Is the CJEU approach in Schrems ‘striking down’ the EU Safe Harbour rules

Is the CJEU approach in Schrems ‘striking down’ the EU Safe Harbour rules

Given concerns about US surveillance, are laws applicable to data transferred, the proper ones? In a thorough legal analysis, leading civil liberties Counsel suggests the requirement of equivalent protection is, in fact, met. Michael Drury writes.

 

In an opinion made public today – see http://on.ft.com/1ntWZbJ and a full version of which is posted here – leading human rights QC Geoffrey Robertson, has suggested that the Schrems ruling entirely accepted “facts” stated by the Irish High Court.  The Court had not examined US law but had endorsed the revelation by Edward Snowden that PRISM and other programmes had enabled the NSA to engage in bulk or “generalised” collection of such data without being bound by any laws or rules relating to data processing. As a consequence the Court of Justice of the European Union (“CJEU”) ruled that data transfers to a third country were prohibited under European law unless that country’s domestic law “ensured an adequate level of protection”, which is “essentially equivalent” to what it assumed to be a “high level of protection” guaranteed within the European Union by the Charter of Fundamental Rights. The ruling begs the question – which neither the Court nor its Advocate General addressed – of what “adequacy” means in terms of the actual protections, “essentially equivalent” to those in European law, which must be provided by US law before European data can ride safely at anchor on a server located in America.

Roberts‎on conducts a thoroughgoing analysis of US Foreign Intelligence Surveillance (“FISA”) legislation, including the FISA Amendment Act and its applicability, and charts crucial policy developments, including the US Presidential Policy Directive number 28 concerning the applicability of US safeguards to those outside the US.

‎Robertson concludes:

In sum, looking at the present position in relation to national security data collection in the US and comparing it with the European equivalent, Europeans have more real protection in the US than they do at home. For example, Europeans have very little protection against national security surveillance from the ECHR, given its ‘fairly wide’ margin of appreciation doctrine. European law does not necessarily require court approval for it, and European governments have no clear prohibition against spying on foreigners.  In some respects, US standards are not “essentially equivalent” but effectively superior.

The US has an impressive array of privacy safeguards, and it has even imposed new ones that protect citizens of every country. Despite their weaknesses, these safeguards are still the strongest in the world…the US government should urge other countries to follow its lead.

Although it is true that the European Union has more detailed rules concerning the processing of ordinary data than the US, in respect to intercepting and procuring data on national security grounds it offers very little protection, and these protections are (in France and the UK) likely to reduce even further. It is in the context of the national security exemption that the Schrems exercise must be conducted. It does not call for some general comparison between laws relating to privacy or to data protection generally: it requires a more sophisticated assessment of the adequacy of the law and practice relating to secret surveillance on the grounds of national security, taking into account the factors listed in Article 25(2) of Directive 95/46 which include the purpose of the operation (e.g. gathering information relevant to international terrorism), the nature of the third country (an ally in NATO, and in combating terrorism) and the “professional rules and security measures which are complied with” by virtue of PPD-28 and its associate regulations.

In this respect, European courts cannot ignore the importance of the US intelligence agencies to their own security.  International terrorism is a blight in Europe, as the Paris and Madrid atrocities demonstrate, and information from the NSA, which is usually volunteered to its European counterparts, may save lives.  Article 8 expressly permits derogation when this is necessary in the interests of national security and public safety.  The PCLOB report anxiously interrogated the value of PRISM …”.

The opinion also examines the other methods by which personal data can safely ‎be exported from the EU in accordance with Directive 95/46.

Robertson’s opinion provides a balanced and properly argued ‎approach to the vexed question of how data transferred outside the EU can be protected in accordance with EU law and yet properly be accessed where justifiable national security concerns are applicable. Whilst national security agencies within the EU member states are surely likely to be resistant to the notion that national laws within the EU do not provide sufficient protection, Robertson’s opinion poses a real alternative to the suggestion that the US does not offer adequate data protection in the national security context.

It provides real food for thought for the Irish Data Protection Commissioner and other data protection supervisors throughout Europe as they seek to give effect to the Schrems judgment.

Michael Drury, a partner at BCL, is an acknowledged expert on national security law and the law relating to interception. He has worked with many ‘tech companies’ in this field, including Facebook.