Ars Technica | 15 October 2015
Fallout from EU-US Safe Harbour ruling will be dramatic and far-reaching
by Glyn Moody
In the wake of last week’s dramatic judgement by the Court of Justice of the European Union (CJEU), which means that transatlantic data transfers made under the Safe Harbour agreement are likely to be ruled illegal across the EU, there has been no shortage of apocalyptic visions claiming that e-commerce—and even the Internet itself—was doomed. Companies are already finding alternative, if imperfect, ways to transfer personal data from the EU to the US, although a very recent data protection ruling in Germany suggests that one approach—using contracts—is unlikely to withstand legal scrutiny. But what’s being overlooked are the much wider implications of the court’s ruling, which reach far beyond e-commerce.
The careful legal reasoning used by the CJEU to reach its decisions will make its rulings extremely hard, if not impossible, to circumvent, since they are based on the EU Charter of Fundamental Rights. As the European Commission’s page on the Charter explains: "The Charter of Fundamental Rights of the EU brings together in a single document the fundamental rights protected in the EU." Once merely aspirational, the Charter attained a new importance in December 2009: "with the entry into force of the Treaty of Lisbon, the Charter became legally binding on the EU institutions and on national governments, just like the EU Treaties themselves."
By anchoring its ruling in the principles underlying the Charter, the CJEU has cleverly ensured that it cannot be overturned simply by bringing in new laws, since those laws must themselves comply with the Charter.
That fact also applies to other aspects of the EU’s rule-making. As Steve Peers, a law professor at the University of Essex, writes in a detailed legal examination of the Safe Harbour decision: "Since the Court [CJEU] refers frequently to the primary law rules in the Charter, there’s no real chance to escape what it says by signing new treaties (even the planned TTIP or TISA), by adopting new decisions, or by amending the data protection Directive."
That’s hugely important, because international treaties have become a way for governments to force through changes in domestic laws without any kind of democratic debate—the argument being that some international treaty "obliges" them to do so, and so discussion is pointless. For example, when the EU signed up to the WIPO Copyright Treaty, it was "obliged" to make circumvention of DRM illegal and so brought in the EU copyright directive, which required member states to pass the appropriate local laws. But as Peers points out, in the light of the Safe Harbour decision, the European Commission now knows that any such attempt to circumvent the ruling will also be struck down by the CJEU.
It’s not simply that TTIP or TISA cannot sneak Safe Harbour in by the back door: the CJEU ruling also means that they cannot contain any chapters on data flows across the Atlantic that do not address the deficiencies of Safe Harbour. That’s awkward, since securing EU commitments to ensure completely free data flow across the Atlantic—including for personal information—is one of the key objectives for the US in both TTIP and TISA, just as it was in the newly completed TPP agreement.
Back in July, Euractiv reported that US Secretary of Commerce Penny Pritzker emphasised how crucial some kind of Safe Harbour scheme was to the TTIP negotiations, calling it "a foundation [for TTIP] that’s important in terms of data flows and certainly in terms of time frame." In other words, without Safe Harbour as a framework, it will be hard to include data flows in TTIP.
The same is true for TTIP’s sibling, the Trade in Services Agreement (TISA). The leak of a key section revealed the following wording proposed by the US as applying to the whole agreement: "No Party may prevent a service supplier of another Party from transferring, accessing, processing or storing information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business." That absolute prohibition on restricting data flows is incompatible with the CJEU ruling; leaving something like it in the final text of the agreement would therefore see TISA ruled invalid by the court.
There is another major area where the CJEU ruling could have a big impact: on the regulation of surveillance within the EU. Professor Peers summarises the court’s views as follows:
The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however).
The surveillance referred to in this case is being carried out by the NSA, but the court’s reasoning applies more generally. In particular, it seems likely that it applies to GCHQ’s own mass surveillance programmes and to the many clear breaches of the right to privacy that we now know it has committed, thanks to Edward Snowden. In an earlier interview with The Guardian, Snowden declared: "It’s not just a US problem. The UK has a huge dog in this fight. They [GCHQ] are worse than the US."
Peers adds: "In addition to a ban on mass surveillance, there must also be detailed safeguards in place." These are signally lacking in the UK, where the government simply repeats its mantra: "Our work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate." The CJEU’s latest ruling, combined with its earlier bombshell declaration that the EU’s data retention directive was "invalid" because of the mass surveillance involved, therefore makes it highly likely that it would regard the UK’s spying activities as similarly illegal.