On September 23rd, one of the most eagerly awaited legal opinions of an ECJ Advocate General was finally delivered, and it has been warmly welcomed by the whole community of data protection and privacy supporters and activists. “After fifteen years of criticism from academics, from privacy advocates and from independent studies, the Advocate General of the European Court of Justice has confirmed what we already knew”, Heini Järvinen stated on European Digital Rights.
The opinion concerns the controversy between Europe and Facebook, embodied in Max Schrems’ case. It is not an ordinary court case but, to a great extent, a political one, triggering reactions not only from the parties directly involved, but also from the digital community and the European institutions. The case will certainly have an impact on the trialogue phase of the Data Protection Reform that is currently under way in the EU, and it will have far-reaching consequences for EU-US relations. The two partners have already undertaken negotiations in order to review and update the “invalid” system, a system whose suspension the Parliament had already called for a year and a half ago.
How will the Commission behave after this preliminary, non-binding opinion that, nevertheless, confirms the Parliament’s position on Safe Harbor?
“The Commission ought to have suspended the decision”, the Advocate General stated in his opinion.
The Safe Harbor system
According to European law, and in particular art. 25 in Chapter IV of the EU Data Protection Directive, “the transfer to third countries of personal data … may take place only if … the third country in question ensures an adequate level of protection of such data”. The directive also prohibits transfers to countries that do not provide such a level of protection. The adequacy of non-EU third countries has to be decided by the Commission.
Pursuant to this directive, in the year 2000 the Commission adopted the Safe Harbor Decision, automatically recognizing as “adequate protection” the guarantees provided by all American companies signing up and committing to the agreed Safe Harbor principles. The decision thus provides a legal basis allowing the free transfer of commercial data to the US by those companies that commit to, and self-certify their compliance with, the principles laid down by the decision. “Safe Harbor Privacy Principles, implemented in accordance with the guidance provided by the frequently asked questions, are considered to ensure an adequate level of protection for personal data transferred from the European Union to undertakings established in the United States” states art. 1 of the Decision.
Moreover, according to the principle of onward transfer, information can be transferred to third parties only if they too fulfill the requirements of adequacy envisaged by the Decision. The principles of Notice and Choice need to be applied: individuals must be informed by the organization about the purpose for the collection and use of data, as well as the type of third parties to which information is disclosed, and they should be given the option to choose whether their personal information is to be disclosed to a third party or used for a different purpose.
Adherence to the Safe Harbor principles can be limited for purposes of “national security”, or by “statutory law” that creates conflicting obligations or explicit authorizations, provided that the exercise of such authorization is limited to meeting the legitimate interests.
Signing up by American companies is voluntary, and once a company has subscribed, the rules are binding.
Among the companies that signed up to the principles and are actually considered safe and respectful partners are Facebook, Microsoft, Google, Yahoo and YouTube: companies that, whether or not they have European subsidiaries, collect data and information within the EU and outsource them to the US. According to E. Snowden’s revelations, these companies were involved in the PRISM surveillance system built by the American NSA which, on the basis of a public-private partnership, enjoyed unrestricted access to mass data collected and stored on those companies’ servers.
Yet these same companies, in line with the Commission Decision, provide adequate protection to citizens’ exported data, since they self-certify their conformity with the Safe Harbor Privacy Principles. Clearly, we are faced with two facts that openly clash.
Since 2011, Max Schrems, an Austrian Facebook user, has filed a series of complaints with the Irish Data Protection Commissioner. According to Schrems’ opinion, “Facebook is simply ignoring European laws.”
All citizens of countries other than the US and Canada, when opening a personal account on Facebook, sign a contract with “Facebook Ireland Limited”, a subsidiary of the American company “Facebook Inc” based in Dublin and therefore subject to Irish and European law. “Facebook Ireland”, in fact, does not carry out any data processing, since all European users’ data are outsourced to and processed by “Facebook Inc”, based in Menlo Park, California.
“I was studying in the US and met with guys from Facebook in law school. Their understanding of the European privacy law was very different from what Europeans understood under our law … I wrote a paper on privacy and Facebook and, after I came back to Europe, I agreed with a couple of friends that we should have sent my findings on the authority of Ireland.”
“We also got copy of our user data … I filled out the online form and had to insist on getting a copy. After a couple of e-mails we got a CD each, from California. There was a simple PDF file on them, that had up to 1.200 pages … Facebook is tracking your hardware, keeping deleted friends or calculating your last location. You never see this information on facebook.com.” In the documents Schrems went through, he found a lot of apparently deleted data. “Facebook is holding a list of removed friends or it is keeping all deleted messages and deleted wall posts. Some of the messages include very sensitive information. I think it is a scandal that they tell users that they can easily remove all content if they wish to do so, but in fact they’re still keeping it.”
On June 25th 2013, he filed the so-called “PRISM” complaint, asserting that “Facebook Ireland”, by forwarding data to the NSA via “Facebook Inc”, is violating European law, which allows data export only if there is “adequate protection”. Schrems essentially claimed that, in line with E. Snowden’s revelations and the leaked documents published by the Guardian and the Washington Post in June and July 2013, the protection of data provided by the US does not comply with the Irish Data Protection Acts and European law.
As stated in the text of the complaint, the use of commercial data for investigative purposes constitutes a breach of the principle of purpose limitation, while the generalized data transfer, not restricted to suspicious persons and on a case by case basis, clashes with the principle of proportionality.
With regard to the exceptions envisaged by the Safe Harbor system, moreover, the definition of “national security” is too wide and lacks the clear limitations that are fundamental to the necessary balance between the derogation and respect for fundamental rights (right to privacy, right to data protection). This makes any form of onward mass transfer of personal data from an American processor to US authorities totally legal under European law. “Such mass surveillance would also be legal without any reasonable suspicion, without judicial overview and without any adherence to the fundamental rights.”
Indeed, there seems to be a formal legal basis in the US authorizing such operations for “national security” purposes. Section 702 of the Foreign Intelligence Surveillance Amendments Act (FISA) of 2008, allowing the “acquisition of any type of information on persons reasonably believed to be non-US persons overseas”, constituted the authority for the PRISM program. It is on the basis of this provision that the National Security Agency, under certification of the FISA court, was enabled to “target any non-US citizen or non-US legal resident located outside the territory of the US for surveillance”. The surveillance carried out by the NSA relies on a large percentage of internet traffic that is directly collected at the base roots of the communication infrastructures, while the remaining data are collected through extraction from private companies’ servers.
Thus, it is not difficult to outline the general picture: transfer and extraction in bulk of European users’ data, without their consent, knowledge or authorization, and under a legal framework lacking judicial remedies.
The relevant issue here, which leads us to the core paradox of the question, is that the Irish Data Protection Commissioner refused to investigate the case. According to the national authority, Schrems’ complaint was “unsuitable in law”, since the authority itself is bound by the Commission Decision on the Safe Harbor scheme, under which the US is considered to provide an adequate level of protection.
“We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered”, the Data Protection Commissioner stated.
But if the US employs data for mass surveillance, this is hardly what should be meant by “adequate protection”. Doesn’t it sound like a perverse dynamic?
The refusal of the Data Protection Commissioner, which came despite legal arguments made by other EU data protection authorities and also by the European Parliament, was then challenged by the plaintiff at the Irish High Court. In June 2014 the Court referred the case to the European Court of Justice.
The Irish Court asked whether the Commission Decision on the adequacy of the US data protection regime had a binding or non-binding effect on the independent national authorities in charge of data protection, such as the Irish one. The core question, therefore, was whether the Decision could prevent those actors from investigating and suspending the transfer of data, thereby challenging the Commission’s assessment.
The Advocate General of the European Court of Justice delivers his opinion
The opinion of the Advocate General, Yves Bot, proposes that the Commission decision definitely does not prevent any national independent authority from investigating complaints and deciding whether to suspend the transfer of data, if necessary.
The power of national supervisory authorities cannot be eliminated or reduced: “if the national supervisory were absolutely bound by decisions adopted by the Commission, this would inevitably limit the total independence to which they are entitled under the directive”, the Advocate clarified.
Striking down the paradox of the system, he added: “A Commission decision does, admittedly, play an important role in ensuring uniformity in the conditions governing transfers that are applicable within the Member States, but that uniformity can continue only while that finding is not called into question”.
The Irish Data Protection Commissioner, like all equivalent national independent authorities, has the duty to investigate and the power to suspend the transfer of European Facebook users’ data to the US.
The Advocate General then went further in his opinion, stating that “the Commission decision is invalid”. Schrems’ case makes the headlines, while relations between the two transatlantic partners, as well as the European inter-institutional dynamics, stagger.
“It is apparent from the finding of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection. Those findings of fact demonstrate that the Commission decision does not contain sufficient guarantees.”
The problem arises mainly from the use made by United States authorities of the derogations provided in the Decision. The “wording is too general”, thus allowing the derogations to be implemented without being limited to what is strictly necessary. Moreover, EU citizens “have no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected and then transferred to the US”.
As a matter of fact, European Facebook users’ personal data are currently being transferred to the US on the basis of a system whose implementation does not fit the principles of the European Directive on Data Protection and of the European Charter of Fundamental Rights. The application of the derogations to the Safe Harbor Privacy Principles, indeed, interferes with European law provisions, given the large number of users concerned, the quantity of data transferred, the secret nature of the US authorities’ access to those data and the fact that citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data.
The Advocate, in particular, made reference to art. 7 and 8 of the Charter, stating the principles of respect for private and family life and protection of personal data, as well as to art. 47, establishing the right to an effective remedy and to a fair trial for everyone.
The Advocate General’s Opinion is not binding on the Court of Justice. In most cases, however, the Court’s judgments are in line with the Advocate’s opinions.
The European Commission: a hard blow to its credibility?
After E. Snowden’s disclosures, the Commission was immediately invited to suspend Safe Harbor. A formal invitation came from the European Parliament in March 2014, through the approval of its resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs.
“Suspending Safe Harbor, until a full review has been conducted and current loopholes are remedied”, was one of the actions of the so-called ‘European Digital Habeas Corpus – protecting fundamental rights in a digital age’ that the Parliament launched together with many other recommendations included in the resolution text.
In January 2015, however, Claude Moraes’ Working Document on the follow-up of the LIBE Inquiry on Electronic Mass Surveillance of EU Citizens noted not only that the system was still effectively and actively maintained, but also the long delay in the negotiation process undertaken by the Commission in order to revise it. “The suspension of the Safe Harbor is an option considered by the Commission if there is no satisfactory solution to problems identified by the Commission”, the Document stated, reporting the words of Vice-President designate Ansip during a parliamentary hearing.
The reform of the system, which requires the implementation of 13 Safe Harbor recommendations set out by the Commission in a memorandum dating back to November 2013, is still under negotiation with the US. In June, the Commission declared that much progress had been achieved on the commercial aspect of the agreement, while the EU was still waiting for further clarifications on the role of the Intelligence Services and their prerogatives in accessing data: for obvious reasons, the most controversial aspect of the question.
The Commission only briefly responded to the Advocate’s conclusions, by remarking its will to finalize the reform as soon as possible. Still, no formal proposal for the suspension was advanced.
As reported by the Parliament magazine, Christian Wigand, European Commission spokesperson for justice, did not comment on the substance of the case, but affirmed that the Commission is “working tirelessly with the US, to reach an agreement under which all exchanges of personal data for law enforcement purposes will be governed by strong data protection rules”.
MEPs’ and Digital Europe reactions
Jan Philipp Albrecht (Greens/EFA), a vice-president of the LIBE committee and rapporteur of the Data Protection Reform, warmly welcomed the opinion of the Advocate General, hoping that it could provoke an immediate response from the relevant authorities in Europe. “It is unacceptable that the European Commission has ignored this demand for a year and a half. It is now time for the Commission to finally suspend Safe Harbor”, the deputy affirmed in a press release on the same day. He also directly called into question the Irish Data Protection Commissioner, who “must immediately move to prevent any further data transfers to the US by Facebook”.
The need for clearer and more robust rules for data protection, highlighted by the deputy, was shared by Timothy Kirkhope (ECR). Along the same lines are the declarations made by Sophie in ’t Veld (ALDE), who urged the Commission to present to the Parliament a response to the opinion of Advocate General Bot.
Across the European political environment, the Advocate’s conclusions received general support, while DIGITALEUROPE, which represents the digital technology industry, expressed its concerns about the possible disruption of international data flows under the Safe Harbor system, which is used by about 4.500 companies. “It would also frustrate the creation of the Digital Single Market in Europe because it would fragment Europe’s approach to data flows out of the EU”, the Director General of DIGITALEUROPE said.
At what price and to what extent are we willing to sell our rights to privacy, to data protection and right to be forgotten?
After 9/11, Intelligence Services have seen their powers and scopes gradually increase, also thanks to the key role of new and modern technologies, that have contributed to the digitalisation of human activities and enlarged the magnitude of surveillance.
As stated in a study of the Policy Department of the European Parliament, the FISA court, a formal judiciary body originally conceived to counterbalance the prerogatives of the American Intelligence Services, has seen its powers significantly reduced after the launch of the war on terror. Moreover, the court’s prerogatives remain narrowly restricted to the protection of US citizens. “The current PRISM and other NSA activities and their relations with private companies in the US further illustrates the limitations of powers of the judiciary over the intelligence activities, as well as the difficulty to implement parliamentary oversight over such activities, including the participation of private actors having a global reach in surveillance.”
In this process of evolution, limitations in time and scope and the principle of proportionality remain fundamental and imperative elements for the fair functioning of surveillance systems. Democratic and judicial control still lie at the core of Intelligence Agencies’ activities and powers in democratic regimes, where those who are controlled (citizens) need to keep their eyes on the controllers. “It is precisely the purpose and the scale of surveillance that differentiates democratic regimes from police states.”
Data protection, the right to privacy and national security are not mutually exclusive, and this is a matter of fact under the European rule of law. Article 6 of the European Charter of Fundamental Rights, indeed, puts the principles of liberty and security next to each other, by stating that “everyone has the right to liberty and security of person”. Then, it is only a question of striking the right balance.
For further information
-. MAX SCHREMS N’EST PLUS SEUL : CINQ AUTORITÉS NATIONALES ENQUÊTENT SUR FACEBOOK ! http://europe-liberte-securite-justice.org/2015/04/20/max-schrems-nest-plus-seul-cinq-autorites-nationales-enquetent-sur-facebook/
-. Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce
-. Safe Harbor privacy principles
-. Opinion of Advocate General Bot, 23 September 2015 – Case C-362/14 Maximilian Schrems v Data Protection Commissioner
-. Press Release on the Advocate General’s Opinion in Case C-362/14, Maximilian Schrems v Data Protection Commissioner
-. National programmes for mass surveillance of personal data in EU Member States and their compatibility with EU law
-. The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU(2015)519215_EN.pdf
-. The High Court Judicial Review between: Maximilian Schrems and Data Protection Commissioner, Record No. 20131765/JR http://europe-v-facebook.org/JR_Grounding_Documents.pdf
-. Complaint against Facebook Ireland Ltd – 23 “PRISM” http://www.europe-v-facebook.org/prism/facebook.pdf
-. Legal Procedure against “Facebook Ireland Limited” http://europe-v-facebook.org/EN/Complaints/complaints.html
-. DPC cannot identify legal basis to deny PRISM investigation http://www.europe-v-facebook.org/DPC_PRISM_all.pdf
-. Data protection/Facebook ‘Safe Harbor’ must be immediately suspended by EU Commission http://www.greens-efa.eu/data-protectionfacebook-14532.html
-. DIGITALEUROPE reaction to the Advocate General’s opinion in the case Schrems Vs the Irish Data Protection Commissioner http://www.digitaleurope.org/DesktopModules/Bring2mind/DMX/Download.aspx?Command=Core_Download&EntryId=1015&PortalId=0&TabId=353
-. EU court threatens US-EU data sharing agreement https://www.theparliamentmagazine.eu/articles/news/eu-court-threatens-us-eu-data-sharing-agreement
-. WORKING DOCUMENT on the Follow-up of the LIBE Inquiry on Electronic Mass Surveillance of EU Citizens Committee on Civil Liberties, Justice and Home Affairs Claude Moraes http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/9_1046563/9_1046563en.pdf
-. COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL – Rebuilding Trust in EU-US Data Flows http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf