Twelve days after the Paris attacks, I was waiting for a flight at London's Heathrow Airport, which seemed to be running with its customary sedate orderliness despite Brussels being on "lockdown" and police raids still taking place in Paris and Belgium. While checking online for the latest developments in the U.S. and EU's negotiations for a replacement for the recently struck-down Safe Harbor program, I came across a notice that, due to security concerns, a prominent international privacy professionals' organization had decided to cancel its annual European Congress scheduled to take place in Brussels beginning in late November. Notably, the cancelled congress was to have featured Max Schrems, the Austrian law student whose complaint to the Irish Data Protection Commissioner ultimately resulted in the Safe Harbor program being struck down by the Court of Justice of the EU (CJEU). The irony was palpable: Privacy advocates who had celebrated the CJEU's decision that EU privacy rights trump mass surveillance-based intelligence activities were unable to gather safely in Brussels due to a state of emergency that the media, at least, were attributing, in large part, to failures of European intelligence to detect communications among terrorists that implicitly would have required some form of mass collection and analysis of personal data.
As many readers know, Schrems had complained that Facebook Ireland's transfer of his personal data to the U.S. violated his privacy rights under EU law because, once in the U.S., his data was allegedly subject to access by the National Security Agency (NSA) via PRISM. The CJEU agreed. The precise reasoning of the Schrems decision may seem somewhat opaque to U.S. readers, however, because it is rooted in notions of "fundamental rights" under the EU's Charter of Fundamental Rights and prior case law elaborating the limits on how such rights can be restricted. Privacy is one of the fundamental rights under the Charter.
The CJEU concluded in Schrems that "protection of the fundamental right to respect for private life at EU level" requires limitations on privacy "to apply only in so far as is strictly necessary" (Schrems, para 92). The CJEU went on to say, in effect, that laws authorizing mass surveillance of personal data transferred to the U.S. fail this test because they lack objective criteria limiting the storage and use of personal data to purposes that are "specific, strictly restricted and capable of justifying the interference" with individuals' privacy rights (Schrems, para 93). The CJEU also found that U.S. surveillance laws lacked a means for EU residents to challenge the collection of their personal data and obtain redress. In other words, to be legitimate under European law, surveillance would need to be narrowly targeted and include safeguards and remedies for individuals; mass surveillance violates the EU's fundamental right of privacy.
The Schrems decision set off a mad scramble among many of the more than 4,000 U.S. companies that had relied on Safe Harbor to make their data transfers from the EU legal. It also accelerated the negotiations, under way since the Snowden disclosures in 2013, between U.S. and EU representatives for a new Safe Harbor program. But following Schrems, the EU Commissioner leading the negotiations, Vera Jourova, has far less room to maneuver. The Schrems decision relied on—and even quoted—key criticisms made by the Commission in an earlier official "communication" to the U.S. following Snowden's disclosures, effectively turning those criticisms, which may not have reflected a fully informed understanding of PRISM and the safeguarding role of the FISA Court, into law. Even if the Commission's views have evolved through its ongoing discussions with the U.S., the Commission, like the rest of us, is stuck with a binding legal standard that will make negotiating conditions for the transfer of personal data from the EU to the U.S. extremely difficult unless the U.S. forswears any form of mass surveillance involving data of EU origin.
And the Commission will be held to the Schrems standard immediately, since Schrems also confirmed that Commission decisions affecting the fundamental right of privacy must be open to challenge by individuals at the national level through local data protection authorities and courts, even though the CJEU retains the ultimate authority to invalidate a Commission decision. Safe Harbor II, whenever we get it, will most likely come under immediate attack to test whether the new balance of privacy against security (as well as other interests that have faded into the background) passes the stringent Schrems standard.
The further irony is that, post-Paris, several EU national governments are trending towards domestic laws permitting various forms of mass surveillance. It is not entirely clear from a legal perspective whether those national laws can be challenged on the grounds of EU fundamental rights. Although Americans tend to view the Schrems case in isolation, it flows in good part from an earlier and purely intra-EU case, Digital Rights Ireland and Others (Joined Cases C-293/12 and C-594/12, EU:C:2014:238; decided April 8, 2014), which invalidated the 2006 Data Retention Directive and cast doubt on all mass data collection activities mandated by EU legislation and, as further developed in Schrems, possibly also those mandated by national laws. On November 20th of this year, the British Court of Appeal referred to the CJEU the vital question of whether Digital Rights Ireland applies to national data retention and access by authorities (Davis et al., [2015] EWCA Civ 1185). The Court of Appeal also referred a related question as to whether Digital Rights Ireland was intended to set out mandatory requirements for national surveillance laws. If so, a number of EU countries may face what would essentially be the Schrems standard applied to their own national laws. The EU and U.S.'s fraught negotiation of the balance between privacy and security would then become as much an internal European issue as it is currently an international one.