The Debate Post-Paris

Twelve days after the Paris attacks, I was waiting for a flight at London’s Heathrow Airport, which seemed to be running with its customary sedate orderliness despite Brussels being on “lockdown” and police raids still taking place in Paris and Belgium.  While checking online for the latest developments in the U.S. and EU’s negotiations for a replacement for the recently struck-down Safe Harbor program, I came across a notice that, due to security concerns, a prominent international privacy professionals’ organization had decided to cancel its annual European Congress scheduled to take place in Brussels beginning in late November. Notably, the cancelled congress was to have featured Max Schrems, the Austrian law student whose complaint to the Irish Data Protection Commissioner ultimately resulted in the Safe Harbor program being struck down by the Court of Justice of the EU (CJEU). The irony was palpable: Privacy advocates who had celebrated the CJEU’s decision that EU privacy rights trump mass surveillance-based intelligence activities were unable to gather safely in Brussels due to a state of emergency that the media, at least, were attributing, in large part, to failures of European intelligence to detect communications among terrorists that implicitly would have required some form of mass collection and analysis of personal data.

As many readers know, Schrems had complained that Facebook Ireland’s transfer of his personal data to the U.S. violated his privacy rights under EU law because, once in the U.S., his data was allegedly subject to access by the National Security Agency (NSA) via PRISM.  The CJEU agreed.  The precise reasoning of the Schrems decision may seem somewhat opaque to U.S. readers, however, because it is rooted in notions of “fundamental rights” under the EU’s Charter of Human Rights and prior case law elaborating limits on how such rights can be restricted.  Privacy is one of the fundamental rights under the Charter.