Transatlantic data transfers and privacy protection: an ongoing battle

A meaningful legal response would be the establishment of global privacy standards – a ‘new universal law on surveillance’. Undoubtedly, EU law and case law could provide a guiding light.

Valsamis Mitsilegas and Niovi Vavoula
23 April 2017

[Image caption: Joseph Cannataci, the new UN Special Rapporteur on the Right to Privacy.]

In an era of ‘big data’ and mass surveillance revelations, it appears that everything is data and data is everything.

Everyday activities, such as travelling or using different means of communication, generate data that may be accessed by law enforcement authorities, not only within the EU, but also shared with US officials on the other side of the Atlantic.

It goes without saying that this ‘collect-it-all’ mentality, as Lyon puts it, places an enormous burden on the fundamental right to privacy, as enshrined in Article 7 EUCFR and Article 8 ECHR, which according to some sceptics is already dead anyway.

In this context, we aim to highlight two main points: the emergence of a global level playing field on privacy through the development of transatlantic agreements; and the challenges to such developments, including US efforts to circumvent data protection provisions with a view to expanding their extraterritorial reach.

Transatlantic data exchanges: towards a global level playing field on privacy

The long-standing viewpoint of the EU, now entrenched in Article 45 of the General Data Protection Regulation, is that transfers of personal data from the EU to third countries may take place solely if that country provides an adequate level of privacy protection.

With regard to the US, the traditional approach has been one of presumed trust, whereby both the EU and the US mutually recognise their privacy standards.

Nevertheless, this declaration of trust was challenged in Schrems, where the CJEU declared the EU-US Safe Harbor Commission Decision invalid. That Decision had explicitly asserted that US data protection rules provide an adequate level of protection. Whilst not referring to the NSA revelations as such, the concerns stemming from the possibility of mass surveillance on the part of the US underpin the Court’s reasoning. Firstly, the Grand Chamber defined the meaning of adequacy in EU law and identified the means of assessing it. It set a particularly high threshold for transfers of data by proclaiming that the requirement of adequacy should be understood as requiring the third country to ensure a level of protection ‘essentially equivalent’ to that guaranteed under EU law (para 73).

The Court explained that, without such a requirement, the objective of ensuring a high level of data protection would be disregarded, since that high level of protection could easily be circumvented by transferring personal data from the EU to third countries for processing there. Secondly, it affirmed that adequacy decisions are subject to rigorous periodic review, particularly where evidence gives rise to doubts that the level of protection remains adequate (para 76).

Of particular importance in this respect are any circumstances that may have arisen after the adoption of the decision (para 77). Based on these general principles, the Grand Chamber found that the level of protection in the US was inadequate, because public authorities could have access on a generalised basis to the content of electronic communications of all persons whose data had been transferred from the EU to the US, without any differentiation, limitation or exception, which compromises the essence of privacy as guaranteed by Article 7 of the Charter. By reiterating and expanding its Digital Rights Ireland pronouncements, the CJEU clarified that generalised, mass and unlimited surveillance is contrary to privacy and data protection.

Privacy Shield

The judgment in Schrems has made its way into jurisprudential history as a privacy victory resulting in the Safe Harbor Agreement being replaced by the substantially more detailed Privacy Shield, which was adopted on 12 July 2016.

The new framework brings more clarity as regards the data protection obligations on companies importing data from the EU (such as notice obligations, data retention limits, access rights and security requirements), contains additional safeguards on US access to the data, provides more effective protection and redress for individuals (via the companies themselves or the EU Data Protection Authorities), and establishes an annual joint review, conducted by the Commission and the Department of Commerce, to monitor compliance with the Agreement. Whilst the Privacy Shield constitutes a significant improvement in comparison to the previous regime, privacy challenges remain. As the Article 29 Working Party has pointed out, specific rules on automated decisions and a general right to object are missing, and stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism would have been appropriate.

Importantly, the key aspect of the Schrems judgment regarding bulk data access and indiscriminate surveillance has not been adequately addressed, due to a lack of concrete assurances on the part of US officials.

Umbrella Agreement

The adoption of the Privacy Shield was not the sole development of last year in this field. The first text of a transatlantic agreement on privacy, known as the ‘Umbrella Agreement’, was concluded in December 2016 and entered into force on 1 February 2017, after four years of lively discussions.

The Agreement prescribes data protection standards for the transatlantic exchange of personal information in relation to the prevention, detection, investigation or prosecution of criminal offences, including terrorism, with a view to ensuring ‘a high level of protection of personal information’ whilst enhancing cooperation between the US and the EU and its Member States (Article 2).

A series of data protection safeguards are included such as a prohibition of data transfer to third parties without the consent of the relevant EU body (Article 7), and limits to the retention periods of the transferred data (Article 12). However, perhaps the most important safeguard – and one much negotiated – is the fact that EU citizens will be entitled to seek the enforcement of their privacy rights before US Courts (Article 19).

Although originally the US refused to grant judicial redress and insisted on administrative redress only, the Judicial Redress Bill passed the House of Representatives in October 2015 and was signed into law in February 2016. Even so, the ‘Umbrella Agreement’ seems to disregard the CJEU’s pronouncements in Digital Rights Ireland and Schrems, not only by maintaining the presumption that the US data protection regime complies with the EU one, but also by allowing the onward transfer of data to ‘other authorities’, including ‘authorities of constituent territorial entities of the Parties not covered by this Agreement’ (Articles 6(2), 14(1) and (2) and 20(1)(b)).

Furthermore, even though the Agreement refers to ‘effective oversight’, the US will meet this requirement ‘cumulatively’ – that is through more than one authority, which does not meet the independent supervision requirements of EU law, including the Charter of Fundamental Rights (Article 21(3)).

As for judicial redress, its availability is subject to any requirement that administrative redress first be exhausted (Article 19), and it may be used only to address violations of the Agreement, not to challenge the lawfulness of data processing as a whole. Besides, judicial redress is available only to citizens of the parties to the Agreement, which falls short of the ECHR, whose protection extends to everyone within a State’s jurisdiction regardless of nationality.

Mass surveillance moves in

The aforementioned developments highlight three interrelated issues. First, the CJEU has emerged as a quasi-constitutional court and a guardian of privacy and data protection rights, with a key role in establishing a global privacy regime of a high standard. Secondly, the role of the Court is nonetheless not enough, since the legislation adopted in the aftermath of judgments such as Schrems, though a noticeable improvement, still falls short of EU privacy standards. Third, a recurring competition between the EU and the US to impose their respective privacy standards has resulted in the EU privacy regime being sidelined in favour of the US model, which is based on mass surveillance and bulk processing of data in a generalised manner.

This highly permissive model is also illustrated by the US practice of bypassing existing arrangements in order to gain direct access to personal data held by private entities in the EU.

Extraterritorial access to private companies’ data by law enforcement authorities

A key case for understanding how the US authorities have attempted to bypass the already relaxed data protection provisions with a view to having access to private data is the Microsoft Corp. v United States saga.

The case arose in 2013 when Microsoft refused to disclose the contents of an email account to the US authorities, despite being mandated by a search warrant, on the basis that the US court could not compel Microsoft to do so because the data were stored in Ireland and in any case the data were owned by the email user, rather than the company as such.

The US government argued that there was no conflict of laws and that the US retains the authority to order an entity within its jurisdiction to repatriate records. According to this view, Microsoft, as a US-based company, enjoys a “corporate citizenship” which involves some responsibilities, including the duty to comply with a disclosure order issued by a US court. In 2014, a federal magistrate judge and then the District Court for the Southern District of New York disagreed with Microsoft and ordered it to turn over the emails, but Microsoft won on appeal before the Court of Appeals for the Second Circuit in July 2016. Although the Government requested a rehearing, the Second Circuit’s denial of that request in January 2017 marked, for now, the end of the Microsoft saga.

Undoubtedly, the fundamental problem with the US approach lies in the fact that it completely disregards and circumvents the formal and mandatory procedure of a mutual legal assistance request, as prescribed in the dedicated legal instrument, the EU-US Mutual Legal Assistance Treaty (MLAT), signed in 2003 alongside a parallel transatlantic Agreement on extradition, which must be interpreted in conformity with the Charter and the Court's case-law in Digital Rights Ireland, Schrems and Watson.

As Digital Rights Ireland Limited has eloquently pointed out:

‘[a]dopting the US position would allow the US government unilaterally to substitute US court compulsion for the balancing process represented by the MLAT information request procedures’.

The US counter-arguments in this respect are that using MLATs would not be effective, as the data could quickly be moved to a different country and because mutual legal assistance procedures are lengthy and do not result in a prompt disclosure of records.

Remarkably, by opting for direct access to the data, the US authorities wish to circumvent an agreement which is problematic on its own merits, with rather weak provisions on data protection and privacy. For example, Article 9 aims at facilitating the exchange of data between the US and the EU to the broadest extent possible, despite their differences in privacy protection. Furthermore, key principles of data protection law, such as purpose limitation, are nullified by the broadly worded purpose of the Agreement. Another point of concern is Article 9(4), which allows a State to apply the use limitation provision of the applicable bilateral mutual legal assistance treaty instead of Article 9 of the Agreement, where doing so would result in less restriction on the use of the information.

To conclude

This briefing attempts to highlight the ongoing tension between the need to ensure effective law enforcement whilst safeguarding the privacy of individuals to the greatest extent possible on the basis of the high EU standards.

We want to draw attention not only to the legitimisation of the American model of surveillance through transatlantic cooperation, but to the current struggle taking place – even with a little help from the Courts – to provide an effective protection of privacy.

A meaningful legal response in this respect would be the establishment of global privacy standards, in the form of a ‘new universal law on surveillance’[1], as the UN Special Rapporteur on the Right to Privacy in a Digital Age, Joseph Cannataci, frames it. Undoubtedly, EU law and case law could provide a guiding light in this respect, by requiring the prohibition of mass and indiscriminate surveillance already from the stage of data collection, and mandating a comprehensive legal framework regarding the extraterritorial reach of the State and the extraterritorial application of human rights.

[1] Digital Surveillance ‘worse than Orwell’, says new UN privacy chief, the Guardian, 24 August 2015.
