
Not everyone in politics and government is a fool, any more than in the private sector. Many must have known about the U.S. National Security Agency (NSA) and its partner agencies' surveillance activities for the 30 to 40 years since they entered the public domain. Yet last week, the European Court of Justice (ECJ) invalidated the Safe Harbor decision, apparently because of the NSA post-Snowden.

Or so we have been told many times by many people, not least by Max Schrems. Some are even encouraging us to believe that all we have to do is tell the NSA to play nice and everything will sort itself out with a "Safe Harbor 2.0" agreement.

This is a serious logical disconnect, exacerbated in the adequacy context when you consider the well-known fact that the EU member states do not come with anything close to clean hands. Something does not compute here. So let us go beyond the rhetoric.

Of the final two paragraphs set out in the ECJ judgment, the second is uninteresting, merely invalidating Safe Harbor. The first paragraph, however, sets out the nominally procedural judgment, in a nutshell, that member states and their regulators can challenge any European Commission decision that might conflict with the European Charter of Fundamental Rights. This mirrors Advocate General (AG) Yves Bot’s opinion (paragraphs 98, 116).

Fundamental rights have always been a part of European law, embedded albeit vaguely in the treaty itself. However, between 1999 and 2007 they were consolidated and codified in the Charter, which came into force with the Treaty of Lisbon in December 2009. They effectively imported Winston Churchill's European Convention on Human Rights, to which the EU had recently become signatory. Unlike the Convention, whose effect is only "vertical," against governments, the Charter can also be used "horizontally" in the private sector.

The significance of this goes far beyond the Schrems case and indeed Safe Harbor, which could be only one of the casualties. 

The regulators and courts in member states now will be able to review all adequacy decisions—by implication this would include the "approved" nation list, such as Canada, New Zealand, Israel, Uruguay, etc. As the AG put it (paragraph 104), such decisions may be no more than "presumptions" which are "rebuttable." On the other hand, alternative regimes such as Binding Corporate Rules, standard clauses and seals should be quite survivable against most regulators, if only because they come "pre-loaded" with considerable regulatory endorsement. Of course they will not necessarily survive private court challenges on a company-by-company basis.

Conceptually, the Charter's privacy components could be seen as symbolizing the merger of the business and government strands of privacy thinking originally initiated by Louis Brandeis in 1890 and Churchill in 1948. However, it has extraordinary power. Reviewing some of the data protection track record of the Charter's Articles 7 and 8:

  • In 2014, the ECJ struck down an entire enactment of the European Parliament: the Data Retention Directive;
  • In 2015, the Court of Appeal of England and Wales (EWCA) struck down, in effect, an entire Act of Parliament: the Data Retention and Investigatory Powers Act 2014, the 2014 UK attempt at a "snooper's charter" following the demise of the Directive;
  • In 2015, in the horizontal Vidal-Hall v Google case, the EWCA also struck down s.13(2) of the Data Protection Act 1998, obstructing plaintiffs from seeking damages for non-pecuniary/unquantifiable loss (note this is subject to appeal);
  • In Vidal-Hall, the EWCA also "discovered" the tort of misuse of private information, bypassing all adequacy regimes (permission to appeal refused);
  • Now we have Schrems, a kind of horizontal case with a vertical digression, in which the ECJ has struck down the EC's Safe Harbor decision.

Prima facie, it appears the factual scope of the Schrems procedural appeal was limited to the NSA revelations. However this is misleading.

As the AG said, “Not all aspects of the functioning of the safe harbour scheme have been discussed in ... (these proceedings), and for that reason I do not consider it possible to embark here on an exhaustive examination of the shortcomings of that scheme.” Perhaps he was hinting at a whole succession of public- and private-sector privacy events post-9/11.

For example, the passenger name record (PNR) arrangements imposed by the U.S. forced European airlines to choose, per flight, between committing hundreds of criminal offences in Europe or paying $5,000 per passenger, opening both a comity gap and a "trust gap," which has only widened. The U.S. was always well aware of this; for instance, I was invited to brief a congressional committee chairman on that very point following my speech at a security conference more than 10 years ago. If anything, the NSA is merely the final, minor straw. In passing, PNR may now expect a Schrems-like challenge: arguably, PNR was always on flimsier ground than Safe Harbor.

Is Safe Harbor 2.0 possible? Of course.

But as a matter of logic and law it must go the same way as the first, until and unless the substance—as distinct from the label—of the regime complies with the Charter. See the AG's comments at 224-5.

It seems to me that the Charter is being wielded by courts in Europe in similar ways to courts in the U.S. wielding the Constitution: that is, to strike down noncompliant decisions of the executive and noncompliant acts of the legislature. This is unprecedented, especially for the UK, in which the last time someone challenged the supremacy of Parliament, 370-odd years ago, they cut his head off.

For avoidance of doubt, nothing said above is legal advice.

photo credit: The Sweepstakes Shipwreck 1 via photopin (license)

3 Comments


  • Michael Hopp • Oct 21, 2015
    Thanks for a great article. 
    
    You mention that standard clauses should be survivable against most regulators. Have you considered that standard clauses come with a built-in right for national DPAs to prohibit transfers based on the standard clauses, see article 4 (1) (a) of the Commission decisions regarding C2C as well as C2P standard clauses, if 
    
    "it is established that the law to which the data importer or a sub-processor is subject imposes upon him requirements to derogate from the applicable data protection law which go beyond the restrictions necessary in a democratic society as provided for in Article 13 of Directive 95/46/EC where those requirements are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses".
    
    The same issue is dealt with in clause 5 of the standard clauses, see for example clause 5(b) of the C2P standard clauses: 
    
    "The data importer agrees and warrants: ... (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract"
    
    It will be interesting to see national DPAs enforce these provisions against transfers to a number of third countries, including India and China.
  • Stuart Ritchie • Oct 22, 2015
    @Michael: thanks for your comments on standard clauses (sometimes misleadingly called "model" clauses). I agree. You are quite right and this in part is what makes standard clauses "survivable", as they always provided wiggle room for the regulators. The Charter of course raises the bar, making intervention a little more likely, most especially from aggrieved DPAs responsible for affected data subjects away from the company's forum-shopped main European establishment (the erstwhile "one-stop-shop"). As for other "survivability" attributes, standard clauses go some way to covering off other Directive objectives, such as data subject remedy (the seventh Safe Harbor principle usually honored only in the breach). Interestingly, Jon Neiditz has inferred that the protections of standard clauses indirectly may extend beyond the EU (https://www.linkedin.com/pulse/how-safe-harbors-death-empowers-non-europeans-spawns-jon-neiditz)
    
    (Likewise the reason that BCRs seem survivable is that they require DPA unanimity prior to approval, thus only changes in law or regulator attitudes should imperil them)
    
    In general I would expect regulatory challenge to companies using the standard clause regime, at least in the early stages, to focus on the low-hanging fruit, as it were: those companies attempting to use it to self-certify while ignoring their substantive obligations. It seems likely the regulators will be able easily to identify these by randomly piggybacking on private court cases or news reports. In the short term it might seem viable to hide in the forest. However, with fines multiplying approximately a hundredfold in two years time (the GDPR) this may not be a good time for businesses to establish a bad track record.
  • Teresa Schoch • Oct 23, 2015
    Thank you, Stuart. I really appreciate how you can cut right through to the important aspects of EU privacy protective measures that can really only be understood by framing them within their historical references. I will be citing this work frequently.