American Volume Surveillance Of Eu Citizens: Is The Terminate Nigh?

Steve Peers

*This weblog postal service is dedicated to the retentivity of the cracking privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did non locomote out to consider the developments inwards this case. To locomote on his work, you lot tin donate to the Caspar Bowden Legacy Fund here.

Influenza A virus subtype H5N1 bright academy pupil takes on the hidebound institution – in addition to ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, inwards 2002. But it could endure Max Schrems, taking on Zuckerberg in addition to Facebook, inwards the close time to come – if the Court of Justice decides to follow the Advocate-General’s opinion inwards the Schrems case, released today.

In fact, Facebook is solely a conduit inwards this case: Schrems’ existent targets are the U.S.A. authorities (for requiring Facebook in addition to other Internet companies to mitt over personal information to news agencies), every bit good every bit the European Union Commission in addition to the Irish Gaelic information protection control for going along amongst this. In the Advocate-General’s opinion, the Commission’s determination to let European Union citizens’ information to endure patch of study to volume surveillance inwards the U.S.A. is invalid, in addition to the national information protection authorities inwards the European Union must investigate these flows of information in addition to prohibit them if necessary. The representative has the potential to modify much of the way that American Internet giants operate, in addition to to complicate relations betwixt the U.S.A. in addition to the European Union inwards this field.

Background

There’s to a greater extent than nigh the background to this litigation here, in addition to Simon McGarr has summarised the CJEU hearing inwards this representative here. But I’ll summarise the basics of the representative in 1 lawsuit again hither briefly.

Max Schrems is an Austrian Facebook user who was disturbed yesteryear Edward Snowden’s revelations nigh volume surveillance yesteryear U.S.A. news agencies. Since such volume surveillance is set into effect yesteryear imposing obligations to cooperate upon Internet companies, he wanted to complain nigh Facebook’s transfers of his personal information to the USA. Since Facebook’s European operations are registered inwards Ireland, he had to convey his complaints to the Irish Gaelic information protection authority.

The legal regime applicable to such transfers of personal information is the ‘Safe Harbour’ understanding betwixt the European Union in addition to the USA, agreed inwards 2000 – earlier the creation of Facebook in addition to another modern Internet giants, in addition to indeed earlier the 9/11 terrorist attacks which prompted the volume surveillance. This understanding was set into effect inwards the European Union yesteryear a decision of the Commission, which used the powerfulness conferred yesteryear the EU’s electrical flow information protection Directive to declare that transfers of personal information to the USA received an ‘adequate marking of protection’ there.

The original agency of enforcing the organization was self-certification of the companies concerned (not all transfers to the USA autumn inside the reach of the Safe Harbour decision), enforced yesteryear the U.S.A. authorities.  But it was also possible (not mandatory) for the national information protection authorities which enforce European Union information protection police delineate to suspend transfers of personal data, if the U.S.A. authorities or enforcement scheme conduct keep found a breach of the rules, or on the next farther listing of limited grounds laid out inwards the decision:

there is a substantial likelihood that the Principles are beingness violated; at that topographic point is a reasonable ground for believing that the enforcement machinery concerned is non taking or volition non select adequate in addition to timely steps to settle the representative at issue; the continuing transfer would do an imminent chance of grave damage to information subjects; in addition to the competent authorities inwards the Member State conduct keep made reasonable efforts nether the circumstances to furnish the organization amongst notice in addition to an chance to respond.

In fact, Irish Gaelic police delineate prevents the national authorities from taking upward this option. So the national information protection control effectively refused to consider Schrems’ complaint. He challenged that determination earlier the Irish Gaelic High Court, which doubted that this scheme was compatible amongst European Union police delineate (or indeed the Irish Gaelic constitution). So that courtroom asked the CJEU to dominion on whether national information protection authorities (DPAs) should conduct keep the powerfulness to foreclose information transfers inwards cases similar these.

The Opinion

The Advocate-General commencement of all answers the inquiry which the Irish Gaelic courtroom asks, in addition to and then goes on to examine whether the Safe Harbour determination is inwards fact valid. I’ll address those ii issues inwards turn.

In the Advocate-General’s view, national information protection authorities conduct keep to endure able to consider claims that flows of personal information to tertiary countries are non compatible amongst European Union information protection laws, fifty-fifty if the Commission has adopted a determination declaring that they are. This stems from the powers in addition to independence of those authorities, read inwards lite of the European Union Charter of Fundamental Rights, which expressly refers to DPAs’ role in addition to independence. (On the recent CJEU representative police delineate on DPA independence, consider word here). It’s worth noting that the novel European Union information protection police delineate nether negotiation, the information protection Regulation, volition probable confirm in addition to fifty-fifty heighten the powers in addition to independence of DPAs. (More on that expression of the proposed Regulation here).

On the minute point, the catch assesses whether the Safe Harbour Decision correctly decided that at that topographic point was an ‘adequate marking of protection’ for personal information inwards the USA. Crucially, it argues that this assessment is dynamic: it must select line of piece of work organization human relationship of the protection of personal information now, non just when the Decision was adopted dorsum inwards 2000.

As for the pregnant of an ‘adequate marking of protection’, the catch argues that this agency that tertiary countries must ensure standards ‘essentially equivalent to that afforded yesteryear the Directive, fifty-fifty though the mode inwards which that protection is implemented may differ from that’ inside the EU, due to the importance of protecting human rights inside the EU. The assessment of third-country standards must examine both the content of those standards in addition to their enforcement, which entailed ‘adequate guarantees in addition to a sufficient command mechanism’, thus at that topographic point was no ‘lower marking of protection than processing inside the European Union’. Within the EU, the essential method of guaranteeing information protection rights was independent DPAs.

Applying these principles, the catch accepts that personal information transferred to the USA yesteryear Facebook is patch of study to ‘mass in addition to indiscriminate surveillance in addition to interception’ yesteryear news agencies, in addition to that European Union citizens conduct keep ‘no effective right to endure heard’ inwards such cases. These findings necessarily hateful that the Safe Harbour determination was invalid for breach of the Charter in addition to the information protection Directive.

More particularly, the derogation for the national safety rules of U.S.A. police delineate laid out inwards the Safe Harbour principles was also general, in addition to thus the implementation of this derogation was ‘not limited to what is strictly necessary’. European Union citizens had no remedy against breaches of the ‘purpose limitation’ regulation inwards the U.S.A. either, in addition to at that topographic point should endure an ‘independent command machinery suitable for preventing the breaches of the right to privacy’.

The catch in addition to then assesses the dispute from the perspective of the European Union Charter of Rights. It commencement concludes that the transfer of the personal information inwards inquiry constitutes interference amongst the right to individual life. As inwards terminal year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s information retention directive, the interference amongst rights was ‘particularly serious, given the large numbers of users concerned in addition to the quantities of information transferred’. In fact, due to the surreptitious nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned nigh the lack of information nigh the surveillance for European Union citizens, in addition to the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference amongst these key rights tin endure justified according to Article 52(1) of the Charter, every bit long every bit the interference is ‘provided for yesteryear law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ in addition to is ‘necessary’ to ‘genuinely run across objectives of full general involvement recognized by’ the European Union ‘or the demand to protect the rights in addition to freedoms of others’.  

In the Advocate-General’s view, the U.S.A. police delineate does non abide by the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the information collected pursuant to the information retention Directive which the CJEU struck downwards terminal twelvemonth concerned solely information on the usage of phones in addition to the Internet, non the content of telephone calls in addition to Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national safety grounds, which did non clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did non comply amongst the Charter, ‘since it does non pursue an objective of full general involvement defined amongst sufficient precision’. Moreover, it was also slow nether the rules to escape the limitation that the derogation should solely apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to endure regarded every bit an objective of full general involvement nether the Charter, but it is soundless necessary to examine the ‘proportionality’ of the interference. This was a representative (like Digital Rights Ireland) where the European Union legislature’s discretion was limited, due to the importance of the rights concerned in addition to the extent of interference amongst them. The catch in addition to then focusses on whether the transfer of information is ‘strictly necessary’, in addition to concludes that it is not: the U.S.A. agencies conduct keep access to the personal information of ‘all persons using electronic communications services, without whatever requirement that the persons concerned stand upward for a threat to national security’.

Crucially, the catch concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate in addition to constitutes an unwarranted interference’ amongst Charter rights. The Advocate-General agreed that since the European Union and the Member States cannot adopt legislation allowing for volume surveillance, non-EU countries ‘cannot inwards whatever circumstances’ endure considered to ensure an ‘adequate marking of protection’ of personal information if they permit it either.

Furthermore, at that topographic point were non sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the U.S.A. scheme was non sufficient. The Federal Trade Commission could non examine breach of information protection laws for non-commercial purposes yesteryear authorities safety agencies, in addition to nor could specialist dispute resolution bodies. In general, the U.S.A. lacks an independent supervisory authority, which is essential from the EU’s perspective, in addition to the Safe Harbour determination was deficient for non requiring 1 to endure laid up. Influenza A virus subtype H5N1 tertiary province cannot endure considered to conduct keep ‘an adequate marking of protection’ without it. Furthermore, solely U.S.A. citizens in addition to residents had access to the judicial scheme for challenging U.S.A. surveillance, in addition to European Union citizens cannot obtain remedies for access to or correction of information (among other things).  

So the Commission should conduct keep suspended the Safe Harbour decision. Its ain reports suggested that the national safety derogation was beingness breached, without sufficient safeguards for European Union citizens. While the Commission is negotiating revisions to that understanding amongst the USA, that is non sufficient: it must endure possible for the national supervisory control to halt information transfers inwards the meantime.

Comments

The Advocate-General’s analysis of the commencement signal (the requirement that DPAs must endure able to halt information flows if at that topographic point is a breach of European Union information protection laws) is self-evidently correct. In the absence of a machinery to listen complaints on this number in addition to to furnish for an effective remedy, the standards laid out inwards the Directive could also easily endure breached. Having insisted that the DPAs must endure fiercely independent of national governments, the CJEU should non instantly select that they tin endure turned into the tame poodles of the Commission.

On the other hand, his analysis of the minute signal (the validity of the Safe Harbour Decision) is to a greater extent than problematic – although he clearly arrives at the right conclusion. With respect, at that topographic point are several flaws inwards his reasoning. Although European Union police delineate requires strong in addition to independent DPAs inside the European Union to ensure information protection rights, at that topographic point is to a greater extent than than 1 way to peel this item cat. The information protection Directive notably does not expressly require that tertiary countries conduct keep independent DPAs. While effective remedies are of class essential to ensure that information protection police delineate (likely whatever other law) is really enforced inwards practice, those remedies do non necessarily conduct keep to entail an independent DPA. They could also endure ensured yesteryear an independent judiciary. After all, Americans are a litigious bunch; Europeans could bring together them inwards the courts. But having said that, it is clear that inwards national safety cases similar this one, European Union citizens conduct keep neither an administrative nor a judicial remedy worth the advert inwards the USA. So the right to an effective remedy inwards the Charter has been breached; in addition to it is self-evident that processing information from Facebook interferes amongst privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled upward several dissimilar aspects of the limitation rules. For 1 thing, the precision of the police delineate limiting rights in addition to Blue Planet involvement which it seeks to protect are also dissever things. In other words, the public interest does non conduct keep to endure defined precisely; but the law which limits rights inwards lodge to protect Blue Planet involvement has to be. So the catch is right to say that national safety is a world involvement which tin justify limitation of rights inwards principle, but it fails to undertake an exam of the precision of the rules limiting those rights. As such, it omits to examine about key questions: should the precision of the police delineate limiting rights endure assessed every bit regards the European Union law, the U.S.A. law, or both?  Should the U.S.A. police delineate endure held to the same standards of clarity, foreseeability in addition to accessibility every bit European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes amongst the ‘essence’ of the privacy in addition to information protection rights. The ECHR representative police delineate in addition to the EU’s e-privacy directive expressly let for interception of the content of communications inwards specific cases, patch of study to strict safeguards. So it’s those ii aspects of the U.S.A. police delineate which are problematic: its nature every bit volume surveillance, addition the inadequate safeguards.

On these vital points, the analysis inwards the catch is correct. The CJEU’s ruling inwards Digital Rights Ireland suggests, inwards my view, that volume surveillance is inherently a problem, regardless of the safeguards inwards house to bound its abuse. This is manifestly the Advocate-General’s approach inwards this case; in addition to the USA patently has inwards house volume surveillance good inwards excess of the EU’s information retention law. The catch is also right to debate that European Union rules banning volume surveillance apply to the Member States too, every bit I hash out here. But fifty-fifty if this interpretation is incorrect, in addition to volume surveillance is solely a work if at that topographic point are weak safeguards, in addition to then the Safe Harbour determination soundless violates the Charter, due to the lack of accessible safeguards for European Union citizens every bit discussed above. Hopefully, the Court of Justice volition confirm whether volume surveillance is intrinsically problematic or not: it is a key number for Member States retaining information yesteryear way of derogation from the e-privacy Directive, for the validity of European Union treaties (and European Union legislation) on specific issues such every bit retaining rider information (see word here of a pending case), in addition to for the renegotiation of the Safe Harbour understanding itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the catch is based inwards large role upon the European Union Charter of Rights, which is original European Union law, it can’t endure circumvented only yesteryear amending the information protection Directive (on the proposed novel rules on external transfers nether the planned Regulation, consider word here). Instead, the USA must, at the rattling least, ensure that adequate remedies for European Union citizens in addition to residents are inwards house inwards national safety cases, in addition to that either a judicial or administrative scheme is inwards house to enforce inwards practise all rights which are supposed to endure guaranteed yesteryear the Safe Harbour certification. Facebook in addition to others powerfulness consider moving the information processing of European Union residents to the EU, but it’s difficult to consider how this could function for whatever European Union resident amongst (for instance) Facebook friends living inwards the USA. Surely inwards such cases processing of the European Union information inwards the USA is unavoidable.

Moreover, arguably it would non endure sufficient for the forthcoming EU/US merchandise in addition to investment understanding (known every bit ‘TTIP’) to furnish for a qualified exemption for European Union information protection law, along the lines of the WTO’s GATS. Only a consummate immunity of European Union information protection police delineate from the TTIP – in addition to whatever other European Union merchandise in addition to investment agreements – would endure compatible amongst the Charter. Otherwise, companies similar Facebook in addition to Google powerfulness examine to invoke the controversial investor dispute short town scheme (ISDS) every fourth dimension a judgment similar Google Spain or (possibly) Schrems terms them money.

Barnard in addition to Peers: chapter 9

Photo credit: www.techradar.com

Share this post