Schrems – towards a high standard of data protection for European citizens
It has been almost six weeks since the ECJ handed down its groundbreaking Schrems judgment. This post reflects upon the institutional practices and scholarly discussion following the judgment. The Court held the transfer of data to the US based on the Commission’s safe harbor decision illegal as it violates the essence of the right to privacy. It refrained from setting a grace period. As the judgment concerns many large companies, one might have expected to notice the practical consequences by now. By reflecting on the institutional implementation of the judgment, it becomes clearer why we have not yet noticed the judgment in our day-to-day Facebook, Google, Apple, and Microsoft life.
While applauded by the general public, the judgment has been received more critically in scholarly blogs. In particular, some argued that the ECJ was not democratically legitimized to render the judgment. However, the criticism fails to convince. The deficiencies of the democratic process in protecting the rights of European citizens called for judicial interference.
The Hesitant Implementation and its Discontents
In general, personal data from European citizens can only be transferred to a third country if this country guarantees an adequate level of data protection. The Commission had set up a complex mechanism known as the safe harbor decision to allow for the transfer of data to certain US companies. As long as the companies declared that they complied with certain privacy principles, the transfer was considered to be legal in light of the adequate standard of protection. The Court invalidated this decision in Schrems. Are all transfers to US companies therefore illegal?
Relying on the safe harbor decision is only one means to transfer data to third countries legally. Article 26 of the Data Protection Directive allows derogations from the principle. Consent, standard contract clauses, and binding corporate rules are the most common conditions to make the transfer possible to third countries which do not provide for an adequate level of protection. Whether these possibilities are also affected by the judgment has given rise to an extensive debate; the legality of current Facebook data transfers hinges on the outcome of this debate. The ECJ refrained entirely from addressing these instruments explicitly. This has been criticized. In light of the reference, however, the ECJ could not extend its judgment to these instruments; therefore, it acted correctly in exercising restraint.
The implementation of the judgment is now left to the data protection authorities. The so-called Article 29 Working Group has by now issued a statement on the implementation. This Working Group is the coordinating body for the national data protection authorities. Deviating from the ECJ, the Group sets a grace period until January 2016. Apart from this, the declaration is kept very vague. The opinions of the national data protection authorities on the implications of Schrems for consent, standard contract clauses and binding corporate rules seem to diverge immensely. The authorities merely state that they will continue to analyze the judgment’s impact on these other instruments for transfer. According to the statement, standard contract clauses and binding corporate rules can still be used as long as the authorities investigate their legality. The German data protection authorities take a slightly different approach: they state that the judgment has cast doubt on the other instruments. They will therefore, for the time being, not issue any new permissions for standard contract clauses and binding corporate rules.
It hardly seems conceivable to legally transfer data to the US based on standard contract clauses or binding corporate rules. Article 26 para 3 of the Directive states that fundamental rights must be respected when national data protection authorities grant permissions to companies. Companies would need to shield the transferred data from access by the US government, whereas US law requires the companies to grant access. Considering that in Schrems the ECJ found a violation of the essence of the right to privacy, transferring data on the basis of standard contract clauses or binding corporate rules violates European fundamental rights.
The only possibility left for a legal data transfer is therefore individual consent. Valid consent according to the Directive needs to meet strict requirements. General clauses as contained in the terms of Facebook and the like fail to comply with this standard (see Max Schrems for a short overview of the clauses). The precise requirements for valid consent are not yet settled and remain disputed among the data protection authorities. It is now up to the Irish Data Protection Authority to investigate whether the transfer in the case of Schrems was legal. As Ireland is not known for a high standard of data protection, we might end up with yet another ECJ case, this time on the feasibility of transfers based on clauses or consent.
The Democratic Critique and its Discontents
The judgment has been fiercely criticized for lacking democratic credentials. In an inspiring and witty post, Russell Miller has attacked the “god-like judicial power”. According to him, the reaction to the Snowden leaks ought to be left to the political institutions, particularly as national security issues are at stake.
There is indeed a worrying European trend towards debating central political decisions not in parliament but in court. Russell, however, picked the wrong judgment for his critique. The Schrems judgment was democratically legitimate.
The criticism misconstrues the judgment. It is presented as a judgment invalidating data collection by US authorities under all circumstances. The intensive debate on the other instruments for transfer shows that the discussion is far from over. The judgment is, therefore, far more restrained than the critics contend.
The legitimacy of constitutional courts has been subject to intensive debate. Representation reinforcement is still the leading scholarly concept. According to this theory, courts are justified in interfering whenever deficiencies in the democratic process occur. It is the task of constitutional courts to ensure that the democratic process is sufficiently inclusive. From a European perspective, the US legislative process concerning data collection by intelligence services suffers from severe flaws: while European citizens are significantly affected by the legislation, they do not have a say in the democratic process. Even after the reforms of the USA FREEDOM Act, European citizens lack even basic rights in the US. In this situation it seems more than legitimate for the ECJ to intervene on behalf of the European citizens. Furthermore, the ECJ did not act in a democratic vacuum. It is telling that the critics do not mention the European Parliament’s call to end safe harbor. In the European institutional balance, the ECJ uses the judgment to support parliamentary responses to the Snowden leaks. Is that really illegitimate given the current state of European democracy?
Additionally, rights can legitimize the action of constitutional courts. It is convincing to primarily leave the balancing of rights to parliaments. Cases of violations of the essence of a right, however, are prime examples of a situation in which courts ought to interfere. Critics might question whether the essence was really at stake in Schrems. The ECJ has been careful to limit the essence (para 94): the essence of the privacy right is only violated if access concerns the content instead of “merely” meta-data. Furthermore, the essence is only affected if the law granting access fails to set limits entirely. For example, the ECJ did not find a violation of the privacy right’s essence in its judgment Digital Rights Ireland concerning data retention.
The actions required by the US are anything but impossible. In the USA FREEDOM Act, the US has limited the access of intelligence services to data of US citizens. Extending that act to European citizens would bring US legislation closer to complying with the European standard. Is it too much to ask for US legislation not to discriminate against Europeans?
The ECJ hence convincingly protected the rights of European citizens. The judgment will keep lawyers occupied for some time. The Commission announced that it wants to negotiate a new safe harbor regime within three months. Will the US agree to effectively protect the rights of European citizens? Furthermore, the information revealed by Snowden has shown that the UK collects data without distinction. Will anyone dare to challenge the UK’s intelligence services and its 007 agents in times of BREXIT fear? Will the next James Bond end with a standoff in Luxembourg between judges in robes and secret agents?
Carlino Antpöhler is a research fellow at the Max Planck Institute for Comparative Public Law and International Law in Heidelberg.
Cite as: Carlino Antpöhler, “Schrems – Towards a High Standard of Data Protection for European Citizens”, Völkerrechtsblog, 18 November 2015, doi: 10.17176/20170925-173602.