Europe v Facebook: the beginning of the end for NSA spying on EU citizens?

Original published on EU LAW ANALYSIS
Wednesday, 18 June 2014

by Steve Peers

Since the revelations about the extent of spying by the American National Security Agency (NSA) revealed by Edward Snowden, doubts have increased about the adequacy of the data protection regime in the United States, in particular as regards its impact on EU citizens, who are subject to the more favourable regime established by the Data Protection Directive. One aspect of these doubts concerns the ability of the NSA to examine the content of communications processed by social media companies based in the USA, such as Facebook.

Today’s decision by the Irish High Court to send questions in the ‘Europe v Facebook’ case to the CJEU raises the possibility that the NSA’s access to EU citizens’ personal data might soon come to an end. But it’s not clear if the CJEU will address the most essential issues directly, because the case raises a number of complex legal issues that need to be examined in more detail.

As a starting point, the basic legal regime governing transfers to Facebook is the ‘Safe Harbour’ system, which takes the form of a Commission Decision finding that all American companies certifying their participation in a system for complying with basic data protection principles maintain an ‘adequate’ level of data protection. This is one of the ‘adequacy decisions’ that the Commission can make pursuant to the rules on the data protection Directive on transfers of personal data outside the EU (see further my recent blog post on the planned reforms to this system). Despite the doubts arising from the Snowden revelations, the Commission’s most recent report on the Safe Harbour system did not suggest that the system should be abandonned

Not everyone accepts these assertions, however. An Austrian citizen, Mr. Schrems, complained about the transfer of his personal data as a Facebook user pursuant to the Safe Harbour rules to the Irish data protection authority, which was competent in this matter because Facebook has a subsidiary in Ireland. The national authority argued that it could not take a decision on this complaint, because it was bound by the Commission’s decision. Moreover, it argued that the complaint was ‘frivolous’.

Mr. Schrems then challenged the authority’s decision before the Irish High Court. In its ruling today, the national judge therefore decided to send a question to the CJEU. Essentially, the question is whether the national data protection authority is bound by the Commission’s Decision, and whether that authority can conduct its own examination.

The first obvious question in this case is whether the American system infringes EU data protection law. Basing itself on the recent Digital Rights judgment of the CJEU, in which that Court ruled that the EU’s data retention Directive was invalid, the national court clearly believes that it does. While acknowledging the important anti-terrorist objectives of the law, the judge, when examining national constitutional law states that it is ‘very difficult’ to see how such mass surveillance ‘could pass any proportionality test or survive any constitutional scrutiny’. Indeed, such surveillance has ‘gloomy echoes’ of the mass surveillance carried out in ‘totalitarian states such as the [East Germany] of Ulbricht and Honeker’.

The judge equally believes that the US system is a violation of EU law, with no adequate or accessible safeguards available to EU citizens, and no consideration of EU law issues built in to the review process that does exist.

Is this analysis correct? There are two fundamental issues here which the national court doesn’t consider: the scope of the data protection directive, and the derogations from that Directive. On the question of scope, the CJEU previously found in its Passenger Name Records (PNR) judgment that the EU/US agreement which provided for the transfer of data from airlines to the US authorities was outside the scope of the data protection Directive, because it regulated essentially only the activities of law enforcement authorities, and the Directive does not apply to the ‘processing of personal data…in the course of an activity which falls outside the scope’ of EU law, such as…public security, defence, State security…and…criminal law’. On the other hand, the CJEU ruled that the data retention directive was correctly based on the EU’s internal market powers, since it essentially regulated the activity of private industry, albeit for public security objectives. While in this case, it might be argued that the American law in question falls within the first type of law, the Safe Harbour agreement clearly falls within the second. So it is a sort of hybrid question, but on balance the issue falls within the scope of the Directive, since the measure at issue is essentially the Safe Harbour agreement.

Secondly, the external transfer rules in the EU Directive do not refer expressly to the issue of derogations from data protection rights on public security grounds. Yet presumably some such derogations can exist, given that the Directive itself provides for public security derogations as regards the standard EU rules. Surely the security exceptions applied by third countries don’t have to be exactly the same as those applied by the Directive. But some form of minimum standard must apply. For the reasons set out by the national judge, however, there is a strong argument that the US rules fall below the standard of anything which the EU can accept as ‘adequate’.

Because the national judge takes these two issues for granted, there is no question sent to the CJEU on whether the American regime is either within the scope of the Directive, or violates the minimum standards of adequacy which the EU can accept as regards third states. But both these issues are absolutely essential in the debate over the post-Snowden relationship between the US and EU. It would therefore be desirable if the CJEU addressed them nonetheless.

Next, another problematic issue here is which set of EU data protection rules should apply: the external transfer rules, or the more stringent standard rules? The national court, along with the data protection authority, applies the external transfer rules, given Facebook’s certification under the Safe Harbour system. However, it is doubtful whether this is correct.

As is well known, in the recent Google Spain judgment, the CJEU ruled that the standard rules applied to Google’s search engine function, given that it had an ‘establishment’ in Spain, according to the Court’s interpretation of the rules. As I then argued on this blog, it probably follows from that judgment that the standard rules apply at least to some social networks like Facebook. In any event, the issue will arise again when the revised jurisdiction and external transfer rules, mentioned above, apply. However, the complainant and the national court assume that the external transfer rules apply. Perhaps the CJEU should also examine this issue of its own motion.

Another problematic issue is the question of how to challenge the inadequacy of data protection in practice in the US, which is the subject of the only question sent to the CJEU. The Safe Harbour agreement addresses this point directly, since it allows national data protection authorities to suspend data transfers as regards an individual company, in accordance with existing national law, if either the US government or the US enforcement system has found a violation of that agreement, or if:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

However, Irish national law does not provide for such a system, but simply sets out an irrebutable presumption that the Commission’s adequacy decision is sufficient. This rule may well have played a part in convincing Facebook and the subsidiaries of other US companies to set up in Ireland in the first place.
The challenge argued that the national data protection authority nevertheless had to exercise such powers, and so the national judge asked only whether this was possible. Logically, there can be only one answer, by extension from the NS judgment: Member States cannot create an irrebutable presumption that prevents the exercise of Charter rights, so the national data protection authority must have the powers in question.

In the alternative, or arguably additionally, it must be possible to challenge the validity of the Commission’s adequacy decision in the national courts, which would then have an obligation, if they thought that challenge was well-founded, to send questions on that point to the CJEU. (See the Foto-Frost judgment).

The next problematic issue is the role of the national constitutional protection for human rights. Clearly the national judge believes that the American system breaches the protection for the right to privacy guaranteed in the Irish constitution. Nevertheless, the national court proceeds to examine the issue primarily from the perspective of EU law. So if the CJEU rules against the challenge to the American law on the merits, or does not address those merits for procedural reasons, should the national court proceed to apply Irish law?

In principle, national constitutional law cannot apply here, since EU law, as the national court recognises, has extensively harmonised this issue. This means that, according to the Melloni judgment of the CJEU, only the EU’s human rights standards, in the form of the Charter, can apply. National constitutional standards cannot. But national courts in Ireland (and elsewhere) might be unwilling to accept that outcome.

National law would only apply if the CJEU rules that this issue falls entirely outside the scope of the Directive, as discussed above. If, on the other hand, the processing falls within a public security derogation from the Directive, the EU Charter would apply, by analogy with the CJEU’s recent judgment in Pfleger (discussed here), in which it ruled that the Charter applies to national derogations from EU free movement law. This parallels the argument (discussed here) that national data retention law falls within the scope of EU law, following the Digital Rights judgment, because it is a derogation from the EU’s e-privacy Directive.

Finally, the consequences of any future finding by the national data protection authority that transfers under the Safe Harbour decision must be suspended as regards Facebook must be considered. Assuming that the US had not changed its law in the meantime, Facebook would have a dilemma: should it comply with its US legal obligations, or face the suspension of transfers of data from Europe? Possibly it could avoid this dilemma by ensuring that it only processed EU residents’ data within the EU, potentially avoiding the scope of US law. But this might be expensive, and in any event the US might seek to extend the scope of its law to cover such cases. These issues would inevitably arise for other major US companies as well.

Any real prospect that Facebook transfers from the EU might be blocked would cause a major earthquake in EU/US relations, making the concerns about the recent Google Spain judgment look like a minor tremor. It may be that the only solution is for the US to take more seriously its ongoing discussions with the EU on data protection issues, with a view to reaching a solution that reconciles its security concerns with the basic principles of privacy protection.

The new guidelines for the Area of Freedom, Security and Justice: some critical comments

by Emilio De Capitani

In the coming days the European Council will debate and adopt the long awaited Guidelines which will shape the future of the EU’s Area of Freedom, Security and Justice for forthcoming years. These guidelines follow the end of the current Stockholm Programme (2009-2014) and come near the end of the last transitional period for the measures adopted before the entry into force of the Lisbon Treaty on police and judicial cooperation in criminal matters (what remains of the former intergovernmental ‘third pillar’ cooperation).

Regrettably the draft European Council Conclusions which have been circulated (see the Annex below) and the programme of the incoming “trio” Presidencies (Italian, Latvian and Luxembourg) which will implement them in the next 18 months confirm the worst provisions detailed in our previous post on this issue.

If anyone was searching for proof that European Strategies lack political vision and are a collection of bureaucratic and diplomatic choices, he or she will find in these documents the confirmation of this thesis.

The emphasis of the European Council on the external dimension of the justice and home affairs polices by privileging soft law instruments such as the Global Approach on Migration or instruments such as mobility partnerships confirm two emerging trends since the entry into force of the Lisbon Treaty :
– to transfer to the European Council the main EU political choices in the last area where the treaties still do not grant and effective parliamentary and judicial control.
– to continue to avoid legally binding measures on which solidarity mechanisms can be established (Schengen, Frontex, and Eurosur being the exceptions which confirm the rule).

Rhetorical declarations aside, the draft European Council guidelines confirm the choice for general (and generic) strategies such as the Internal security strategy or the anti-drugs strategy which are adopted without any debate between the European Council members nor with the European Parliament.
These Strategies should then be implemented by the so called “Policy Cycle” where EU agencies and the Member States representatives – instead of verifying their consistency with national internal security strategies deciding which areas the EU’s intervention could add value in – pick and choose (on voluntary basis) some priorities which are approved without debate (as point A) by their ministers without (again) any European or national parliamentary debate.

Where choices and priorities are instead very clearly stated is on the role of the EU Agencies (Europol, Eurojust, EASO..) and bodies (the Anti Terrorism Coordinator) or where it is decided to go on with the establishment of an ambitious technocratic project such as the “smart borders” system (the feasibility of which is still to be proved even in the United States).
Follows the same logic the creation of an entry-exit system for third country nationals to control better the problems of the “over stayers” (those who remain after their initial permitted period of stay runs out) which apparently is one of the most dangerous threats to the EU. Needless to say that this idea is not new as it was raised by the US Congress years ago and was considered “silly” in the US also by the former Homeland Security Secretary Chertoff under the BUSH administration.

Even worse, both the European Council draft Conclusions and the trio Presidency programme insist as one of their big priorities is the establishment of a “bona fide traveller” system which will discriminate between one traveller and another on the basis of de facto arbitrary criteria. They also reinstate their commitment to the creation of a European passenger name record (PNR) system.

All these projects have in common the rather paranoic idea that any traveller is a potential danger. This is appalling in an European Union where there is still no permanent connection between the criminal records of the Member States, so that information on real criminals could be shared by triggering adequate measures in all the EU territory. This should already happen in the Schengen framework but, obviously, only if law enforcement authority take advantage of the alerts. The fact that the author of the recent attack to Jewish Museum in Brussels was freely circulating even after been checked twice as a dangerous person on the Schengen information System is not reassuring and prove once again that the security weaknesses do not lie in the lack of personal data but in the lack of police cooperation.

Selling out, for a false sense of security, the real fundamental rights of EU citizens, cannot be the real answer to the threats the EU will face in the coming years.

These inconsistencies can be solved by overcoming the ‘silo’ approach inside and between the MS and by better framing with a legislative measure the policy cooperation between the Member States (which still do not trust each other). True efficiency should then be measured if the threats are really supranational.

Even a project like PNR could have its (crazy) logic if somewhere in Europe there were a central intelligence system which could filter these data against a massive intelligence analysis and profile, as happens in the USA. But as it has been designed, PNR will be only a policy laundering exercise where the European Union legislation is adopted to justify the collection of massive personal data at national level. Should we remember that only on April 8th the Data retention directive, which followed the same logic, wasannulled by the CJEU as a clear violation of the proportionality principle and of Articles 7 and 8 of the EU Charter?

The point is that selling out the personal data of EU citizens appears to the European Council less costly than building a real binding framework for police cooperation on the basis of Article 87 of the TFEU.
The proof is given by the new Europol whose proposed legal basis (after amendments during negotiations) makes no more reference to Article 87 TFEU and which does not compel the Member States to share their security related informations.

These being the worrying projects on the European Council and Council side one can only hope that the newly elected European Parliament, in its July session, will challenge them and take the lead for a new alternative and legally sound policy which can shape in the next legislature an European area of Freedom, Security and Justice where the citizens’ needs and not the administrations will be the real compass.

Barnard & Peers: chapter 25, chapter 26

Annex – Draft European Council Guidelines (published on Statewatch)

1. One of the key objectives of the Union is to build an area of freedom, security and justice without internal borders, with full respect for fundamental rights. To this end, coherent policy measures need to be taken with respect to asylum, immigration, borders, police and judicial cooperation.

2. All the dimensions of a Europe that protects its citizens and offers effective rights to people inside and outside the Union are interlinked. The success or failure in one field depends on the performance in the other fields as well as on synergies with related policy areas. The answer to many of the challenges in the area of freedom, security and justice lies in relations with third countries, which calls for improving the link between the EU’s internal and external policies. This has to be reflected in the internal organisation of the EU institutions and bodies. Coordination with and within the Member States should be stepped up.

3. Building on the past programmes, the overall priority is now to consistently transpose, effectively implement and consolidate the legal instruments and policy measures in place. Intensifying operational cooperation, enhancing the role of the different EU agencies and ensuring the strategic use of EU funds will be key. In further developing the area of freedom, security and justice over the next years, it will be crucial to ensure the protection of fundamental rights, including data protection, whilst addressing security concerns, also in relations with third countries, and to adopt a strong EU General Data Protection framework by 2015.

4. Faced with challenges such as instability in many parts of the world as well as global demographic trends, an ageing population and skills shortages in Europe, the Union needs an efficient and well-managed migration and asylum policy. A comprehensive approach is required, optimizing the benefits of legal migration and offering protection to those in need while tackling irregular migration resolutely.

5. To remain an attractive destination for talents and skills, Europe must compete in the global race for talent. Strategies to maximise the opportunities of legal migration should be developed, including the streamlining of existing rules and a dialogue with the business community. The Union should also support Member States’ efforts for active integration policies which foster social cohesion and economic dynamism.

6. The Union’s commitment to international protection requires a strong European asylum policy based on the Treaty’s principles of solidarity and responsibility. The full transposition and effective implementation of the Common European Asylum System (CEAS) is an absolute priority. This should result in high common standards and stronger cooperation, creating a level playing field where asylum seekers are given the same procedural guarantees and protection throughout the Union. It should go hand in hand with a reinforced role of the European Asylum Support Office (EASO), particularly in promoting the uniform application of the acquis. Converging practices will enhance mutual trust and allow to move to future next steps, including mutual recognition of asylum decisions.

7. Addressing the root causes of irregular migration flows is an essential part of the EU migration policy. It is imperative to avoid the loss of lives of migrants undertaking hazardous journeys as well as to prevent and reduce irregular migration. A sustainable solution can only be found by intensifying cooperation with countries of origin and transit. Migration policies must become a much stronger integral part of the Union’s external and development policies, applying the more for more principle and building on the Global Approach to Migration and Mobility. The focus should be on the following elements:
– strengthening and expanding Regional Protection Programmes, in particular in the Horn of Africa, in close collaboration with UNHCR. In view of the protracted crisis in Syria, increase contributions to global resettlement efforts;
– addressing smuggling and trafficking in human beings more forcefully, with a focus on priority countries and routes. Particular attention should go at present to the situation in Eritrea and the Sinai;
– establishing an effective common return policy and enforcement of readmission agreements;
– fully implementing the actions identified by the Task Force Mediterranean.

8. The establishment of the Schengen zone, allowing people to travel without internal border controls, and the increasing numbers of people travelling to the EU require efficient management of the EU’s external borders to ensure strong protection. This is in the first place the role of the Member States, which must fully take their responsibilities. At the same time the Union must mobilize all the tools at its disposal to support them in this task. To this end:
– the integrated management of the external borders should be modernised to ensure smart border management with an entry-exit system and registered travellers programme and helped by the new Agency for Large Scale IT systems (EU-LISA);
– Frontex, spearheading European solidarity in the area of border control, should reinforce its activities in terms of operational assistance and increase its reactivity towards rapid evolutions in migration flows, making full use of the new European Border Surveillance System EUROSUR;
– the possibility of setting up a European System of Border Guards to enhance the control and surveillance capabilities at our external borders should be explored.
At the same time, the common visa policy needs to be modernised by facilitating legitimate travelling while maintaining a high level of security and implementing the new Schengen governance system.

9. It is essential to guarantee a genuine area of security to European citizens by preventing and combatting organised crime, human trafficking and corruption. At the same time, an effective EU Counter terrorism policy is needed, whereby all relevant actors work closely together, integrating the internal and external aspects of the fight against terrorism. In this context, the European Council reaffirms the role of the EU Counter Terrorism Coordinator. In its fight against organised crime and terrorism, the Union should back the national authorities by mobilising all instruments of judicial and police cooperation, with a reinforced coordination role for Europol and Eurojust, including through:
– the review of the internal security strategy;
– the improvement of cross-border information exchanges, including on criminal records;
– the development of a comprehensive approach to cybersecurity and cybercrime;
– the prevention of radicalisation and extremism and addressing the phenomenon of foreign fighters, including through a legal instrument allowing for EU wide alerts.

10. The smooth functioning of a true European area of justice with respect of the different legal systems and traditions of the Member States is vital for the EU. In this regard, mutual trust in each other’s justice systems should be further enhanced. A sound European justice policy will contribute to economic growth by helping businesses and consumers to benefit from a reliable business environment within the internal market. Further action is required to:
– promote the consistency and clarity of EU legislation for citizens and businesses;
-simplify access to justice; promote effective remedies and use of technological innovations including the use of e-justice;
– examine the reinforcement of the rights of persons, notably vulnerable persons, in civil procedures to facilitate enforcement of judgements in family law and in civil and commercial matters;
– enhance mutual recognition of decisions and judgments in civil and criminal matters;
– reinforce exchanges of information between the authorities of the Member States;
– fight fraudulent behaviour and damages to the EU budget by advancing negotiations on the European Public Prosecutor’s Office;
– facilitate cross-border activities and operational cooperation;
– enhance training for practitioners;
– mobilise the expertise of relevant EU agencies such as Eurojust and the Fundamental Rights Agency (FRA).

11. As one of the fundamental freedoms of the European Union, the right of EU citizens to move freely and reside and work in other Member States needs to be protected, including against possible abuse or fraudulent claims.

12. The European Council calls on the EU institutions and the Member States to ensure the appropriate legislative and operational follow-up to these guidelines and will hold a mid-term review in 2017.

The reform of Europol: modern EU agency, or intergovernmental dinosaur?

(ORIGINAL PUBLISHED on EU LAW ANALYSIS)

by Steve PEERS

Introduction

The EU’s police cooperation agency, Europol, has played a major role in the development of Justice and Home Affairs cooperation in the EU from an early stage. Europol was originally set up informally, then on the basis of a 1995 Convention, subsequently replaced by a Council Decision in 2009. While its powers have gradually been expanded, so has the controversy about its accountability and the adequacy of its data protection rules. Since it is a creature of the former ‘third pillar’ (the previous special rules on policing and criminal law) it is something of a ‘dinosaur’ in institutional terms, being an essentially intergovernmental body.

With the entry into force of the Treaty of Lisbon, the European Parliament (EP) now has joint powers with the Council as regards the adoption of a Regulation governing Europol, and the Treaty now refers expressly to the importance of ensuring accountability to both national parliaments and the EP. Furthermore, the EU institutions agreed in 2012 a ‘Common Understanding’ on standard rules which would apply to the governance of EU agencies. To expand Europol’s powers further, while addressing the issues of governance, accountability and data protection, the Commission proposed a new Regulation reconstituting Europol in 2013.

At the most recent Justice and Home Affairs Council, ministers agreed the Council’s position on the Commission’s proposal. Since the European Parliament also recently agreed its own position, this clears the way for negotiations to take place between the two institutions for a final deal, once the EP is fully operational again following the recent elections. This is therefore a good time to examine the progress of discussions on the proposed Regulation so far.

It should be noted that Ireland has opted in to this proposed Regulation, while the UK and Denmark have opted out. The UK’s objections are due to the proposals to place national law enforcement bodies to comply with Europol’s requests to start investigations, and to supply information to Europol without a national security exception. However, as discussed further below, the Council’s and EP’s positions on the proposal address these issues, raising the possibility that the UK will opt in after adoption of the Regulation.

Europol’s powers
Continue reading “The reform of Europol: modern EU agency, or intergovernmental dinosaur?”