Is the End Near for American Mass Surveillance of EU Citizens?

Steve Peers

This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who recently passed away. It is tragic that he didn’t live to witness the developments in this case. To support his work, donations can be made to the Caspar Bowden Legacy Fund here.

A bright university student challenges the inflexible establishment – and achieves a remarkable victory. This was Mark Zuckerberg, creating Facebook in 2002. However, it could also describe Max Schrems, who might soon be defeating Zuckerberg and Facebook, if the Court of Justice upholds the Advocate-General’s opinion in the Schrems case, published today.

In reality, Facebook is merely a channel in this case: Schrems’ true targets are the US government (for demanding that Facebook and similar internet companies provide personal data to intelligence agencies), along with the EU Commission and the Irish data protection authority for enabling this. The Advocate-General’s opinion states that the Commission’s decision, permitting the mass surveillance of EU citizens’ data in the US, is void. He argues that national data protection authorities within the EU must investigate these data transfers and block them if necessary. This case has the potential to significantly impact the operations of major American internet companies and complicate US-EU relations in this area.

Background

More context on this litigation is available here, and Simon McGarr’s summary of the CJEU hearing in this case is available here. Nonetheless, a brief overview of the case follows.

Max Schrems, an Austrian Facebook user, was troubled by Edward Snowden’s revelations about widespread surveillance by US intelligence agencies. Since such surveillance is carried out by requiring internet companies to cooperate, he wanted to file a complaint about Facebook sending his personal data to the USA. Because Facebook’s European headquarters are in Ireland, he had to submit his complaint to the Irish data protection authority.

The ‘Safe Harbour’ agreement between the EU and the USA, established in 2000, governs such personal data transfers. This agreement predates Facebook, other modern internet giants, and the 9/11 attacks that triggered the mass surveillance. A Commission decision implemented this agreement within the EU. Using authority granted by the EU’s current data protection Directive, the Commission declared that personal data transfers to the USA were subject to ‘adequate levels of protection.’

The primary enforcement method for this agreement was self-certification by the companies involved (not all data transfers to the USA fall under the Safe Harbour decision), overseen by US authorities. However, national data protection authorities enforcing EU data protection law had the option (not the obligation) to halt personal data transfers. This applied if US authorities or their enforcement system identified a violation of the rules or under these specific, limited circumstances outlined in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

However, Irish law prevents national authorities from using this option. Therefore, the Irish data protection authority essentially dismissed Schrems’ complaint. He contested this decision in the Irish High Court, which questioned whether the system aligned with EU law (or even the Irish constitution). This led the court to request a ruling from the CJEU on whether national data protection authorities (DPAs) should have the power to block data transfers in these situations.

The Opinion

First, the Advocate-General addresses the Irish court’s question and then examines the legitimacy of the Safe Harbour decision. These two points will be addressed in turn.

The Advocate-General argues that national data protection authorities must be able to assess claims that personal data transfers to other countries violate EU data protection laws, even if the Commission has declared them compliant. This stems from the authorities’ powers and autonomy, as outlined in the EU Charter of Fundamental Rights, which explicitly mentions the role and independence of DPAs. (For more on recent CJEU case law concerning DPA independence, see the discussion here). It is worth noting that the new data protection Regulation currently under negotiation will likely reaffirm and potentially strengthen the powers and autonomy of DPAs. (Further details on this aspect of the proposed Regulation are available here).

Regarding the second point, the opinion evaluates whether the Safe Harbour Decision accurately determined an ‘adequate level of protection’ for personal data in the USA. Significantly, it argues that this evaluation must be ongoing and consider the current state of personal data protection, not just the situation when the Decision was adopted in 2000.

The opinion argues that ‘adequate level of protection’ ensures that other countries must provide standards ‘essentially equivalent to those offered by the Directive,’ even if the implementation methods differ from those within the EU. This is crucial because of the importance of safeguarding human rights within the EU. Evaluating standards in other countries requires examining both the standards themselves and their enforcement. This involves ‘adequate guarantees and a sufficient control mechanism’ to ensure a level of protection equal to or greater than that within the European Union. Within the EU, the key method for safeguarding data protection rights is through independent DPAs.

Based on these principles, the opinion accepts that Facebook’s transfer of personal data to the USA exposes it to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies and that EU citizens have ‘no effective right to be heard’ in such instances. These conclusions inevitably mean that the Safe Harbour decision is invalid due to violations of the Charter and the data protection Directive.

Specifically, the exemption for US national security laws within the Safe Harbour principles was overly broad, making the implementation of this exemption ‘not limited to what is strictly necessary.’ EU citizens also had no legal recourse against violations of the ‘purpose limitation’ principle in the US, and there should be an ‘independent control mechanism suitable for preventing breaches of the right to privacy.’

The opinion then examines the dispute in the context of the EU Charter of Rights. It concludes that transferring this personal data infringes on the right to privacy. As in last year’s Digital Rights Ireland judgment (discussed here), regarding the legitimacy of the EU’s data retention directive, the interference with rights is ‘particularly serious, given the large number of users affected and the volume of data transferred.’ In fact, the confidential nature of data access makes the interference ‘extremely serious.’ The Advocate-General also expresses concern about the lack of transparency surrounding surveillance for EU citizens and the absence of effective remedies, which violates Article 47 of the Charter.

However, Article 52(1) of the Charter allows for justifying interference with these fundamental rights as long as the interference is ‘provided for by law,’ ‘respect[s] the essence’ of the right, complies with the ‘principle of proportionality,’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others.’

The Advocate-General contends that US law fails to ‘respect[] the essence’ of the Charter rights by encompassing the communication content. (In contrast, the data collected under the Data Retention Directive, which the CJEU struck down last year, only concerned information about phone and internet usage, not the content of calls, Facebook posts, etc.). He also objects to the ‘broad wording’ of the relevant national security exemptions, which lack a clear definition of the ‘legitimate interests’ involved. Therefore, the exemption fails to comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision.’ Furthermore, it is too easy to circumvent the rule that the exemption should only apply when ‘strictly necessary.’

Only the ‘national security’ exception is specific enough to be considered an objective of general interest under the Charter. However, it is still necessary to evaluate the ‘proportionality’ of the interference. Similar to Digital Rights Ireland, this case limits the EU legislature’s discretion due to the importance of the rights at stake and the level of interference. The opinion focuses on whether transferring data is ‘strictly necessary’ and concludes that it is not. US agencies can access the personal data of ‘all persons using electronic communications services,’ without any requirement to demonstrate that the individuals pose a national security threat.

Significantly, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agrees that since the EU and the Member States cannot enact legislation permitting mass surveillance, countries outside the EU ‘cannot in any circumstances’ be considered to provide ‘adequate levels of protection’ for personal data if they allow it.

Moreover, there are insufficient safeguards to protect the data. Based on the Digital Rights Ireland judgment, which emphasized the critical importance of such safeguards, the US system is inadequate. The Federal Trade Commission cannot investigate data protection law violations for non-commercial purposes by government security agencies, and neither can specialized dispute resolution bodies. Overall, the US lacks an independent supervisory authority, which the EU deems essential, and the Safe Harbour decision is flawed for not requiring one. A country outside the EU cannot be considered to have ‘adequate levels of protection’ without it. Additionally, only US citizens and residents can challenge US surveillance through the judicial system, leaving EU citizens without legal recourse to access or correct data (among other things).

Therefore, the Commission should have suspended the Safe Harbour decision. Its own reports suggest that the national security exemption is being violated, without adequate protections for EU citizens. While the Commission is negotiating revisions to the agreement with the USA, this is not enough: national supervisory authorities must be able to halt data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (requiring DPAs to halt data flows if EU data protection laws are violated) is undeniably valid. Without a mechanism to address complaints and provide an effective remedy in this area, the Directive’s standards could be easily disregarded. Having insisted on the complete independence of DPAs from national governments, the CJEU should not allow them to become subservient to the Commission.

However, his analysis of the second point (the validity of the Safe Harbour Decision) is more debatable – although he reaches the correct conclusion. With all due respect, there are several weaknesses in his reasoning. EU law mandates robust and independent DPAs within the EU to uphold data protection rights, but there is more than one way to achieve this. Notably, the data protection Directive does not explicitly require independent DPAs in other countries. Effective remedies are undoubtedly essential to enforce data protection laws (and likely any law) in practice, but these remedies do not necessarily need to involve an independent DPA. An independent judiciary could also provide these remedies. After all, Americans are known for being litigious; Europeans could join them in court. However, it is evident that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth mentioning in the USA. This means the right to an effective remedy under the Charter is violated, and it is self-evident that processing information from Facebook infringes upon privacy rights.

Is this restriction of rights justified, though? The Advocate-General mixes up various aspects of the rules surrounding limitations. The law’s precision in restricting rights and the public interest it aims to protect are separate issues. In other words, the public interest itself doesn’t need a precise definition; however, the law restricting rights to protect that interest must be precise. Therefore, while the opinion rightly states that national security, as a public interest, can justify limiting rights, it fails to examine the precision of the rules imposing those limitations. Consequently, it neglects to address crucial questions: Should the precision of the law be assessed based on EU law, US law, or both? Should US law be held to the same standards of clarity, predictability, and accessibility as the laws of European states under the ECHR jurisprudence?

Furthermore, it is unconvincing to claim that processing communication content inherently violates the ‘essence’ of privacy and data protection rights. Both the ECHR case law and the EU’s e-privacy directive permit intercepting communication content in specific cases, provided strict safeguards are in place. Therefore, the problematic aspects of US law are its mass surveillance nature and the lack of adequate safeguards.

The opinion’s analysis on these crucial points is accurate. The CJEU ruling in Digital Rights Ireland suggests that mass surveillance is inherently problematic, regardless of any safeguards to prevent abuse. This is clearly the Advocate-General’s stance in this case, and the USA undeniably engages in mass surveillance far exceeding the EU’s data retention law. The opinion also correctly argues that the EU rules prohibiting mass surveillance apply to Member States as well, as discussed here. However, even if this interpretation is inaccurate, and mass surveillance is problematic only when safeguards are weak, the Safe Harbour decision still violates the Charter due to the lack of accessible safeguards for EU citizens, as discussed earlier. The Court of Justice will hopefully clarify whether mass surveillance is intrinsically problematic or not, as this is a key issue for Member States retaining data by derogating from the e-privacy Directive. It also has implications for the validity of EU treaties (and EU legislation) on issues like passenger data retention (see discussion of a pending case here) and the renegotiation of the Safe Harbour agreement itself.

This leads to the implications of the CJEU’s upcoming judgment (assuming it aligns with the opinion) on EU-US relations. Because the opinion relies heavily on the EU Charter of Rights, which is primary EU law, amending the data protection Directive alone cannot circumvent it (for more on the proposed new rules on external transfers under the planned Regulation, see the discussion here). Instead, the US must, at a minimum, ensure adequate remedies for EU citizens and residents in national security cases and implement a judicial or administrative system to effectively enforce all rights guaranteed by the Safe Harbour certification. Facebook and other companies might consider moving data processing for EU residents to the EU, but it’s unclear how this would work for any EU resident with Facebook friends residing in the USA, for instance. In these cases, processing EU data in the USA seems unavoidable.

Furthermore, a qualified exemption for EU data protection law in the upcoming EU-US trade and investment agreement (TTIP), similar to the WTO’s GATS, would likely be insufficient. Only complete exclusion of EU data protection law from TTIP – and any other EU trade and investment agreements – would satisfy the Charter. Otherwise, companies like Facebook and Google might exploit the controversial investor-state dispute settlement (ISDS) system whenever judgments like Google Spain or (potentially) Schrems result in financial losses.

Barnard and Peers: chapter 9

Photo credit: www.techradar.com

Licensed under CC BY-NC-SA 4.0