In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 Working Party enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:
- Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
- An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
- Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.
These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. As articulated in our report, these safeguards are:
- Specific legal authority. Surveillance measures must be based on clearly stated legal authority. The legal bases or purposes for surveillance must be clearly spelled out. These purposes must be for legitimate aims of a serious nature with an objective reasonable basis in facts. There must be objective criteria by which to limit the discretion of authorities.
- Limited scope. The amount of data collected or subject to retention requirements must not go beyond what is necessary to accomplish the purpose of the surveillance and cannot be generalized or indiscriminate. Discriminants (or particular search terms, “keywords,” or “selectors” for surveillance purposes) must be established with due care and be consistent with the specified purposes for surveillance. The period of retention must be reasonable and finite.
- Oversight. There should be some combination of executive, legislative, judicial and expert oversight for approval and review of surveillance measures.
- Legal remedies and redress. The public should be informed about surveillance laws and have some opportunity for access and rectification, and for judicial redress. If necessary for legitimate aims of surveillance, surveillance can be secret, in which event greater oversight or more general legal redress is necessary.
Conceptually, the two sets of standards are the same. With regard to the first criterion, our report also looks at the degree to which clarity and precision not only provide notice to citizens, but also constrain the discretion of officials. Our report frames the second standard in different terms, but the same principles of necessity and proportionality are applied in conducting the comparison under this criterion, and our report looks at specific ways that EU national laws as well as laws in the U.S. ensure proportionality by limiting the use, sharing and retention of information collected through surveillance.
It would be nice to claim credit for the Working Party’s framing of its criteria. But it is evident that both sets of criteria are derived from the same body of case law, and that the Article 29 Working Party has looked beyond the generalities of the Schrems judgment to the jurisprudence of the European Court of Human Rights. Indeed, the European Union Agency for Fundamental Rights (FRA) adopted a similar framework in its November 2015 report “Surveillance by intelligence services: Fundamental rights safeguards and remedies in the EU - Mapping member states’ legal frameworks.”
Analysis of the interferences with fundamental rights certainly can begin with Articles 7 and 8 of the Charter of Fundamental Rights, as it did in Schrems. But in too many political discussions, the analysis ends there.
The “EU legal order” against which U.S. data and privacy must be measured is far more complex than that. Thus, the EU legal order must take into account Article 6 of the charter, which guarantees to each EU citizen the right to “security of person,” which right must be protected by member states; Article 4(2) of the Treaty on European Union, which provides that national security remains the sole responsibility of each member state; Article 52(1) of the charter, Articles 3(2) and 13 of Directive 95/46/EC, which provide that data privacy rights may be balanced with other rights, in particular the protection of the rights and freedoms of others; and, last but not least, Article 52(3) of the charter, which provides that the scope and meaning of the rights set out in the charter shall be the same as the corresponding rights set out in the European Convention on Human Rights (ECHR).
The most important provision in this respect is Article 8 ECHR, which provides that member states may interfere with the right to respect for private and family life if that interference is in accordance with the law and “necessary in a democratic society in the interests of national security, public safety … for the prevention of disorder or crime … or for the protection of the rights and freedoms of others.” Indeed, in Digital Rights Ireland, the CJEU cited and quoted repeatedly from ECtHR case law relating to Article 8 ECHR. Consequently, the case law of the ECtHR under Article 8 ECHR is crucial in the interpretation and application of Articles 7 and 8 of the Charter, and of Directive 95/46/EC which must be “read in light of the Charter”, as the CJEU clarified in Schrems. Moreover, as the CJEU noted in its Volker und Markus Schecke GbR judgment in 2010, “the right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society …”
The criteria in our "Essentially Equivalent" report are a synthesis of those articulated in both the CJEU’s Schrems and Digital Rights Ireland judgments and in the case law of the ECtHR under Article 8 ECHR. Several aspects of this case law require specific attention in the coming weeks and months ‒ in particular the ECtHR’s holistic approach. Rather than condone or condemn specific surveillance methods as such, the ECtHR assesses whether the methods are intrusive and prone to abuse; the higher the risks, the stronger safeguards against abuse must be. The ECtHR thus considers interferences and safeguards “as a whole.”
The Article 29 Working Party indicated that the four “essential guarantees” must be respected by EU member states, as well. Indeed, the key criterion in the Schrems judgment – whether the level of protection of data will continue when the data is transferred to the U.S. – cannot be answered without reference to EU member state laws. Broadly, the consensus among member states ultimately determines the level of protection required under Article 8 ECHR, and thus the benchmark for the level of protection under the EU legal order. In all individualized essentially equivalent tests carried out under Articles 25(2) and 26 of Directive 95/46, the level of protection in the particular exporting member state is a key factor in determining whether the level of protection will be reduced when the data is transferred to the U.S. Moreover, compliance by the EU and its member states with international trade laws also requires reference to the laws of the member states.
The Working Party may lack the competence to set the direction of member state laws on national security and public safety, but it has the capacity to establish what those laws are, just we and the FRA did, and the Working Party itself began to do in 2014.
It may be that the EU has work to do to bring its own house in order with a firm consensus on how the principles of necessity and proportionality apply to member state protection of the right to security under Article 6 of the charter. But that is a project of years, if not decades of give and take in jurisprudence, legislation and political discourse. In the meantime, "essentially equivalent" protection in the United States can hardly mean a higher standard of protection for personal data than the standard actually applicable under the EU legal order.
If you want to comment on this post, you need to login.