PRISM scandal threatens EU-US ‘Safe Harbour’ agreement

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.


New European legislation aims to strengthen the protection of personal data. [Yuri Samoilov/Flickr]

The European Court of Justice (ECJ) could be tempted to invalidate “Safe Harbour” agreements on data retention between the United States and the European Union because of the PRISM spying scandal, writes Yann Padova.

Yann Padova is a lawyer specialising in data protection. He is the former secretary general of the French Data Protection Authority (the CNIL).

After Directive 2006/24/EC on data retention, which the ECJ ruled to be invalid on April 8, 2014, will the Court invalidate “Safe Harbour” agreements? The question arises when one reads the preliminary question that the High Court of Ireland referred to the ECJ last August 26 (Case C-362/14).

The case at the heart of this referral was based on a complaint filed before the High Court by Mr. Max S, an Austrian national. 

Mr. S was challenging the Irish Commissioner’s (the Irish data protection authority) refusal to investigate his complaint against the Irish subsidiary of the American company Facebook. Mr. S alleged that, given the revelations of the NSA’s monitoring activities under the PRISM program, “the rights and practices of which [the United States], it is claimed, do not contain adequate protections” for the data subject against state surveillance as regards data that are transferred there from Europe. Consequently, Mr. S asked the Commissioner to suspend data transfers to the United States based on “Safe Harbour” agreements since the protection of such data was not guaranteed.  Indeed, national data protection authorities are enabled to suspend transfers “to an organisation” whose behavior may violate the “Safe Harbour” principles.

The Commissioner justified his refusal to investigate Mr. S’s complaint by stating first that no evidence, but only allegations, was produced by the plaintiff against the company. Second, the Commissioner stated that the European Commission’s decision of July 26, 2000, on “Safe Harbour” agreements, acknowledged that this mechanism provided “an adequate level of protection for personal data”, so that, pursuant to the principle of the primacy of EU law over national law, he was bound by this decision.  Consequently, the Commissioner stated that he did not have the power to evaluate, and even less power to dispute, in a general and abstract manner, the degree of data protection provided by the European Commission’s decision.

Ruling on Mr. S’s complaint against the Commissioner’s refusal, the High Court of Ireland first pointed out that the Commissioner was “naturally bound” by the European Commission’s decision.  However, the High Court noted that the “critical issue” is the very “terms” of the Commission’s decision rather than “its application” by the Commissioner.  Indeed, Mr. S’s complaint disputes the very principle and effectiveness of “Safe Harbour”, and not a possible lack of application in a specific case by a particular “organisation”.  The High Court points out, in this respect, that new evidence had arisen since the 26 July, 2000 decision.  The High Court first mentioned the entry into force, after the decision, of Articles 7 and 8 of the European Union’s Charter of Fundamental Rights on the right to privacy and the protection of personal data, then the revelations regarding the PRISM scandal and, lastly, the recent decision of the ECJ on 8 April 2014.  As the High Court indicated, “in these circumstances”, it ruled that it was “appropriate” to refer the question of whether the Commissioner was “absolutely bound” by the Commission’s decision, which found that the United States offered an adequate level of data protection, or whether he, “may, or must, conduct his or her own investigation by ascertaining the manner in which facts have changed” since July 26, 2000.

This question referred to the ECJ has potentially serious legal and economic consequences, especially because it takes place within a particular European political context.  Indeed, “Safe Harbour” agreements are one of the legal instruments most widely used by companies established in Europe to transfer data to the United States.  From fewer than 400 in 2004, American companies registered as “Safe Harbour” members now number nearly 3,300.  According to a European Commission study, 51% of companies that are “Safe Harbour”-certified process HR data of employees residing in Europe.  Therefore, “Safe Harbour” is a legal mechanism used daily by a large number of European companies.  This is why, according to certain studies cited by the Commission, disrupting transatlantic data flows could have a recessionary effect of between -0.8% and -1.3% of the EU’s GDP.

However, the “Safe Harbour” mechanism is subject to a great deal of scrutiny in Europe that has grown substantially since the PRISM scandal.  In its communication on November 27, 2013, the Commission reiterated part of its previous findings and again made a series of 13 recommendations, some of which include the 2004 recommendations.  Faced with this situation, with the fact that the said recommendations were relatively ineffective and with the revelations of the PRISM scandal, the Investigation Committee of the European Parliament notably demanded earlier this year the “suspension” of “Safe Harbour” agreements by the European Commission.

Therefore, the preliminary question referred to the ECJ takes place within a context of transatlantic tensions and the European Parliament’s political pressure on the European Commission. The ECJ staked out its position with conviction this year by ruling in favour of a strict reading of data protection.  In its Digital Rights Ireland decision on April 8, 2014, it ruled that Directive 2006/24/EC on data retention constituted disproportionate interference with the rights to privacy and to data protection.  In this important decision, paragraph 37 should be pointed out here.

In it, the Court states as follows: “It must be stated that the interference caused by Directive 2006/24 with the fundamental rights laid down in Articles 7 and 8 of the Charter is, as the Advocate General has also pointed out […] wide-ranging, and it must be considered to be particularly serious. Furthermore, as the Advocate General has pointed out in paragraphs 52 and 72 of his Opinion, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance” (author’s emphasis).  Moreover, in paragraph 68, the Court stated that the Directive, “does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured.”

Yet, what is involved in the case referred to the ECJ if it is not “wide-ranging” surveillance conducted by the PRISM program, the “seriousness” of which is difficult to dispute? Because of PRISM, the European users, who are monitored against their will, may indeed have the “feeling that their private lives are the subject of constant surveillance”. The protection afforded by the Charter’s Article 8 and by the control of an independent authority are all but uncertain. Therefore, one does see that, although, obviously, we cannot surmise what the ECJ’s decision will be in this case, the criteria that the Court laid down to invalidate Directive 2006/24 could very well apply to “Safe Harbour” agreements.

The Court has several options. Either it rules that it is possible to interpret “Safe Harbour” agreements in light of the requirements of the Charter’s Articles 7 and 8, which should lead national data protection authorities, like the Commissioner, to conduct their own investigation. If this occurs, then a new period of legal uncertainty would begin within the European Union, as one could not rule out the risk of differing interpretations being made by the 28 national data protection authorities. Or, the Court rules that such an interpretation is legally impossible. As national data protection authorities are bound by the Commission’s decision, they could investigate only specific companies’ known breaches and not violations committed by the American authorities. Another option would be that the Court rephrases the question and takes the initiative in assessing the lawfulness of “Safe Harbour” agreements whereas it has only been required to review the interpretation thereof. It should be recalled that the ECJ has already taken such an initiative in the past.

Therefore, one must remain vigilant about this issue because its outcome will have significant repercussions on the legal regime for transatlantic data transfers and, moreover, on the political relationships between the US and the EU and, within the EU, between the Commission and the Parliament.
