Coming right on the heels of Advocate General (AG) Yves Bot’s opinion in the Max Schrems case, the news that the European Court of Justice (ECJ) plans to issue a final decision on October 6 raises the prospect of a swift “one-two punch” to the Safe Harbor arrangement. If the ECJ decision is along the lines of the Bot recommendation and the Court’s hearing, the outcome could throw the existing Safe Harbor framework into disarray and conceivably invalidate it.
Nevertheless, the Bot opinion provides a path forward for the European Commission and the United States based on their ongoing negotiations for reform of the agreement.
The potential consequences
Make no mistake about it—a final opinion invalidating the framework approved in the Commission’s 2000 opinion would be seismic. The U.S. and EU have the largest trade relationship in the world; they account for over half of global GDP and almost one-third of global trade flows. As my Brookings colleague Joshua Meltzer has documented, these trade flows are supported by increasing flows of digital information in many sectors, for transactions, supply chain management, logistics, customer relations and workforce management. With more than 4,000 U.S. and European companies subscribing to its principles, the Safe Harbor agreement has been a vital enabler of these information flows.
Any decision adverse to this agreement will place a dark cloud of uncertainty over these data flows and potentially disrupt them. At a minimum, such a decision will magnify political pressure on the Commission to suspend the Safe Harbor Agreement. German Green MEP Jan Albrecht already called on the Commission to do so, based on the AG’s opinion, and undoubtedly would be joined by others in renewing his call based on a final decision.
Moreover, the specific question referred by the Irish High Court is the authority of DPAs to investigate and suspend transfers under Safe Harbor. If, as the AG did, the ECJ finds that DPAs have that authority to suspend without limitation by the Commission, one can envision a tsunami of DPA actions to suspend data transfers or complaints asking them to do so.
Along with these, DPAs and the Commission can expect a rush of submissions of Binding Corporate Rules and Model Contract clauses as organizations that have relied on Safe Harbor look for alternatives (though Omer Tene has suggested these too may be subject to challenge on the rationale of an opinion like the AG’s).
Finally, a clear declaration that the Commission’s 2000 decision is invalid would nullify the legal basis for data transfers under the Safe Harbor framework unless the Court limits the scope or the effective date of such a ruling. The impact would fall not on the big Internet brand names that are often the objects of European angst, but on a great many smaller enterprises that lack choices for where to store data.
The consequences of suspending Safe Harbor are serious.
Not only does it put the companies that rely on the agreement in a difficult position and threaten to disrupt vital information flows, but it sends aftershocks into discussions of TTIP negotiations. Whatever the outcome of the ECJ decision, it will put urgent pressure on the Commission and U.S. negotiators to complete their work on a new Safe Harbor deal.
Reforming Safe Harbor
Since negotiations began, while I was still General Counsel at the U.S. Commerce Department, a lot of work has been done. Strengthening the administration of Safe Harbor was the easy part; the notion that companies that commit to Safe Harbor principles should be held to those commitments is not debatable.
In the two years since, a great deal of work also has been done to address points concerning law enforcement and intelligence access to transferred data. The U.S. and EU have initialed an “umbrella agreement” on the subject; the Judiciary Committee of the U.S. House of Representatives has given a favorable report to the Judicial Redress Act extending rights under the Privacy Act to certain non-U.S. citizens, a bill that—up to now anyway—has been uncontroversial; and the U.S. has gone a long way to make transparent and to limit the scope of foreign intelligence collection as well as to strengthen these limits.
At this point the ball is mainly in the Commission’s court, and the early issuance of an ECJ decision obviates a discussion within the Commission whether to wait and see what the Court says or to take the initiative on Safe Harbor before the ECJ acts.
The AG took note of the ongoing discussions for a strengthened Safe Harbor agreement. Although he took this as an admission that the existing agreement is inadequate, the opinion provides a pathway for a new agreement that addresses the concerns about U.S. intelligence access. This in fact is what the Commission has been doing by looking at how U.S. limits on intelligence and law enforcement collection, use and retention of data on EU citizens meet the principles of necessity and proportionality in EU fundamental law.
The Bot opinion found that access is “unrestricted” in violation of these principles. By arriving at this conclusion, the opinion reaches beyond the questions referred by the Irish High Court; indeed, that court stressed “that neither the validity of the 1995 Directive nor the Commission Decision providing for the Safe Harbor Regime are, as such, under challenge in these judicial review proceedings.” By presuming to address issues not raised by the referral, the AG’s analysis makes a series of astonishingly sweeping assumptions about the facts.
The opinion accepts the truth of allegations in the Schrems complaint and news reports of the Snowden leaks with no actual evidentiary record. The Irish Data Protection Commissioner found that the Schrems complaint was “unsustainable at law,” and therefore declined to conduct an investigation into the allegations. The High Court in turn chose “to proceed on the basis” that data transferred by Facebook is accessible by the NSA “in the course of mass and indiscriminate surveillance,” i.e. to accept the allegations for purposes of deciding the legal question even though the High Court also noted that the Irish Commissioner had established in an audit that Facebook did not provide U.S. security agencies with access to subscriber data “save by means of targeted requests which were properly and lawfully made.” In the Bot opinion, the Court’s arguendo assumption is treated as “findings of fact.”
On this basis, the opinion uncritically assumes the worst about U.S. intelligence, describing the PRISM program as having “unrestricted access” to the electronic communications of Europeans.
That is not the case.
In fact, as the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) meticulously documented, the legal authority for the PRISM program, Section 702 of the Foreign Intelligence Surveillance Act, requires “targeting” of “a person” for the collection of foreign intelligence information, and this requirement is implemented with Foreign Intelligence Surveillance Court scrutiny of targeting procedures and data minimization requirements and targeting based on “selectors” such as a target email address or telephone number. Although the number of communications collected can run into the millions, the number of persons targeted by the PRISM program in 2013 was estimated at 89,138. Broad, but a long way from “unrestricted.”
It should be significant that PCLOB and the President’s special review board on intelligence collection in 2013 both took a hard look at the Section 703 intelligence collection, and the PCLOB is also examining other foreign intelligence programs under the authority of Executive Order 12333. Both had unfettered access to classified information and both were independent boards with strong privacy bona fides that they demonstrated by finding that the Section 215 bulk collection of domestic telephone metadata was excessive and lacked actionable intelligence. Both reached the conclusion that the actionable intelligence produced under the Section 702 program justifies its continuation.
The AG opinion also fails to apply critical thinking to the level of protection that EU citizens receive under Directive 95/46/EC. A running theme of the opinion is the “high level of protection” afforded by EU laws, and a core premise of Bot’s recommendation is that an adequacy finding under Article 25 must “ensure the continuity of the protection that is afforded by that directive where personal data is transferred to a third country.” But the opinion does not examine what level of protection EU law actually provides when it comes to the specific issue in the case, access to personal data by national intelligence agencies.
U.S. privacy protections as against the state (as opposed to companies) compare favorably to those of EU member states. That’s not something the AG recognizes.
Thus, while the opinion finds that EU citizens “have no effective right to be heard on the question of surveillance and interception of their data by the NSA and other United States security agencies,” EU citizens have no such right to be heard when it comes to surveillance by their own national intelligence agencies. When the Article 29 Working Party attempted in 2014 to review surveillance practices, the great majority of European intelligence agencies refused to cooperate with its inquiries on the basis that it was outside the competence of data protection authorities. The Working Party noted DPAs have little or no power as to intelligence agencies, that other oversight is weak, and that “surveillance programs run by the EU Member States will in general not be subject to EU law, following the national security exemption written into the European treaties” and into the Directive.
Contrast that to the unrestricted, independent and transparent oversight by the independent PCLOB and special review board, which comes on top of administrative, congressional and judicial oversight of intelligence collection at least as robust as anything the Working Party identified in member states. DPAs and European privacy advocates in civil society and Parliament recognize that the EU and its member states have a ways to go to get their own houses in order regarding transparency and oversight of intelligence agencies.
Reaching A Stronger Agreement Based on Facts and Changes
The Safe Harbor agreement is too important to be thrown out on the basis of reactions to headlines.
Fortunately, the Commission has been engaged for two years in a more searching examination of the scope of U.S. intelligence collection. It has had the benefit of the PCLOB and review board reports as well as the Ad Hoc EU-US Working Group on Data Protection and the report of its EU co-chairs Viviane Reding and Cecilia Malmström in their previous capacities as Commissioners.
In addition, in the last two years the U.S. has taken additional steps to extend unprecedented protections to foreign citizens. In January 2014, President Obama issued a directive with force of law requiring intelligence and law enforcement agencies to extend foreign citizens equivalent protection to that given to U.S. citizens, a declaration EU Vice-President Andrus Ansip called “extraordinary.” Over the course of the following year, every agency put in place procedures to carry out this directive. The general effect of these is to require an articulated basis for collection of data and to impose limits on the scope and retention of that data.
All this furnishes an ample basis for the Commission to conclude for purposes of a new Safe Harbor agreement that the limits placed on American law enforcement and intelligence collection under U.S. law meet the standards of necessity and proportionality under EU law.
One challenge in doing so will be the prospect that, if the ECJ decision interprets Commission authority under the Directive in the same way as the AG, dozens of data protection authorities may reach different conclusions.
At a minimum, however, before doing so, these DPAs should use this authority to conduct investigations and make their decisions based on a factual record and not old headlines. In the longer term, the Commission and the negotiators in the Trilogue on the GDPR will need to take a careful look at the language of proposed Articles 41 and 57 to ensure that the language clearly assigns authority for adequacy determinations.
Moving forward with a new, reformed Safe Harbor agreement undoubtedly presents political challenges for the Commission. But so does jettisoning Safe Harbor.
Bot was correct in describing the Safe Harbor agreement as a “special system.” It is so because of the special relationship between Europe and the U.S., a strong and deep alliance based on shared security needs, economic interests and values, and because it is in the mutual interest of both regions to maintain transatlantic data flows.