It is not always easy to see a clear line in the difficult relationship Europe maintains with its core values and data protection policies. The current development aims to point out contradictions on the European fight for increased data protection and to give a sense of responsibility to our governments when it comes to protecting democracy and fundamental rights. But first, let’s start off with something positive. The EU Court of Justice rendered a remarkable decision on October 6th 2015, invalidating the Safe Harbor principles. The Safe Harbor Privacy Principles allow US companies to register their certification if they meet the European Union requirements in order to transfer and process data collected from Europe to the United States. Facebook, Google and many more depend on this certification as under European law, companies are not allowed to send personal data to countries outside the European Economic Area unless they guarantee adequate levels of protection.
At the beginning of the litigation stands Mr. Schrems, an Austrian national, who lodged a complaint with the Irish data protection authority (the Data Protection Commissioner) against Facebook Ireland. He claims that, in the light of the PRISM revelations made in 2013, the Safe Harbor certification offers no real protection against mass surveillance of the data transferred to the United States and thus is contrary to the 1995 EU directive on data protection. The Irish authority rejected the complaint, on the ground, in particular, that in a 2002 decision the Commission considered that, under the Safe Harbour scheme, the United States ensures an adequate level of protection of the personal data transferred.
The European Court of Justice ruled on October 6th that the transatlantic Safe Harbour agreement is invalid as it does not guarantee sufficient data protection to EU citizens. Indeed, the 1978 Foreign Intelligence Surveillance Act as well as broad claims of national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme and thus oblige US based companies to comply with their national law. The Court noted to this end that United States authorities were able to « access the personal data transferred from the Member States and to process it in a way incompatible, in particular, with the purposes for which it was transferred (…). »
The European Court of Justice reinforces with this judgement the European position on the necessary protection of private data. By doing so, the cancellation of the Safe Harbor agreement is the only possible consequence, mostly after the PRISM scandal revealed the inefficiency of this particular contract.
Is data transfer from Europe to the US endangered with this decision?
Absolutely not. EU law contains in itself significant exceptions that allow data transfer to third countries and thus derogate from the protective regime. For example, Article 26 of the 1995 EU data protection directive states that exceptions to data protection can be granted in different cases as for instance a public interest ground (a very broad term), defense of legal claims or simply by recovering the concerned person’s consent (the famous small boxes giving us the choice between « agree to terms or conditions » or don’t use my service).
Is the Court of Justice ruling going to have no effect at all considering data protection?
Not exactly. Even if this ruling has to be complimented per se, it is however very improbable that it is going to have a great positive impact on the protection of personal data. Besides the confusion it creates for multinational enterprises or even smaller start-ups operating both in Europe and in the United States, facing a significant legal vacuum, it is not very likely to have great effect in the US, whose officials already expressed their disappointment with this decision. The battle Europe is fighting against the United States on this particular point for many years, and probably for many more, is an ideological battle between two antagonistic positions. European authorities defend a very individualistic and intimate approach to personal data whereas overseas data are rather considered to be purely merchandisable information. If European authorities can impose their point of view on US companies operating within the EU, the possibility to have them complying fully with European law is, however, more than doubtful.
Sovereign data storage as a solution?
Lately, more and more recommendations arise proposing to have data of European citizens stored within the territory of the European Union to see European law applying to these data. However, Google’s data center in Finland or Microsoft’s data center in Ireland is not going to prevent these companies from transferring data to the United States in case their national law requires them to do so. The ongoing Microsoft case in the United States opposing the Department of Justice to the giant of the Internet has granted the DOJ in the first instance the right to demand emails of anyone in the world from any email provider headquartered within US borders. The case concerned an email account of Microsoft stored in Ireland which the DOJ claims to have a right to access to analyse suspicion of narcotics. The locality of the data centers is thus not as such a guarantee to have a unique law frame applying. Indeed, if the US Department of Justice requires private data to be analysed and is granted a legal right to do so, tech companies, even if their data centers are located outside US boundaries, will not be able to refuse and in these conditions it is going to be difficult for European law to be applied and to sanction companies for the violation of private data in case of a US legal obligation.
The Court of Justice ruling is, however, important for one main reason. If the data transfer is not going to be affected by the European Court of Justice ruling, US mass-surveillance of the data stored within Europe could be inhibited. Why? Simply because European authorities, aware of NSA spying practices, have power to control the flow of data transferred from Europe to America and thus to put pressure on the American government to stop mass surveillance of European citizens or of any data located within the European Union.
Europe is not credible when talking about the necessity to protect private data
However, Europe is losing credibility when it comes to giving lessons of morality to the United States for mass surveillance practices. If article 8 of the European Convention on Human Rights claims the right to respect for private and family life, recent laws within the EU seem to derive significantly from this ideal. For instance, the recent French surveillance law (loi sur le renseignment) enables French intelligence agencies to spy on nearly everything without any serious legal challenges to overcome. Indeed, the bill sets up a special commission, (the CNCTR) supposed to arbitrate on surveillance of citizens. However, this independent instance is not granted sufficient powers to oppose itself to surveillance the government thinks is necessary as the latter can simply ignore the commission by invoking any broad argument of threat.
On top, the section on international surveillance, which has been invalidated by the French constitutional court earlier this year, is now envisaged again within a new law, under which almost all internet communications can be approved by the French authorities, without any form of meaningful checks and balance. “Allowing for such extensive, intrusive and indiscriminate mass surveillance is a flagrant violation of people’s right to privacy and freedom of speech,” states Sherif Elsayed-Ali, Deputy Director of Global Issues at Amnesty International.
While the « loi sur le renseignement » adopted in July 2015 already gives the government the authority to use mass surveillance techniques to combat terrorism, the new bill goes a step further and explicitly allows for mass surveillance techniques in the pursuit of a long and undefined list of objectives, including defending and promoting major foreign policy, economic and scientific interests and without any strict legislative control nor any other constraining control from another authority.
If Europe wants to have a credible voice in this ideological fight on data protection, it, first of all, has to protect its citizens from broad government surveillance. There is no trustworthiness in claiming the importance of the protection of personal data and at the same time allowing secret services to spy à la carte on whoever they desire. There is a difference between what is needed to monitor a few thousand dangerous individuals and allowing mass-surveillance of several millions of people. It is important to trace a line and to distinguish what needs to be distinguished not to authorise every justification on mass surveillance for vague reasons of threat. The desire of power to control everything is far more threatening than the individual danger we have to face.
In France, where the concept of the « Republic » is used over and over again in the public debate to revive controversies on French identity and immigration, it is rarely pointed out that these laws are everything but “Republican”. Article 16 of the Declaration of the Rights of Men and of the Citizen, the founder text of the values of the French Republic, states that: “Any society in which the guarantee of rights is not assured, nor the separation of powers determined, has no Constitution”.
Less verbal reassurances, more credible actions
It is time for European governments to take responsibilities and to stick to the values they claim, and are bound, to represent. We do not want the end of surveillance agencies, but we want them to stick to rules, determined and controlled by the legislator, and not the executive, and we don’t want mass surveillance of European citizens by their governments. And very incidentally, to come back to the beginning, only this can bring back legitimacy to the European fight for private data protection.
To this end, we need public awareness and an appropriate debate on the extent of necessary surveillance. A debate involving every actor within our society, not only governments, and which comes back to the most basic democratic rule: the control of our institutions by the sovereign people and not the control of the sovereign people by the institutions.
This post was published on RudeBaguette on October 14th 2015.