—Fiorella Dal Monte, Ca’ Foscari University of Venice
The concept of privacy and the tools available to protect it have come to represent a dividing line between the two sides of the Atlantic. In the Schrems case, the Court of Justice of the European Union (ECJ) very recently placed significant obstacles in the way of personal data transfers between the EU and the US.[1] Transnational legislators will now need to find a way of overcoming these new barriers.
The ECJ has, in fact, shed light on the need to better regulate and protect privacy concerns worldwide by indirectly suggesting that the level of protection offered by the US to EU citizens’ personal data is no longer adequate. As a consequence, it raised an interesting comparative issue, which will have to be addressed by international legislators and academics. In particular, the Court of Justice’s observations are likely to be crucial in the Transatlantic Trade and Investment Partnership (TTIP) negotiations between the EU and the US.[2]
Although nowadays privacy is widely recognized as a fundamental right, Western legal systems safeguard that right in different ways, thus balancing the needs of national security and individual protection differently. Indeed, since 9/11, there has been an ongoing and unresolved conflict between the fundamental right of the individual to feel secure in his own country and the individual’s right to feel protected in “his own home.” This conflict is even more difficult when transatlantic issues are at stake. EU academics have long been committed to searching for the optimal balance between the collective interest in defense and the protection of privacy. However, the question has proven difficult to resolve and it has now fallen to judges to find and decide which one of these interests should prevail.
Schrems is important because it deals with a leading American company, Facebook Inc., but the ECJ’s decision may have much broader effects on overall transatlantic economic relations. Indeed, in its judgment, the Court summarized a decade of privacy issues and attempts to make EU and the US legislation on privacy compatible, and ruled that the US level of privacy protection is not equivalent to that granted by the EU.
The ECJ interpreted the level of protection of personal data that must be extended by a third country according to article 25 of European Union Directive 95/46/EC. That provision governs general transfers of personal data, since data transferred for specific purposes such as counterterrorism and criminal investigations is governed by different provisions set out by individual international agreements between the EU and some third countries.[3] The Court held that an outside country need not provide identical protection to the EU, but it must provide an “essentially equivalent” level of protection (see point 73, recalling the conclusions of Advocate General Bot). The ECJ basically denied that the US met that standard in the storage of personal data by American companies even when those companies voluntarily adhered to the Safe Harbour privacy principles set out in a prior EU-US agreement and validated by European Commission Decision 2000/520/EC.[4]
As requested by the Irish High Court, which referred the case to the ECJ for a preliminary ruling,[5] the ECJ focused its analysis on the fundamental rights of EU citizens who are daily users of the social network Facebook and whose personal information would suffer from a potential breach.[6] After being transferred from the European subsidiary of Facebook in Ireland to the American parent company Facebook Inc., the Court noted that EU citizens’ personal data could be accessed even by the US Government and, in particular, by the National Security Agency for intelligence activities.[7]
The ECJ established that Decision 2000/520/EC of the European Commission, which recognized the level of protection provided for by the Safe Harbor agreement, was invalid. Thus, it held that national supervisory authorities must be granted more power. It recognized their right to verify the legitimacy of an extra-EU transfer of personal data case-by-case, so as to verify whether the level of extra-EU personal data protection is adequate. The Irish Data Protection Commissioner had not deemed it within the powers of a national supervisory authority to determine the adequacy of American legislation on personal data.
The ECJ has sent a warning signal that needs to be heeded at an international level. International players will need to find a satisfactory response so as to assure a sufficient – and enhanced – intensity of protection of the right to privacy. Authorities must now work for the creation of a common platform for the transatlantic transfer and processing of personal data.
As mentioned above, the TTIP negotiations could represent an interesting playing field in this sense. Moreover, since Decision 2000/520/EC has now been declared invalid, the European Commission will need to stipulate higher standards of protection in EU-US data transfers than the ones accepted in the signing of the previous EU-US agreements.
Nor should it be forgotten that this judgment is likely to have powerful implications for the EU e-economy. Facebook is far from the only major US company with a EU subsidiary. This leads to the obvious conclusion that more companies will need to comply with this decision and stop illegitimately sending data outside EU borders. National data protection authorities will be in a position to audit companies and compliance will be required when extra-EU protections of privacy are found inadequate.
To sum up, the ECJ has held that EU citizens must feel individually more protected, rather than collectively more secure, when communicating online.[8] What is more, the ECJ’s jurisprudence links this requirement to human dignity, understood in part as the fundamental right to be informed and to freely evaluate and make choices. What remains to be seen, of course, is whether the ECJ’s case law will indirectly improve data storage and privacy practices in the United States.
Suggested citation: Fiorella Dal Monte, Facebook Before the ECJ: The Clash between EU and US Conceptions of Privacy, Int’l J. Const. L. Blog, Nov. 6, 2015, at: http://www.iconnectblog.com/2015/11/facebook-before-the-ecj-the-clash-between-eu-and-us-conceptions-of-privacy/
[1] Judgment of the Court of Justice of 6 October 2015, Maximilian Schrems vs. Data Protection Commissioner, C-362/14 (ECLI:EU:C:2015:650), available at http://ipcuria.eu/details.php?t=1&reference=C-362/14.
[2] For more information on the TTIP, see http://ec.europa.eu/trade/policy/in-focus/ttip/.
[3] See, for instance, the Passenger Name Records agreements and the SWIFT agreement executed by the European Union and the United States of America in the aftermath of 9/11 terrorist attacks for counterterrorism purposes.
[4] The Safe Harbor Principles stem from the Safe Harbor Agreement, executed by the European Union and the United States in order to remedy an issue raised by article 25 of directive 95/46/EC. That directive stated in part that “the Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection….”. In light of that provision, the EU and the US agreed to standard minimum criteria of privacy protection so as to allow American companies which voluntarily agreed to comply with these criteria the opportunity to implement personal data protection transfers to the USA. In Decision 2000/520/EC of the European Commission, the Commission found that the EU had to recognize the adequacy of personal data protections established by American companies voluntarily adhering to the principles of the agreement.
[5] Article 267 of the Treaty on the Functioning of the European Union (TFEU) provides that “[t]he Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning: (a) the interpretation of the Treaties; (b) the validity and interpretation or facts of the institutions, bodies, offices or agencies of the Union; Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon. Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court. If such a question is raised in a case pending before a court or tribunal of a Member State with regard to a person in custody, the Court of Justice of the European Union shall act with the minimum of delay.”
[6] See Schrems, points 37-66.
[7] See Schrems, points 28 and 30 and the relevant conclusions of Advocate General Bot, points 25, 35-36. Although it would be very interesting to analyze the specific differences in the EU and US legislation providing for privacy protection, it is not possible to analyze them in depth here. For an in-depth study, see, e.g., CHARLESWORTH A., Clash of Data Titans? US and EU Data Privacy Regulation, in European Public Law, 2000, vol. 6, 2, 253-274; HESS B., MARIOTTINI C. (eds), Protecting privacy in private international and procedural law and by data protection. European and American Developments, Ashgate, 2015.
[8] The Court is not alone in holding this view: see, inter alia, Opinion No. 4/2015, issued by the European Data Protection Supervisor on 11 September 2015 on Towards a new digital ethics, Data, dignity and technology. See also the Judgment of the Court of Justice of 8 April 2014,Digital Rights Ireland, C-392/12 (ECLI:EU:C:2014:238).
Comments