Schrems v. Data Protection Commissioner: Some Inconvenient Truths The European Court of Justice Ignores

Today’s decision by the European Court of Justice on safe harbor – Maximillian Schrems v. Data Protection Commissioner, ably summarized by Lawfare’s Alex Loomis – ignores some very inconvenient truths about surveillance and privacy on both sides of the Atlantic. In this post, I explain what the ECJ ignores. In my next post, I will argue that if the US and the EU are willing to acknowledge those truths – and make some very painful compromises – the decision offers a unique opportunity for global surveillance reform.

First, a word about safe harbor. European law provides privacy guarantees to data subjects, and prohibits transfers of data to countries outside the EU unless those countries offer an “adequate level of protection.” The US-EU safe harbor scheme, administered by the US Department of Commerce, is supposed to satisfy this standard for participating companies. Companies agree to follow required privacy principles by signing up to the scheme.

Although signing up is voluntary, the promises, once made, are enforced by the Federal Trade Commission. So, if Facebook violates a promise to its EU users under its safe harbor commitments, the FTC can hear complaints by EU citizens and offer redress. Against companies, these protections are more than theoretical – the FTC has taken many enforcement actions under the safe harbor scheme, as FTC commissioner Julie Brill explained in Brussels last January in a discussion with Paul Nemitz of the European Commission.

The big disconnect is that while the US has viewed the data privacy issue mainly as a matter of commerce, the EU views it as a matter of fundamental human rights. At least, in theory it does. In practice, it’s rather different – but I’m getting ahead of myself.

The sticking point, after Snowden, is that the safe harbor agreement does nothing to restrict US government surveillance. Instead, it says that companies must obey US law, even if doing so would otherwise violate the commitments those companies have made under safe harbor. This includes, for example, section 702 of the Foreign Intelligence Surveillance Act (FISA), which provides authority for the NSA’s PRISM program.

So, while an EU citizen like Max Schrems may challenge how Facebook is handling his data under the safe harbor principles, if Facebook gives his data to the NSA under the PRISM program, he has no meaningful recourse against either Facebook or the NSA. The ECJ has decided the failure of the safe harbor agreement to provide any limits on national security surveillance means it violates EU law. The US finds this argument maddening, and for good reason. It ignores two very inconvenient truths.

First, Max Schrems’s Facebook data actually has more protections in US law when it is on a server in the US than when it is in the EU. As I explained earlier this year in TechCrunch, offshoring data won’t protect it from the NSA, and neither will keeping data in Europe. When content is located inside the United States, it cannot be collected except by order of the Foreign Intelligence Surveillance Court (FISC). The court imposes detailed oversight and auditing requirements, and has enforced those rules with threats of contempt of court. When such data about non-US citizens is located outside the United States, the NSA needs no court order to collect it, and the limited privacy rules it offers to non-US citizens under Presidential Policy Directive 28 (PPD-28) are not enforced by any oversight mechanism outside the Executive Branch.

Second, for the NSA to obtain Max Schrems’s Facebook data in the US, the NSA will face more legal scrutiny under US law than most intelligence services in the world, including in EU countries, ever will. As I’ve explained before on this site, many European countries do not require judicial orders for intelligence surveillance. Of four European countries included in the Center for Democracy and Technology’s comparative analysis of surveillance laws, only Italy requires a court order for national security surveillance. France, Germany, and the United Kingdom do not.

The bottom line is that, if the fact that a country provides broad legal authority for national security surveillance means that the EU doesn’t consider it a safe jurisdiction for storing data about its citizens, it might want to take a good long look at the laws of its own member states. The EU may also want to look at the laws about national security surveillance of many other countries, starting with those it has determined provide an “adequate level of protection” for personal data. Israel is on that list. It will not surprise you to learn that Israel does not require a court order for national security surveillance.

And that’s where this decision by the ECJ offers an extraordinary opportunity for global surveillance reform. If the ECJ is serious about subjecting national security surveillance laws to real scrutiny, it could build serious momentum for reform of those laws – and not just in the United States.