Originally published on EU LAW ANALYSIS
Wednesday, 18 June 2014
by Steve Peers
Since Edward Snowden’s revelations about the extent of spying by the American National Security Agency (NSA), doubts have increased about the adequacy of the data protection regime in the United States, in particular as regards its impact on EU citizens, who are subject to the more favourable regime established by the Data Protection Directive. One aspect of these doubts concerns the ability of the NSA to examine the content of communications processed by social media companies based in the USA, such as Facebook.
Today’s decision by the Irish High Court to send questions in the ‘Europe v Facebook’ case to the CJEU raises the possibility that the NSA’s access to EU citizens’ personal data might soon come to an end. But it’s not clear if the CJEU will address the most essential issues directly, because the case raises a number of complex legal issues that need to be examined in more detail.
As a starting point, the basic legal regime governing transfers to Facebook is the ‘Safe Harbour’ system, which takes the form of a Commission Decision finding that all American companies certifying their participation in a system for complying with basic data protection principles maintain an ‘adequate’ level of data protection. This is one of the ‘adequacy decisions’ that the Commission can make pursuant to the rules on the data protection Directive on transfers of personal data outside the EU (see further my recent blog post on the planned reforms to this system). Despite the doubts arising from the Snowden revelations, the Commission’s most recent report on the Safe Harbour system did not suggest that the system should be abandoned.
Not everyone accepts these assertions, however. An Austrian citizen, Mr. Schrems, complained about the transfer of his personal data as a Facebook user pursuant to the Safe Harbour rules to the Irish data protection authority, which was competent in this matter because Facebook has a subsidiary in Ireland. The national authority argued that it could not take a decision on this complaint, because it was bound by the Commission’s decision. Moreover, it argued that the complaint was ‘frivolous’.
Mr. Schrems then challenged the authority’s decision before the Irish High Court. In its ruling today, the national judge therefore decided to send a question to the CJEU. Essentially, the question is whether the national data protection authority is bound by the Commission’s Decision, and whether that authority can conduct its own examination.
The first obvious question in this case is whether the American system infringes EU data protection law. Basing itself on the recent Digital Rights judgment of the CJEU, in which that Court ruled that the EU’s data retention Directive was invalid, the national court clearly believes that it does. While acknowledging the important anti-terrorist objectives of the law, the judge, when examining national constitutional law, states that it is ‘very difficult’ to see how such mass surveillance ‘could pass any proportionality test or survive any constitutional scrutiny’. Indeed, such surveillance has ‘gloomy echoes’ of the mass surveillance carried out in ‘totalitarian states such as the [East Germany] of Ulbricht and Honecker’.
The judge equally believes that the US system is a violation of EU law, with no adequate or accessible safeguards available to EU citizens, and no consideration of EU law issues built into the review process that does exist.
Is this analysis correct? There are two fundamental issues here which the national court doesn’t consider: the scope of the data protection directive, and the derogations from that Directive. On the question of scope, the CJEU previously found in its Passenger Name Records (PNR) judgment that the EU/US agreement which provided for the transfer of data from airlines to the US authorities was outside the scope of the data protection Directive, because it regulated essentially only the activities of law enforcement authorities, and the Directive does not apply to the ‘processing of personal data…in the course of an activity which falls outside the scope’ of EU law, ‘such as…public security, defence, State security…and…criminal law’. On the other hand, the CJEU ruled that the data retention directive was correctly based on the EU’s internal market powers, since it essentially regulated the activity of private industry, albeit for public security objectives. While in this case, it might be argued that the American law in question falls within the first type of law, the Safe Harbour agreement clearly falls within the second. So it is a sort of hybrid question, but on balance the issue falls within the scope of the Directive, since the measure at issue is essentially the Safe Harbour agreement.
Secondly, the external transfer rules in the EU Directive do not refer expressly to the issue of derogations from data protection rights on public security grounds. Yet presumably some such derogations can exist, given that the Directive itself provides for public security derogations as regards the standard EU rules. Surely the security exceptions applied by third countries don’t have to be exactly the same as those applied by the Directive. But some form of minimum standard must apply. For the reasons set out by the national judge, however, there is a strong argument that the US rules fall below the standard of anything which the EU can accept as ‘adequate’.
Because the national judge takes these two issues for granted, there is no question sent to the CJEU on whether the American regime is either within the scope of the Directive, or violates the minimum standards of adequacy which the EU can accept as regards third states. But both these issues are absolutely essential in the debate over the post-Snowden relationship between the US and EU. It would therefore be desirable if the CJEU addressed them nonetheless.
Next, another problematic issue here is which set of EU data protection rules should apply: the external transfer rules, or the more stringent standard rules? The national court, along with the data protection authority, applies the external transfer rules, given Facebook’s certification under the Safe Harbour system. However, it is doubtful whether this is correct.
As is well known, in the recent Google Spain judgment, the CJEU ruled that the standard rules applied to Google’s search engine function, given that it had an ‘establishment’ in Spain, according to the Court’s interpretation of the rules. As I then argued on this blog, it probably follows from that judgment that the standard rules apply at least to some social networks like Facebook. In any event, the issue will arise again when the revised jurisdiction and external transfer rules, mentioned above, apply. However, the complainant and the national court assume that the external transfer rules apply. Perhaps the CJEU should also examine this issue of its own motion.
Another problematic issue is the question of how to challenge the inadequacy of data protection in practice in the US, which is the subject of the only question sent to the CJEU. The Safe Harbour agreement addresses this point directly, since it allows national data protection authorities to suspend data transfers as regards an individual company, in accordance with existing national law, if either the US government or the US enforcement system has found a violation of that agreement, or if:
there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.
However, Irish national law does not provide for such a system, but simply sets out an irrebuttable presumption that the Commission’s adequacy decision is sufficient. This rule may well have played a part in convincing Facebook and the subsidiaries of other US companies to set up in Ireland in the first place.
The challenge argued that the national data protection authority nevertheless had to exercise such powers, and so the national judge asked only whether this was possible. Logically, there can be only one answer, by extension from the NS judgment: Member States cannot create an irrebuttable presumption that prevents the exercise of Charter rights, so the national data protection authority must have the powers in question.
In the alternative, or arguably additionally, it must be possible to challenge the validity of the Commission’s adequacy decision in the national courts, which would then have an obligation, if they thought that challenge was well-founded, to send questions on that point to the CJEU. (See the Foto-Frost judgment).
The next problematic issue is the role of the national constitutional protection for human rights. Clearly the national judge believes that the American system breaches the protection for the right to privacy guaranteed in the Irish constitution. Nevertheless, the national court proceeds to examine the issue primarily from the perspective of EU law. So if the CJEU rules against the challenge to the American law on the merits, or does not address those merits for procedural reasons, should the national court proceed to apply Irish law?
In principle, national constitutional law cannot apply here, since EU law, as the national court recognises, has extensively harmonised this issue. This means that, according to the Melloni judgment of the CJEU, only the EU’s human rights standards, in the form of the Charter, can apply. National constitutional standards cannot. But national courts in Ireland (and elsewhere) might be unwilling to accept that outcome.
National law would only apply if the CJEU rules that this issue falls entirely outside the scope of the Directive, as discussed above. If, on the other hand, the processing falls within a public security derogation from the Directive, the EU Charter would apply, by analogy with the CJEU’s recent judgment in Pfleger (discussed here), in which it ruled that the Charter applies to national derogations from EU free movement law. This parallels the argument (discussed here) that national data retention law falls within the scope of EU law, following the Digital Rights judgment, because it is a derogation from the EU’s e-privacy Directive.
Finally, the consequences of any future finding by the national data protection authority that transfers under the Safe Harbour decision must be suspended as regards Facebook must be considered. Assuming that the US had not changed its law in the meantime, Facebook would have a dilemma: should it comply with its US legal obligations, or face the suspension of transfers of data from Europe? Possibly it could avoid this dilemma by ensuring that it only processed EU residents’ data within the EU, potentially avoiding the scope of US law. But this might be expensive, and in any event the US might seek to extend the scope of its law to cover such cases. These issues would inevitably arise for other major US companies as well.
Any real prospect that Facebook transfers from the EU might be blocked would cause a major earthquake in EU/US relations, making the concerns about the recent Google Spain judgment look like a minor tremor. It may be that the only solution is for the US to take more seriously its ongoing discussions with the EU on data protection issues, with a view to reaching a solution that reconciles its security concerns with the basic principles of privacy protection.