Is a country’s privacy regime adequate? To people who are not privacy professionals, this question may seem odd. What does adequacy of a legal framework mean? Is being “adequate” even a good thing?
But for privacy professionals, the context is clear. European law allows the transfer of personal data to non-European countries only if they “ensure an adequate level of protection.” The U.S.-EU Safe Harbor framework was believed to provide such adequate safeguards, but, in its October 2015 decision in Maximillian Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the framework. In the background were Edward Snowden’s revelations about the prevalence of access to private communications data by the U.S. government, particularly the NSA.
Commentators warned that the Schrems decision could have profound implications for much more than just the Safe Harbor. The logic underlying that decision could easily extend to undermine transfers to other “adequate” countries, including Five Eyes members like Canada and New Zealand, or U.S. intelligence partners such as Israel, as well as alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Sure enough, in December 2015, Schrems himself amended his original complaint to the Irish Data Protection Commissioner, challenging the validity of Facebook Ireland’s alleged transfer of his data to the U.S. based on the European Commission approved standard contractual clauses (Schrems 2.0). The Irish DPC held that the complaint is well founded, but in line with the CJEU’s Schrems decision, petitioned the Irish High Court asking to refer the matter for ruling by the CJEU on the question of whether the European Commission’s standard contractual clause decisions are valid under European law. Under Schrems, “the [CJEU] alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid.”
In Schrems, the CJEU delivered its decision based on the thinnest of factual bases, relying on the European Commission’s failure to examine “rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States.”
In Schrems, the CJEU delivered its decision based on the thinnest of factual bases, relying on the European Commission’s failure to examine “rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States.” The CJEU’s most elaborate factual finding was a reference to the Irish High Court’s, noting that “revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.” In contrast, in Schrems 2.0, the Irish High Court set out to explore the surveillance oversight laws of the U.S. This is a monumental task. A court’s thorough assessment of its own country’s surveillance laws is rare enough, let alone the laws of another country, and even more so a country like the U.S., which quite possibly has the most detailed, elaborate and transparent legal framework applicable to intelligence gathering by domestic and foreign surveillance agencies.
Are U.S. surveillance laws adequate? Like the classic Twilight Zone episode, it all depends on the eye of the beholder when the bandages are pulled off. The collection of opinions we have collected here, by experts on both sides of the litigation, helps shed light on some of its intricacies. Georgia Institute of Technology Professor, and Alston & Bird Counsel, Peter Swire, selected by Facebook, concludes that “overall intelligence-related safeguards for personal data held in the U.S. are greater than in EU Member States.” Conversely, analyzing the same laws, ACLU Staff Attorney Ashley Gorsky, selected by Schrems, states “U.S. surveillance law is extremely permissive, as the government claims broad authority to acquire the communications and data of non-U.S. persons located abroad.”
Other resources exist, though are not plentiful. A recent Oxford University Press book edited by Fred Cate and Jim Dempsey, assesses systematic government access to private-sector data in a dozen jurisdictions, including the U.S., France and Germany, Brazil, Japan, Korea and even India and China. In an article recently published by the Wisconsin International Law Journal, Gabe Maldoff and I examine the adequacy of Canada’s surveillance laws.
In the next few years, the debate will continue to rage. As the U.K. breaks ranks with its EU partners, its laws too could be deemed “inadequate.” In fact, while not subject to the jurisdiction of the European Commission, national security regimes of European Member States are drawing wide criticism for being overly lenient, cryptic and opaque. To perhaps avoid widely divergent opinion on the relative beauty or ugliness of U.S. surveillance law, this collection will help inform the conversation and ground it in solid facts.
Photo credit: Video still courtesy Daily Motion.