Case Watch: Will the EU’s Top Court Outlaw Mass Surveillance?
By Simon Cox
In our “Case Watch” reports, lawyers at the Open Society Justice Initiative provide analysis of notable court decisions and cases that relate to our work to advance human rights law around the world.
Next week, the Court of Justice of the European Union (CJEU) will decide whether EU fundamental rights law is violated by United States laws allowing security agency access to personal data.
The case of Schrems v. Data Protection Commissioner was referred to the CJEU by the Irish High Court to consider the European Commission’s safe harbor decision. This decision regulates data transfer from EU to the U.S. and is based on the understanding that U.S. laws and procedures provide adequate protection for that data.
The Irish court ruled that personal information sent to the U.S. by businesses like Facebook is open to access by U.S. intelligence agencies without effective legal controls or judicial protection. It queried whether this PRISM program, disclosed by Edward Snowden, denies EU residents their right to privacy. Last week, CJEU advocate-general Yves Bot gave his nonbinding opinion that these facts make the safe harbor decision legally invalid. The CJEU will give judgment on the case on October 6.
Commercial lawyers reacted to the advocate-general’s opinion with shock, claiming the reasoning would be a radical expansion of EU law, while the U.S. government warned that EU judicial review of safe harbor would jeopardize negotiated agreements.
However, Bot’s assessment is solidly based on the landmark judgment of the CJEU in Digital Rights Ireland which outlawed indiscriminate retention of data. At the tense hearing in Schrems, the European Commission accepted that the indiscriminate nature of U.S. mass surveillance was violating fundamental rights, but argued that the infringement of citizens’ rights should be balanced with the need to protect trade relations. The CJEU will almost certainly follow the opinion and strike down the safe harbor policy.
While the Irish court had refused Digital Rights Ireland’s request to ask the CJEU if the decision is valid, the European judges made clear at the March hearing they are considering validity anyway. They undoubtedly have this power. The commission and governments gave the court no legal reason to uphold the decision: the commission’s “trade” defence has no basis in the EU’s Data Protection Directive. Under the long-settled Foto–Frost doctrine, only the CJEU can decide the validity of a commission decision: it cannot pass that buck back to the Irish court. The U.S. government’s warnings seem unlikely to sway the court. The U.S. knew all along that the CJEU has power to invalidate commission decisions breaching fundamental rights laws, just as the U.S. Supreme Court could invalidate an unconstitutional agreement of the US government. Whatever the court rules about the other issues, such as the powers of European data protection authorities, the safe harbor decision is very likely dead.
If the court does kill safe harbor, it will do so on the basis that U.S. law and practice does not comply with the EU Charter of Fundamental Rights. Under Article 8, “Everyone has the right to the protection of the personal data concerning him or her”. This applies to everyone whose personal data is held in the EU.
A new safe harbor decision from the commission would require fundamental change to EU or US law. There is zero chance of the EU states amending the charter: that takes an EU treaty, and even then the CJEU may not uphold the attempt. Change by the U.S. doesn’t require a constitutional amendment, but meeting the concerns raised by Bot seems almost impossible for U.S. lawmakers. Despite lobbying by the internet industry, and discussions on an Umbrella Agreement covering data protection in EU-US law enforcement cooperation, a trans-Atlantic meeting of minds looks impossible.
Should the CJEU overturn the safe harbor decision, the outcome is likely to drive fundamental reform and new litigation in several areas, including:
- challenges to the use of mass surveillance of personal data within EU member states;
- an overhaul of the current EU system of “binding corporate rules,” to address intra-corporate data transfers within and outside the EU, which may leave that data open to spying;
- attempts in consumer contracts to use “unambiguous consent,” waiving EU protection under Article 26(1)(a) of the Data Protection Directive.
Meanwhile, the case has already shaken up the internet. Shortly after the Schrems hearing, Twitter moved its non–North American accounts from the United States to Dublin, and Dropbox followed.
The Open Society Foundations support the work of Digital Rights Ireland, one of the parties before the Court of Justice in this case.
Simon Cox is the migration lawyer for the Open Society Justice Initiative.