Published by The Lawfare Institute
in Cooperation With
On Thursday, Dec. 19, the Court of Justice of the European Union (CJEU) issued a long-awaited preliminary opinion on whether U.S. surveillance laws violate the fundamental rights of individuals whose personal data are transferred across the Atlantic for commercial purposes, such as for cloud services, finance and consumer transactions. The views expressed by Advocate General (AG) Henrik Saugmandsgaard Øe of Denmark in the case of Data Protection Commissioner v. Facebook Ireland should generate equal measures of relief and alarm for the U.S. government and for companies dependent on data transfers. A final judgment from the CJEU, which may or may not follow the advocate general’s recommendations, is expected in a few months.
The opinion constitutes the European court’s most in-depth look to date into whether U.S. privacy protections for intelligence collection against foreigners meet European Union standards. Observers of U.S. national security law may be surprised to learn that EU privacy law can have such a broad extraterritorial effect, extending into granular questions such as the provision of notice and redress for EU nationals who are the subject of U.S. surveillance.
From Ireland to Luxembourg
The current case grows out of a long and tangled history of litigation in Europe instigated by Maximillian Schrems, an Austrian privacy activist. Schrems took Edward Snowden’s revelations about the expansive scope of U.S. national security surveillance activities as evidence that Facebook could be ordered to send his personal information to the National Security Agency. In a 2015 judgment, the CJEU found that the existing transatlantic privacy protections, in the form of the U.S.-EU Safe Harbor Framework, did not measure up to the requirements of the EU’s Charter of Fundamental Rights, and the court effectively invalidated the agreement.
A year later, the two governments put in place a successor, the Privacy Shield Framework, with privacy protections strengthened to meet the CJEU’s criticisms. Today, more than 5,000 companies, European as well as American, rely on Privacy Shield as the legal basis for their data exports to the United States. Undeterred, European privacy activists in October 2016 filed a CJEU challenge to Privacy Shield that has yet to be decided.
In parallel, Schrems launched a judicial attack in Ireland against the principal alternative legal mechanism for data transfers—standard (or model) contractual clauses. These clauses are widely used in global commerce to ensure that recipients of personal data outside the EU respect the protections individuals’ data would enjoy within the union. Schrems asserted that Facebook’s reliance on standard clauses was just as vulnerable to U.S. intelligence community demands as data transferred pursuant to the intergovernmental Safe Harbor Framework had been.
Thus, the Luxembourg-based EU courts were presented with nearly simultaneous challenges to both major data-transfer mechanisms in use with the United States, each case posing similar questions about U.S. surveillance law and practices. In view of the commonality, the lower-instance EU General Court decided to temporarily postpone proceedings in the Privacy Shield matter, pending resolution of the standard clauses case by the CJEU itself.
At the CJEU’s hearing this past summer on Schrems’s follow-up case, the reporting judge, Thomas von Danwitz of Germany, went beyond standard clauses to question the validity of the Privacy Shield as well. The stage was set for a CJEU ruling with potentially enormous consequences for transatlantic digital commerce.
Saugmandsgaard Øe Opines on Standard Contract Clauses
Advocate General Saugmandsgaard Øe’s 97-page opinion attempts to steer a middle course in this charged political and economic environment. He offers the judges a coherent, well-reasoned theory for separating their consideration of issues relating to standard clauses from the similar ones posed in the Privacy Shield case. But he then goes on to offer an alternative analysis of whether the Privacy Shield comports with EU privacy law, in case the court decides to widen the judgment to address both data-transfer contexts.
The advocate general first suggests that EU privacy law should apply to the transfer of personal data to the United States by companies located in Europe, while excluding subsequent treatment of such data by U.S. intelligence agencies from the reach of EU law. He urges that contractual privacy safeguards not be judged by precisely the same standard that the CJEU had previously used to invalidate the Safe Harbor Framework. Although both mechanisms were designed to preserve the continuity of privacy protection when data move outside EU territory, they address different transfer scenarios, Saugmandsgaard Øe notes. Specifically, the safeguards embedded in commercial contracts were designed by the EU legislature to operate in circumstances where the European Commission had not reached an omnibus finding that the foreign jurisdiction’s laws protecting privacy were essentially equivalent to the EU’s.
Importantly, the AG rejects the argument that contractual safeguards, which do not bind a foreign government or directly constrain its data demands, in principle could never be sufficiently protective of individual privacy. Indeed, he notes that the European Commission’s 2010 decision approving the use of standard clauses expressly contemplated that a data importer could be ordered to turn over data for national security reasons. However, the European data exporter, once notified by the foreign importer of the governmental demand, could ask the relevant EU member state data protection authority (DPA) to prohibit the affected data transfer outside the union from taking place at all.
The advocate general urges that the CJEU not take the “somewhat precipitous” step of prejudging how a DPA would evaluate the sufficiency of contractual privacy protections in a particular case by leaping to broad conclusions about whether the provisions of the separate Privacy Shield Framework relating to foreign surveillance comport with EU privacy law—despite the similarity of the analysis required in both contexts.
Whither Privacy Shield?
Saugmandsgaard Øe’s pragmatic decision to focus solely on the validity of standard clauses constitutes only the first half of his opinion, however. The remainder proposes an analysis in the alternative of the validity of the Privacy Shield itself. In doing so, he appears to be acknowledging the possibility—if not likelihood—that von Danwitz, who has a history of authoring robust judgments expanding the reach of EU privacy law, will persuade his colleagues on the court to issue one sweeping ruling assessing U.S. surveillance law in both data-transfer contexts.
EU law stipulates that safeguarding national security is the sole responsibility of its member states, which at a minimum sharply limits the extent to which the CJEU may examine their surveillance laws in light of EU-level privacy rights. But nothing in EU law expressly prohibits the CJEU from examining a non-EU country’s surveillance laws against a European standard. The relevant standard of comparison, the advocate general suggests, is provided in part by EU law and in part by the member state’s own laws and international obligations it has taken on under the separate European Convention on Human Rights (ECHR).
The complexity of relevant European law in turn yields a curiously bifurcated set of conclusions about U.S. surveillance law. In circumstances where the United States compels private companies to produce personal data for national security purposes, as it does pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), those data transfers must be measured against EU privacy law. At the same time, where U.S. security agencies instead acquire data without the agency of private companies, as occurs in surveillance conducted under the separate authority of Executive Order 12333, only the more forgiving standards of the ECHR would be relevant.
The European Commission, in its 2016 endorsement of the adequacy of privacy protections contained in the Privacy Shield, had validated the safeguards provided specifically under FISA Section 702. In the advocate general’s view, however, the court is free not only to reexamine the commission’s decision on Section 702 but also to scrutinize safeguards for intelligence activities authorized by Executive Order 12333—a subject that the commission had addressed only indirectly. Saugmandsgaard Øe notes that the executive order is not a statute, and that its attendant privacy protections are contained in a Presidential Policy Directive (PPD-28) that likewise may be revoked or amended by the U.S. executive at any time. He concludes that these latter two authorities therefore do not afford the degree of legal foreseeability that EU law requires.
In a small victory for the U.S. government—one of its few in the portion of the opinion dealing with the Privacy Shield—the advocate general considers FISA Section 702 not to allow “generalised access” to the content of electronic communications, since it requires the use of selection and filtering criteria before intelligence officials may access personal data. A contrary finding would have meant that Section 702-based surveillance violated the essence of EU privacy rights. Nor does Saugmandsgaard Øe propose that Executive Order 12333-based surveillance offends ECHR standards that would apply to similar activity by EU member states.
In other respects, however, the advocate general finds inadequacies in U.S. surveillance under these legal authorities. Neither allows for judicial or independent administrative review of data selection criteria. PPD-28’s promise that surveillance will be “as tailored as feasible” falls short of EU law’s requirement of “strict necessity.” U.S. law also fails to offer individuals a judicial remedy to object to surveillance conducted on the basis of the executive order. He concludes by expressing doubt that the commission’s adequacy finding for Privacy Shield-based transfers measures up to EU privacy rights.
Finally, the advocate general finds deficiencies in the mechanism created in the Privacy Shield for U.S. government review of complaints lodged by Europeans against surveillance activities. Recourse to the State Department ombudsperson, a senior official given this responsibility by the agreement, cannot be deemed to be an effective judicial remedy as defined in EU law. He does not enjoy independence from the executive branch, and he is precluded from advising a complainant whether he or she has in fact been surveilled or how a violation of Privacy Shield standards has been remedied.
Judgment Day Coming
If the CJEU follows the advocate general’s urging to limit its forthcoming judgment to the sufficiency of contractual clauses to protect individual privacy interests, and also accepts that contractual provisions enforced by European data protection authorities can remedy foreign sovereign demands, one of the major mechanisms for transatlantic data transfers will have been salvaged—for now. There have been signs that the court may be looking to preserve the validity of the contractual privacy regime. Notably, CJEU President Koen Lenaerts of Belgium, during the oral hearing this summer, acknowledged the commercial importance of standard clauses across the globe, and the advocate general opinion notes that as well.
Saugmandsgaard Øe’s alternative approach—deciding the validity of the Privacy Shield’s surveillance-related protections as well—may be hard for the court to resist, however. His close analysis of U.S. surveillance law as it applies in both transfer contexts lays a foundation for a far-reaching court judgment sweeping in the Privacy Shield, even if that is not the AG’s preferred approach.
American surveillance law experts surely will conclude that the advocate general doesn’t do full justice to our system of privacy protections. For example, the advocate general underestimates the extent to which U.S. nonstatutory executive measures can have durable legal effects. Attempting to plumb the depths of a foreign legal system is dangerous territory for the European court, well beyond its customary role of pronouncing on the meaning of EU law.
Under either judicial scenario, the path ahead remains troubled for the companies that depend on transatlantic data-transfer mechanisms. After the CJEU rules, the Irish data protection commissioner might well quickly rule against Facebook’s reliance on standard clauses, as its earlier preliminary consideration of the matter suggested. Similar complaints about other U.S. companies’ reliance on standard clauses likely would proliferate across Europe, generating a series of fragmented, case-by-case national decisions, unending litigation, and substantial legal and business confusion.
The consequences of invalidating the commission’s decision in favor of the Privacy Shield would be more immediate, particularly if the CJEU—as it did in the Safe Harbor case—were not to allow an interval for renegotiation before its judgment takes effect. Companies would need to promptly restructure their legal arrangements for transferring data to the United States from Europe to rely exclusively on standard clauses. In addition, U.S. and European Commission officials who hoped that the Privacy Shield Framework would be a lasting reconciliation of U.S. national security and European privacy imperatives would be forced to confront the specific deficiencies in U.S. surveillance law that the CJEU identifies. And the U.S. government would be forced to consider whether it is willing to make changes in domestic law in response to foreign dictates. In Washington and Brussels, the holiday season will include contingency planning for yet another transatlantic data crisis.