Making Privacy a Reality: The Safe Harbor Judgment and Its Consequences for US Surveillance Reform

Earlier this month, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued its judgment in Schrems v. Data Protection Commissioner, in which it struck down the legal underpinnings of the EU-US Safe Harbor Agreement—the arrangement that enabled thousands of US companies to transfer EU users’ data to the US for processing and storage. Although the Court’s decision to invalidate the basis for Safe Harbor has placed a serious burden on transatlantic trade, the judgment makes clear and persuasive findings about the protections EU residents’ data must enjoy when transferred to the US. In doing so, it has provided a major impetus for reforms to Section 702 of the Foreign Intelligence Surveillance Act (FISA) — a law the NSA uses as the basis for some of the most egregious warrantless surveillance activities revealed by Edward Snowden, including PRISM and “upstream” collection.

Naturally, the CJEU cannot strike down US laws, nor did it seek to do so. In the absence of reforms to Section 702, however, any new data transfer agreements between the EU and the US are very likely to be invalidated by the Court. In order to avoid this and ensure that the US respects the human rights of people both within and outside its borders, Congress urgently needs to make thorough reforms to Section 702. Among others, these reforms include:

• prohibiting “upstream” surveillance;
• strictly limiting the purposes for which the US intelligence agencies may obtain personal data under Section 702;
• establishing stronger constraints on US officials’ ability to gain access to and use that data; and
• ensuring that anyone whose rights may have been violated in this context can obtain effective redress.

Origins of the Schrems case

The Schrems case had its origins in the strong and detailed EU laws that protect the privacy of personal data, particularly the 1995 Data Protection Directive. The Directive mandates that personal data may only be transferred from the EU to a non-EU country such as the United States if that country “ensures an adequate level of protection” of privacy and other individual rights. In 2000, the European Commission, the EU’s executive body, issued a decision effectively finding that the US offered an “adequate level of protection” and that it was therefore lawful under the Data Protection Directive for companies to transfer EU users’ personal data to the US. This decision was the legal basis for the Safe Harbor arrangement.

Following the Snowden revelations, Austrian student and social media user Maximillian Schrems filed a complaint with the national Data Protection Commissioner in Ireland, where Facebook’s international headquarters are located, alleging (among other things) that the US did not in fact provide an adequate level of data privacy protections, and asking the Commissioner to investigate whether Facebook should be allowed to transfer EU users’ data to the US. Ultimately, the High Court of Ireland decided to ask the CJEU whether the national Data Protection Commissioner had the power to carry out such an investigation notwithstanding the European Commission’s earlier decision that US data protections were
“adequate.” In doing so, the Irish court expressed grave concerns about certain US surveillance practices that Snowden had revealed.

NSA surveillance under Section 702 of FISA

The NSA surveillance program that was the main focus of the Irish High Court’s concern was PRISM, through which the intelligence agency issues warrantless “directives” forcing US companies to turn over communications or other data associated with certain accounts. As the CJEU’s judgment has made clear, the NSA’s “upstream” surveillance—which involves US government monitoring of virtually all Internet-based communications flowing into or out of the United States—is also a crucial subject of concern in this context.

The NSA conducts both of these programs on the basis of Section 702 of FISA, a federal surveillance law that allows the US to engage in warrantless “targeting” of people outside its borders (other than US citizens or permanent residents) in order to acquire “foreign intelligence information.” As described in this recent CDT-led explainer, Section 702 warrantless surveillance programs have a profound, detrimental impact on the privacy of Americans and people around the world, and are not subject to sufficient or transparent oversight.

Section 702, along with other parts of the FISA Amendments Act, is scheduled to expire on December 31, 2017, unless Congress renews it.

The CJEU’s findings

In Schrems, the CJEU began by answering the question the Irish High Court had asked: it found that national Data Protection Commissioners in the EU have the power (and, in fact, are obligated) to investigate complaints that a country that receives EU users’ data — such as the US — does not ensure adequate respect for privacy rights, even if the European Commission has previously decided otherwise. The Court then proceeded to address the substantive issue that underpinned Schrems’ original complaint: whether the European Commission decision underlying the Safe Harbor Agreement was valid. The Court concluded that it was not.

In reaching this holding, the Court did not criticize specific US laws or practices directly. Instead, it discussed the safeguards the European Commission (or, presumably, any other entity that is obligated to abide by the Data Protection Directive) must ensure are in place before deciding that a non-EU country “ensures an adequate level” of data protection in line with EU fundamental-rights laws. In essence, the Court indicated that in order for such a decision to be valid, the non-EU country — in this case, the United States — must provide rights protections that are “essentially equivalent” to those guaranteed in the EU under the Data Protection Directive and the Charter of Fundamental Rights of the European Union (which is akin to a “Bill of Rights” for the purposes of EU law and includes explicit rights to privacy and the protection of personal data). These rights must be not only enshrined in law but also effective in practice. Moreover, it is clear that where the “essential equivalence” test is concerned, what matters is the rights that EU law guarantees in theory; although some of the individual EU Member States may themselves engage in surveillance activities that do not meet these standards, this is a separate issue, and it will not be sufficient for a country such as the US to argue that its surveillance laws or practices are similar to those of certain EU countries.

Critically, the Court went on to indicate the specific types of privacy rights the US must guarantee, at least in respect of EU users’ data, in order for the EU to allow companies to transfer such data there. These findings point directly to Section 702 reforms.

Section 702 reforms necessitated by Schrems

To ensure that the CJEU does not strike down any future data transfer arrangements designed to allow companies to transfer data between the EU and the US, Congress must make certain Section 702 reforms a matter of priority. These reforms would also help the statute pass muster under the US Constitution, and Congress should adopt them regardless of the Schrems decision. They include:

• Prohibiting “upstream” surveillance, through which the US government temporarily seizes virtually all Internet-based communications flowing into or out of the United States. The Court found in Schrems that laws allowing government authorities to “have access on a generalised basis to the content of electronic communications” violate “the essence of the fundamental right to respect for private life.” Since “upstream” surveillance entails the seizure and searching of the content of communications, we believe the Court is unlikely to uphold any EU-US data transfer arrangements until Section 702 is amended to prohibit this type of activity.
• Strictly limiting the purposes for which the US may conduct surveillance under Section 702. The intelligence agencies should not have the power to conduct such surveillance unless they are seeking to investigate or prevent a limited set of specific dangers such as terrorism. This restriction would replace the vague and broad wording of the current law, which allows the government to engage in warrantless Section 702 surveillance as long as a “significant purpose” of that monitoring is to obtain “foreign intelligence information” — a term broad enough to include information that is merely relevant to US foreign affairs. The CJEU indicated that EU-US data transfers should not take place unless the US government can only gain access to (and use) the data “for purposes which are specific, strictly restricted and capable of justifying” the privacy intrusion involved.
• Strictly limiting the circumstances in which government authorities can gain access to and use surveillance data. The same passage from Schrems points to the need for this reform. The bodies that have the power to search or otherwise gain access to the data, as well as the circumstances under which they may do so and their transparency obligations, should be clearly set out in law and restricted to prevent abuses.
• Strengthening the authorization and oversight processes and making them more transparent, by requiring FISA Court or other independent approval of the specific terms the intelligence agencies use to search any captured data. The Schrems Court stated that limitations to EU users’ privacy rights must be “strictly necessary” and highlighted the need for strong safeguards against abuse, suggesting that US authorization and oversight processes must become more individualized and capable of imposing firm, clear, and consistent restraints.
• Giving individuals whose communications might be subject to secret surveillance a genuine ability to obtain redress for any abuses, such as by providing a right to “standing” (that is, the ability to bring a case in court) for people who provide evidence that they may have been unlawfully monitored or otherwise establishing a process that may ultimately lead to judicial review. The CJEU highlighted the need for the EU, in creating any new data transfer arrangements with the US, to ensure that “minimum safeguards” are in place “so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse.” The Court also emphasized the need for individuals to have some type of access to judicial review of decisions pertaining to their personal data.

In CDT’s view, these reforms are not only attainable but vital in any democracy that values individual liberties and the rule of law. Congress should act immediately to rein in the excessive and unaccountable NSA surveillance that originally gave rise to the Schrems case — not only because this is necessary to creating a new EU-US data transfer agreement, but because it is what fundamental rights require.