Tuesday, October 06, 2015

CJEU Schrems, The Irish Data Protection Commissioner and Facebook

The Court of Justice of the European Union has today declared the EU-US Safe Harbour agreement, which facilitates the transfer of personal data from the EU to the US, invalid.

The Court opens by highlighting the provisions of the 1995 Data Protection Directive:
"Object of the Directive
1. In accordance with this directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."
Article 25 of the directive lays down the principles under which it may be permitted to transfer personal data to countries outside the EU, "a third country" (or countries), primarily that the third country offer "an adequate level" of data protection. The European Commission has the power to declare third countries compliant with EU standards but is obliged to engage in due diligence in accordance with the procedures outlined in article 31 of the directive, to ensure the requisite checks and balances are in place.

Under article 26, EU member states can sanction personal data transfers to third countries not yet in possession of the Commission's seal of approval under a specific set of circumstances e.g. if the person whose data is to be transferred agrees to it.

From an initial scan of the decision, it seems that the Safe Harbour agreement of 2000, declaring the US a safe third country for EU personal data transfers, has been declared invalid by the Court because the EU were not careful enough in checking out the US; and because untrammelled US mass surveillance practices would appear to make it an unsafe third country.

From paragraph 5, the Court outlines the Commission's Safe Harbour Decision 2000/520 (including the principles and US organisations' self-certification and dispute resolution processes) declaring the US a safe third country for personal data transfers. The agreement allowed US law to override Safe Harbour obligations. So if US law explicitly imposes an obligation on US organisations to process or transfer data in ways that would breach the Safe Harbour principles, it is ok for them to do so. The idea was to give US companies an exit when caught between conflicting legal obligations.

At the time, privacy advocates were unhappy with the Safe Harbour decision, accusing EU negotiators of folding in the face of US demands. Several reviews of the agreement, including this one by a group of internationally renowned scholars in the summer of 2007, have noted that the Safe Harbour scheme does not meet the requirements of the 1995 data protection directive or EU privacy standards. Documentary evidence on the mass surveillance practices of the US and UK governments, released to journalists by NSA whistleblower Edward Snowden in 2013, has given weight to those conclusions.

The CJEU gets to the Snowden revelations and the EU's response to them in paragraphs 11 to 25 of the Schrems decision. In a kind of an 'ooops, oh dear, those nice US Safe Harbour compliant companies are doing things they shouldn't be with EU data; but let's not upset them because it's the government's fault' realisation, the Commission issued Communication COM(2013) 846 final and Communication COM(2013) 847 final, noting that US mass surveillance (though they didn't call it that) "raises serious questions".

As our US cousins might say, you're darn tootin' it raises serious questions.

Paragraphs 26 to 36 deal with the Schrems complaint about Facebook to the Irish Data Protection Commissioner and the Irish High Court.

Schrems asserted that Facebook's data transfers to the US undermined his fundamental rights to privacy and the protection of his personal data, guaranteed by articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The Irish Data Protection Commissioner said "not my job, guv, get lost" but, even if it was, there was no specific evidence that the NSA had been playing with Mr Schrems's data.

Judge Hogan in the Irish High Court took a different view. Whilst accepting that electronic surveillance and interception "serve necessary and indispensable objectives in the public interest... the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies." [para 30 Schrems] Judge Hogan also noted that EU citizens have no effective right to be heard in relation to the "indiscriminate surveillance and interception" carried out on them on a large scale by US federal agencies like the FBI and NSA. Protections for privacy, fundamental rights and freedoms guaranteed by the Irish Constitution were essentially being undermined by indiscriminate and disproportionate mass surveillance by US authorities. On the basis of Irish law alone, the Irish Data Protection Commissioner was wrong to reject Mr Schrems's complaint.

Judge Hogan's view then brings the Commission's Safe Harbour decision of 2000 into play. Does that decision, certifying the US as a safe place for EU personal data, bind member states, obliging them to accept that certification; or can a data protection authority of a Member State independently examine the claim of a person concerning a breach of their rights by a third country, when the law and practices in the third country do not ensure an adequate level of protection? Additionally, given what we know from Snowden, Judge Hogan believes the Safe Harbour decision itself to be invalid, as the fundamental right to privacy would be rendered meaningless if "State authorities were authorised to access electronic communications on a casual and generalised basis without any objective justification based on considerations of national security or the prevention of crime that are specific to the individual concerned and without those practices being accompanied by appropriate and verifiable safeguards."

The Court's deliberations play out in paragraphs 37 to 107.

The fundamental rights to privacy and data protection have been affirmed and re-affirmed by the Court time and again (Österreichischer Rundfunk and Others, Google Spain and Google, Ryneš, Rijkeboer, Digital Rights Ireland and Others). The independence of national supervisory authorities is an important element in protecting those rights in practice. They are obliged, however, to balance those rights against the interests of those requiring free movement of data, and they have no power over the processing of data once it has been transferred to another country. They do have an obligation, under articles 25, 26 and 28 of the 1995 directive, to monitor the transfer of data to a third country and ensure it complies with EU standards. Transfers may only be effected where the country the data is being sent to offers an "adequate level of protection".

Member states or the Commission may assess and determine whether the protections offered by a third country are adequate. When the Commission decides that a third country provides adequate protections, that decision is binding on member states until it is declared invalid by the CJEU. But that Commission decision cannot prevent EU citizens from pursuing a claim through the national supervisory authorities and, if necessary, the national courts, if they have reason to be concerned that their fundamental rights are being undermined by the transfer to and processing of their personal data in a third country. If the national courts consider the complaint well founded, as Judge Hogan did in the Schrems case, they must refer it to the CJEU.

Bottom line - even if the Commission white-lists a country like the US, that does not prevent national data protection authorities from investigating, or national courts from hearing, an individual's complaint. And if an individual, like Mr Schrems, has a legitimate complaint, then it may be referred to the CJEU, and the Commission's decision approving the US as a privacy-respecting jurisdiction may itself be reviewed [exclusively] by the Court of Justice.
"66 Having regard to the foregoing considerations, the answer to the questions referred is that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection."
Paragraphs 67 to 106 review the validity of the Commission's Safe Harbour decision and constitute another CJEU warning over US and UK mass surveillance practices and the tepid European Commission response to these, following in the tradition of the Google Spain and Digital Rights Ireland cases from 2014.

Short version: the Commission failed totally in its obligation to ensure that the laws and international obligations of the US actively respected the privacy rights of EU citizens when it approved the US as a trusted data protection nation in its Safe Harbour decision of 2000. US organisations were permitted approval under a Safe Harbour self-certification scheme which had no effective US public authority or legislative oversight (the US Federal Trade Commission's oversight being restricted to commercial disputes relating to unfair or deceptive practices in or affecting commerce, and not the legality of interference with fundamental rights) and no remedies for individuals concerned about the potential abuse or misuse of their personal data. Not only did it fail, the Commission didn't even bother to check, but eventually did get round to admitting, once the Snowden revelations emerged, that there might be "serious questions" over the Safe Harbour agreement.

Additionally, the Commission, in the Safe Harbour decision, exceeded its authority in attempting to nullify national data protection authorities' powers to enable individuals to raise concerns about the processing of data in Commission-approved third countries like the US.
"86 ... Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them. ...
88 In addition, Decision 2000/520 does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security.
89 Nor does Decision 2000/520 refer to the existence of effective legal protection against interference of that kind...
92 Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 52 and the case-law cited).
93 Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail ...
94 In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
95 Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter...
96 As has been found in particular in paragraphs 71, 73 and 74 of the present judgment, in order for the Commission to adopt a decision pursuant to Article 25(6) of Directive 95/46, it must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, a level that is apparent in particular from the preceding paragraphs of the present judgment.
97 However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.
98 Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid...
99 ... national supervisory authorities must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him. That is in particular the case where, in bringing such a claim, that person raises questions regarding the compatibility of a Commission decision adopted pursuant to Article 25(6) of that directive with the protection of the privacy and of the fundamental rights and freedoms of individuals...
102 The first subparagraph of Article 3(1) of Decision 2000/520 must ... be understood as denying the national supervisory authorities the powers which they derive from Article 28 of Directive 95/46, where a person, in bringing a claim under that provision, puts forward matters that may call into question whether a Commission decision that has found, on the basis of Article 25(6) of the directive, that a third country ensures an adequate level of protection is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
103 The implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 does not confer upon it competence to restrict the national supervisory authorities’ powers referred to in the previous paragraph of the present judgment.
104 That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the Charter, and that Article 3 of the decision is therefore invalid.
105 As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety.
106 Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid."
The Court concludes that the Safe Harbour Decision 2000/520 is invalid.

I would just repeat paragraph 93 for emphasis: "Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail".

So, in summary, national data protection authorities and national courts can review claims of abuse of personal data by third countries, and the Safe Harbour EU-US agreement, Decision 2000/520, is invalid.
"On those grounds, the Court (Grand Chamber) hereby rules: 1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
2. Decision 2000/520 is invalid."

Update: Peter Swire, who was one of the US expert negotiators when the Safe Harbour provisions were agreed, yesterday criticised the CJEU Advocate General's opinion in the case as suffering from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. He particularly emphasises changes to US law since the original Snowden revelations and notes with approval that the PRISM program is governed by Section 702 of the law enacted in 2008 to amend the Foreign Intelligence Surveillance Act. I suspect, given s702's 'guilty of being a foreigner' provisions, Caspar Bowden would have had a few words to say on the subject.

The full court doesn't get into the intricacies of PRISM, but it does hint strongly that Kafkaesque mass surveillance, without any remedy available to those affected, undermines the rule of law.

Update 2: Daniel Solove does a really accessible analysis of the Court's decision and its possible implications. I suspect he over-estimates the likely impact of the coming revisions to EU data protection laws, given the giant privacy-avoidance loopholes built into the draft general data protection regulation. But it is still essential reading.

Update 3: I also highly recommend Andres Guadamuz's analysis of the case.

Update 4: Some typos plus one error relating to the FTC corrected. There follow links to EU Commission/Parliament reviews of Safe Harbour in 2002 and 2004 and the post-Snowden reviews of 2013: COM(2013) 846 final, Rebuilding Trust in EU-US Data Flows, and COM(2013) 847 final on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU.