Not everyone in politics and government is a fool, any more than in the private sector. Many must have known about the U.S. National Security Agency (NSA) and its partner agencies' surveillance activities for the 30 to 40 years since they entered the public domain. Yet last week, the European Court of Justice (ECJ) invalidated the Safe Harbor decision, apparently because of the NSA post-Snowden.

Or so we have been told many times by many people, not least by Max Schrems. Some are even encouraging us to believe that all we have to do is tell the NSA to play nice and everything will sort itself out with a "Safe Harbor 2.0" agreement.

This is a serious logical disconnect, exacerbated in the adequacy context when you consider the well-known fact that the EU member states do not come with anything close to clean hands. Something does not compute here. So let us go beyond the rhetoric.

Of the final two paragraphs set out in the ECJ judgment, the second is uninteresting, merely invalidating Safe Harbor. The first paragraph, however, sets out the nominally procedural judgment, in a nutshell, that member states and their regulators can challenge any European Commission decision that might conflict with the European Charter of Fundamental Rights. This mirrors Advocate General (AG) Yves Bot’s opinion (paragraphs 98, 116).

Fundamental rights always have been a part of European law, embedded albeit vaguely in the treaty itself. However, between 1999 and 2007 they were consolidated and codified as coming into force with the Treaty of Lisbon in December 2009. They effectively imported Winston Churchill's European Convention on Human Rights, to which the EU recently had become signatory. Unlike the Convention, whose effect is only "vertical," against governments, the Charter also can be used "horizontally" in the private sector.

The significance of this goes far beyond the Schrems case and indeed Safe Harbor, which could be only one of the casualties. 

The regulators and courts in member states now will be able to review all adequacy decisions—by implication this would include the "approved" nation list, such as Canada, New Zealand, Israel, Uruguay, etc. As the AG put it (paragraph 104), such decisions may be no more than "presumptions" which are "rebuttable." On the other hand, alternative regimes such as Binding Corporate Rules, standard clauses and seals should be quite survivable against most regulators, if only because they come "pre-loaded" with considerable regulatory endorsement. Of course they will not necessarily survive private court challenges on a company-by-company basis.

Conceptually, the Charter's privacy components could be seen as symbolizing the merger of the business and government strands of privacy thinking originally initiated by Louis Brandeis in 1890 and Churchill in 1948. However, it has extraordinary power. Reviewing some of the data protection track record of the Charter's Articles 7 and 8:

  • In 2014, the ECJ struck down an entire enactment of the European Parliament: the Data Retention Directive;
  • In 2015, the Court of Appeal of England and Wales (EWCA) struck down, in effect, an entire Act of Parliament: the Data Retention and Investigatory Powers Act 2014, the 2014 UK attempt at a "snooper's charter" following the demise of the Directive;
  • In 2015, in the horizontal Vidal-Hall v Google case, the EWCA also struck down s.13(2) of the Data Protection Act 1998, which obstructed plaintiffs from seeking damages for non-pecuniary/unquantifiable loss (note this is subject to appeal);
  • In Vidal-Hall, the EWCA also "discovered" the tort of misuse of private information, bypassing all adequacy regimes (permission to appeal refused);
  • Now we have Schrems, a kind of horizontal case with a vertical digression, in which the ECJ has struck down the EC's Safe Harbor decision.

Prima facie, it appears the factual scope of the Schrems procedural appeal was limited to the NSA revelations. However, this is misleading.

As the AG said, “Not all aspects of the functioning of the safe harbour scheme have been discussed in ... (these proceedings), and for that reason I do not consider it possible to embark here on an exhaustive examination of the shortcomings of that scheme.” Perhaps he was hinting at a whole succession of public- and private-sector privacy events post-9/11.

For example, the passenger name record (PNR) arrangements imposed by the U.S. forced European airlines to choose, per flight, between committing hundreds of criminal offences in Europe or paying $5,000 per passenger, opening both a comity gap and a "trust gap," which has only widened. The U.S. was always well aware of this; for instance, I was invited to brief a congressional committee chairman on that very point following my speech at a security conference more than 10 years ago. If anything, the NSA is merely the final, minor straw. In passing, PNR now may expect a Schrems-like challenge: Arguably, PNR was always on flimsier ground than Safe Harbor.

Is Safe Harbor 2.0 possible? Of course.

But as a matter of logic and law it must go the same way as the first, until and unless the substance—as distinct from the label—of the regime complies with the Charter. See the AG's comments at 224-5.

It seems to me that the Charter is being wielded by courts in Europe in similar ways to courts in the U.S. wielding the Constitution: that is, to strike down noncompliant decisions of the executive and noncompliant acts of the legislature. This is unprecedented, especially for the UK, in which the last time someone challenged the supremacy of Parliament, 370-odd years ago, they cut his head off.

For avoidance of doubt, nothing said above is legal advice.
