The challenge to Safe Harbour - a totem for something much more fundamental
01 October 2015
Max Schrems and Edward Snowden. What a combination. Two young men who have made indelible impacts on the world of data protection are the main protagonists in a landmark court case that has the potential to turn everything we know about data protection law on its head, while at the same time placing a great big question mark against the relevancy of the proposed EU General Data Protection Regulation before it is even adopted.
Last week the Advocate General (A-G) of the Court of Justice of the EU (CJEU) delivered his Opinion on the adequacy of the European Commission's Safe Harbour Decision. At the heart of this case is Mr Schrems' argument that Mr Snowden's disclosures about the NSA's mass surveillance programmes (including PRISM) render the Safe Harbour Decision utterly meaningless. This Decision is one of the key legal gateways that allows EU personal data to flow to the United States. It is meant to create protections in the U.S. for personal data that are equivalent to those in Europe, through a process by which U.S. data importers opt in to an entirely voluntary scheme of self-regulation. The purport of Mr Schrems' argument is that Safe Harbour delivers nothing like adequate protections for EU personal data. Exhibit 1: Mr Snowden's disclosures, which most people now accept are true.
So how did the case get to the CJEU? Well, relying upon Exhibit 1, Mr Schrems made a complaint to the Irish data protection regulator, asking him to investigate the lawfulness of transfers of his personal data by Facebook to the U.S. The Irish regulator refused to investigate, with his position being that the lawfulness issue was settled by the Safe Harbour Decision. Mr Schrems made a Judicial Review application to the Irish High Court. The High Court Judge was plainly alarmed by what he was hearing, so he referred the case on to the CJEU for a preliminary ruling on whether the Safe Harbour Decision binds the Irish regulator's hands.
The role of the A-G is to provide an Opinion for the CJEU on how the law operates. Clearly, the A-G sees things the same way as the Irish Judge. The gist of the A-G's Opinion is that the Safe Harbour Decision cannot bind the national EU data protection regulators: the evidence against Safe Harbour is just too compelling to ignore. Instead, when faced with substantial challenges of this kind, the regulators have to look at things properly, for themselves, on a first-principles basis. The Commission cannot bind the regulators on matters of such fundamental importance.
So, what are the impacts? Some commentators are saying, "ah well, don't panic, it's only an Opinion, not binding on the CJEU". They're right of course, but that's only a holding position. It's good for about a week. Then what? Others are saying "it's an outrage to try and stop the natural flow of things over the web". Well, it might be, or perhaps not, but it doesn't help much with the actuality. Others are saying "no big deal, there are other transfer mechanisms". They're right, but if Safe Harbour is vulnerable, so are all the others. Model Clauses? BCR? What are they actually delivering that's so much better than Safe Harbour? Others are saying "if Safe Harbour dies, they'll simply revive it". Probably correct, but I expect that will just be another holding position. Others are saying "it's not fair on businesses, which need legal certainty". That's right, but it doesn't provide an argument for Safe Harbour, or any of the other mechanisms, just an argument for certainty.
I know this sounds odd, but in my view the Safe Harbour case isn't about Safe Harbour at all. Safe Harbour is a totem for something else, something much more fundamental. This topic under analysis could easily be about breach notifications, or registrations, or privacy policies, or whatever else is a pressure point of the day. There's a much bigger picture here and if you go down this path of analysis you see a different range of impacts and therefore a different range of solutions.
To me, this case is about who should be the supervisor, the quality of supervision and the steps that entities need to take to pass the tests of supervision at that level of quality. This becomes clear and obvious when you see the architecture and framework of the legal case:
1. Citizen complains to regulator > 2. regulator does not investigate > 3. Judicial Review of the regulator's decision > 4. referral to CJEU on point of law > 5. CJEU decision on point of law > 6. back to Judicial Review > 7. judgment on the regulator's decision not to investigate > 8. back to regulator for investigation of original complaint > 9. decision on whether there is adequate protection as a matter of fact.
Whether or not this case leads to victory for Mr Schrems, it's pretty clear that there is a hugely powerful constituency of people who agree that the European Commission cannot be the supervisor of substantial questions about what is or is not adequate. The Commission is a political institution, not independent enough or close enough to the facts in individual cases, so it can't provide the quality of supervision that's needed. Whatever it does will always be tainted by political considerations and remoteness and therefore susceptible to challenge (indeed, the Commission's track record on defending legal challenges to its big positions on data protection has been awful, i.e., PNR transfers to the U.S. and the Data Retention Directive so far). Therefore, we turn to the national regulators. But if they hide behind the Commission, they're susceptible to challenge, as Mr Schrems has proved beyond any doubt.
So, at that point the supervisors become the citizen and the judiciary. In this environment, where businesses are under determined challenge, supervision is an adversarial process, pure and simple. To win the argument you have to know your case, be able to prove it and then actually argue it. In a transfer situation to the U.S., if you are a business under challenge, what's your real case on adequacy? Your case - not the Commission's or the regulators' - your case. In a factual sense, how do you prove adequacy? What are you going to say? "We're in Safe Harbour", or "we've got a BCR", or "we're using Model Clauses" are not the correct answers in a real challenge!
My message to businesses is don't fall into the trap that the Irish regulator fell into. Figure out for yourselves whether you have a defensible, winning position, for international transfers and everything else that you judge matters to you, your customers and stakeholders. Create your own certainty by building your own adequacy. If you avoid the substantive arguments and stand simply on the prior points of view of others, you are limiting your right of defence. If the Irish regulator had investigated the case on the facts, what would he have discovered? Would he have found robust protections for privacy "on the ground"? If you're a business and you are confident that you have those protections in place, would you not want to run them at an early stage, before things get out of hand?
This needs a change of mind-set on the business side and perhaps even a clear-out of advisors, with replacements who will push businesses hard where required, not always saying yes, or standing on dogma or "thought leadership". You can create your own, real Safe Harbours, if you put your minds to it.
As for the GDPR, it is so stacked full of compromises that intelligent people will be able to pull it apart if they want to. Think again about BCR. It's argued that they are a good alternative to Safe Harbour and they're trumpeted by the GDPR as a good place to go. But why is that? What actual proof do we have that BCRs are delivering better adequacy than Safe Harbour? Who is actually testing them? Some people say that BCR are a good idea because they give you a "regulatory seal of approval", but they don't. The regulators are not yet going into businesses to test them out. They provide no greater assurance of adequacy than Safe Harbour. If Safe Harbour is vulnerable, so is BCR. In a more micro sense, the Commission's draft of the GDPR is full of "delegated acts" provisions, whereby the power to state points of detail on data protection is delegated to the Commission. The vulnerability there is obvious.
The heavy lifting for data protection is only just beginning. It's about to get much harder. But that's the price of certainty and the price of processing personal data. Entities that do the heavy lifting will come out on top in most challenging situations.