(Amnesty International Briefing) FENCED OUT: HUNGARY’S VIOLATIONS OF THE RIGHTS OF REFUGEES AND MIGRANTS

ORIGINAL PUBLISHED HERE 

INTRODUCTION

“[W]e would like Europe to be preserved for the Europeans. But there is something we would not just like but we want because it only depends on us: we want to preserve a Hungarian Hungary” Viktor Orbán, Prime Minister of Hungary, 25 July 2015[1]

“We are also humans. Before we lived in peace and we have had our lives and dreams torn apart by wars and greed of the governments.” Hiba Almashhadani, an Iraqi refugee, 21 September 2015[2]

In the first eight months of 2015, 161,000 people claimed asylum in Hungary. The Office for Immigration and Nationality has estimated that two thirds of those arriving[3] were asylum-seekers from Syria, Afghanistan and Iraq who entered the country irregularly.[4] These are, unquestionably, large numbers and they have presented Hungary with considerable, if not entirely unforeseeable, challenges. Hungary’s response to these challenges has, however, been hugely problematic. While Hungary is bearing much of the brunt of the EU’s structurally unbalanced asylum regime, it has also shown a singular unwillingness to engage in collective EU efforts to address these shortcomings and participate in initiatives designed to redistribute the responsibility for receiving and processing asylum seekers, notably the relocation and “hotspot” processing schemes that the European Commission and Council have been proposing.

Instead, Hungary has moved in recent months to construct fences along its southern borders, criminalise irregular entry to its territory and expedite the return of asylum seekers and refugees to Serbia, through its inclusion on a list of safe countries of transit. The cumulative effect, and desired consequence, of these measures will be to render Hungary a refugee protection free zone. Ultimately, Hungary’s attempts to insulate itself against a regional, and wider global, refugee crisis can only be achieved at the expense of respect for its international human rights and refugee law obligations. In fact, this is already happening; only the completion of a fence along the Croatian border is preventing Hungary’s isolationist migration policies from reaching fruition.

Hungary’s determination to avoid its responsibilities towards refugees is not just a Hungarian problem. It is also an EU problem. Hungary’s policies are not preventing entry to the EU, they are merely displacing the routes refugees and migrants are taking to reach it. Hungary’s policies also represent a structural threat to the rule of law and the respect for human rights that other member states and EU institutions cannot afford to ignore. The EU should therefore engage Hungary in a formal discussion, as foreseen by Article 7 of the Treaty of the European Union, with a view to bringing its migration and asylum policies in line with EU and other international law obligations and ensuring that Hungary participates fully in collective EU initiatives and reforms designed to address the current refugee crisis, while receiving the considerable support it needs to do so.

THE UNFOLDING OF THE “CRISIS”

On 15 September 2015 the Hungarian government declared a “crisis situation caused by mass immigration”.[5] On the same day, the construction of a fence on the border with Serbia was finished and amendments to the Criminal Code and Asylum Law, making it an offence to enter the country through the border fence and establishing “transit zones” at the border, entered into effect.

On 21 September, the Hungarian Parliament adopted further amendments to the Police Act and the Act on National Defence. These extend the powers of the police in situations of “crisis caused by mass immigration” to block roads, ban or restrain the operation of public institutions, shut down areas and buildings and restrain or ban the entering and leaving of such places. The new measures authorise the army to support the police securing the border in the crisis situation and to use rubber bullets, tear gas grenades and pyrotechnical devices.[6]

On 22 September, the Hungarian Parliament adopted a resolution which stated, among other things, that Hungary should defend its borders by “every necessary means” against “waves of illegal immigration”. The resolution stated: “[W]e cannot allow illegal migrants to endanger the jobs and social security of the Hungarian people. We have the right to defend our culture, language, and values.”[7]

The number of asylum seekers in Hungary in 2015 represents a significant increase on the 42,777 applications registered in 2014.[8] The Hungarian government had, however, long been receiving signals of an expected increase in asylum applications. As early as 2012 the United Nations High Commissioner for Refugees (UNHCR, the UN Refugee Agency) as well as NGOs were calling for an improvement of the reception facilities for asylum-seekers in Hungary and the need to bring them in line with the EU reception standards.[9]

Instead of introducing measures in line with these calls, the government started to work on measures to keep refugees and migrants out of the country. In 2015 it spent 3.2 million Euros[10] on a “national consultation on immigration and terrorism”[11] in the course of which it distributed a questionnaire to over eight million citizens seeking answers to questions such as whether or not those who cross the borders illegally should be detained for a period longer than 24 hours.[12] Another 1.3 million Euros was spent on an anti-refugee billboard campaign that included messages such as “If you come to Hungary, don’t take the jobs of Hungarians” or “If you come to Hungary, you have to respect our culture!”.[13] 98 million Euros was spent on the construction of the border fence with Serbia.[14] The 2015 budget of the Office of Immigration and Nationality responsible for reception of asylum seekers and processing applications was 27.5 million Euros.[15]

The government did, however, move swiftly with the adoption of measures aiming at keeping refugees and migrants out and facilitating their return. On 1 August 2015, an amendment of the Asylum Law[16] entered into force which authorized the government to issue lists of safe countries of origin and safe third countries of transit. Serbia, Macedonia and EU member states, including Greece, are considered safe by the Hungarian authorities as a result of these changes, meaning that asylum applicants who transited through these countries can be sent back to them following expedited proceedings.[17] On 15 September another set of amendments came into effect. They criminalized “illegal entry” through the border fence and introduced “transit zones” for asylum-seekers at the border and other changes.[18]

On 17 September, the Minister of Interior ordered a “partial border closure” of the border crossings at the Röszke/Horgoš motorway and at the express road for a period of 30 days. The closure was justified as a measure “in the interest of the protection of public security”.[19] During the period of the partial border closure, it was not possible for passengers, vehicles and cargo to cross the state border between Hungary and Serbia. The border was re-opened on 20 September after the Hungarian and Serbian Ministries of Interior “succeeded in finding a solution to opening the border crossing station and ensuring the continued flow of passenger and cargo traffic.”[20]

Following the effective sealing off of the border with Serbia in mid-September, refugees and migrants started entering Hungary through the border with Croatia through the crossings at Beremend[21] and Zakány.[22] By the beginning of October an average of about 4,000 people were entering on a daily basis according to the Hungarian police.[23] The measures taken by the Hungarian government have therefore served primarily to redirect the flow of refugees and migrants, not stop it. However, Hungary has already begun constructing a similar fence along the Croatian border, and has already almost completed the laying of barbed wire along its entirety.[24] Once a full-scale fence has been constructed, asylum-seekers will effectively no longer be able to access Hungarian territory and protection proceedings. Those that do succeed in crossing the fence will be liable to prosecution – and return to Serbia or Croatia.[25]

INTERNATIONAL CRITICISM OF HUNGARY’S MIGRATION POLICIES

Hungary’s draconian response to the increase of the number of refugees and migrants entering the country has been roundly criticised by international human rights bodies.

On 15 September, the Secretary General of the Council of Europe, Thorbjørn Jagland, wrote to the Hungarian Prime Minister, Viktor Orbán, expressing concerns over the legislation adopted “in the context of the migration crisis”. He asked for assurances that Hungary is still committed to its obligations under the European Convention on Human Rights. The Secretary General also warned that Hungary cannot derogate from its obligation to protect the right to life, prohibition of torture and other rights.[26]

On 17 September, the UN Human Rights Commissioner Zeid Ra’ad Al Hussein said that amendments of the Criminal Code and the Asylum Law which entered into force on 15 September are incompatible with the human rights commitments binding on Hungary. “This is an entirely unacceptable infringement of the human rights of refugees and migrants. Seeking asylum is not a crime, and neither is entering a country irregularly.” The UN Human Rights Commissioner further observed that some of the actions carried out by the Hungarian authorities, such as denying entry, arresting, summarily rejecting and returning refugees, using disproportionate force on migrants and refugees, as well as reportedly assaulting journalists and seizing video documentation, amounted to clear violations of international law.[27] He also noted “the xenophobic and anti-Muslim views that appear to lie at the heart of current Hungarian Government policy”.

The response of the EU institutions has been less unequivocal. The EU Commissioner for Migration, Home Affairs and Citizenship, Dimitris Avramopoulos, declared during his visit to Hungary on 17 September that “[The EU] will work collectively to protect the Union’s external borders.” Hungary, he noted, “is doing part in this work… [although the EC does] not always agree with the means used.” Commissioner Avramopoulos expressed a commitment “to work with [EU’s] neighbours – establishing a common list of safe countries of origin and intensifying cooperation with the Western Balkan countries and Turkey.” At the same time, however, he acknowledged a “moral duty… inscribed in international and European laws” to offer protection to those who need it.[28]

METHODOLOGY AND PURPOSE OF THIS BRIEFING

A comparison between US and EU data protection legislation for law enforcement purposes

by Franziska Boehm (Prof. Dr., University of Münster, Institute for Information, Telecommunication and Media Law, Germany)

NOTA BENE: THIS STUDY COMPLEMENTS ANOTHER PREVIOUS STUDY ON THE SAME SUBJECT (Bignami, The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens)

THE FULL VERSION OF THE NEW STUDY FOR THE EP CIVIL LIBERTIES COMMITTEE IS ACCESSIBLE HERE.

EXECUTIVE SUMMARY: This study compares EU and US data protection guarantees in the field of law enforcement. The legal approaches to regulate data protection guarantees in law enforcement, in both the EU and the US legal order, vary from their very outset, leading to structural, legal and in particular constitutional differences.

Generally, it can be concluded that the EU data protection framework in the law enforcement sector is shaped by comprehensive data protection guarantees, which are codified in EU primary and secondary law and are accompanied by EU and ECtHR case law. In contrast, US data protection guarantees in the law enforcement and national security contexts are sector specific and are therefore contained within the specific instruments which empower US agencies to process personal data. They vary according to the instruments in place and are far less comprehensive.

Above all, constitutional protection is limited. US citizens may invoke protection through the Fourth Amendment and the Privacy Act, but the data protection rights granted in the law enforcement sector are limitedly interpreted with a general tendency to privilege law enforcement and national security interests. Moreover, restrictions to data protection in the law enforcement sector are typically not restricted by proportionality considerations, reinforcing the structural and regular preference of law enforcement and national security interests over the interests of individuals. Regarding the scope and applicability of rights, non-US persons are usually not protected by the existing, already narrowly interpreted, guarantees. The same is true with regards to other US law. When data protection guarantees do exist in federal law, they usually do not include protection for non-US persons.

A majority of the EU data protection standards cannot be found in US law. For instance, rules limiting inter-agency data exchange, exchanges with other third parties, completely independent oversight, strict proportionality rules and effective judicial review possibilities and information requirements for non-US persons on surveillance or data breaches or effective access, and correction and deletion rights simply do not exist at all or are, at best, very limited. These shortcomings are also visible regarding existing data exchange agreements between the US and the EU, such as, for instance, the Safe Harbor regime. Its principles do not necessarily comply with the current EU data protection standards.

In particular, the approach to data sharing is fundamentally different. Whereas in EU law every transfer of data to other agencies interferes with fundamental rights and requires specific justification, data sharing in the US between law enforcement authorities and the intelligence community seems to be the rule rather than the exception.

Recently introduced US laws such as the Draft Judicial Redress Act or the FREEDOM Act do not fundamentally alter these findings. Whilst the Draft Judicial Redress Act is limited in scope and requires some clarification, the FREEDOM Act is mainly designed to improve the protection of US citizens in the framework of intelligence collection activities. Furthermore, only three out of the four remedies of the Privacy Act are available to EU individuals in the framework of the Draft Judicial Review Act, leaving an individual with no judicial review possibilities in case an agency fails to provide an accurate, relevant, timely and complete treatment of the individual’s data. (EMPHASIS ADDED EDC)

Nonetheless, the introduction of stricter access requirements in the FREEDOM Act using a specific selection term for the collection of tangible things and metadata for foreign intelligence purposes is an improvement compared to the former provisions. Regrettably, this newly introduced restriction does not affect Section 702 of the FISA Amendment Act or Executive Order 12333, which still authorize far-reaching surveillance of foreign intelligence information, including the accessing of communications, content, metadata or other records by governmental agencies. A future instrument regulating EU-US data exchange should address the mentioned issues, as serious concerns about their compatibility with EU fundamental rights arise.

It can be also deduced, from the comparison, that even if all existing US data protection guarantees in the law enforcement and national security framework were applicable to EU citizens, there would still remain a considerable shortcoming regarding the level of privacy and personal data protection compared to the protection through EU law. Recent proposals and changes through the Draft Judicial Redress Act of 2015 and the FREEDOM Act only partially improve the current situation. The recently initialized “Umbrella Agreement” could lead to changes with regards to data protection guarantees in the law enforcement and national security sectors, but it remains to be seen which specific material rights and guarantees will be included in such an agreement. A leaked version of the Umbrella Agreement was published after the finalization of this study. A brief analysis of the agreement’s text is therefore added in the end.



THE PARTY’S OVER: EU DATA PROTECTION LAW AFTER THE SCHREMS SAFE HARBOUR JUDGMENT

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (on Wednesday, 7 October 2015)

by Steve Peers

The relationship between intelligence and law enforcement agencies (and companies like Google and Facebook) and personal data is much like the relationship between children and sweets at a birthday party. Imagine you’re a parent bringing out a huge bowl full of sweets (the personal data) during the birthday party – and then telling the children (the agencies and companies) that they can’t have any. But how can you enforce this rule? If you leave the room, even for a moment, the sweets will be gone within seconds, no matter how fervently you insist that the children leave them alone while you’re out. If you stay in the room, you will face incessant and increasingly shrill demands for access to the sweets, based on every conceivable self-interested and guilt-trippy argument. If you try to hide the sweets, the children will overturn everything to find them again.

When children find their demands thwarted by a strict parent, they have a time-honoured circumvention strategy: “When Mummy says No, ask Daddy”. But in the Safe Harbour case, things have happened the other way around. Mummy (the Commission) barely even resisted the children’s demands. In fact, she said Yes hours ago, and retired to the bath with an enormous glass of wine, occasionally shouting out feeble admonitions for the children to tone down their sugar-fuelled rampage. Now Daddy (the CJEU) is home, shocked at the chaos that results from lax parenting. He has immediately stopped the supply of further sweets. But the house is full of other sugary treats, and all the children are now crying. What now?

In this post, I’ll examine the reasons why the Court put its foot down, and invalidated the Commission’s ‘Safe Harbour’ decision which allows transfers of personal data to the USA, in the recent judgment in Schrems. Then I will examine the consequences of the Court’s ruling. But I should probably admit for the record that my parenting is more like Mummy’s than Daddy’s in the above example.

Background

For more on the background to the Schrems case, see here; on the hearing, see Simon McGarr’s summary here; and on the Advocate-General’s opinion, see here. But I’ll summarise the basics of the case again briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since he believed that transfers of his data to Facebook were subject to such mass surveillance, he complained to the Irish data protection authority, which regulates Facebook’s transfers of personal data from the EU to the USA.

The substantive law governing these transfers of personal data was the ‘Safe Harbour’ agreement between the EU and the USA, agreed back in 2000. This agreement was put into effect in the EU by a decision of the Commission, which was adopted pursuant to powers conferred upon the Commission by the EU’s current data protection Directive. The latter law gives the Commission the power to decide that transfers of personal data outside the EU receive an ‘adequate level of protection’ in particular countries.

The ‘Safe Harbour’ agreement was enforced by self-certification of the companies that have signed up for it (note that not all transfers to the USA fell within the scope of the Safe Harbour decision, since not all American companies signed up). Those promises were in turn meant to be enforced by the US authorities. But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data under the agreement, if the US authorities or enforcement system found a breach of the rules, or on a list of limited grounds set out in the decision.

The Irish data protection authority refused to consider Schrems’ complaint, so he challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The judgment

The CJEU first of all answers the question which the Irish court asks about DPA jurisdiction over data transfers (the procedural point), and then goes on to rule that the Safe Harbour decision is invalid (the substantive point).

Following the Advocate-General’s view, the Court ruled that national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws if there is an inadequate level of data protection in those countries, even if the Commission has adopted a decision (such as the Safe Harbour decision) declaring that the level of protection is adequate. Like the Advocate-General, the Court based this conclusion on the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). In fact, the new EU data protection law currently under negotiation (the data protection Regulation) will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

The Court then elaborates upon the ‘architecture’ of the EU’s data protection system as regards external transfers. It points out that either the Commission or Member States can decide that a third country has an ‘adequate’ level of data protection, although it focusses its analysis upon what happens if (as in this case) there is a Commission decision to this effect. In that case, national authorities (including DPAs) are bound by the Commission decision, and cannot issue a contrary ruling.

However, individuals like Max Schrems can still complain to the DPAs about alleged breaches of their data protection rights, despite the adoption of the Commission decision. If they do so, the Court implies that the validity of the Commission’s decision is therefore being called into question. While all EU acts must be subject to judicial review, the Court reiterates the usual rule that national courts can’t declare EU acts invalid, since that would fragment EU law: only the CJEU can do that. This restriction applies equally to national DPAs.

So how can a Commission decision on the adequacy of third countries’ data protection law be effectively challenged? The Court explains that DPAs must consider such claims seriously. If the DPA thinks that the claim is unfounded, the disgruntled complainant can challenge the DPA’s decision before the national courts, who must in turn refer the issue of the validity of the decision to the CJEU if they think it may be well founded. If, on the other hand, the DPA thinks the complaint is well-founded, there must be rules in national law allowing the DPA to go before the national courts in order to get the issue referred to the CJEU.

The Court then moves on to the substantive validity of the Safe Harbour decision. Although the national court didn’t ask it to examine this issue, the Court justifies its decision to do this by reference to its overall analysis of the architecture of EU data protection law, as well as the national court’s doubts about the Safe Harbour decision. Indeed, the Court is effectively putting its new architecture into use for the first time, and it’s quite an understatement to say that the national court had doubts about Safe Harbour (it had compared surveillance in the USA to that of Communist-era East Germany).

So what is an ‘adequate level of protection’ for personal data in third countries? The Court admits that the Directive is not clear on this point, so it has to interpret the rules. In the Court’s view, there must be a ‘high’ level of protection in the third country; this does not have to be ‘identical’ to the EU standard, but must be ‘substantially equivalent’ to it.  Otherwise, the objective of ensuring a high level of protection would not be met, and the EU’s internal standards for domestic data protection could easily be circumvented. Also, the means used in the third State to ensure data protection rights must be ‘effective…in practice’, although they ‘may differ’ from that in the EU. Furthermore, the assessment of adequacy must be dynamic, with regular automatic reviews and an obligation for a further review if evidence suggests that there are ‘doubts’ on this score; and the general changes in circumstances since the decision was adopted must be taken into account.

The Court then establishes that in light of the importance of privacy and data protection, and the large number of persons whose rights will be affected if data is transferred to a third country with an inadequate level of data protection, the Commission has reduced discretion, and is subject to ‘strict’ standards of judicial review. Applying this test, two provisions of the ‘Safe Harbour’ decision were invalid.

First of all, the basic decision declaring adequate data protection in the USA (in the context of Safe Harbour) was invalid. While such a decision could, in principle, be based on self-certification, this had to be accompanied by ‘effective detection and supervision mechanisms’ ensuring that infringements of fundamental rights had to be ‘identified and punished in practice’. Self-certification under the Safe Harbour rules did not apply to US public authorities; there was not a sufficient finding that the US law or commitments met EU standards; and the rules could be overridden by national security requirements set out in US law.

Data protection rules apply regardless of whether the information is sensitive, or whether there were adverse consequences for the persons concerned. The Decision had no finding concerning human rights protections as regards the national security exceptions under US law (although the CJEU acknowledged that such rules pursued a legitimate objective), or effective legal protection in that context. This was confirmed by the Commission’s review of the Safe Harbour decision, which found (a) that US authorities could access personal data transferred from the EU, and then process it for purposes incompatible with the original transfer ‘beyond what was strictly necessary and proportionate for the purposes of national security’, and (b) that there was no administrative or judicial means to ensure access to the data and its rectification or erasure.

Within the EU, interference with privacy and data protection rights requires ‘clear and precise rules’ which set out minimum safeguards, as well as strict application of derogations and limitations.  Those principles were breached where, ‘on a generalised basis’, legislation authorises ‘storage of all the personal data of all the persons whose data has been transferred’ to the US ‘without any differentiation, limitation or exception being made in light of the objective pursued’ and without any objective test limiting access of the public authorities for specific purposes. General access to the content of communications compromises the ‘essence’ of the right to privacy. On these points, the Court expressly reiterated the limits on mass surveillance set out in last year’s Digital Rights judgment (discussed here) on the validity of the EU’s data retention Directive. Furthermore, the absence of legal remedies in this regard compromises the essence of the right to judicial protection set out in the EU Charter. But the Commission made no findings to this effect.

Secondly, the restriction upon DPAs taking action to prevent data transfers in the event of an inadequate level of data protection in the USA (in the context of Safe Harbour) was also invalid. The Commission did not have the power under the data protection Directive (read in light of the Charter) to restrict DPA competence in that way. Since these two provisions were inseparable from the rest of the Safe Harbour decision, the entire Decision is invalid. The Court did not limit the effect of its ruling.

Comments

The Court’s judgment comes to the same conclusion as the Advocate-General’s opinion, but with subtle differences that I’ll examine as we go along. On the first issue, the Court’s finding that DPAs must be able to stop data flows if there is a breach of EU data protection laws in a third country, despite an adequacy Decision by the Commission, is clearly the correct result. Otherwise it would be too easy for the standards in the Directive to be undercut by means of transfers to third countries, which the Commission or national authorities might be willing to accept as a trade-off for a trade agreement or some other quid pro quo with the country concerned.

As for the Court’s discussion of the architecture of the data protection rules, the idea of the data protection authorities having to go to a national court if they agree with the complainant that the Commission’s adequacy decision is legally suspect is rather convoluted, since it’s not clear who the parties would be: it’s awkward that the Commission itself would probably not be a party.  It’s unfortunate that the Court did not consider the alternative route of the national DPA calling on the Commission to amend its decision, and bringing a ‘failure to act’ proceeding directly in the EU courts if it did not do so. In the medium term, it would be better for the future so-called ‘one-stop shop’ system under the new data protection Regulation (see discussion here) to address this issue, and provide for a centralised process of challenging the Commission directly.

It’s interesting that the CJEU finds that there can be a national decision on adequacy of data flows to third States, since there’s no express reference to this possibility in the Directive. If such a decision is adopted, or if Member States apply the various mandatory and optional exceptions from the general external data protection rules set out in Article 26 of the data protection Directive, much of the Court’s Schrems ruling would apply in the same way by analogy. In particular, national DPAs must surely have the jurisdiction to examine complaints about the validity of such decisions too. But EU law does not prohibit the DPAs from finding the national decisions invalid; the interesting question is whether it obliges national law to confer such power upon the DPAs. Arguably it does, to ensure the effectiveness of the EU rules. Any decisions on these issues could still be appealed to the national courts, which would have the option (though not the obligation, except for final courts) to ask the CJEU to interpret the EU rules.

As for the validity of the Safe Harbour Decision, the Court’s interpretation of the meaning of ‘adequate’ protection in third States should probably be sung out loud, to the tune of ‘We are the World’. The global reach of the EU’s general data protection rules was already strengthened by last year’s Google Spain judgment (discussed here); now the Court declares that even the separate regime for external transfers is very similar to the domestic regime anyway. There must be almost identical degrees of protection, although the Court does hint that modest differences are permissible: accepting the idea of self-certification, and avoiding the issue of whether third States need an independent DPA (the Advocate-General had argued that they did).

It’s a long way from the judgment in Lindqvist over a decade ago, when the Court anxiously insisted that the external regime should not be turned into a copy of the internal rules; now it’s insistent that there should be as little a gap as possible between them. With respect, the Court’s interpretation is not convincing, since the word ‘adequate’ suggests something less than ‘essentially equivalent’, and the EU Charter does not bind third States.

But having said that, the American rules on mass surveillance would violate even a far more generous interpretation of the meaning of the word ‘adequate’. It’s striking that (unlike the Advocate-General), the Court does not engage in a detailed interpretation of the grounds for limiting Charter rights, but rather states that general mass surveillance of the content of communications affects the ‘essence’ of the right to privacy. That is enough to find an unjustifiable violation of the Charter.

So where does the judgment leave us in practice? Since the Court refers frequently to the primary law rules in the Charter, there’s no real chance to escape what it says by signing new treaties (even the planned TTIP or TiSA), by adopting new decisions, or by amending the data protection Directive. In particular, the Safe Harbour decision is invalid, and the Commission could only replace it with a decision that meets the standards set out in this judgment. While the Court refers at some points to the inadequacy or non-existence of the Commission’s findings in the Decision, it’s hard to believe that a new Decision which purports to claim that the American system now meets the Court’s standards would be valid if the Commission were not telling the truth (or if circumstances subsequently changed).

What standards does the US have to meet? The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however). In addition to a ban on mass surveillance, there must also be detailed safeguards in place. The US might soon be reluctantly willing to address the latter, but it will be even more unwilling to address the former.

Are there other routes which could guarantee that external transfers to the USA take place, at least until the US law is changed? In principle, yes, since (as noted above) there are derogations from the general rule that transfers can only take place to countries with an ‘adequate’ level of data protection. A first set of derogations is mandatory (though Member States can have exceptions in ‘domestic law governing particular cases’): where the data subject gives ‘consent unambiguously’; where the transfer is necessary to perform a contract with (or in the interest of) the data subject, or for pre-contractual relations; where it’s ‘necessary or legally required on important public interest grounds’, or related to legal claims; where it’s ‘necessary to protect the vital interests of the data subject’; or where it’s made from a public register. A second derogation is optional: a Member State may authorise transfers where the controller offers sufficient safeguards, possibly in the form of contractual clauses. The use of the latter derogation can be controlled by the Commission.

It’s hard to see how the second derogation can be relevant, in light of the Court’s concerns about the sufficiency of safeguards under the current law. US access to the data is not necessary in relation to a contract, to protect the data subject, or related to legal claims.  An imaginative lawyer might argue that a search engine (though not a social network) is a modern form of public register; but the record of an individual’s use of a search engine is not.

This leaves us with consent and public interest grounds. Undoubtedly (as the CJEU accepted) national security interests are legitimate, but in the context of defining adequacy, they do not justify mass surveillance or insufficient safeguards. Would the Court’s ruling in Schrems still apply fully to the derogation regarding inadequate protection? Or would it apply in a modified way, or not at all?

As for consent, the CJEU ruled last year in a very different context (credibility assessment in LGBT asylum claims) that the rights to privacy and dignity could not be waived in certain situations (see discussion here). Is that also true to some extent in the context of data protection? And what does unambiguous consent mean exactly? Most people believe they are consenting only to (selected) people seeing what they post on Facebook, and are dimly aware that Facebook might do something with their data to earn money. They may be more aware of mass surveillance since the Snowden revelations; some don’t care, but some (like Max Schrems) would like to use Facebook without such surveillance. Would people have to consent separately to mass surveillance? In that case, would Facebook have to be accessible for those who did not want to sign that separate form? Or could a ‘spy on me’ clause be added at the end of a long (and unread) consent form?  Consent is a crucial issue also in the context of the purely domestic EU data protection rules.

The Court’s ruling has addressed some important points, but leaves an enormous number of issues open. It’s clear that it will take a long time to clear up the mess left from this particular poorly supervised party.

Barnard and Peers: chapter 9

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Court of Justice of the European Union PRESS RELEASE No 117/15

SEE THE TEXT OF JUDGMENT HERE

Luxembourg, 6 October 2015

Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person's data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision's validity.

The Data Protection Directive [1] provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 [2] the Commission considered that, under the ‘safe harbour’ scheme, [3] the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person's data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications, [4] according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities' powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

NOTES

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
3 The safe harbour scheme includes a series of principles concerning the protection of personal data to which United States undertakings may subscribe voluntarily.
4 Communication from the Commission to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US Data Flows’ (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU (COM(2013) 847 final, 27 November 2013).

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell (+352) 4303 3355

 

 

 

Data protection and transatlantic relations: the Advocate General's Opinion in the Schrems case. A multi-stage rocket and a time bomb…

PUBLISHED ON CDRE SITE ON 30 SEPTEMBER 2015

by Sylvie Peyrou (CDRE)

Vivid images come readily to mind, so rich are the conclusions of Advocate General Yves Bot (and so heavy with consequences, should the Court of Justice decide to follow them) in this case (C-362/14), where the words “Facebook”, “Prism”, “NSA”, data protection and fundamental right, which pepper the text, reveal the importance of the context underlying it.

The Austrian student behind the dispute, Max Schrems, complained to the Irish data protection authority that the personal data he had provided to Facebook were being transferred, from Facebook's Irish subsidiary, to servers located in the United States. In the light of the revelations made in 2013 by Edward Snowden in the “Prism” affair, concerning the activities of the United States intelligence services (the NSA in particular), he takes the view that neither the law nor the practice of the United States offers any protection against surveillance by the American State of the data transferred to that country. His complaint was nevertheless rejected on the ground that the European Commission, by a decision of 26 July 2000 (2000/520/EC), had found that, under the so-called “Safe Harbor” scheme, the United States ensures an adequate level of protection for the personal data transferred. The High Court of Ireland, before which the case was brought, then asked the CJEU whether the Commission's “adequacy” decision necessarily and mandatorily prevents a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection and, where appropriate, from ordering the suspension of the contested data transfer.

In his Opinion of 23 September, which has already attracted considerable attention, the Advocate General first takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection for the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under Directive 95/46/EC on the processing of personal data. And above all, secondly, even though the question was not put to the Court, he considers that the Commission decision in question is invalid.

This Opinion, whose very logical lines of reasoning stack up like the compartments of a single rocket, teems with questions of principle to which the Advocate General gives answers of principle, calling up the full array of the Court's major case law of recent years: Kadi, N.S., Google Spain, Digital Rights Ireland… with one central focal point: the protection of fundamental rights. Whatever the angle of approach, the case appears to vindicate the Austrian student, since the Advocate General first clearly finds that the adequacy decision does not bind the national supervisory authorities in data protection matters and then, in a two-stage review, locks the case down by taking the view that, in any event, the Commission's adequacy decision is invalid. This Opinion, if followed, is a genuine time bomb for the field.

I) The non-binding nature of the Commission's “adequacy” decision for the national supervisory authorities

The questions raised in this case call for an analysis of the existing legal framework for the transfer of personal data to countries outside the European Union. That framework is provided by Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, the fundamental text in this area for the “internal market” side of the EU. It is in fact the interplay between various provisions of that text that the Advocate General is led to bring to light, which gives him the opportunity to reaffirm the full independence of the national supervisory authorities.

   1. The question of the interplay between various provisions of Directive 95/46/EC

Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers

(ORIGINAL posted on 1 October 2015 in PETER SCHAAR. Der Blog.)

Ladies and gentlemen,

One week ago, the Advocate General at the Court of Justice of the European Union (CJEU) issued his vote on the Safe Harbor case of Max Schrems vs. the Irish Data Protection Commissioner.

Since 1995 when the General European Directive on Data Protection came into force, data transfers from the European Union and its member states to non-EU countries have been subject to specific privacy and security restrictions. Such restrictions do not exist only in Europe.

For example, in the US several legal acts and decisions of regulatory authorities impose an obligation to store specific data within the country, in particular data generated by public bodies and providers of critical infrastructures. The US Federal Trade Commission has stated that a company subject to privacy obligations under US law is not allowed to avoid such obligations by outsourcing its data processing activities to offshore service providers.

The key message of Art. 25 of the 1995 GD is that transfer of personal data to a third country may take place only if the recipient in question ensures an adequate level of data protection. The adequacy shall be assessed in the light of all the circumstances surrounding the data transfer operation.

The main road to adequacy is the so-called adequacy decision of the European Commission, which finds that the country in question ensures an adequate level of data protection. These decisions are binding on the member states, which shall take the measures necessary to comply with the Commission’s decision.

One of the most discussed adequacy decisions concerns the United States: the decision on Safe Harbor. It was adopted although the Commission was of the opinion that the US in general failed to provide an adequate level of data protection for the private sector, because of the lack of any comprehensive data protection legislation.

The Safe Harbor principles, negotiated between the Commission and the US government in the late 1990s, were intended to overcome this obstacle. The SH arrangement was aimed at guaranteeing the adequate level of protection required by EU law for those companies that commit themselves to comply with the SH principles.

From the beginning, ever since Safe Harbor was agreed in the year 2000, there has been some criticism of it. The main critical argument was that the principles do not meet the high EU data protection standards defined by the General Directive.

A scientific implementation study on SH carried out in 2004 on behalf of the Commission came to the result that “Key concepts such as ‘US organization’, ‘personal data’, ‘deceptive practices’ lack clarity. Moreover, the jurisdiction of the FTC with regard to certain types of data transfers is dubious.”

It has also been criticized that companies which declare compliance with the principles may profit from the Safe Harbor privileges at once, even if their privacy practices have not yet been subject to an independent audit.

These issues remain important to this day. But after the vote recently issued by the Advocate General at the CJEU (AG), the focus lies on another question: how far the practices and powers of US authorities have been ignored in the adequacy assessments.

At first glance, law enforcement authorities, police and intelligence do not fall within the scope of the Safe Harbor agreement and therefore do not have to be subject to the assessment. But this first impression is wrong.

As Art. 25 of the GD points out, the assessment is to be done in the light of “all circumstances” surrounding a data transfer to the third country. Even activities of authorities in the third country have to be examined. It is unclear how far this happened during the Safe Harbor assessment in the late 1990s.

But even if such an assessment once took place, the result may be invalid today, because things changed dramatically after 9/11 2001. As we have learnt from Edward Snowden and other whistleblowers, the US government has obtained broad access to private companies’ databases, telecommunications and Internet services.

Many companies which have co-operated with the NSA – voluntarily or based on legal obligations – have been safe harborists, and there is no doubt that the NSA and other services have got access to large amounts of data stemming from Europe or related to EU citizens.

The PATRIOT ACT and secret Presidential Orders issued after 9/11 provided intelligence and law enforcement agencies with a lot of new powers and simultaneously demolished many safeguards which had been introduced in the 1970s to protect civil rights and privacy.

For years it seemed that many of these changes were not on the radar of the European Commission and other European stakeholders. The implementation study on SH of 2004 came to the conclusion: “Since the new US legislation only rarely contradicts the SH principles for data covered by SH, these conflicts do not appear to undermine the level of protection for any significant flows of personal data to the United States. The controversial provisions of the USA PATRIOT Act are essentially irrelevant for SH data flows.” (p. 101)

But since 2013, after the beginning of the Snowden revelations, nobody can ignore any more that the practices of the NSA, CIA and FBI introduced after 9/11 have an impact on the level of data protection in the United States: the legal provisions on Government access to personal information, especially the Foreign Intelligence Surveillance Act (FISA), do not meet the basic standards of the rule of law, at least so far as data of non-US persons are concerned. The practices disclosed in the last two years and the commitments of US officials on mass surveillance provided the public with loads of evidence that the NSA and others are involved in bulk collection of personal data coming from Europe. Therefore it seems evident that these practices have to be taken into account by the CJEU.

Another change happened in Europe: the Lisbon Treaty came into force in 2009, and at least since then privacy and data protection, including independent oversight, have been fundamental rights of the European Union, as parts of European primary law. European secondary law and the European Commission’s decisions have to fulfill these requirements. Even older legislation, agreements with third countries such as those on PNR or TFTP, and Commission decisions have to be reviewed in the light of Art. 7 and 8 of the EU Charter of Fundamental Rights.

Acknowledging this, the vote of Advocate General Bot (AG) in the case of Maximilian Schrems versus the Irish Data Protection Commissioner, issued last week, is not really surprising. The vote touches two big points:

Even if the Commission decides that the level of data protection in a country is adequate, this does not prevent national data protection authorities from suspending the transfer of the data if they are of the opinion that, in the concrete case, the adequacy criteria are not met by the recipient. As we have learnt from the Snowden revelations, Facebook and other Internet companies cooperated closely with the NSA and provided them with broad access to personal data stored on their servers.
The AG is of the opinion that the Safe Harbor arrangement itself is invalid, because the US, especially the intelligence services, do not provide adequate protection for the personal data coming from Europe. Therefore he proposes to suspend the Safe Harbor.

Nobody knows how the European Court of Justice will decide the case. The ruling is expected on 6 October. Perhaps you know the sentence “How the judge decides depends on what he ate for breakfast”. It is correct: the vote of the Advocate General is only an opinion and it does not bind anybody.

But to me it seems likely that the judges will acknowledge the vote, at least in the result. In two earlier cases which the court decided last year, on data retention and on the right to be forgotten, the judges underlined the high importance of the European fundamental rights to privacy and data protection. In these cases the court went beyond the Advocate General’s vote. In the Schrems case the AG adapted to this recent orientation of the judges.

If the CJEU decides as proposed by the AG, this does not automatically mean the end of Safe Harbor. But the Safe Harbor arrangement must be renegotiated, and in the end there might be a better Safe Harbor system, meeting the principles of fundamental rights and complying with the new EU Data Protection Regulation.

Art. 41 of the Commission’s proposal contains criteria, conditions and procedures for adequacy assessments that are more specific than the current Art. 25 of the GD from 1995: the criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection expressly include the rule of law, judicial redress and independent supervision. The new article explicitly confirms the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

My conclusion for today: Safe Harbor will be possible even in the future. But such a “happy end” requires changes in the SH arrangement. And it requires effective legal guarantees for EU citizens in the US.

Also necessary is new thinking in Europe, in particular in the fields of law enforcement and intelligence. If we urge the US to respect our privacy, European secret services have to respect the fundamental rights of all EU citizens and of citizens of third countries as well.

Repetita Juvant? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)

Foreword:
The systematic collection, for the prevention of terrorism, of air travellers’ personal data (PNR) from airlines, travel agencies and computer reservation systems started in the US, Australia and Canada after 9/11. It was considered illegal by the European data protection authorities as well as by the European Parliament, which in 2004 challenged before the Court of Justice the first EU-US agreement in this matter as well as the Commission Declaration (“Adequacy Finding”), which considered adequate the conditions of treatment of EU passengers’ data on the other side of the Atlantic.

The Court of Justice judgment recognized in 2006 that the Commission’s “Adequacy Finding” and the EU-US Agreement were not founded on the correct legal basis, but did not examine the EP’s plea that the agreement could have infringed the fundamental right to protection of personal data because of its lack of clarity and its incompatibility with a democratic society (at the time required by Art. 8 of the ECHR).

Therefore it has to be noted that already in 2004 the Commission considered that also the EU should develop its own PNR system for security purposes and after the CJ ruling decided to renegotiate with the US (on a security related legal basis) a new PNR agreements which explicitly made reference to the possibility of exchanging PNR data as soon as the EU would had has its own PNR related System.
In the absence of an EU internal legal framework for PNR data some EU Countries started building their own national systems with a more or less open support by the Commission notwithstanding the (vocal) opposition of the European Parliament.

Quite surprisingly, it is after the entry into force of the Lisbon Treaty and of the Charter of Fundamental Rights, which recognize a self-standing fundamental right to the protection of personal data, that the walls of Jericho have fallen and the European Parliament has approved a transatlantic agreement in this matter (even if there was not yet an internal EU legal framework in this matter and the level of protection of personal data in the agreement was much lower than the one that the same Parliament challenged before the Court of Justice in 2004…).

This change of strategy (due to a clear change of political majority) was seized by the Commission as the right signal to create an EU internal PNR system. After a first badly written proposal the Brussels Executive came back with a legislative proposal to authorise the collection of PNR data also by the EU Member States.

Needless to say this move was contested by the national data protection authorities and less convincingly by the European Parliament. Even if it blocked in the last legislature the legislative procedure it has finally decided to reopen the negotiations this year. This is probably due to the converging pressure of the European Council, of the Council Interior Ministers as well as by the convergence of the two biggest political groups (also thanks to the good offices of the EP President..).

From a procedural point of view, the legislative proposal is still in its first phase (parliamentary first reading) but the new majority (covering also the ALDE and ECR) has decided to try to obtain an early agreement with the Council in the framework of the so called “first reading agreements”.
As usual the informal (secret) dialogue has started and there is a clear political will to reach an agreement in the coming months (still under the Luxembourg Presidency).

This being the case, both the National Data Protection Authorities and the European Data Protection Supervisor (EDPS) are trying to slow down the process by repeating the constitutional, legislative and operational reservations which have also been summarized in the EDPS opinion adopted last week and published below.

Most of these arguments have been raised hundreds of times (even by the European Parliament since its first resolution in March 2003) but, quite paradoxically, the new political majority in the EP, notwithstanding the stronger post-Lisbon constitutional framework of data protection, has decided to change its mind and is giving up the points which it defended in the previous legislatures.

Under such a new political situation it is more than likely that the very well drafted EDPS considerations will not be taken into account. But even if in this case REPETITA (will not) JUVANT, other obstacles can arise before the adoption by the European Parliament of the EU PNR legislative proposal.

“There are still judges in Berlin”?

Like the humble miller who, facing an unjust decision of the Prussian King Frederick II the Great, exclaimed that “There are still judges in Berlin”, our “Berlin” judges can be the European Court of Justice, which will give an important judgment partially related to this matter on October 6.

The judgment deals with a case raised by Max SCHREMS, an Austrian Student who has considered that his personal data accessible via Facebook were not adequately protected in the US territory (because they can be too easily accessed by the US Security Services).

It will be interesting to see if the Court of Justice meeting as Grand Chamber (as it happens for “big” judgments) will follow the recent Conclusions of Advocate General Yves BOT who has raised strong concerns on the compatibility with the EU Charter of the current US data protection standards in the security domain.

If this were the case, the same doubts could be extended to the envisaged EU PNR system, which (badly) mirrors the US PNR system… Will the determination of one European citizen be more effective for the rights of each one of us than the hundred pages and countless debates of the European Parliament in the last twelve years? We will know it very soon and in the meantime let’s… fasten our seat belts.

Emilio De Capitani

EDPS SECOND OPINION ON EU PNR – ORIGINAL PUBLISHED HERE

(MEIJERS COMMITTEE) Military action against human smugglers: legal questions concerning the EUNAVFOR Med operation

ORIGINAL PUBLISHED HERE ON 23 September 2015

  1. The EUNAVFOR Med operation

On 22 June 2015, the Council of Ministers of the European Union adopted a Common Foreign and Security Policy (CFSP) Decision establishing a military crisis management operation with the aim of combatting people smuggling: EUNAVFOR Med.1 This mission is currently in its first phase, focusing on intelligence gathering, i.e. surveillance and the assessment of existing smuggling networks.

A second phase would involve searching and possibly diverting vessels on the high seas and territorial waters, either under a mandate of the UN Security Council or with the consent of the appropriate coastal state. The Foreign Affairs Council has recently established that the conditions for the second phase have been met insofar as operations in international waters are concerned.2 During the third phase, vessels and related assets of human smugglers would be destroyed and smugglers apprehended.

The mission will operate in a complex legal environment of overlapping rules of refugee law, international human rights law, the law of the sea, and international rules on the use of force. This note discusses some of the most pressing legal questions raised by this operation.

  2. General remarks

At the outset, the Meijers Committee would like to raise a general point regarding the focus on people smuggling as a response to the loss of life at sea. In the absence of safe and legal access to the right to seek asylum in Europe, together with routes for legal migration, people will turn to human smugglers as a last resort. Increased border controls have resulted in higher casualties as people are forced to take more dangerous routes.

The Meijers Committee questions the appropriateness of the approach taken under EUNAVFOR Med to stop the loss of life at sea. The Committee would like to point to the shift from saving lives at sea under the Italian-led Mare Nostrum Operation, to border management (Triton), to military action (EUNAVFOR Med). The Meijers Committee emphasizes that the legal obligation to save lives at sea should have primacy in all Union action at sea and that a long-term solution must also involve improving legal access to asylum and legal employment.

  3. Human smuggling as a threat to international peace and security

The Meijers Committee notes that the decision establishing the EUNAVFOR Med operation refers explicitly to the need for a UN Security Council Resolution or consent of the coastal states concerned before the second phase of the operation can enter into force.

In this respect the Meijers Committee notes a fundamental difference from the EUNAVFOR operation Atalanta against piracy off the Somalian coast, which was taken as a model for EUNAVFOR Med. The Atalanta operation was explicitly supported by a UN Security Council Resolution, and had the consent of the coastal state involved.3

Articles 39 and 42 UN Charter stipulate that the Security Council shall only authorize the use of force if ‘necessary to maintain or restore international peace and security’. The Meijers Committee is not convinced that the EUNAVFOR MED mission meets this standard. Although the humanitarian crisis may meet this standard, the activities of human smugglers – unlike piracy – do not qualify. Although the Security Council has previously adopted resolutions in response to refugee crises in Iraq and Haiti, these were intended to stabilize the countries of origin and not to prevent persons from seeking refuge elsewhere.

  4. Phase 2: search and diversion of ships

The Second Phase of the operation would involve the search and diversion of ships in third-country territorial waters, which requires the consent of the flag state or a UN Security Council Resolution.

The Meijers Committee recalls that on the high seas, Article 87 UN Convention on the Law of the Sea (UNCLOS) ensures the right to freedom of navigation. Article 110 permits a warship to board and inspect a vessel if, inter alia, it has no nationality. As regards the vessel, a finding of statelessness should allow states to exercise jurisdiction in order to ensure compliance with the ‘minimum public order on the high seas’, namely, the duties that normally fall on the flag state (Art. 94 UNCLOS).4 This could include a state’s power to escort the vessel into harbor for inspection. As regards the people on board, UNCLOS does not seem to provide a basis for the exercise of jurisdiction.

Although Article 110(1) UNCLOS expressly allows that grounds of interference may be established by Treaty, the UN Smuggling Protocol seems to impose a duty of cooperation only on the contracting parties, while maintaining the requirement of flag state authorization. Article 8(7) of the Smuggling Protocol provides a firmer legal basis for interference with stateless vessels than Article 110 UNCLOS. The wording ‘suppressing the use of the vessel’ or ‘take appropriate measures’ implies the possible use of force. Nevertheless, such force should be used as a means of last resort and will be subject to the requirement of necessity and proportionality. It is noted, however, that the Migrant Smuggling Protocol lacks the precision of, for instance, the UN drug trafficking regime, which explicitly sets out the measures that an intercepting power may take against a drug transport.5 Accordingly, no clear legal basis for action is provided in international law.

Diversions on the high seas may not result in the refoulement of people on board. It is important to stress that States cannot relieve themselves of this obligation by labelling an operation as ‘search and rescue’. The IMO Guidelines on the treatment of persons rescued at sea state that ‘[d]isembarkation of asylum-seekers and refugees recovered at sea, in territories where their lives and freedom would be threatened should be avoided.’ This approach has been confirmed by the European Court of Human Rights in the Hirsi case.6 Member States remain bound by their obligations under international human rights law, independently of the nature and location of their intervention. In this regard it is particularly problematic that Libya, one of the most important coastal states whose cooperation is sought, is currently a notoriously dangerous and unstable country.

It is unclear how the EU intends to give practical effect to these obligations in the course of the EUNAVFOR Med mission. The Meijers Committee would recommend that clear guidelines be put in place, comparable to the rules applicable in the framework of Frontex coordinated operations at sea.7

  5. Phase 3: destruction of vessels and apprehension of smugglers

The Third Phase of the Operation would entail the destruction of vessels and related assets, and the apprehension of smugglers. The Meijers Committee argues that clear, binding, publicly available rules should be adopted prior to the commencement of Phase 3.

As regards the smugglers it must be noted that unlike piracy and international crimes, international law does not establish universal criminal jurisdiction over human smuggling. As with diversions, the interference with vessels believed to be engaged in human smuggling requires the consent of the flag state (or a UN SC Resolution). In case the ship is sailing without a flag, Article 8 of the Protocol allows a party to take ‘appropriate measures in accordance with relevant domestic and international law’. The extent to which this includes the exercise of criminal jurisdiction over human smugglers is not clear, however.

The Council decision establishing EUNAVFOR Med is silent about the possible detention and prosecution of smugglers. The Meijers Committee points out that even though EUNAVFOR Med is executed by military forces, the EU is not acting as party to an armed conflict and thus normal peacetime law applies. This means that after arrest, those suspected of migrant smuggling should be brought promptly before a judge.8 In the case of subsequent criminal prosecution, jurisdiction should be established in one of the Member States. In this respect it is noted that not all Member States have established universal jurisdiction over human smuggling. If smugglers are to be extradited or released to third countries, their fundamental rights should be guaranteed.

The Meijers Committee notes that EUNAVFOR Med is aimed at the destruction of vessels used or suspected of being used for migrant smuggling, possibly even inside third-country territory, yet it remains unclear what legal standard is applied to identify such vessels. The Meijers Committee cautions that the destruction of vessels cannot be arbitrary. Unlike UNCLOS, which provides for clear rules on the seizure and liability for seizure of pirate ships, there is no explicit legal basis in international law for the seizure of migrant smuggling boats. The right to property as enshrined in Article 1 of Protocol 1 ECHR, which will apply to the Member States acting extra-territorially, prescribes that any destruction of property must be provided for by law and must be necessary and proportionate.

  6. Unclear division of responsibility between the EU and its Member States

The Meijers Committee recalls that Article 21 TEU requires CFSP actions to be based on human rights. This includes respect for human dignity, including the prohibition of torture and inhuman treatment; personal security and liberty; and protection from arbitrary detention and arrest.9 It also notes, however, that the Court of Justice of the EU has no authority to ensure this respect for fundamental rights as it lacks jurisdiction over the CFSP.10 This means that legal remedies would have to be provided under the national law of the participating Member States.

The experience with joint operations under the coordination of Frontex shows that in case of violations of fundamental rights, it is unclear to whom wrongful conduct must be attributed. Although the operation is coordinated by the EU, it is the Member States that provide the assets and personnel, over which they maintain operational command.

Case law issuing from the European Court of Human Rights on the obligations of the Member States as contracting parties to the European Convention on Human Rights clearly indicates with regard to the Member States that they cannot escape their responsibilities under the Convention by acting outside the Convention’s territorial scope. The situation is more complicated, however, when Member States act as agents for the European Union (Bosphorus) or within the context of UN Peace Keeping Operations (Al Jeddah, Behrami, and Saramati). The Meijers Committee therefore stresses that it is fundamentally important that questions of international responsibility and responsibility under the European Convention for Human Rights are addressed prior to commencement of Phases 2 and 3.

Conclusions and recommendations

I. There are no indications that combating migrant smuggling contributes to the restoration of international peace and security or to ending the ongoing humanitarian crises;

II. Without express consent from third states or authorization from the UN Security Council, the EU lacks jurisdiction over vessels or assets in third-country territorial waters;

III. Without express consent from third-country coastal states or authorization from the UN Security Council, there is no clear legal basis for coercive measures against vessels or assets on the high seas;

IV. Despite the unclear legal framework covering interdiction on the high seas, international human rights law does apply;

V. Should a legal basis for action on the high seas and in territorial waters be provided, clear rules of engagement and proper safeguards should be in place to prevent indiscriminate destruction of civilian property; any undue loss should be compensated;

VI. An unambiguous legal basis for the arrest and detention of suspected smugglers is needed, and also for the seizure and destruction of any personal property. Suspects should either be prosecuted, extradited or released, the last action having due regard to the right to asylum and the prohibition of refoulement;

VII. Clear attribution rules and accountability mechanisms for human rights violations committed by EUNAVFOR assets should be in place;

VIII. The right to apply for asylum, access to asylum procedures on land with proper language and legal assistance, and the prohibition of refoulement should be respected and subject to judicial oversight;

IX. Outsourcing migration control to third countries, even though outside Member State jurisdiction, should take place with assurances and safeguards against human rights violations.

Notes

1 Council Decision (CFSP) 2015/972 of 22 June 2015 launching the European Union military operation in the southern Central Mediterranean (EUNAVFOR MED), OJ 2015, L157/51.

2 Council of the European Union, “EUNAVFOR Med: Council adopts a positive assessment on the conditions to move to the first step of phase 2 on the high seas”, Press Release, 14 September 2015, no. 643/15.
3 http://www.un.org/Depts/los/piracy/piracy_documents.htm
4 E. Papastavridis, ‘Enforcement Jurisdictions in the Mediterranean Sea: Illicit Activities and the Rule of Law on the High Seas’, International Journal of Marine and Coastal Law, Vol. 25, 2010, p. 585.
5 See Council of Europe Agreement on Illicit Traffic by Sea, implementing article 17 of the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
6 ECHR, Hirsi Jamaa and others v. Italy, Grand Chamber, Judgment, 23 February 2012, Application no. 27765/09.
7 Regulation (EU) No 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, L 189, 27 June 2014.
8 ECHR, Medvedyev v France, 9 March 2010, appl. no. 3394/03.
9 The promotion and protection of human rights during common security and defence policy operations. In-between a spreading state of mind and an unsolved concern. M L Sánchez Barrueco, in The EU as a ”Global Player” in human rights?, J E Wetzel (edit.), 2011, pp. 158-160.
10 See also Case T-271/10, under appeal C-455/14 P.

About : The Meijers Committee is an independent group of legal scholars, judges and lawyers that advises on European and International Migration, Refugee, Criminal, Privacy, Anti-discrimination and Institutional Law. The Committee aims to promote the protection of fundamental rights, access to judicial remedies and democratic decision-making in EU legislation.

The Meijers Committee is funded by the Dutch Bar Association (NOvA), Foundation for Democracy and Media (Stichting Democratie en Media) the Dutch Refugee Council (VWN), Foundation for Migration Law Netherlands (Stichting Migratierecht Nederland), the Dutch Section of the International Commission of Jurists (NJCM), Art. 1 Anti-Discrimination Office, and the Dutch Foundation for Refugee Students UAF.

Contact info: Louis Middelkoop Executive secretary post@commissie-meijers.nl +31(0)20 362 0505

Please visit www.commissie-meijers.nl

AMERICAN MASS SURVEILLANCE OF EU CITIZENS: IS THE END NIGH?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS  (Wednesday, 23 September 2015)

by Steve PEERS

*This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did not live to see the developments in this case. To continue his work, you can donate to the Caspar Bowden Legacy Fund here.

 

A brilliant university student takes on the hidebound establishment – and ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, in 2002. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the Court of Justice decides to follow the Advocate-General’s opinion in the Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’ real targets are the US government (for requiring Facebook and other Internet companies to hand over personal data to intelligence agencies), as well as the EU Commission and the Irish data protection authority for going along with this. In the Advocate-General’s opinion, the Commission’s decision to allow EU citizens’ data to be subject to mass surveillance in the US is invalid, and the national data protection authorities in the EU must investigate these flows of data and prohibit them if necessary. The case has the potential to change much of the way that American Internet giants operate, and to complicate relations between the US and the EU in this field.

Background

There’s more about the background to this litigation here, and Simon McGarr has summarised the CJEU hearing in this case here. But I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since such mass surveillance is put into effect by imposing obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s transfers of his personal data to the USA. Since Facebook’s European operations are registered in Ireland, he had to bring his complaints to the Irish data protection authority.

The legal regime applicable to such transfers of personal data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000 – before the creation of Facebook and some other modern Internet giants, and indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This agreement was put into effect in the EU by a decision of the Commission, which used the power conferred by the EU’s current data protection Directive to declare that transfers of personal data to the USA received an ‘adequate level of protection’ there.

The primary means of enforcing the arrangement was self-certification of the companies concerned (not all transfers to the USA fall within the scope of the Safe Harbour decision), enforced by the US authorities.  But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data, if the US authorities or enforcement system have found a breach of the rules, or on the following further list of limited grounds set out in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

In fact, Irish law prevents the national authorities from taking up this option. So the national data protection authority effectively refused to consider Schrems’ complaint. He challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which the Irish court asks, and then goes on to examine whether the Safe Harbour decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws, even if the Commission has adopted a decision declaring that they are. This stems from the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). It’s worth noting that the new EU data protection law under negotiation, the data protection Regulation, will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe Harbour Decision correctly decided that there was an ‘adequate level of protection’ for personal data in the USA. Crucially, it argues that this assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the opinion argues that this means that third countries must ensure standards ‘essentially equivalent to that afforded by the Directive, even though the manner in which that protection is implemented may differ from that’ within the EU, due to the importance of protecting human rights within the EU. The assessment of third-country standards must examine both the content of those standards and their enforcement, which entailed ‘adequate guarantees and a sufficient control mechanism’, so there was no ‘lower level of protection than processing within the European Union’. Within the EU, the essential method of guaranteeing data protection rights was independent DPAs.

Applying these principles, the opinion accepts that personal data transferred to the USA by Facebook is subject to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies, and that EU citizens have ‘no effective right to be heard’ in such cases. These findings necessarily mean that the Safe Harbour decision was invalid for breach of the Charter and the data protection Directive.

More particularly, the derogation for the national security rules of US law set out in the Safe Harbour principles was too general, and so the implementation of this derogation was ‘not limited to what is strictly necessary’. EU citizens had no remedy against breaches of the ‘purpose limitation’ principle in the US either, and there should be an ‘independent control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective of the EU Charter of Rights. It first concludes that the transfer of the personal data in question constitutes interference with the right to private life. As in last year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s data retention directive, the interference with rights was ‘particularly serious, given the large numbers of users concerned and the quantities of data transferred’. In fact, due to the secret nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned about the lack of information about the surveillance for EU citizens, and the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified according to Article 52(1) of the Charter, as long as the interference is ‘provided for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others’.

In the Advocate-General’s view, the US law does not respect the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the data collected pursuant to the data retention Directive which the CJEU struck down last year concerned only information on the use of phones and the Internet, not the content of phone calls and Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national security grounds, which did not clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did not comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision’. Moreover, it was too easy under the rules to escape the limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to be regarded as an objective of general interest under the Charter, but it is still necessary to examine the ‘proportionality’ of the interference. This was a case (like Digital Rights Ireland) where the EU legislature’s discretion was limited, due to the importance of the rights concerned and the extent of interference with them. The opinion then focusses on whether the transfer of data is ‘strictly necessary’, and concludes that it is not: the US agencies have access to the personal data of ‘all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security’.

Crucially, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agreed that since the EU and the Member States cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot in any circumstances’ be considered to ensure an ‘adequate level of protection’ of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the US system was not sufficient. The Federal Trade Commission could not examine breach of data protection laws for non-commercial purposes by government security agencies, and nor could specialist dispute resolution bodies. In general, the US lacks an independent supervisory authority, which is essential from the EU’s perspective, and the Safe Harbour decision was deficient for not requiring one to be set up. A third country cannot be considered to have ‘an adequate level of protection’ without it. Furthermore, only US citizens and residents had access to the judicial system for challenging US surveillance, and EU citizens cannot obtain remedies for access to or correction of data (among other things).

So the Commission should have suspended the Safe Harbour decision. Its own reports suggested that the national security derogation was being breached, without sufficient safeguards for EU citizens. While the Commission is negotiating revisions to that agreement with the USA, that is not sufficient: it must be possible for the national supervisory authority to stop data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the requirement that DPAs must be able to stop data flows if there is a breach of EU data protection laws) is self-evidently correct. In the absence of a mechanism to hear complaints on this issue and to provide for an effective remedy, the standards set out in the Directive could too easily be breached. Having insisted that the DPAs must be fiercely independent of national governments, the CJEU should not now accept that they can be turned into the tame poodles of the Commission.

On the other hand, his analysis of the second point (the validity of the Safe Harbour Decision) is more problematic – although he clearly arrives at the correct conclusion. With respect, there are several flaws in his reasoning. Although EU law requires strong and independent DPAs within the EU to ensure data protection rights, there is more than one way to skin this particular cat. The data protection Directive notably does not expressly require that third countries have independent DPAs. While effective remedies are of course essential to ensure that data protection law (like any other law) is actually enforced in practice, those remedies do not necessarily have to entail an independent DPA. They could also be ensured by an independent judiciary. After all, Americans are a litigious bunch; Europeans could join them in the courts. But having said that, it is clear that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth the name in the USA. So the right to an effective remedy in the Charter has been breached; and it is self-evident that processing information from Facebook interferes with privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled up several different aspects of the limitation rules. For one thing, the precision of the law limiting rights and the public interest which it seeks to protect are two separate things. In other words, the public interest does not have to be defined precisely; but the law which limits rights in order to protect the public interest has to be. So the opinion is right to say that national security is a public interest which can justify limitation of rights in principle, but it fails to undertake an examination of the precision of the rules limiting those rights. As such, it omits to examine some key questions: should the precision of the law limiting rights be assessed as regards the EU law, the US law, or both? Should the US law be held to the same standards of clarity, foreseeability and accessibility as European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes with the ‘essence’ of the privacy and data protection rights. The ECHR case law and the EU’s e-privacy directive expressly allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two aspects of the US law which are problematic: its nature as mass surveillance, plus the inadequate safeguards.

On these vital points, the analysis in the opinion is correct. The CJEU’s ruling in Digital Rights Ireland suggests, in my view, that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. This is manifestly the Advocate-General’s approach in this case; and the USA obviously has in place mass surveillance well in excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates the Charter, due to the lack of accessible safeguards for EU citizens as discussed above. Hopefully, the Court of Justice will confirm whether mass surveillance is intrinsically problematic or not: it is a key issue for Member States retaining data by way of derogation from the e-privacy Directive, for the validity of EU treaties (and EU legislation) on specific issues such as retaining passenger data (see discussion here of a pending case), and for the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the opinion is based in large part upon the EU Charter of Rights, which is primary EU law, it can’t be circumvented simply by amending the data protection Directive (on the proposed new rules on external transfers under the planned Regulation, see discussion here). Instead, the USA must, at the very least, ensure that adequate remedies for EU citizens and residents are in place in national security cases, and that either a judicial or administrative system is in place to enforce in practice all rights which are supposed to be guaranteed by the Safe Harbour certification. Facebook and others might consider moving the data processing of EU residents to the EU, but it’s hard to see how this could work for any EU resident with (for instance) Facebook friends living in the USA. Surely in such cases processing of the EU data in the USA is unavoidable.

Moreover, arguably it would not be sufficient for the forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for a qualified exemption for EU data protection law, along the lines of the WTO’s GATS. Only a complete immunity of EU data protection law from the TTIP – and any other EU trade and investment agreements – would be compatible with the Charter. Otherwise, companies like Facebook and Google might try to invoke the controversial investor dispute settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems cost them money.

Schrems Versus Facebook: is the end of Safe Harbor approaching?

by Emilio De Capitani

Today Advocate General Yves Bot has presented his long-awaited conclusions on Case C‑362/14 Maximillian Schrems v Data Protection Commissioner. This case, better described by the press as the “Schrems v Facebook” case (why not “David v Goliath”?), puts in question the so-called Safe Harbor “agreement”, which frames the conditions under which personal data of people under EU jurisdiction can be transferred to or processed by servers of US companies (such as Facebook, Google, E-Bay) on US territory.
As the protection of personal data is a fundamental right under EU law (notably after the entry into force of art. 8 of the EU Charter), art. 25 of Directive 95/46 foresees that the transfer of these data to a third country is legitimate only if the data are “adequately” protected.
The problem is that in the US there is no comprehensive legal protection framework comparable to the one existing in the EU, so in 2000 the Commission negotiated with the US the establishment of a specific voluntary regime (the “Safe Harbor Principles”) which could be considered as granting an “adequate” protection of personal data, having regard to the standard applicable in Europe.

At the time the European Parliament voted against this regime but was unable to obtain stronger safeguards because of the unwillingness of the US authorities and, moreover, of the Commission, which was more interested in the transfer of data than in their protection.

Since then the transatlantic flow of data has grown every day, and with it the economic benefits of the US companies, without any real re-assessment of compliance with the Safe Harbor principles on the US side (by the Federal Trade Commission) or on the EU side (by the Commission), even after the entry into force of the Lisbon Treaty, which changed the legal basis of EU policies linked with the protection of personal data.

However, when the Snowden revelations made clear to everybody that all these EU personal data could be massively analyzed without judicial oversight by the US intelligence services, someone in the EU woke up.

Among the EU institutions, the European Parliament asked for the suspension of the Safe Harbor agreement, but its initiative was not followed by the Commission (as unfortunately happens more and more frequently); it is thanks to the obstinacy of Maximilian Schrems, an Austrian law student, that the case was finally brought, first before the Irish Data Protection Commissioner, then before the Irish High Court and now before the Court of Justice.

This case is extremely interesting, not only because it confirms that in a democracy someone has to … watch the watchers, be they at national or European level (notably if they are sleeping or hiding behind each other…), but also because it shows that even an “ordinary” citizen can dare to do, in the name of EU law and of his rights, what the EU institutions are less and less willing to do.

Enjoy now reading the instructive and very detailed arguments of Yves Bot, which lead him to declare that the Commission’s initial “adequacy finding” was not adequate at all (as the EP also wrote in its 2000 resolution) and that national authorities should fully play their role and not hide behind the Commission’s “adequacy decisions”.

Such strong reasoning, if endorsed by the Luxembourg judges, should inspire:

  • a re-assessment of other EU-US ‘executive’ agreements dealing with data protection (the draft “Umbrella agreement” included)
  • a revision of the Data Protection package, at least as far as the regime of Commission “adequacy findings” is concerned (which, due to its wide margin of discretion, could no longer be considered a simple “implementing measure” but at least a “delegated” power …) and a stronger role for the Data Protection Board, which should have direct jurisdiction at least over “over the top” data controllers such as Facebook, Google, E-Bay and so on…

It is only unfortunate that the European Parliament, which on these issues was on the right side between 1999 and 2004, is now slowly sliding away, notwithstanding a much stronger constitutional framework and a binding Charter …

Anyway, many thanks Max!! I hope that 10, 100, 1000 European citizens will follow your example…

 

CONTINUE READING: OPINION OF ADVOCATE GENERAL BOT

delivered on 23 September 2015 (1) Case C‑362/14 Maximillian Schrems v Data Protection Commissioner
