Needles in Haystacks: The Coming Threat to Trans-Atlantic Data Transfer Agreements

Over the past fifteen years, an uneasy trans-Atlantic equilibrium between U.S. law enforcement and security agencies’ collection of personal information, sometimes on a bulk basis, and European privacy protection imperatives has prevailed—even despite Edward Snowden's disclosures. Most notably, beginning in the immediate post-9/11 era, international agreements enabling U.S. access to Europeans’ airline passenger name records (PNR) and international bank transaction data were reached, and have been quietly functioning.

Now the question of bulk data collection is about to be addressed by the European Court of Justice in two cases due to be decided in the fall. Neither involves the United States: one is a challenge to the Canada-European Union PNR Agreement and a second involves the data retention laws of the United Kingdom and Sweden. But either, or both, could endanger the bulk data truce between Brussels and Washington, and potentially doom the 2011 Passenger Name Record (PNR) and the 2009 Terrorist Finance Tracking Program (TFTP) Agreements between the United States and the EU.

Both agreements grew out of the U.S. practice of international collection of personal data on persons who are not necessarily subjects of suspicion, for future scrutiny for counter-terrorism purposes. The impetus for negotiation of the PNR Agreement was European consternation over a provision in the 2001 USA Patriot Act that required airlines transporting passengers to the United States to provide the Department of Homeland Security with an array of personal data that they collect in the course of ticket sales. The TFTP Agreement grew out of a (once-)secret U.S. Treasury program requiring providers of international bank transfer services, most notably SWIFT, a Belgian company, to provide transactional metadata in bulk to the Treasury’s Terrorist Finance Tracking Program, pursuant to administrative subpoena.

The U.S. Government’s pursuit of data on ‘innocent’ persons world-wide met particular resistance in Europe, which generally holds to the traditional law enforcement model of collecting information on a more targeted basis, only after an individual has come to be a suspect. As Sophie in’t Veld, a fiery Dutch civil libertarian, pointedly asked during the European Parliament’s debate on approving the PNR Agreement, “Why do we have to give the Americans the haystack so they can find the needle?”

European security agencies, of course, also recognize the value of bulk data analysis in preventing and prosecuting crimes including terrorism. In 2006, the EU, in the aftermath of the London and Madrid attacks, adopted a directive obliging telecommunication providers to retain metadata on their users’ communications, so that national authorities subsequently could access it for criminal investigations. And the EU followed up on its PNR agreement with the United States by later reaching similar deals with several other non-EU countries, including Canada and Australia.

The EU’s 2014 PNR Agreement with Canada largely followed the model of its agreement with the United States. Since Canada’s privacy laws resemble Europe’s much more closely than America’s do, and since the Agreement’s use restrictions and retention limits are stricter than those the EU negotiated with the United States, one might have imagined that this Agreement would have met with greater favor when it arrived at the European Parliament last year for approval. Instead, the Parliament deferred action, asking the European Court of Justice first to rule on whether such bulk collection of data comported with its fundamental rights jurisprudence.

In an April oral hearing in the case, the court displayed considerable skepticism about the agreement, with key judges firing hostile questions at the Commission, and Commission lawyers stumbling in their responses. The court repeatedly questioned the purposes for which Canada would use PNR data, the possibility it would access sensitive data, and potential profiling of passengers. A preliminary ruling is expected by the end of June, with the final judgment likely to follow within a few months.

The EU’s data retention directive also spawned litigation before the Luxembourg court. First, in 2014, Digital Rights Ireland (DRI), an Irish NGO, alleged that the Union’s 2006 Data Retention Directive failed to comport with European fundamental rights guarantees of “necessity and proportionality”. The ECJ made clear in its judgment its discomfort with the concept of storing bulk data on innocent persons, finding that the breadth of information collected under the Directive, as well as the flexibility given member states to determine the purposes for which retained data could be used and the length of retention, failed to meet the necessity and proportionality test. And, in a sharp signal of its displeasure, the ECJ invalidated the Directive with immediate effect, not even granting EU law-makers a chance to conform it to judicial requirements.

The DRI case also was the first opportunity for the ECJ to take note of the Snowden revelations, and the court did not shy from it—even though the subject of the case was bulk data-gathering for criminal law rather than intelligence purposes. The judges observed that the retention directive caused individuals to believe that “their private lives are the subject of constant surveillance.” They also pointed out that the directive did not require that personal data collected for use by European law enforcement authorities be retained within the European Union, where it would be subject to the control of EU data protection law. The court’s distaste at the possibility of trans-Atlantic bulk data transfers for security purposes was hard to miss.

The DRI judgment caused legal confusion across Europe, as member state governments scrambled to evaluate the national data retention laws they had enacted on the basis of the EU directive. Some responded by hastily adopting their own successor legislation, such as the United Kingdom’s enactment of the Data Retention and Investigative Powers Act. In other countries, such as Sweden, the national laws were not changed, but telecommunications providers stopped retaining data, on grounds that continuing to do so would be inconsistent with the DRI holding.

Now the UK and Swedish laws are themselves being examined by the ECJ, in joined cases that were argued just one week after the court took up the EU-Canada PNR Agreement. While the questions in the Canada PNR and UK/Sweden cases are not identical, both afford the tribunal an opportunity it may well take to extend the fundamental rights critique of bulk data collection it laid out in DRI.

The DRI case also inspired Austrian privacy activist Max Schrems’ successful 2015 challenge to the 2000 U.S.-EU Safe Harbor Framework. Schrems complained, on the strength of the Snowden disclosures, that the NSA could have accessed his Facebook account when the company transferred his information back to its servers in the United States. He pointed out that the Safe Harbor contained a plenary exception permitting access to exported personal data for national security reasons.

Neither the Irish High Court nor the ECJ had trouble accepting the proposition that Schrems’ notional injury gave rise to jurisdiction. On the merits, the ECJ also agreed with him, holding that the national security exception, unlimited on its face, went beyond “what is strictly necessary where it authorizes on a generalized basis, storage of all the personal data of all the persons whose data has been transferred from the European Union without any differentiation….” This wasn’t the only defect the ECJ found with the Safe Harbor Framework, but it was an important one.

In the aftermath of the Schrems ruling, as U.S. and European Commission negotiators hastily sought to complete a revised Safe Harbor framework, the ECJ’s holding on bulk data access presented a substantial challenge. The EU’s negotiators believed they had a popular and judicial mandate to rein in U.S. security agencies. The United States, for its part, was firm that the Privacy Shield had to contain a national security exception comparable to its predecessor. In the end, the security exception survived, but the United States, under pressure, did go to unusual lengths to explain how its signals intelligence activities are closely regulated under U.S. law, limited to specified purposes, and contain privacy protections.

In an exhaustive eighteen-page letter attached to the text of the Privacy Shield, Office of the Director of National Intelligence General Counsel Robert Litt made the case that U.S. signals intelligence collection is “as tailored as feasible and [that] signals intelligence collected in bulk can only be used for specific enumerated purposes.” Litt concluded with a blunt appeal to European sensibilities: the U.S. intelligence community “does not engage in indiscriminate surveillance of anyone, including ordinary European citizens….U.S. intelligence agencies do not have the legal authority, the resources, the technical capability or the desire to intercept all of the world’s communications. Those agencies are not reading the emails of everyone in the United States, or of everyone in the world.”

Litt’s detailed letter is a crucial part of the European Commission’s ongoing efforts to persuade EU member states to approve the Privacy Shield on the basis that the possibility of NSA access to data transferred under the Privacy Shield nonetheless squares with the ECJ’s necessity and proportionality standard. The Commission’s proposed finding of ‘adequacy’ for the Privacy Shield—the key step in the EU approval process—cites Litt’s statement that bulk collection of internet communications by U.S. signals intelligence operates on only a very small proportion of the Internet, adding delicately that this “also covers possible access to the transatlantic cables (which the U.S. government neither confirms nor denies is taking place).”

However, as recent pronouncements have made evident, European privacy regulators and the European Parliament insist on casting the issue as whether the United States engages in ‘massive and indiscriminate’ collection of personal data. Transparently, they are looking to the upcoming U.K and Swedish cases, and to the Canada PNR case, as opportunities for the ECJ to restrain the practice of bulk data collection.

A judicial challenge to the Privacy Shield itself in coming months is also quite likely, and the issue of the necessity and proportionality of U.S. national security bulk collection practices almost inevitably will be part of the case. The detail provided in the Litt letter should force the ECJ to go beyond its broad-brush characterization in Schrems that U.S. national security access to communications occurs “on a generalized basis,” and to dig into the reality of the U.S. legal framework for signals intelligence collection.

In the end, the issues that the ECJ will decide in all these cases are very similar to those that the U.S. Supreme Court has grappled with in its evolving 4^th Amendment jurisprudence involving digital data. But while the Supreme Court has begun to adjust its doctrine in light of technological changes in law enforcement techniques, the judgments coming from the European Court of Justice so far have had a formalistic, almost hermetic quality to them. It’s time for Europe to acknowledge that bulk data collection and privacy are not utterly in conflict, and to find a way out of the thicket in which it is increasingly entangled.