On Monday I summarized the reasons that the European Court of Justice struck down the European Commission decision that permitted the transfer of personal data from the European Union to the United States. And yesterday I heard the plaintiff in that case, Maximilian Schrems, speak at NYU’s journalism school. He and Professor Ira Rubinstein (NYU Law) highlighted a critical portion of the ECJ’s judgment, but came to conflicting conclusions. The court decided that the protection of EU citizens’ privacy rights, as laid out in the European Charter of Fundamental Rights, could not be compromised. Merely “adequate” protection of personal data, as required by the Data Protection Directive, is not enough; the level of protection must be “essentially equivalent” to that provided by EU law.
Here’s the court:
73 The word ‘adequate’ in Article 25(6) of Directive 95/46 [the Data Protection Directive] admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. … [T]he term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. If there were no such requirement, the objective referred to in the previous paragraph of the present judgment would be disregarded …
74 It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.
In other words, the Commission would have to take into account US surveillance laws and practices. Facebook, Google, Microsoft and the telecoms could be perfect privacy angels—it wouldn’t matter if the data these companies collect is available to US intelligence.
Schrems is obviously ecstatic about this, Rubinstein more skeptical. In addition to concerns with the factual record relied on by the court, Rubinstein expressed a common complaint: the decision cloaks a double standard in respectable clothing. The EU member states, most notably the UK, are no privacy utopias; many of them surveil their own citizens and those of other countries. Why should the ECJ single out the United States when even the member states don’t respect these rights?
The response to this question is seemingly obtuse: the ECJ doesn’t have jurisdiction over member states’ national security policy. The ECJ can make rulings about the commercial use of data, but not about the collection of data by the member states’ national security institutions. But it can get at the commercial nexus linking commercial bulk data collectors to national intelligence agencies, i.e. the point where commercial entities hand data to governments. It seems perfectly reasonable to me for the ECJ to step in where it can to protect fundamental European rights—and thus lay claim to popular legitimacy. That the court can’t make its will felt everywhere is no argument against this particular judgment.
But Rubinstein also raised a concern with what he later called the “logic” of the decision: if data can only be transferred to countries with data protection regimes “essentially equivalent” to that of the EU, then there’s a danger that the Internet will split into a set of national and transnational Internets with different barriers to data transfer.
“This decision creates an interesting conundrum,” Rubinstein said. “At some level it’s not the Safe Harbor or the transfer to the US, it’s the international flow of data that’s the problem. And there’s no reason to think that surveillance in countries that were formally evaluated as adequate is any more protective of privacy rights than in the US or any EU member state.”
Some argue that the ECJ’s stance on data privacy and the international backlash against US surveillance will undermine the openness of the World Wide Web. I like to think that the arrow points the other way: I hope that the ECJ’s stance on data privacy will discourage US mass surveillance by making US intelligence pay the cost of offending international sensibilities. If the Internet giants all hold onto their data in Europe without transferring it to the US, it will make the data that much harder for US intelligence to access; they’ll have shot themselves in the foot.
So far there’s no additional word on what the safe harbor replacement, the EU-US Privacy Shield, will look like. I’m afraid I’m not so optimistic: how can the US live up to the essential-equivalence test without cutting back on mass surveillance? So far, the signs point the other way. And if the US doesn’t budge on the substantive issue, it seems likely that any changes will be merely cosmetic.
PS. I referred to the safe harbor arrangement as an “agreement” in my post Monday. This implies a higher degree of coordination between the US and EU authorities than appears to have been the case. The United States and the European Union did not sign a treaty on data transfer. Rather, the European Commission promulgated a decision in 2000 which permitted data transfers to organizations in the US as long as they “self-certify” to the so-called safe harbor principles, a set of guidelines drawn up by the US Department of Commerce concerning EU privacy law and appended to the Commission decision. This self-certification process was meant to ensure the “adequate protection” demanded by the Data Protection Directive.