The European Court of Justice has found that U.S. surveillance breaches the fundamental rights of European citizens.
This is the clearest and most important implication of the ruling. The court’s fundamental problem with the Safe Harbor arrangement is that there aren’t any real protections for European citizens under U.S. law. When European citizens’ personal data is transferred to the United States, U.S. authorities have “access on a generalised basis” to it, without any opportunities for European citizens to control how they use it or seek redress in the courts. The Safe Harbor arrangement specifically says that when U.S. laws (such as laws allowing U.S. authorities to demand access to foreigners’ data) conflict with the Safe Harbor, the Safe Harbor loses. Hence, from the court’s perspective, Safe Harbor doesn’t provide any protection against U.S. government measures that compromise “the essence of the fundamental right to respect for private life.” This means that the European Commission was acting beyond its powers when it agreed to Safe Harbor in the first place.
European citizens and privacy officials can challenge international privacy deals.
One of the key issues in the case that led to the ruling was the refusal of Ireland’s “data protection commissioner” — the official effectively charged with protecting the privacy of European citizens who use Facebook, Google, etc. — to consider whether or not Safe Harbor broke European privacy law. The commissioner claimed that Irish legislation prevented him from doing so. The European Court of Justice didn’t like this — at all. It has laid out a clear pathway through which European privacy officials and European citizens can challenge commission decisions (e.g. on whether a third country has sufficiently high privacy standards). If a citizen objects, she can bring her complaint to the relevant data protection commissioner. If the commissioner agrees with her objection, he can seek court action that will allow the European Court of Justice to consider the complaint. If the commissioner disagrees, the citizen should be able to appeal to the courts, again allowing the European Court of Justice to consider the complaint (and whether to declare the decision invalid).
The United States, anticipating this decision, has already complained that this reasoning would “undercut the ability of other countries, businesses and citizens to rely upon negotiated arrangements with the European Commission.” For sure, it will make future agreements on privacy harder to reach. The European Court of Justice has confirmed its strong commitment to privacy rights and also effectively appointed itself as a key veto player on future deals.
Any new deal will have to have a strong legal basis.
The court has not only effectively announced that it will police future privacy deals — it has implicitly set out some of the conditions that a new deal with the United States would have to meet. The Safe Harbor was (as described in earlier research on it) a rickety institution; formally, it was not even an agreement between the E.U. and United States, but an exchange of letters. The European Court of Justice will clearly not accept a deal with shaky foundations; it wants law. The judgment suggests that the basis for evaluating privacy deals in the future is to assess whether they provide more or less “equivalent” protections to the protections offered by the E.U., whether these protections are guaranteed either by domestic law or an international treaty, and whether there is some opportunity for European citizens to have judicial redress if they feel that their rights are being trampled on.
As it turns out, the European Union and the United States have recently completed negotiations on a so-called Umbrella Agreement, which is supposed to lead to new laws in the United States that would provide some protections and judicial redress for European citizens. The New York Times incorrectly claims that this would provide the kind of legal recourse that the court is looking for. In fact, it addresses a different set of questions about different kinds of personal data. Nonetheless, it could provide a model for a different or greatly expanded E.U.-U.S. agreement.
The ruling doesn’t only affect the United States.
Other spy agencies — including spy agencies within Europe — will be reading the court’s ruling with a great degree of trepidation. It strongly suggests that their activities against the citizens of other European countries is illegal under the Charter of Fundamental Rights, the basic constitutional document governing rights in the European Union. For example, Britain’s GCHQ (their equivalent of the U.S. National Security Agency) has been engaged in all sorts of surveillance, both together with their colleagues in the United States and on their own initiative. There is a clear pathway toward a court case against GCHQ, and good reason to believe that GCHQ would lose.
More generally, this ruling will lead to new pressures to limit the kinds of indiscriminate surveillance against citizens that many countries — not just the United States — have engaged in over the last 15 years. There will be a push for a transatlantic deal limiting surveillance and bringing it into a clearer international order. This is undoubtedly a product of former NSA contractor Edward Snowden’s revelations (Snowden is cited in the ruling, as well as the rulings that led up to it). It would be impossible to imagine this having happened had Snowden not forced states and courts to pay attention to surveillance and privacy issues. Recently, Snowden, Glenn Greenwald, Laura Poitras and others have argued for an international treaty protecting privacy as a fundamental right. The European Court of Justice ruling has made a substantial push toward getting some parts of that agenda going.