Edward Snowden is having an international impact only a lobbyist could love. Yesterday, Advocate General Yves Bot of the European Court of Justice filed an opinion suggesting that, due to mass surveillance by the NSA, the “Safe Harbor Principles” framework is invalid. In doing so, Bot has stepped firmly on the heels of US and European negotiators in the final rounds of negotiations on the US-EU Safe Harbor Framework. We’ll learn later this year whether it leads to the eradication of the framework many American and European companies have come to rely on.
Background. The 1995 European Data Protection Directive (Directive 95/46/EC) protects data created or processed in the European Union, and does not allow individual member states’ laws to interfere. With respect to non-member states, the DPD permits the European Commission to find that a third country ensures an adequate level of protection and permit data transfers to that state. Article 8 of the European Charter of Fundamental Rights makes DPD compliance “subject to control by an independent authority.” Article 16 of the Treaty on the Functioning of the EU similarly requires compliance with data protection rules legislated by the European Parliament and Council to be “subject to the control of independent authorities.”
As early as 2009, U.S. officials were working on updating Safe Harbor as well as the agreement governing the transfer of passenger name records (PNR). Snowden’s exposure of broad surveillance of EU citizens (in addition to separate revelations stemming from a US anti-money laundering investigation that involved accessing the servers of Swift, a Belgian electronic money transfer cooperative) put a damper on those negotiations. (An updated PNR agreement was finally approved in 2012.)
The European Commission later published reform recommendations, setting the stage for fresh negotiations. One potential deal-breaker: the EU wants EU citizens in America to have a right to seek redress in US federal courts. In March, a “Judicial Redress Bill” was formally introduced in Congress. If passed as written, the law will extend the judicial redress provisions of the US Privacy Act of 1974 to EU citizens in America. (Incidentally, DHS provided similar relief for those lawfully present in the US in 2009.)
The Pending Case. Further Snowden leaks in 2013 not only stalled negotiations on a US-EU “Umbrella Agreement,” but prompted the complaint in Schrems v Data Protection Commissioner (C-362/14). Austrian privacy activist Max Schrems brought the case in Ireland, complaining about the U.S. acquisition of data from Facebook’s Irish subsidiary, and arguing that “the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance.” Ireland’s Data Protection Commissioner declined to investigate, concluding that the Safe Harbor principles countenanced by Decision No. 2000/520 are dispositive. The case was appealed to the High Court of Ireland, which asked the Court of Justice of the European Union to decide whether the European Commission Decision prevents a supervisory authority from investigating the claim and suspending the contested data transfers. Arguments were heard in March.
The EU Advocate General opinion is not a legal authority, but it may persuade the judges. The opinion does not simply conclude that Ireland should have conducted an investigation. Bot goes beyond that to opine that the access afforded to the U.S. intelligence community (most notably the NSA) impermissibly interferes with the right to respect for private life and the right to protection of personal data, which are guaranteed by the EU Charter, such that Decision No. 2000/520 is invalid. In his view, the inability of European citizens to be heard in U.S. courts on the legality of the interception of their data also constitutes an interference with rights protected by the Charter. According to Bot, that interference with fundamental rights is contrary to the principle of proportionality due to the scope of the “mass, indiscriminate surveillance” carried out by the United States. The press release accompanying the opinion explains:
The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.
Upshot. If the Court agrees with Bot, it could rule that the Commission decision underpinning Safe Harbor is unlawful. That would throw a serious monkey-wrench into the bilateral data transfer framework. Since the opinion is grounded in the Charter, the Court may reach the mass surveillance issue even if the Umbrella Agreement is finalized and adopted. Indeed, the Agreement, as it stands, may not even settle the redress issue because redress will be subject to Privacy Act exemptions, including those permitting undisclosed data collection for law enforcement and intelligence purposes.
More likely, the Court will rule that the European Commission decision is valid but does not curb or preempt the independent supervisory authorities. That would be less disruptive and less dramatic, dodging some mass collection questions. American law is familiar with outside auditing requirements in this context: Sarbanes-Oxley requires independent audits of internal controls, and the FTC often requires them via consent decrees in its unfair and deceptive privacy practices cases. The DPD (as well as Article 3 of the 2000 Decision) provides for a national Data Protection Authority (in this case, Ireland’s Office of the Data Protection Commissioner) to suspend data transfers if it finds a substantial likelihood that the Safe Harbor Principles are being violated. The Court may therefore remand the matter for a determination of whether the Snowden leaks reveal an exceptional circumstance that justifies the suspension of data transfers. (It’s unclear whether this could be done in a blanket fashion or whether a case-by-case analysis would be required, so it might be helpful for the Court to opine on that if it goes this route.)
Or, the judges could go the other way entirely, e.g., by ruling that it’s up to the European Commission to decide whether to suspend Safe Harbor. The Commission had an opportunity to do so in 2013 and didn’t take it, though it could ostensibly do so pursuant to Article 4 of the 2000 Decision itself:
This Decision may be adapted at any time in the light of experience with its implementation and/or if the level of protection provided by the Principles and the FAQs is overtaken by the requirements of US legislation.
It will be interesting to see how the Court rules and how the ruling plays out in the business world. (Although it’s more expensive and intrusive, companies depending on EU-US data flows may be wise to start preparing binding corporate rules, an alternative avenue for certifying DPD compliance.) I’m also curious to see whether the Umbrella Agreement is affected—and what Snowden has to say.
Charles J. Borrero, Esq.
New York City
September 24, 2015