicated that there were other legal/regulatory authorities for the intelligence collection where non-US persons may be collected but declined to provide specific references

3.       EU members asked for specific information of the type of information being collected. The US members indicated that they could only speak in abstract terms due to classified information regulations

4.       Information collected under Executive order 12333 is not subject to judicial review or oversight unless such information is used in  a legal proceeding.  Oversight of such information is exercised by the Inspector General's of the involved agencies

5.       The US confirmed that 1.6% of all global internet traffic is "acquired" and 0.025% of it is selected for review (0.0004% of all global traffic is looked at by NSA analysts).  The report noted that most internet traffic consists of high volume streaming and downloads such as TV series, sports, etc. and that communications data makes up a very small part of global internet traffic.  It is not clear if the 1.6% figure refers to all global traffic or is limited to text based communication.

6.       Retention

a.       FISA - unreviewed data is generally retained for 5 years, although data collected via upstream collection is retained for 2 years.  If information is deemed to be of foreign intelligence interest than it is retained indefinitely.

b.      Patriot Act - 5 yrs except for documentation responsive to queries (in that case they are retained pursuant to the procedures of the agency holding the documentation).  The US members referenced General Record Schedule 20 as providing the disposition authority for such documentation.  However, I would expect that the retention of such information would more properly be defined in an agency record schedule rather than a general record schedule

c.       Executive order 12333 -not been specified to the work group.

7.       EU asked if targets of surveillance are notified of this in the event that the US determines that they have no link to terrorist or criminal activity. The US responded that no such legal right exists under US law

8.       EU asked if there were quantitative limits on the percentage of communications of people with no identified links to crime or matters of state security. The US responded that no such limits exist under US law

David B. Gaynon
Huntington Beach CA, USA
[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]