Readers of this blog will almost certainly be aware that the European Union (EU) was the first regional organisation on the international stage to adopt a comprehensive, and relatively stringent, data protection regime. Yet, as the Internet is a global communications infrastructure, the EU has had to find ways to dialogue with non-EU (‘third’) countries to make sure minimum standards of data protection are respected when the personal data of European citizens are transferred to their jurisdictions. Hence, the EU-US Safe Harbour Framework found its roots in the Data Protection Directive of 1995.
The underlying rationale for the creation of the EU-US Safe Harbour Framework is the principle in Article 25(1) of the Directive that only transfers of personal data to third countries ensuring an adequate level of protection are possible. As it may not be obvious whether third countries do in fact ensure an adequate level of protection, it is further provided in the Data Protection Directive that the European Commission may take the initiative to identify such third countries… which is exactly what the Commission did in its US-EU decision of 26 July 2000… i.e. before the events of 11 September 2001 in the US and before the adoption in Europe of the Charter of Fundamental Rights of the EU in December 2000 and its entering into force in December 2009.
On 26 July 2000 the European Commission officially found in this decision that “the transfer of data from the Community to the United States …should be attained if organisations comply with the safe harbour privacy principles for the protection of personal data transferred from a Member State to the United States…and the frequently asked questions [“FAQs”]…providing guidance for the implementation of the Principles issued by the Government of the United States on 21st July 2000”.
The Safe Habour scheme consists of a set of principles and FAQs (which set out broadly equivalent rules for processing of personal data to those in the Data Protection Directive). The Safe Harbour Principles were issued by the US Department of Commerce on 21 July 2000 and deal with matters such as notice, choice, onward transfer, security, data integrity, access, and enforcement. Organisations willing to adhere to the Principles must self-certify to the US Department of Commerce that they do so, select the data categories in respect of which they will follow the Principles, and renew their participation annually. Failure to comply with the principles is then actionable by the Federal Trade Commission (FTC) as a deceptive or misleading trade practice.
This said, compliance with the Safe Harbour Principles “may be limited [in particular] to the extent necessary to meet national security, public interest, or law enforcement requirement”. Said otherwise, these exempt categories are not taken into account as part of assessing whether the ‘safe harbour’ standard of data protection adequacy is met under US law.
Yet, the US Foreign Intelligence Surveillance Act (FISA), for example, gives the US Attorney General or the Director of Surveillance the power to authorise “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information”. This, in effect, makes it possible for US authorities to authorise the bulk collection and retention of non-US citizens’ data for intelligence surveillance purposes. .
Following the Snowden revelations, several EU institutions have taken a more critical approach to the Safe Habour. For example, in November 2013, the European Commission published a Communication, Rebuilding Trust in EU-US Data Flows, in which it called for a more robust safe harbour framework between the EU and the US. More currently, the Court of Justice of the European Union (CJEU) is expected imminently to rule on a reference from the Irish High Court in the case of Schrems v Data Protection Commissioner  IEHC 310, which is directly pertinent to the question whether the EU-US Safe Harbour is compatible with the Charter of Fundamental Rights of the EU. The case relates to data exports by Facebook – allegedly aiding ‘mass surveillance’ of EU citizens for intelligence purposes by the US National Security Agency (NSA) – and is brought by Max Schrems (a law student and privacy activist) against the Irish Data Commissioner.
In his case, Schrems does not directly attack the validity of the Commission’s decision of 2000 but rather the refusal of the Irish Data Commissioner to investigate further his claim that “Snowden revelations regarding the Prism programme demonstrated that there was no meaningful protection in US law or practice in respect of data so transferred so far as State surveillance was concerned”. In particular, he alleges that this is evidenced by the fact that “the US law enforcement agencies could obtain access to such data without the need for a court order, or, at least, a court order showing probable cause that a particular data subject had engaged in illegal activities or stood possessed of information which would be of genuine interest to law enforcement bodies”.
The Irish Data Commissioner’s refusal could be justified by the fact that the European Commission, by deciding that US law ensured an adequate level of protection, had pre-empted any independent national assessment of this type. This is expressly recognised by the Irish judge in its reference for a preliminary ruling dated 25 July 2014, in which the Irish High Court asks the CJEU whether EU national data protection agencies are bound by the Safe Harbour decision adopted by the Commission or whether, in the light of the information that has come to light about mass surveillance of EU citizens by US agencies, national data protection authorities may conduct their own investigation of relevant data flows.
More specifically, the Irish High Court asks the CJEU whether a national data protection agency such as the Irish Data Protection Commissioner is “absolutely bound” by the Commission’s decision or whether it may and/or must it try to assess the adequacy of US law in the light of the European Charter of Fundamental Rights entered into force after the Commission’s decision…[which could make sense given the fact that national security matters do not fall within the competence of the EU and Article 6 of the Treaty on European Union provides that “[t]he provisions of the Charter shall not extend in any way the competences of the Union as defined in the Treaties”.].
On 24 March 2015, the CJEU started to hear arguments from both parties and the Advocate General’s Opinion is expected to be issued before the end of June.
Could the CJEU refuse to address the issue of the validity of the Commission’s decision? Probably not. Could it invalidate the Commission’s decision by taking into account subsequent foreign intelligence laws? This is where it gets trickier as the EU is not competent in this field.
Moreover, despite Snowden’s revelations, at a national level intelligence laws are gaining popularity.
For example, the French Intelligence Bill of 19 March 2015 (subsequently amended by parliamentary commissions) and in the process of being adopted by the Assemblée Nationale is quite astonishing [or not at all, you might say, being a bit more cynical!] for those interested in parallels with UK law and, in particular, with the on-going review of the Regulation of Investigatory Powers Act 2000. Under the French Bill, no court orders are required for both interceptions and acquisition of data for intelligence surveillance purposes. It is the Prime Minister (after the issuance of an advisory opinion by an “independent” administrative authority for internal communications and internal communications only) who authorises the “implementation of intelligence-gathering techniques” such as security interceptions or acquisitions of “connection data” (The French version of communications data). Besides, for the purposes of terrorism prevention the Prime Minister can oblige Internet access providers and hosting providers to further process the “connection data” of their users they already “process” on their networks in order to identify patterns revealing terrorist threats. What is this? Bulk processing of metadata as well as privatisation of some public functions?