In Schremsthe Court of Justice of the European Union (ECJ) held that the EU Commission’s Safe Harbor decision was invalid because U.S. law does not protect the personal data of Europeans to an extent “essentially equivalent to that guaranteed in the EU legal order.” The ECJ held that U.S. law "authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made … and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data." 

But the U.S. is far from being the only country which requires that personal data be retained so it may be accessed by the State. Many EU member states require something similar; indeed new surveillance laws have been enacted by France and are being considered by the UK

In this context, it does not seem unreasonable for the U.S. to wonder exactly what the privacy protections guaranteed by EU law are. EU law, however, is completely clear.

In both Schrems and its earlier decision in Digital Rights Irelandthe ECJ held that “legislation permitting … public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” The ECJ went onto hold that this right to privacy may only be limited “in so far as is strictly necessary."  

So, EU law provides a clear prohibition on generalised surveillance and expects that there be limitations upon the surveillance of individuals.   

But EU law is not Europe’s only law. EU member states retain their own legal systems and national courts.

Where there is a conflict between EU law and the law of a member state, then the former will have supremacy, meaning that EU law will override the national laws of EU member states. A national court that has a question about EU law can refer that question to the ECJ for an answer, which is what happened in both Schrems and Digital Rights Ireland

But not every law of an EU member state will raise an EU law issue.

One area where EU law has quite limited application is that of national laws on crime and state security. Title V of the Treaty on the Functioning of the EU (TFEU) does create an EU “Area of Freedom, Security and Justice," but this cannot “affect the exercise of the responsibilities incumbent upon member states with regard to the maintenance of law and order and the safeguarding of internal security," according to the treaty's language. The EU must respect essential functions of its member states including “maintaining law and order and safeguarding national security.” 

This places many of the criminal and state security laws of EU member states outside the scope of EU law and so outside the jurisdiction of the ECJ. 

The EU Commission has clarified that it will not bring forward a replacement for the Data Retention Directive which was struck down in Digital Rights Ireland, stating that: “ … the decision of whether or not to introduce data retention laws is a national debate.” This may strengthen the argument that the surveillance laws of member states are national criminal laws, which may make it easier for member states to side-step the Digital Rights Ireland ruling by arguing that the ECJ no longer has jurisdiction.

But counter-arguments may be made that member states and the EU may share competence over surveillance which affects the EU’s internal market and trans-European networks; and data protection is an issue of general application to the EU, according to both the treaty and the EU Charter of Fundamental Rights. These are arguments that only the ECJ itself may have to resolve (though Article 276 of the TFEU will limit its ability to do so). Of course even if the ECJ were to conclude that it had jurisdiction, it may be argued that the surveillance laws of member states provide sufficient privacy protections. Both the recently enacted French surveillance law and the proposed United Kingdom law provide for judicial oversight of surveillance in some circumstances. 

Whatever arguments may be made about the surveillance laws of EU member states, there seems little doubt that the transfer of personal data from the EU to the U.S. falls within the jurisdiction of the ECJ.  

International trade is plainly within the scope of EU law, according to the treaty, as is the free movement of personal data. This is why some consider that changes in U.S. law are required to comply with Schrems.  

However it is not clear that the EU is asking that the U.S. amend its laws in discussions about Safe Harbor’s successor. What is being discussed? “Stronger oversight by the Department of Commerce, stronger cooperation with European DPAs and priority treatment of complaints by the Federal Trade Commission.” 

Whether oversight, cooperation and the priority treatment of complaints  will be sufficient to satisfy the ECJ remains to be seen, but the EU Commission is working with the U.S. to ensure that there are sufficient limitations and safeguards in place to prevent access or use of personal data on a "generalised basis" and to ensure that there is sufficient judicial control over such activities.”

photo credit: Dublin (46) via photopin (license)