Data protection law, once the preserve of tragic anoraks with too much time on their hands (in the words of one prominent practitioner) has in recent months become a powerful weapon in the arsenal of media lawyers. It has also become the new front line in the ongoing struggle between privacy and freedom of expression advocates on the one hand and the state and the individual on the other.
The judgment of the Court of Justice of the European Union (CJEU) in the Schrems case, invalidating the ‘Safe Harbour’ agreement by which many US companies secure the lawful transfer of personal data from the EU, is a landmark case with potentially enormous political and commercial implications. The detail of the judgment was explained thoroughly on the Blog here. In light of the judgment there are a number of points to be made.
Europe has little reason to feel complacent on the subject of state surveillance
You could be forgiven for thinking that Schrems is an instance of privacy-conscious Europe administering a rebuke to an intrusive and control-freakish United States. The reality is that European nations are in the midst of enacting a wave of legislation enabling extensive surveillance of electronic communications. France has recently passed one law permitting mass surveillance for the purposes of combating terrorism and is discussing passing another to permit its use for such nebulous objectives as “defending and promoting major foreign policy, economic and scientific interests”. Germany has recently passed a law requiring retention of data by communications service providers for ten weeks (down from six months). In Britain, the Home Secretary has unveiled the new Investigatory Powers Bill which contains broad powers and which may require companies to assist the security services in bypassing encryption. Austria, the Netherlands and Finland are all also considering new legislation and even constitutional amendments. Schrems, as is common with landmark cases, deals more with process than with substance, the focus being on ‘mechanisms’ for ensuring compliance with EU law.
This is not the end of EU-US data transfers
This is the end of the Safe Harbour scheme in its current form. But there are other mechanisms by which personal data may still be transferred to the US. Binding Corporate Rules, which are submitted by a data controller to a regulator are one way of doing this, Model Contract Clauses (boilerplate, EU-approved standard terms) are another (see these explanations of BCRs and MCCs from the British regulator, the Information Commissioner’s Office). The European Commission is currently in negotiations with the US Department of Commerce and other authorities to establish a new Safe Harbour. If agreement is not reached by the end of January 2016, when national data protection authorities have said they will start taking enforcement action against those who have not found a lawful alternative to Safe Harbour, then the situation may become very interesting indeed. Until then, the position remains stable and establishing a new Safe Harbour may prove quite manageable.
Schrems is still a milestone in the evolution of our concept of privacy
Whether or not Safe Harbour resurfaces with a different name and more safeguards, there is no doubt that the CJEU is ‘on manoeuvres’ on the battleground of privacy rights. This is the latest in a line of cases in which the Court has attempted to impose its will on the culture of the internet. Last April in Digital Rights Ireland, the Court invalidated the earlier generation of data retention legislation. Then in May it took on digital search engines in Google Spain, inventing the ‘right to be forgotten.’ Now the Court has issued a warning to the corporate world including digital economy giants such as Amazon and Facebook that mass surveillance will occur on its terms.
Whether these new terms drastically shift the balance back in favour of privacy rights seems doubtful. What we are likely seeing is the evolution of a system where there is nowhere (in terms of data) that agents of the state cannot go. It is instead a question of checks and balances. Which agents of the state? In what circumstances? Whose authority do they need? The final shape of the British Investigatory Powers Bill, when and if it eventually becomes law, will probably be the next major indication of where the balance lies.