Max Schrems, the 20-something law student whose lawsuit triggered the end of the “safe harbor” data transfer agreement between the European Union and the United States, is scheduled to speak tomorrow at NYU’s Arthur L. Carter Journalism Institute. Yesterday I scanned the opinion of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner in an effort to prepare myself for his talk. This was a labor for which I was not fully prepared. Nevertheless, here’s some detail on the decision that you won’t get in the news coverage—understandably, because it’s complicated. Take a deep breath.
Schrems brought his lawsuit against the Irish Data Protection Commissioner, a national regulatory body that had been charged with overseeing the handling of personal data by companies based in Ireland. The EU member states were all obliged to create national bodies like the Data Protection Commissioner by a 1995 European Council directive (the so-called Data Protection Directive). These data oversight bodies are meant to protect EU citizens’ privacy and data rights. Unlike in the US, EU law grants basic rights of personal data protection under the European Charter of Fundamental Rights.
Here’s what it says about privacy and data:
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Protection of personal data
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
The Data Protection Directive also contains rules on the transfer of personal data to third countries, i.e. countries outside the EU that might not provide the same degree of protection for personal data. Article 25 of the Directive reads:
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
6. The [European] Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Against the dragnet
When the Snowden leaks revealed that the US engaged in almost indiscriminate electronic surveillance, Schrems asked the Commissioner to reexamine the then EU-wide determination (under a later European Commission decision, the so-called “safe harbor” agreement) that the US provided adequate protection of EU citizens’ personal data and privacy rights. The Commissioner refused on the grounds that this had already been decided by the Commission, so Schrems filed his suit. The suit eventually reached the Irish High Court, which asked the European Court of Justice for a preliminary ruling (an interesting procedure in the EU legal system that I’ll write a post about later).
UPDATE 11:19 am February 22: I forgot to explain why this suit began in Ireland. Schrems is an Austrian national, but he is also a Facebook user, and it was the data that Facebook transfers back to the US that Schrems argued was inadequately protected. Facebook operates in Europe through a subsidiary that is incorporated in Ireland and is thus under the jurisdiction of Ireland’s personal data supervisory body, not Austria’s.
Facebook provided the nexus that Schrems needed for his case, but, as he told Ars Technica, “I could pretty much have chosen any other big company that was involved in PRISM [the NSA’s internet dragnet] and has a European headquarters. You just need a company that is here in Europe, and some element in the US, and straight away you have two jurisdictions colliding.”
The ECJ not only found that the Data Protection Commissioner could reexamine the adequacy of data protections in a third state, it also found invalid the Commission’s original finding that data protection in the US was sufficient under EU law, insofar as that finding could restrict the national data oversight bodies. The Court found that:
103 The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 [the Data Protection Directive] does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
104 That being so, it must be held that, in adopting Article 3 of Decision 2000/520 [the safe harbor agreement], the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
After the fact, it isn’t hard to see that US surveillance programs are incompatible, or at the very least in tension, with the basic rights of EU citizens as laid down in the Charter. After this decision, the Commission and the US went into overdrive to negotiate a workaround. They missed a January 31 deadline, but on February 2 they announced an agreement. The new data transfer agreement will be called the “EU-US Privacy Shield”, but it isn’t clear to me how US surveillance practices will ever be compatible with EU data privacy rights.
The ongoing tiff between Apple and the FBI over the phone of San Bernardino shooter Syed Farook is a case in point. As is DOJ’s attempt to force Microsoft to hand over emails that are stored on a server in Ireland.
I haven’t gotten around to reading it yet, but the current issue of Foreign Affairs has an article about this battle: “The Transatlantic Data War”.
Some questions I’m expecting to ask on Tuesday:
- Could an EU-US agreement ever make US surveillance compatible with EU privacy rights?
- What do we know about the EU-US Privacy Shield so far? Anything more than the Commission said in its press release?
- If the US doubles down on mass surveillance (as it seems to be doing), what is the best option for Europe?
Space is limited at this event. If you want to come please RSVP to firstname.lastname@example.org.
Photo by Simon McGarr.