While Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (October 2015) immediately invalidated the U.S.-EU Safe Harbor program, a key holding from the case left the door open for even more uncertainties in the future. It is now possible for other third countries that have been previously deemed to provide adequate data protection by the EU Commission to have their status reexamined and invalidated. With the new criteria set forth by the Court of Justice of the European Union and the Article 29 Working Party, New Zealand and countries with issues similar to those that sunk Safe Harbor may be at risk.
Backstory
When Schrems lodged his original complaint with the Irish Data Protection Commission, he asserted that given the Snowden revelations about United States government surveillance, there was no way the U.S. Safe Harbor program could provide “adequate protection” for data subjects as required by EU law.
Despite a formal decision from July of 2000 in which the EU Commission stated that the U.S. Safe Harbor program did in fact provide EU data subjects with adequate protection, Schrems was steadfast with his complaint. The Irish DPC maintained that under Article 25(6) of the Data Protection Directive, it did not have the authority to question an adequacy finding of the EU Commission and that it was bound by this decision.
But in Schrems, the CJEU held that nothing in Article 25(6) prevented data protection authorities from examining claims that questioned the EU Commission’s adequacy findings. Accordingly, national data protection authorities now find themselves tasked with a new responsibility: If faced with a complaint, they must examine the EU Commission’s third country adequacy decision with “all due diligence.”
Third country adequacy decisions: Challenges on the horizon?
The EU Commission has only issued adequacy decisions for the following countries: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
The new investigative power that the CJEU provided under Schrems raises an interesting question: Could another one of the adequacy findings withstand a challenge?
In Schrems, the CJEU provided some guidance for data protection authorities to follow when tasked with examining a third country’s adequacy. While the court stressed that EU fundamental rights must be guaranteed in light of foreign intelligence activities, it did not clearly delineate which criteria were determinative, if any. The Article 29 Working Party later issued a statement condensing European jurisprudence in light of Schrems that provided four “essential guarantees” for third country intelligence activities.
New Zealand’s adequacy post-Schrems
The most recent adequacy decision, implemented by the EU Commission in December of 2012, is that for New Zealand. Given the language from Schrems and the Article 29 Working Party’s statement, could New Zealand’s domestic law also leave its adequacy status vulnerable to a challenge?
“Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred.”
This was the first “essential guarantee” the Article 29 Working Party said must be respected whenever personal data are transferred from the EU to a third country. The CJEU also held that “[a]dequate protection must take into account the country’s domestic law (para. 71).” In addition, “there must not be limitations based on national security, public interest, or law enforcement requirements that give third country law primacy over EU law (paras. 85-87).”
The EU Commission adequacy decision for New Zealand states: “[t]he legal standards for the protection of personal data in New Zealand are primarily set out in the Privacy Act [of 1993] … The legal data protection standards applicable in New Zealand cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exceptions and limitations in order to safeguard important public interests.”
While the Privacy Act on its face appears to ensure a high level of protection, there is a notable exception. In particular Section 57 is worthy of close scrutiny. It states: “Nothing in principles 1 to 5 or principles 8 to 11 applies in relation to information collected, obtained, held, used, or disclosed by, or disclosed to, an intelligence organization.” Principles 1 through 5 cover limitations on purpose, source (origin), consent, manner by which information is collected, and storage and security of personal information. Principles 8 through 11 cover accuracy, retention, use limitations, and disclosure.
If intelligence organizations are exempt from key principles that govern data processing, how could the CJEU consider the criteria in New Zealand’s Privacy Act clear, precise, and accessible? In invalidating Safe Harbor, the CJEU noted that the Safe Harbor principles were only applicable “to self-certified United States organizations receiving personal data from the European Union, and the United States government are not required to comply with them (para. 82).” The court also held that “the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred … (para. 90).”
However, doesn’t Section 57 of the Privacy Act permit New Zealand intelligence organizations to do the same?
Further, it would appear that Section 57 of the Privacy Act creates a similar limitation based on national security, public interest, and/or law enforcement requirements that gives New Zealand law primacy over EU law. While private entities and certain arms of government in New Zealand must adhere to principles 1 through 5 and 8 through 11, New Zealand intelligence organizations are not required to comply with them.
The data processing principles that New Zealand intelligence organizations are exempt from mirror almost all of the Safe Harbor principles that the United States government was not bound by – a lethal blow to any hope for Safe Harbor’s adequacy. How does New Zealand’s “adequacy” provide data subjects any more legal protections from government surveillance than Safe Harbor did?
“Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual”
This was the second “essential guarantee” laid down by the Article 29 Working Party. The CJEU further held that “above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary” (para. 92) and “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the right to respect for private life (para. 94).”
But documents show that New Zealand’s government conducts indiscriminate mass surveillance. While reports provide evidence that New Zealand’s Government Communications Security Bureau (its equivalent to the NSA or GCHQ) has engaged in mass surveillance, they also show that these activities are directed towards neighboring South Pacific nations. Snowden has also stated “[t]he GCSB, ... is directly involved in the untargeted, bulk interception and algorithmic analysis of private communications sent via internet, satellite, radio, and phone networks” in New Zealand as well. Further, it is well known New Zealand is a member of the Five Eyes surveillance network, along with the United States, Australia, Canada, and the United Kingdom. According to the New Zealand Herald, the GCSB provides the NSA “en masse” information on emails and Internet browsing habits that it intercepts.
In Schrems, the court found it was inconsequential whether or not Schrems’ personal information had actually been obtained or used by the NSA. It said that the language of the Safe Harbor decision “enables interference, founded on national security and public interest requirements or on domestic legislation … with the fundamental rights of persons whose personal data is or could be transferred from the European Union to the United States (para. 87).” In addition, “to establish the existence of an interference with the fundamental right to respect for private life, it does not matter … whether the persons concerned have suffered any adverse consequences on account of that interference (para. 87).” What was important was that Schrems’ data was made available under U.S. law thereby triggering his rights under the EU Charter. The same logic follows with New Zealand.
In 2013, New Zealand amended the Government Communications Security Bureau Act of 2003 to expand the surveillance powers of the GCSB. Pursuant to Section 8 of the act, the government may surveil New Zealanders and foreigners (i.e., EU citizens). Section 15 permits both interception warrants and access authorization warrants to be obtained for “communications that are sent from, or are being sent to, an overseas country.” Section 16 allows the GCSB, without a warrant, to intercept information about EU residents so long as the surveillance activities meet a few criteria. In doing so, GCSB “may co-operate with, and provide advice and assistance to, any public authority (whether in New Zealand or overseas) and any other entity authorised by the minister for the purposes of this subsection.” This is especially interesting given New Zealand’s participation in the Five Eyes network.
Thus, under the second criterion set forth by the Article 29 Working Party, New Zealand law provides another parallel to a flaw that sunk Safe Harbor.
“An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.”
This was the third criterion issued by the Article 29 Working Party.
The Office of the Privacy Commissioner is tasked with handling inquiries and investigations pursuant to the Privacy Act of 1993.
The Schrems court stated the Safe Harbor decision did “not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interferences which the State entities of the country would be authorised to engage in when they pursue legitimate objectives such as national security (para. 88).”
Here, the United States is significantly deficient. Article III standing is a hurdle that nearly all plaintiffs cannot overcome when pursuing the sort of redress at issue in Schrems. Furthermore, while the Federal Trade Commission was tasked with aspects of handling Safe Harbor complaints, these were limited to commercial disputes. Safe Harbor itself offered no redress against the U.S. government.
However, New Zealand’s procedure for investigating complaints relating to intelligence organizations is also significantly limited compared to other complaints filed under the Privacy Act. If the commissioner receives a complaint and believes that an intelligence organization is unlawfully interfering with the privacy of an individual, he may present the intelligence organization with recommendations. The commissioner may request a report that indicates what steps the intelligence organization will take to implement the commissioner’s recommendations. If the commissioner deems that no adequate steps are taken, he or she may then refer a copy of the report and the recommendations to the prime minister who then may put that information before the House of Representatives.
While New Zealand does have an independent oversight mechanism, the next section will illustrate that the powers held by this office may be inadequate in practice.
“Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body”
This was the fourth and final essential guarantee required by the Article 29 Working Party. In its 2012 New Zealand adequacy decision, the EU Commission stated, “any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.” However, it appears that, due to carveouts for intelligence organizations and national security, EU data subjects are afforded very minimal recourse.
While the Privacy Act does allow EU residents to make subject-access requests regarding the personal information collected on them, Section 27 allows the New Zealand government to deny such a request if it prejudices “the security or defence of New Zealand or the international relations of the Government of New Zealand.”
EU citizens may file a complaint under the Privacy Act. But just as the Privacy Act has general carveouts for intelligence organizations, any complaints filed regarding intelligence organizations also have exceptions. Section 81(6) states: “Nothing in section 76 or section 77 or sections 82 to 89 shall apply in relation to any complaint made under this Part in relation to any action of an intelligence organisation, or in relation to any investigation under this Part into any such action.”
Sections 76 and 77 allow the privacy commissioner to call a compulsory conference between the parties at issue in the complaint and also to secure a settlement for an aggrieved data subject. Sections 82 and 83 allow for a privacy complaint to be referred to the Human Rights Tribunal. Notably, Sections 84-88 allow the Human Rights Tribunal to award equitable and legal remedies to data subjects. However, given the carveouts detailed above, none of these legal rights are guaranteed to EU citizens aggrieved by New Zealand intelligence organizations.
The process for handling claims against intelligence organizations under the Privacy Act does not seem up to par with the language in Schrems. There the court stated, “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of data, does not respect the essence of the fundamental right to effective judicial protection (para. 95).” In addition, “… Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article (para. 95).”
There is no guarantee that an EU citizen can access personal data relating to him or her collected by a New Zealand intelligence organization. Section 27 of the Privacy Act allows the government to flatly deny such a request. Likewise, there is no guarantee of rectification or erasure of data. If intelligence organizations may withhold data they have collected on an individual, there is no way one can have it rectified or have it erased. In addition, per Section 81(6), data subjects filing a complaint against an intelligence organization are not guaranteed a public hearing or legal or equitable remedies as the Charter and Schrems set forth.
Conclusion:
It is somewhat ironic to consider that when the EU Commission implemented New Zealand’s adequacy decision it referred to the Privacy Act’s exceptions as “a few specific public interest exceptions that one would expect in a democratic society” and also stated that “the exceptions reflect the principles laid down in Directive 95/46/EC.” Yet now when viewed in light of the Schrems decision, these exceptions could put New Zealand’s adequacy finding in jeopardy.
Because New Zealand intelligence organizations are exempt from key processing criteria, it cannot be said that their activities are based on clear, precise and accessible rules. Moreover, the exceptions intelligence organizations are granted do not allow a reasonably informed individual to foresee what would happen to their data. In addition, there appears to be a limitation that gives New Zealand domestic law primacy over EU law for matters of national security, a significant issue in Schrems. Further, there are credible reports that New Zealand engages in mass surveillance and the law permits surveillance of EU citizens. New Zealand does have an independent oversight mechanism, but is it effective? There have been no cases addressing this, but the carveouts for intelligence activities appear to leave EU citizens almost no guaranteed redress against New Zealand intelligence organizations.
Many critics have cried foul at the CJEU’s Schrems ruling, stating the EU member states themselves have surveillance practices similar to the ones that are rightfully being scrutinized in the United States. The defenses mounted from the EU have been those of civil procedure: that the CJEU does not have jurisdiction over the surveillance practices of member states and member states' surveillance activities are exempt from the Directive 95/46/EC. However, while this is true, per Schrems the CJEU does have jurisdiction over New Zealand’s adequacy decision that would allow it to re-examine that country’s law and surveillance practices. It remains to be seen how adequate an adequacy decision really is in a post-Schrems world.