Protection of personal information in data transfers EU-US

*Follow-up to “Facebook and data protection”. This is, however, a standalone piece.

These days many international companies have their headquarters in the US and require data to flow from their subsidiaries (in this case in the EU) to the US to monitor activity, improve business models, etc. In that context, we are still uncertain of how much of our personal information is sent to the US and for which purposes. As such, the protection of personal data is increasingly becoming a focal point for human rights defenders and a cause of concern for people who understand how data transfers (mainly EU->US) work, even more so after the allegations made by Edward Snowden regarding the use of personal data by the US and its national agencies. Those revelations have an important role to play in the outcome of the legal proceedings discussed in this article.

The Court of Justice of the EU (CJEU) is currently assessing the matter in case C-362/14 (reference under art 267 TFEU), brought before it by the Irish High Court. The request, submitted in proceedings between Mr Schrems and the Irish Data Protection Commissioner, relates to the latter’s refusal to investigate a complaint made by Mr Schrems regarding the fact that Facebook Ireland Ltd keeps its subscribers’ personal data on servers located in the US. The case is at Advocate General’s (AG) opinion stage.

The facts

Mr Schrems lodged a complaint with the Irish Commissioner, claiming in essence, that US law and practices offer no real protection of the data kept in the US against State surveillance. That stems from Snowden’s revelations regarding the activities of the US intelligence services, in particular those of the National Security Agency.

The Commissioner rejected the claim owing to the existence of the Safe Harbour scheme (Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC – Decision 2000/520) on transfers of personal data from the EU to the US. The scheme (the Decision) is based on the Data Protection Directive 95/46/EC and sets out the rules for the transfer of personal data to the US. It must be borne in mind that one of the main principles of the Directive is that data transfers to countries that do not ensure an adequate level of protection must be prohibited.

Mr Schrems brought proceedings before the High Court for judicial review of the rejection of his claim.

The Irish High Court asks for guidance from the CJEU on the matter, and there seem to be good grounds for finding that the Decision no longer serves its purpose in light of the widely known US surveillance programmes. The main questions posed by the Irish Court relate to the investigative powers of the national supervisory authorities, but the outcome will also concern the validity of the Decision itself.

The reference invites the CJEU to clarify the approach that the national supervisory authorities and the EU Commission must take when they face shortcomings in the application of Decision 2000/520. In addition, the Court will clarify how certain provisions of the Charter of Fundamental Rights of the EU – the Charter – namely arts 7 (respect for private life and communications), 8 (protection of personal data) and 47 (effective remedy), interact with art 25(6) of the Directive and, in particular, with the Safe Harbour scheme.

The AG opinion

Under the reference procedure the designated AG must issue an opinion (analysis of the case and proposed solution) which the Court will assess before adopting its ruling. The Court tends to follow the AG’s proposed solution.

I. Powers of the national supervisory authorities

According to the Irish High Court, the accuracy of much of Snowden’s revelations is clear. Further, it concludes that, once personal data is transferred to the US, the NSA and other US security agencies such as the FBI are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.

This case concerns the implementation and application of EU law (the Decision implements the Directive) and the legality of the Irish Commissioner’s decision should be assessed in light of EU law. The High Court observes that Mr Schrems’ objection is in reality to the terms of the Safe Harbour scheme itself rather than to the manner in which the Commissioner applied it, and emphasises that Mr Schrems has not directly challenged the validity of Directive 95/46/EC or of Decision 2000/520.

The High Court states that the essential question is whether, in light of EU law namely arts 7 and 8 of the Charter, the Commissioner is absolutely bound by Decision 2000/520 relating to the adequacy of the law and practice applicable to personal data protection in the US.

The real objection is not to the conduct of Facebook USA as such, but to the fact that the Commission has determined that US law and practice on data protection ensure adequate protection when it is clear from Snowden’s disclosures that the US authorities can have access on a mass and undifferentiated basis to personal data of the EU population. It is difficult to see how the Decision could in practice satisfy the requirements of arts 7 and 8 of the Charter, especially in light of the judgment in Digital Rights Ireland and Others (which invalidated the Data Retention Directive).

The Data Protection Directive seeks to ensure a high level of protection of fundamental rights and freedoms with respect to the processing of personal data in the EU and the supervisory authorities provided for in its art 28 are therefore the guardians of those fundamental rights and freedoms.

The requirement that compliance with EU rules on the protection of individuals with regard to the processing of personal data is subject to control by an independent authority derives also from primary EU law, in particular from art 8(3) of the Charter and art 16(2) TFEU. Furthermore, the establishment of independent supervisory authorities in Member States (MS) is an essential component of the protection of individuals with regard to the processing of personal data.

The powers of the national authorities to investigate, with complete independence, complaints submitted to them under art 28 of the Directive must be interpreted broadly, in accordance with art 8(3) of the Charter. Those powers cannot be limited by the powers which the EU legislature has conferred on the Commission under art 25(6) of the Directive to find that the level of protection ensured by a third country is adequate. If, on completion of its investigations, a national supervisory authority considers that the contested transfer of data undermines the protection which EU citizens must enjoy with regard to the processing of their data, it has the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its decision.

The assessment of whether or not the level of protection afforded by a third country is adequate may also give rise to cooperation between the MS and the Commission. Art 25(3) of the Directive provides that ‘MS and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2’. MS and the Commission have an equal role to play in identifying cases in which a third country does not ensure an adequate level of protection.

Directive 95/46/EC must therefore be interpreted in accordance with its objective of guaranteeing a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data within the EU.

MS must interpret their national law in a manner consistent with EU law but also make sure they do not rely on an interpretation of an instrument of secondary legislation which would conflict with the fundamental rights protected by the EU legal order or with other general principles of EU law.

As such, the AG thinks that the fact that the Commission has adopted an adequacy decision cannot have the effect of reducing the protection of EU citizens with regard to the processing of their data when that data is transferred to a third country by comparison with the level of protection which those persons would enjoy if their data were processed within the EU. The national supervisory authorities must be in a position to intervene and exercise their powers with respect to transfers of data to third countries covered by an adequacy decision. Otherwise, EU citizens would be less protected than they would be if their data were processed within the EU.

The EU legislators decided which powers were to devolve to national authorities. The implementing power conferred by the EU legislature on the Commission in art 25(6) of Directive 95/46/EC does not affect the powers which that legislature conferred on the national supervisory authorities in art 28(3) of the Directive, i.e. the Commission is not empowered to restrict the powers of the national supervisory authorities.

Thus, art 28 of the Directive, read in light of arts 7 and 8 of the Charter, must be interpreted as meaning that the existence of a Commission decision based on art 25(6) of that Directive does not have the effect of preventing a national authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where necessary, suspending the data transfer.

In filing the complaint, Mr Schrems wished to challenge the terms and functioning of the Safe Harbour scheme itself on the ground that the mass surveillance of the personal data transferred to the US shows that there is no meaningful protection of that data in the law and practice in force in the US. The referring court thus indirectly casts doubts on the validity of Decision 2000/520.

In that regard, even where a request to the CJEU relates solely to the interpretation of EU law the Court may find it necessary to examine the validity of a piece of secondary law. The Court has jurisdiction to declare an EU act invalid in order to ensure legal certainty and the uniform application of EU law. In the absence of a declaration of invalidity by the Court or an amendment or repeal by the Commission, the Decision remains binding in its entirety and applicable in all MS.

The question of whether the US intelligence services’ generalised and untargeted access to the transferred data is capable of affecting the legality of Decision 2000/520 has been discussed before the Court in the context of the present proceedings. The validity of that Decision can therefore be assessed from that point of view.

II. Validity and adequacy of the Decision

As seen in Gaz de France – Berliner Investissement, in certain cases the validity of a measure may be assessed by reference to new factors arising after its adoption; this seems particularly relevant for the present case. Decisions adopted by the Commission on the basis of art 25(6) of Directive 95/46/EC are intended to assess whether or not the level of protection of personal data afforded by a third country is adequate. That assessment will necessarily evolve according to the factual and legal context prevailing in the third country.

The Decision, in force for over 15 years, reflects the Commission’s assessment in 2000. Given its nature, it must be regularly reviewed by the Commission. If the Commission does not amend it, that is because it implicitly confirms the initial assessment (that the third country concerned ensures an adequate level of protection of the personal data transferred). It is then for the Court to examine whether that finding continues to be valid by reference to the current factual and legal context.

To attain a level of protection essentially equivalent to that in force in the EU, the Safe Harbour scheme – largely based on self-certification and self-assessment by the organisations participating voluntarily in the scheme – should be accompanied by adequate guarantees and a sufficient control mechanism. Within the EU the prevailing notion is that an external control mechanism in the form of an independent authority is a necessary component of any system designed to ensure compliance with the rules on the protection of personal data.

The MS and the Commission must be constantly alert to any change of circumstances that may call for reassessment of the level of protection afforded by a third country (art 25(1) and (3) of the Directive). By the same token, the obligation of the third country to ensure an adequate level of protection is ongoing. The power conferred on the Commission by the EU legislators in art 25(6) of the Directive to find that a third country ensures an adequate level of protection is expressly conditional on the requirement that the third country ensures such a level of protection, within the meaning of art 25(2).

If new circumstances call the Commission’s initial assessment into question, it should adapt its decision accordingly. The fact that the Commission has maintained Decision 2000/520, in spite of changes in the factual and legal position, must be understood as willingness on its part to confirm its initial assessment.

Let’s focus on the facts referred to by the Irish Court: that personal data transferred by undertakings such as Facebook Ireland to their parent company established in the US is capable of being accessed by the NSA and other US security agencies in the course of mass and indiscriminate surveillance and interception, and that EU citizens have no effective right to be heard regarding the surveillance and interception of their data by the NSA and other US security agencies. Keep in mind that those findings are supported by the statements of the Commission itself.

According to the AG, Decision 2000/520 does not contain sufficient guarantees since EU citizens cannot benefit from effective judicial protection. Hence, owing to that lack of guarantees, it does not satisfy the requirements of the Charter or of Directive 95/46/EC.

The US use of the derogations is further analysed by the AG in the context of the Commission Communication ‘Rebuilding Trust in EU-US Data Flows’ (COM(2013) 846 final).

The allegations in the present case do not amount to a breach by Facebook of the Safe Harbour principles. If a certified undertaking, such as Facebook USA, gives the US authorities access to the data transferred to it from a MS, it does so to comply with US law. Since such a situation is expressly accepted by Decision 2000/520, owing to the broad wording of the derogations contained in it, it is in reality the question of the compatibility of those derogations with primary EU law that is raised in the present case.

In Digital Rights Ireland the Court confirmed that authorising the competent national authorities to access such data constitutes a further interference with EU citizens’ fundamental right to the protection of personal data. In addition, any form of processing of personal data is covered by art 8 of the Charter and constitutes an interference with the right to the protection of such data. The access enjoyed by the US intelligence services to the transferred data therefore also constitutes an interference with the fundamental right to protection of personal data (art 8 of the Charter).

The derogation of general interest (paragraph 4 of Annex I to the Decision) is contrary to arts 7, 8 and 52(1) of the Charter since it does not pursue an objective of general interest defined with sufficient precision.

The AG believes the Decision must be declared invalid, since the existence of a derogation which allows the principles of the Safe Harbour scheme to be disregarded in such general and imprecise terms in itself prevents that scheme from being considered as ensuring an adequate level of protection of the personal data transferred to the US from the EU. He also recalls many points of Digital Rights Ireland, in particular the proportionality principle, including the possible limitations to the fundamental rights of EU citizens protected by the Charter.

The access which the US intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued. That access covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by arts 7 and 8 of the Charter.

Since EU institutions and MS cannot adopt legislation contrary to the Charter, it must follow that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of the personal data of EU citizens where their laws do in fact permit the mass and indiscriminate surveillance and interception of personal data.

In Digital Rights Ireland the Court stressed the importance of providing ‘clear and precise rules governing the extent of the interference with the fundamental rights enshrined in arts 7 and 8 of the Charter’. Such interference must be precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary. In addition, there must be sufficient safeguards to ensure effective protection of the personal data against the risk of abuse and against any unlawful access and use of that data.

Neither the Federal Trade Commission (a public US body) nor the private dispute resolution bodies in the US have the power to monitor possible breaches of the principles concerning protection of personal data by public actors such as the US security agencies. Such power is essential to guarantee in full the right to effective protection of that data. The EU Commission was therefore not entitled to find, in adopting Decision 2000/520 and maintaining it in force, that the right granted by art 8(3) of the Charter, i.e. that an independent authority would effectively monitor compliance with the requirements for the protection and security of that data, would be adequately protected for all personal data transferred to the US. (Keep in mind that in 2000 the Charter was not legally binding, unlike now, post-Lisbon; hence, it could have been taken into account by the Commission in the initial assessment, but that was not a mandatory requirement.)

The Foreign Intelligence Surveillance Act of 1978 (FISA) does not offer an effective judicial remedy to EU citizens whose personal data is transferred to the US. The protection against surveillance by government services provided for in section 702 of FISA applies only to US citizens and to foreign citizens legally resident on a permanent basis in the US.

As stated by the Commission there are no opportunities for EU citizens to obtain access to, rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the US surveillance programmes. Further, Decision 2000/520 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in arts 7 and 8 of the Charter. It must be found that the Decision and the way in which it is applied entail a wide-ranging and particularly serious interference with those fundamental rights, without that interference being precisely circumscribed by provisions to ensure that it is in fact limited to what is strictly necessary.

Given such a finding of infringement of EU citizens’ fundamental rights, the AG considers that the Commission ought to have suspended the application of Decision 2000/520 (and either amended or replaced it).

The Commission has also stated that there is a substantial likelihood that adherence to the Safe Harbour Privacy Principles has been limited in a way that fails to comply with the strictly tailored national security exemption. It observes that Snowden’s revelations point to a level of surveillance of a massive and indiscriminate scale incompatible with the standard of necessity laid down in that exemption as well as, more generally, with the right to protection of personal data (art 8 of the Charter). The Commission itself has said, moreover, that ‘the reach of these surveillance programmes, combined with the unequal treatment of EU citizens, brings into question the level of protection afforded by the Safe Harbour arrangement’.

The Commission expressly acknowledged that, under Decision 2000/520 as currently applied, there is no guarantee that the right of EU citizens to protection of their data will be ensured. However, in the Commission’s submission, that finding is not such as to render that Decision invalid. While the Commission agrees with the statement that it must act when faced with new circumstances, it maintains that it has taken appropriate and proportionate measures by entering into negotiations with the US in order to reform the Safe Harbour scheme. (This may be a key element for the Court, if it decides to invalidate the Decision).

The Commission should have suspended the application of Decision 2000/520 while it conducts negotiations with the US in order to put an end to those shortcomings (see arts 25(4) and (5) of the Directive). The objective of protecting personal data pursued by the Directive and art 8 of the Charter places obligations not only on MS but also on EU institutions (art 51(1) of the Charter).

If the Commission decided to enter into negotiations with the US, it is because it had considered beforehand that the level of protection ensured by that country was no longer adequate. It neither suspended nor adapted the Decision, allowing the continued breach of the fundamental rights of the persons whose personal data was and continues to be transferred under the Safe Harbour scheme. Such failure to act, which directly impairs the fundamental rights protected by the Charter, is an additional ground on which to declare Decision 2000/520 invalid in the context of the present reference for a preliminary ruling.

Conclusion

The AG has provided a good reading of the powers of national supervisory authorities contained in the Data Protection Directive, which would enable them to assess complaints and even suspend data transfers (if necessary), and sound legal grounds for the CJEU to invalidate the Safe Harbour Decision. As regards the latter, those grounds not only prove the lack of adequacy in the level of protection of personal data in the US but, more importantly, have uncovered a real, present and continuing breach of EU citizens’ fundamental rights that the Commission has decided to overlook. It is my opinion that the Court will uphold the AG’s opinion and possibly warn the Commission against such blatant omissions to act.
