In Schrems, the Court of Justice of the EU (CJEU) found the Safe Harbor agreement, which enabled the transfer of personal data from the EU to the U.S., to be invalid. The EU Commission is trying to reach a new agreement with the U.S. government by this month’s end, although the incoming Dutch presidency has expressed doubts as to whether this deadline can be met. The significance of this deadline is that the EU’s data protection authorities have indicated that if such an agreement cannot be made by January 31, then they are: “… committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” This is why the EU Commission is under pressure to make a new agreement with the U.S.
Even if such an agreement can be made, it is not clear how robust it will be. Cases before both the EU and U.S. courts may redefine the application of privacy and surveillance laws to the global internet. The most prominent such case is probably Microsoft v Department of Justice, a challenge to a warrant issued and served in the U.S. requiring that Microsoft provide the U.S. government with emails and other content held on a server in Dublin, Ireland. This warrant has been upheld by the U.S. federal courts so far, but Microsoft has brought its challenge to the U.S. Court of Appeal, which may issue judgment soon.
The U.S. government may not be alone in seeking evidence in this way; EU member states may themselves be considering something similar. One of the conclusions reached by EU Heads of Government at a December meeting was: “To support criminal investigations, work will be taken forward on obtaining electronic evidence, especially when located abroad. This will include further engagement with the internet industry.”
And the U.S. courts are not alone in finding that U.S. laws may be applied globally. The EU’s Court of Justice CJEU has already gone a long way towards asserting EU law’s global reach. In Google Spain, it asserted jurisdiction over results generated by Google’s search engine, which is based in California. In Schrems, the CJEU suggested that “… legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The president of the CJEU would subsequently explain to the Wall Street Journal that in doing so, the CJEU was “… not judging the U.S. system … we are judging the requirements of EU law in terms of the conditions to transfer data to third countries.”
It may be argued that in Schrems, the CJEU suggested that higher standards should apply to the processing of the personal data of EU citizens in the U.S. than apply to the processing within the member states of the EU itself. But the CJEU has jurisdiction only over EU law, not that of its member states. However, the CJEU is not Europe’s only court. There is also the European Court of Human Rights ECHR, which considers whether European states have breached the European Convention of Human Rights, Article 8 of which provides a right to privacy.
In December 2015, the ECHR found that the surveillance laws of Russia, one of the signatories to the convention, were in breach of Article 8 as they failed to provide the limitations and controls that the ECHR requires. The ECHR has been asked to hear a challenge to the UK’s surveillance laws, which may clarify whether the national laws of European States are to be held to a standard similar to that which the CJEU has applied to measures made by the EU.
Of course the U.S. is far from being the only country that monitors electronic communications. As both the U.S. Library of Congress and the EU’s own Fundamental Rights Agency have pointed out, many EU member states have electronic surveillance programs of their own. It seems likely that the CJEU will follow the ECHR approach of upholding laws that enable the targeted surveillance of suspected criminals or places that are at particular risk of crime. What European Courts find objectionable is mass surveillance without proper controls or limitations. Such a view is hardly alien to the U.S. courts, which have a long history of upholding privacy rights and opposing mass surveillance.
Arguably EU and U.S. privacy and surveillance laws are not be as fundamentally incompatible as they sometimes seem. It is quite possible that the EU and U.S. could develop common standards for electronic surveillance that enable intelligence agencies and police to do their job, whilst respecting the privacy rights of individuals. Such standards have already been agreed in relation to the exchange of information between tax authorities; only a few have questioned the privacy implications of this OECD agreement.
An EU/U.S. agreement on the surveillance of electronic communications may well be possible; it just may not be possible by the end of this month. In the absence of such an agreement the continuing balkanisation of the Internet may accelerate; already major providers of cloud services such as Amazon and Microsoft are pitching EU-only services to customers.
If you want to comment on this post, you need to login.