Steve Peers

The Court of Justice of the European Union (CJEU) recently made significant rulings on data privacy. In the Digital Rights case, the court struck down the EU’s data retention directive, deeming it mass surveillance lacking adequate safeguards. They also ruled against Google in the “right to be forgotten” case. These decisions have prompted questions about their broader implications. For instance, an Irish court has referred the “Europe v Facebook” case to the CJEU, questioning the compatibility of the EU-US “Safe Harbour” data protection arrangement in light of the Snowden revelations.

Adding to this, the European Parliament (EP) has decided to refer the proposed EU-Canada passenger name record (PNR) agreement to the CJEU. The EP is seeking clarification on its compatibility with privacy and data protection rights, given the CJEU’s recent stance. This judgment could indirectly impact similar EU-US and EU-Australia PNR data treaties and the proposed PNR Directive, potentially determining their validity concerning privacy rights. If these treaties are found to infringe on these rights, it could cast further doubt on the EU-US treaty regarding banking data transfers.

This begs the question: are we witnessing a domino effect? Will a series of EU laws and treaties be deemed in breach of privacy and data protection rights by the CJEU, collapsing now that the data retention Directive has been overturned? Or are these measures different enough to avoid such an outcome?

Background

The EP’s decision to involve the CJEU in the EU-Canada PNR treaty debate echoes a past event. In 2004, the EP sought the court’s opinion on the initial EU-US treaty on the same matter. Back then, the Advocate-General’s opinion refuted all of the EU’s arguments, including those related to privacy rights. However, the CJEU’s 2006 judgment addressed only one legal argument put forth by the EP: that the EU-US treaty was based on the wrong “legal base” and required approval through a different process (related to police cooperation, not the internal market). This procedure excluded the EP from approving the treaty or seeking the CJEU’s opinion on its compatibility with EU law.

The legal landscape has changed considerably since then. The Treaty of Lisbon, in effect since 2009, empowers the EP (or the Commission, Council, or a Member State) to request CJEU rulings on EU treaties with other nations regarding police or criminal law cooperation. This will be the first such ruling under this provision. While awaiting the court’s judgment, the EP can now prevent the EU-Canada treaty from being finalized, as it now holds the power of consent over such agreements. Back in 2004, the Council bypassed a separate request by the EP for the CJEU to assess the EU-US PNR treaty by finalizing the treaty before the court could issue an opinion. Moreover, the court’s ruling against mass surveillance earlier this year has significantly altered the substantive legal context.

The CJEU had another opportunity to address privacy rights in the international arena when the Commission, in 2012, sought a ruling on whether the international Anti-Counterfeiting Agreement (ACTA) violated EU law. However, the Commission’s request was submitted too late, and the EP vetoed the proposed agreement before the court could intervene, leading the Commission to withdraw its case. We should now expect a long-awaited ruling from the court on the compatibility of international data transfers with EU privacy and data protection rights – unless the EP is persuaded to withdraw its request.

Today, the EP invoked a unique process allowing the CJEU to determine the compatibility of a draft treaty with EU law before it takes effect. This applies to treaties the EU or its Member States intend to conclude on its behalf. (This process is comparable to requesting a Supreme Court ruling on a draft law’s constitutionality, although the EU process is limited to treaties.) If the CJEU finds the draft treaty incompatible with EU law (likely in approximately 18 months, unless expedited), it must either be amended according to the ruling, or, less likely, the EU Treaties themselves must be changed to allow its ratification.

It is important to note that the EU-Canada PNR treaty is separate from the EU-Canada treaty liberalizing air transport (already in effect) and the proposed EU-Canada free trade agreement (CETA). However, the latter, along with the EU-US free trade agreement currently under negotiation, will be indirectly influenced by a pending case. In this case, the EU Commission has asked the CJEU to assess the EU-Singapore free trade agreement’s compatibility with EU law.

Comments

Does the EU-Canada PNR treaty infringe upon the right to privacy? A recent study by Boehm and Cole provides a comprehensive analysis of the data retention judgment’s impact on other EU measures. Therefore, this is a brief overview of the issues explored in their study. The interpretation of the judgment is paramount: does it prohibit all mass surveillance or only instances with insufficient safeguards? It appears to outlaw all mass surveillance linked to EU law, and any draft treaty involving the EU would undoubtedly fall under this umbrella.

However, a fundamental question precedes this: at what point does a treaty with another nation constitute mass surveillance? The data retention case involved collecting data on all phone and internet usage within the EU. This could be compared to social media use (relevant to the pending Facebook case) or international banking transfers. Still, arguing that collecting data on all flights to a specific country constitutes mass surveillance in itself is more challenging. However, the proposed PNR Directive, applicable to all flights within the EU, would likely meet this criterion.

If, contrary to this interpretation, the Digital Rights judgment permits mass surveillance with sufficient safeguards, what must these safeguards entail? According to the judgment, they must include definitions of “serious crimes” or other purposes for data exchange; rules governing data access; limitations on the number of individuals with access to the data; independent oversight by a court or supervisory body; robust data protection periods; provisions to protect data from unauthorized access and use; and a requirement to store the data within the EU. This last requirement, in the context of treaties with non-EU nations, implies an obligation to retain data within the EU or the specific third country.

Do the EU’s treaties with other nations meet these standards? Evaluating this necessitates a case-by-case approach. The EU-Canada PNR treaty, at first glance, incorporates provisions addressing all these safeguard issues except one: the transfer of PNR data to other countries is permitted, albeit with conditions. However, one might argue that, in practice, privacy and data protection rights are not as robustly protected under such treaties due to inadequate national legislation or practices. Examples include NSA access to Facebook data or limitations on non-US citizens seeking privacy rights in court.

Finally, a crucial practical question arises. Suppose the CJEU rules that the proposed EU-Canada treaty violates privacy and data protection rights or upholds the treaty while raising concerns about other EU treaties’ compatibility with these rights. How can these existing treaties be challenged?

While it’s too late to initiate annulment proceedings against these treaties or seek an advance ruling from the CJEU on their compatibility with EU law, individuals can still challenge their application through national courts, as in the Digital Rights and Facebook cases. Alternatively, the EP could argue that other EU institutions must take steps to denounce these treaties to guarantee effective protection of rights under the EU Charter of Fundamental Rights. Should they fail to do so, the EP could sue them for “failure to act” as outlined in the EU Treaties.

Barnard & Peers: chapter 9