‘Safe harbour’ court ruling could prevent US firms from reaching European users

When is a harbour not a safe harbour? Dominic Lipinski/PA

Is there any point in worrying about privacy, when in this hyper-connected age we spend so much of our time creating and sharing data with others? Either shared through social media or given to advertisers in exchange for the free services we use, it almost seems absurd to argue for strong data protection and privacy laws while we give so much away.

But notions of privacy and personal data protection are still crucial in a sharing environment. In Europe the rights to privacy (defined in Article 8 of the European Convention on Human Rights and Article 7 of the European Charter of Fundamental Rights) and to data protection (in Article 8 of the Charter) clearly apply online, offering protection against systematic surveillance of communications by public and private entities. However, while Europeans particularly care about privacy, ultimately there is no global agreement. The giants of the internet, for example, are generally US companies operating within a legal system without a harmonised and comprehensive data protection regime.

The conflicting nature of European and US privacy legislation has been highlighted in a court case between one of these giant firms, Facebook, and Austrian privacy activist Max Schrems. Schrems brought his complaint to the Irish Data Protection Commissioner (Facebook’s European base is in Dublin) over the firm’s sharing of his personal data with US authorities.

The commissioner originally rejected the complaint and the case has now escalated to the Court of Justice of the European Union (CJEU). That court’s ruling could upset a 15-year-old balancing act between EU and US laws. If the court finds in Schrems’ favour, this could have major implications for how the most popular internet services – largely US firms – act in respect of their non-US users.

The Atlantic divide

The conflict stems from the EU’s comprehensive and relatively stringent data protection regime. In order for EU and US organisations to work together, a set of standards needs to be agreed to ensure that European citizens’ data receives the same protection when transferred to other countries as it would within the EU. Over the years, the European Commission has recognised various countries as providing adequate data protection – including the US in 2000, under which transfers of data between the US and EU fall under the Safe Harbour Framework.

But the safe harbour principles include exclusions for “national security, public interest, or law enforcement requirements” – exclusions not taken into account in assessing legal protections in the US. As revealed by files released by Edward Snowden, US laws such as the Foreign Intelligence Surveillance Act (FISA) have opened the door since 2000 to mass surveillance of non-US citizens and the collection and storing of their personal data. Considering the review procedure for FISA authorisations is entirely secret, this is worrying for anyone without the constitutional protections afforded to US citizens.

While privacy experts had raised the differing treatment of US and non-US citizens even before Snowden’s leaks, those leaks revealed the capabilities of the US National Security Agency to collect and analyse vast amounts of internet communications and online browsing histories. They also made clear the extent to which internet giants such as Facebook, Microsoft and Yahoo complied with US requests for data. Suddenly the European Commission’s claim that US law offers adequate data protection seemed unfounded.

Decisions made here could have far-reaching consequences. Niall Carson/PA

Facebook vs the people

In his case against the Irish data commissioner, Max Schrems attacks the commissioner’s refusal to investigate his claim. Schrems’ argument is that Snowden’s revelations show there is no meaningful data protection in US law as it allows bulk collection and retention of non-US citizens’ data even without a court order. The commissioner’s refusal could nonetheless be justified by the presence of the US on the European Commission’s list of approved adequate legal systems, however discredited that now seems.

In July last year, the Irish High Court referred the case to the CJEU, essentially to rule on whether a member state’s data protection agency such as the Irish Data Protection Commission is “absolutely bound” by the European Commission’s decision to declare the US a safe harbour for EU data.

The alternative would allow the commissioner to assess whether US law provides the protection expected by European citizens until the European Commission issues a new and valid decision. The CJEU has now heard arguments from both parties, with the advocate-general’s opinion expected in June.

Worldwide implications

The CJEU had already ruled in April 2014 that the European mass data retention scheme was invalid due to the absence of appropriate legal safeguards. Some expect the ruling will address the legality of the commission’s decision, although the question posed to the CJEU is not exactly framed in these terms.

So the CJEU’s ruling could affect the current safe harbour agreement between the US and EU, perhaps even raising the possibility it may be suspended. National data protection agencies may also be tempted to suspend data transfers to the US – something that could interrupt the reach of US-based online services to some member states. However, because the treatment of personal data for the purposes of national security falls outside the scope of EU law, the CJEU’s answer might not be that obvious.

Are we at an impasse? A recent study that compared international approaches to data protection has shown that the laws of many EU member states do not prohibit the bulk collection and retention of foreign data. But EU member states do not necessarily have the same capabilities as those of the US. If anything this tale reveals the need for minimum international standards as much as it demonstrates the legal complexities that arise from the lack of them.