Snowden Leaks Put Safe Harbor Framework On Trial
Edward Snowden is having an international impact only a lobbyist could love. Today, an Advocate General of the European Court of Justice stepped firmly on the heels of US and European negotiators in the final rounds of post-Snowden negotiations on the US-EU Safe Harbor Framework.
Background. The 1995 European Data Protection Directive (DPD) protects data created or processed in the E.U., and contains provisions to ensure that individual member state laws do not interfere with this framework. With respect to non-member states, the DPD permits the European Commission to find that a third country ensures an adequate level of protection and permit data transfers to that state. Article 8(3) of the European Charter of Fundamental Rights (as well as Article 16 of the Treaty on the Functioning of the EU) makes DPD compliance subject to independent supervisory authorities.
As early as 2009, U.S. officials (myself included) were working on updating Safe Harbor as well as the agreement governing the transfer of passenger name records (PNR). Snowden’s exposure of broad U.S. spying on E.U. citizens put a damper on those negotiations (as did separate revelations stemming from a U.S. anti-money laundering investigation that involved accessing the servers of Swift, a Belgian electronic money transfer cooperative). An updated PNR agreement was finally approved in 2012.
The European Commission later published reform recommendations, setting the stage for fresh negotiations. One potential dealbreaker: the EU wants EU citizens in America to have a right to seek redress in US federal courts. In March, a “Judicial Redress Bill” was formally introduced in Congress. If passed as written, the law will extend the judicial redress provisions of the US Privacy Act of 1974 to EU citizens in America. (Incidentally, DHS provided similar relief to those lawfully present in the US in 2009.)
The Pending Case. Further Snowden leaks in 2013 not only stalled negotiations on a US-EU “Umbrella Agreement,” but prompted the complaint in Schrems v Data Protection Commissioner (C-362/14). Austrian privacy activist Max Schrems brought the case in Ireland, complaining about the U.S. acquisition of data from Facebook’s Irish subsidiary, and arguing that “the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance.” Ireland’s Data Protection Commissioner (the relevant supervisory authority) declined to investigate, concluding that the Safe Harbor principles countenanced by Decision No. 2000/520 are dispositive. The case was appealed to the High Court of Ireland, which asked the Court of Justice of the European Union to decide whether the EC Decision prevents a supervisory authority from investigating the claim and suspending the contested data transfers. Arguments were heard in March.
Today, EU Advocate General Yves Bot filed an opinion in the case. (This is not a legal authority, but may persuade the judges, analogous to when the U.S. Solicitor General submits an amicus curiae brief.) The Advocate General did not simply conclude that Ireland should have conducted an investigation. He opined that the access afforded to the U.S. intelligence community (most notably the NSA) impermissibly interferes with the right to respect for private life and the right to protection of personal data, which are guaranteed by the EU Charter, such that Decision No. 2000/520 is invalid. In his view, the inability of European citizens to be heard in U.S. courts on the legality of the interception of their data also constitutes an interference with rights protected by the Charter. According to Advocate General Bot, that interference with fundamental rights is contrary to the principle of proportionality due to the scope of the “mass, indiscriminate surveillance” carried out by the United States. The Court’s press release explains:
The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.
Upshot. If the Court agrees with Bot, it could rule that the Commission decision underpinning Safe Harbor is unlawful. That would throw a serious monkey-wrench into the bilateral data transfer framework. Since Bot’s opinion is grounded in the Charter, the Court may reach the mass surveillance issue even if the Umbrella Agreement is finalized and adopted. Indeed, the Agreement, as presently envisioned, may not even settle the redress issue because redress will be subject to Privacy Act exemptions, including those permitting undisclosed data collection for law enforcement and intelligence purposes. (If the Court reaches these issues, I doubt many judges will be satisfied that the NSA’s bulk collection of phone records has been curtailed.)
More likely, the Court will rule that the EC decision is valid but does not curb or preempt the independent supervisory authorities. That would be less disruptive and less dramatic, dodging some mass collection questions. Or, they could go the other way entirely. It will be interesting to see how the Court rules, how the Umbrella Agreement is affected, and what Snowden has to say.
Charles J. Borrero, Esq.