“Let justice pierce the mountain” is a Jewish Talmudic saying, referring to a strict, unforgiving, literal interpretation of the law. The opposing view promotes compromise, asserting: “Where there is strict justice there is no peace, and where there is peace, there is no strict justice” (Babylonian Talmud, Sanhedrin 6b). This week’s opinion from Yves Bot, Advocate General (AG) of the European Court of Justice (ECJ) leaves little room for compromise. It is high on principle and low on practicalities.
In many ways, it is detached from technological and business realities.
At a time when Europe is debating a new General Data Protection Regulation and the European Commission is negotiating amendments to the Safe Harbor with the United States, the AG opinion calls into doubt the cross-Atlantic data relations writ large. First, the AG states that national data protection authorities can never defer to the European Commission in assessing the adequacy of privacy protections afforded to data transfers outside of Europe. Second, the AG asserts that the national security exemption to the Safe Harbor renders it manifestly unfit to protect the privacy of European data subjects, particularly in light of the Snowden revelations about the data appetite of U.S. intelligence agencies. The opinion is deeply imbued with the language of fundamental rights, scolding any attempt by European bureaucrats to negotiate away the privacy of citizens or gloss over the stiff obligations of the European data protection framework.
To be sure, these principles are admirable. Privacy and data protection are enshrined in the EU Charter of Fundamental Rights and buttressed by decades of jurisprudence of the European Court of Human Rights. Alas, it is not clear that these lofty values are well served by the AG’s approach. Fundamental rights are difficult to export across borders. Consider the aspiration of American tech firms to apply U.S.-styled freedom of speech on European soil. This approach was met by stiff resistance from the CJEU, as evidenced by its right to be forgotten decision. The AG’s principles are unlikely to fare better on foreign soil.
If the CJEU adopts the AG’s approach, as it typically does, and the Safe Harbor is annulled, would Europeans benefit from more privacy protection? In fact, they would most likely end up with less. To begin with, all of the other data transfer mechanisms would immediately be called into doubt. If the European Commission’s decision to approve Safe Harbor is subject to second guessing by 28 national regulators, why not its decision to whitelist certain countries (e.g., Canada, Israel, New Zealand) as “adequate”? And what about the Standard Contractual Clauses, which have been adopted as European Commission decisions? Those too would lose their vigor and become subject to case-by-case review by regulators – in Ireland, Latvia, Slovenia and more – who have different approaches, agendas and resources. So much for streamlining data protection standards across the continent.
But that’s not all. For not only Safe Harbor but also Binding Corporate Rules, Standard Clauses – indeed the European Data Protection Directive itself – fall prey to the AG’s second line of reasoning. All of them have glaring exemptions for national security purposes. The Directive, which Safe Harbor is intended to extend to American soil, does not even apply to “processing operations concerning public security, defense, state security … and the activities of the State in areas of criminal law.” Of course, the American NSA was caught red-handed scooping up data from acquiescent businesses. But so was the UK’s GCHQ, a veritable European intelligence agency, and for all we know – and we don’t know much because European laws on national security are extremely opaque – French, German and other continental intelligence agencies acted similarly, including collaborating closely with their American counterparts.
Brought to its logical conclusion, the AG’s opinion proves too much. It would result in a complete unraveling of any semblance of harmonization of European law. It would discredit any mechanism for transferring data across borders as a ruse for government access, ultimately undermining not only the data transfer limitations but also the European data protection regime itself.
I hasten to predict that regardless of the result of the case, the Internet will not break. European governments will not pull the master switch to prevent data from traveling across borders. European consumers will continue to use Facebook and Google, and European companies will transfer data across borders not only to the U.S. but also to India and China. If the AG’s opinion, which pierces the mountain with justice, will break anything, it is, unfortunately, European data protection law.