Facebook, the NSA and Data Protection: not so ‘frivolous and vexatious’ anymore? [i]

A look at the Advocate General’s opinion in Maximillian Schrems v Data Protection Commissioner.

Your average Facebook-using EU resident, whilst often being blissfully unaware of the laws that apply to his or her personal data acquired by Facebook, has probably shown some concern about privacy rights, especially since the 2013 Snowden revelations. Then a young Austrian law student, Maximillian Schrems decided to take this concern further and in 2013 lodged a complaint with the Irish Data Protection Commissioner about Facebook transferring EU residents’ personal data to the US, where, he asserted, it was insufficiently protected. The complaint was rejected, and the case went before the Irish High Court and eventually the Court of Justice of the European Union (CJEU). CJEU Advocate General Yves Bot (AG) issued an opinion on 23 September, advising the Court in how to decide upon the case. Privacy activists, including Schrems, have welcomed this opinion and commentators are now rushing to speculate what the consequences will be. Whatever the eventual outcome, the AG’s opinion is in line with recent CJEU decisions that emphasise the importance of the fundamental right to data protection over other rights, freedoms, concerns and/or interests.

Schrems’ Concerns

Schrems claimed US privacy laws offered no protection from security agencies using EU citizens’ data for mass State surveillance. He also sought to highlight the general failings of the 2000 US-EU Safe Harbour agreement at ensuring EU residents’ data adequate protection when processed in the US. The Safe Harbour agreement purports to ensure that US companies apply EU-level data protection standards, which are more stringent than those in the US, to EU personal data when it is exported to the US. US companies can join the Safe Harbour agreement voluntarily; they then self-certify their compliance with its provisions. It has always been controversial. In March 2014, the European Parliament called for its suspension. The European Commission is currently attempting to renegotiate the agreement.

The Advocate General’s Opinion

The AG considered two questions on (i) the powers of national supervisory authorities – those who monitor how Member States implement EU data protection law – and (ii) the validity of the Safe Harbour agreement.

Firstly, he argued that the relevant national supervisory authority can investigate and, if necessary, suspend transfers from the EU to a third State. The authority could do this based on the Data Protection Directive read in light of EU Charter on Fundamental Rights (Charter) provisions on the fundamental rights to privacy and data protection. The supervisory authority would have this power even if the European Commission had previously granted an adequacy decision, that is, if the Commission had decided the third State’s data protection levels were sufficient for data transfers.

Secondly, the AG focused on situations where the Safe Harbour agreement allows companies to derogate from its provisions to meet national security or public interest requirements. He found the Safe Harbour agreement and its application to constitute ‘a wide-ranging and particularly serious interference with those fundamental rights [to privacy, data protection and an effective remedy]’. He concluded that the agreement must be declared invalid.

Reception

The AG’s recommendations have been applauded by privacy and data protection activists. The opinion being important for many stakeholders, people have been quick to comment on the potential consequences for businesses, such as Microsoft, Google and Yahoo!, which all make use of Safe Harbour for data transfers. It has also since been argued that the AG arrived at the right conclusions in the wrong way. Without analysing the merits of the AG’s reasoning, and accepting that his conclusions are correct, it is interesting to speculate what this decision represents in terms of EU-US data sharing trends.

The AG emphasised that to determine the adequacy of a third State’s data protection framework, it was important to look at a range of factual and legal circumstances. We can use this approach to understand the context of his opinion. Since the Safe Harbour agreement was concluded in 2000, the 9/11 terrorist attacks have happened; other security threats have materialised; and mass surveillance by mostly US-based security bodies has been revealed. Legal developments in both the US and the EU have reflected these factual changes.

More specifically within the EU, the fundamental right to data protection has been enshrined in the now legally-binding EU Charter. The CJEU has also recently sidelined various rights, freedoms, concerns and interests, notably security concerns, in favour of safeguarding its citizens’ right to data protection. Data protection in Europe has become increasingly sophisticated, both factually and legally.

Two landmark CJEU data protection cases from 2014, Digital Rights Ireland and Google Spain exemplify this stronger pro-data protection line stemming from the EU. Digital Rights Ireland deemed blanket data retention of communications data for security purposes disproportionate and unnecessary. Google Spain confirmed the existence of a ‘right to be forgotten’, thereby empowering an EU data subject to request that a search engine delist search results about him or her. The AG’s opinion only serves to continue the Court’s love affair with the fundamental right to data protection, which sometimes comes at the expense of other fundamental rights and interests.

The AG’s opinion is not binding; indeed, the Court in Google Spain did not follow it. If it did follow his opinion, which is the most likely outcome, the Court’s decision could have notable consequences for other EU-US data sharing agreements that also attempt to balance the fundamental right to data protection with, for instance, other rights, economic interests and security concerns. These agreements include the Transatlantic Trade and Investment Partnership (TTIP), the Passenger Name Record (PNR) agreement, the Terrorist Finance Tracking Programme (TFTP) and the recently-concluded Umbrella Agreement. The result will be particularly significant for the ever-controversial EU-US data protection interface. Could it finally spur a viable solution for transatlantic data transfers that safeguards the fundamental right to data protection whilst satisfying the millions of stakeholders involved?

[i] The Irish Data Protection Commissioner qualified Schrems’ initial complaint as ‘frivolous and vexatious’, see Schrems v. Data Protection Commissioner [2014] IEHC 213 [2014], para. 32.

Addendum 08-10-2015:
On Tuesday 6th of October, the CJEU declared the Safe Harbour agreement invalid, in line with the AG’s opinion.  The Court ruled that national supervisory authorities may consider whether data transfers to a third State comply with the relevant DPD and EU Charter provisions, even if the European Commission has found that State to provide an adequate level of data protection.  Only the CJEU, however, may declare an adequacy decision invalid.

On the Safe Harbour agreement, the Court stated that the US needed to protect EU citizens’ fundamental rights to essentially an equivalent degree as in the EU.  This protection is required by the DPD read together with the EU Charter.  The Court found that the Safe Harbour agreement did not prevent US authorities from interfering with EU citizens’ fundamental right to data protection, especially as US security and law enforcement requirements overrule protections in the Safe Harbour agreement.  For this and other reasons, the Court declared the agreement invalid.

The case now returns to the Irish High Court and the Irish Data Protection Commisioner to decide whether the transfer of EU Facebook users’ data to the US is in line with the DPD, and whether these transfers should stop.  The immediate ramifications of the CJEU’s decision are for companies, particularly small and medium sized enterprises, that rely on the Safe Harbour agreement to transfer data abroad.