On Dec. 19, Advocate General (AG) Henrik Saugmandsgaard Øe issued a long-awaited initial opinion in the “Schrems II” case before the Court of Justice of the European Union (CJEU). The case concerns the legality of transferring personal data from the European Union to the United States under two of the most important legal mechanisms for transfer: standard contractual clauses, which exist where a company contractually promises to follow EU-level privacy standards once the personal data arrive in a different country, and the Privacy Shield, which the EU and the U.S. negotiated in 2016 for transfers of personal data specifically to the United States.
Based on an initial review of the 96-page opinion, this post first provides background on the Schrems litigation. It then gives a brief summary of what American lawyers might call “holdings” of the case if it were the decision of the court. Under the court’s procedures, the AG opinion is not a binding decision of law; however, it is generally considered an important prediction of the actual decision, which is expected in the first quarter of 2020. This post then examines in more detail some important new jurisprudence about how the EU may look at foreign intelligence surveillance, notably including Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
Background of the Schrems Litigation
The decision this week is the latest milestone in the long-running litigation by Austrian lawyer Max Schrems against Facebook, challenging the latter’s ability to transfer personal data from the EU to the United States. Previously, Schrems challenged the EU/U.S. Safe Harbor, which was an agreement signed in 2000 that set standards for lawfully transferring personal data from the EU to the United States. The core legal claim is that the U.S. lacks “adequate” safeguards for protection of privacy and, thus, the transfers should not be allowed under EU privacy law. Schrems’s specific claim is that he lacks the ability to gain access to the files that the National Security Agency (NSA) may have about him and lacks legal redress for any violation of his rights under EU law. (For the purpose of full disclosure, I served as an expert witness in the case, submitting more than 300 pages of testimony. I was selected by Facebook but under Irish rules was an independent witness.)
In 2015, the CJEU struck down the Safe Harbor in what is now called “Schrems I.” The actual holding concerned flaws the court found in the EU’s assessment of the adequacy of Safe Harbor. The context, however, was concern after the Snowden revelations about surveillance by the NSA, which the advocate general in that case called (incorrectly, in my view) “unrestricted access to mass data.”
After Schrems I, many companies that had used the Safe Harbor adopted standard contractual clauses as the legal basis for transferring data. Meanwhile, the EU and U.S. completed negotiations in 2016 of the Privacy Shield as a successor to the Safe Harbor. The Privacy Shield contained a number of provisions that were stricter than the earlier Safe Harbor and included letters explaining U.S. surveillance law safeguards from the general counsel of the Office of the Director of National Intelligence.
Schrems then initiated another round of litigation in Ireland, where Facebook has its European headquarters. In this “Schrems II” case, he challenged the adequacy of standard contractual clauses. Similar to the earlier case, he claimed that he lacked sufficient redress under EU law when his personal data were transferred to the U.S., with the difference that this time the data were transferred using standard contractual clauses. The suit resulted in a lengthy trial in the Irish High Court. The High Court ruled for Schrems and certified 11 broad questions to the CJEU. The AG opinion published this week concerns this appeal in Schrems II from the Irish High Court.
Transfers Under Standard Contractual Clauses Can Continue, Subject to Case-by-Case Challenges
The key recommendation of the AG opinion is that his review found “nothing to affect the validity” of the commission’s 2010 approval of standard contractual clauses (¶ 5). This means that the clauses, used for approximately 90 percent of data transfers out of Europe, continue in effect, despite concerns that the entire standard contractual clause approach might be struck down. This positive recommendation about data flows, however, is subject to the continuing power of European privacy regulators to examine the lawfulness of the use of standard contractual clauses on a case-by-case basis (¶ 126).
The fate of the Privacy Shield is less clear in the AG opinion. The CJEU decided to hear oral arguments last summer concerning the lawfulness of the Privacy Shield, even though the Shield was then being prepared for trial in a lower EU court. Given that procedural posture, the AG opinion states that “the resolution of the dispute in the main proceedings [about standard contractual clauses] does not require [the court] to settle” the issue of the Privacy Shield’s legality (¶ 6). The AG suggests that the CJEU avoid the issue but sets out, “in the alternative, the reasons that lead me to question the legality” of the commission’s decision to approve the Privacy Shield. The AG’s questions primarily concern the lawfulness of U.S. foreign intelligence surveillance, discussed below.
The opinion addresses numerous other issues of EU law, including that EU law applies to transfers of data from the EU to a third country such as the United States. EU law applies even for processing of personal data done in a country such as the U.S. “to protect the national security of that country” (¶ 110).
In contrast to this relatively broad view of the scope of EU law to national security investigations occurring in the U.S., the AG opinion notably avoids addressing many of the 11 broad questions referred to the CJEU by the High Court of Ireland (¶ 167). These questions raised knotty problems such as how national security surveillance powers of EU member states should be assessed by the courts, in light of the EU treaty exemption of EU authority over the member states’ national security. Given the significant doubts about the CJEU’s authority to review the national security surveillance powers of its own member states, its assumption of the power to review those of the United States continues to raise questions about unfair treatment. Perhaps reflecting those concerns, what I found interesting here was that the AG opinion took care to avoid going more broadly than necessary. The style reminded me of reading Alexander Bickel’s classic text, The Passive Virtues, when I was in law school. To date, there have been criticisms of the CJEU for asserting broad powers, including concerning privacy, since it acquired the power to issue binding opinions on the member states in 2009. The tone of the AG’s opinion perhaps is a sign of a new caution. The opinion cites the former leading European privacy regulator, Peter Hustinx, in saying:
My analysis as a whole will be guided by the desire to strike a balance between, on the one hand, the need to show a “reasonable degree of pragmatism in order to allow interaction with other parts of the world,” and, on the other hand, the need to assert the fundamental values recognised in the legal orders of the Union and its Member States, and in particular in the Charter.
Observers of the CJEU will be interested to see the extent to which this “pragmatism” will be evident in the court’s binding decision, due in 2020.
Some Nuance About Foreign Intelligence Surveillance
The AG’s opinion offers at least three findings that appear to provide stronger legal ground for foreign intelligence surveillance. First, the opinion appears to show some jurisprudential room, within the AG’s view of EU law, for bulk collection for national security purposes. The discussion appears in the analysis of what constitutes the “essential content, or the very essence, of the right to respect for private life” (¶ 282). If an interference compromises the essence of such a right or freedom, then the interference is so serious that “no legitimate objective can justify it” (¶ 272). The opinion appears to conclude that bulk collection should be assessed on a case-by-case basis, rather than being categorically unlawful.
In discussing bulk collection, the AG’s opinion appears to be closing the gap between the relatively ideologically pure CJEU and the relatively pragmatic European Court of Human Rights (ECtHR) described last year by Théodore Christakis. Although earlier CJEU cases might be read to condemn bulk or “generalised” collection, the AG’s opinion cites favorably to two recent ECtHR opinions, Big Brother Watch and Centrum för Rättvisa. In explaining why there should be a regime-by-regime analysis of bulk collection, the AG’s opinion notes that the ECtHR has found bulk collection regimes lawful “provided that they are accompanied by a number of minimum guarantees” (¶ 282).
Second, the opinion takes a more positive view than one might have anticipated for the sort of data collection under Section 702’s upstream program. As described, for instance, by the Privacy and Civil Liberties Oversight Board, the upstream program has access to the “telecommunications backbone.” It filters a large volume of communications down to the much smaller subset of communications that have individual “selectors,” such as a specific email or telephone number. Significantly, the communications that lack such selectors are never stored by the government—picture, perhaps, a flow of water diverted through a filter but then allowed to continue downstream without ever being stored.
In previous testimony to EU privacy regulators and the Irish High Court, I have supported the view that this type of filtering is targeted rather than bulk—as only the individually targeted communications are available for analysis. The AG’s opinion supports this view and the view of the EU Commission that “temporary access by the intelligence authorities to all the content of the electronic communications for the sole purpose of filtering...cannot be treated as equivalent to generalised access to that content” (¶ 276, emphasis in original). In short, such filtering can be justified, depending on the applicable safeguards. In my view, this is a welcome legal conclusion. It also encourages surveillance regimes to get credit, before the courts, by effectively filtering out all communications except the far smaller subset of relevant communications.
On a third topic, the AG’s opinion offers some doctrinal support for the U.S. legal approach to foreign intelligence surveillance. The opinion begins by stating that it is “common ground that the protection of national security is a legitimate objective that may justify” exceptions to European privacy rules (¶ 285). Schrems and others, however, criticized the U.S. for surveilling based on the broader purpose of “foreign intelligence information,” which includes the “conduct of foreign affairs.” The opinion rejects that argument: “To my mind,” says the AG, “the perimeter of national security may include, to a certain extent, the protection of interests relating to the conduct of foreign affairs” (¶ 286). While I agree with that conclusion, I remain concerned that the jurisprudential approach lacks sufficient appreciation of how much national security surveillance should be able to change when done during wartime, in near-war conditions or in connection with a foreign adversary.
These three doctrinal statements—bulk collection, filtering and lawfulness of surveillance for foreign affairs—together provide a strengthened CJEU legal rationale for foreign intelligence surveillance. With that said, the AG’s opinion expresses a number of specific concerns about the safeguards currently in effect for Section 702 and Executive Order 12333. Without going into great detail, these include concerns that were litigated in detail before the Irish High Court, including lack of standing to sue in U.S. courts, lack of prior judicial authorization for each individual targeted under Section 702, lack of notice after the fact that an individual was targeted by the NSA, and concerns that the ombudsperson redress mechanism in the Privacy Shield lacks sufficient independence.
The AG’s opinion offers heartening news for continued global data flows. The opinion gives a basis for believing that standard contractual clauses will continue to be a lawful basis for transfer, avoiding the enormous practical problems that would otherwise result. The opinion recommends leaving the Privacy Shield in place and offers some interesting new jurisprudential support for foreign intelligence surveillance, at least where sufficient safeguards are in place.
At the same time, the opinion would affirm the power of EU privacy regulators to make case-by-case decisions to block transfers that use standard contractual clauses, based on the regulators’ view of protections in the country receiving the data. Such case-by-case decisions may apply to transfers to the U.S. but also to countries such as China that lack legal safeguards against excessive surveillance. The opinion also shows continued skepticism about whether the specific safeguards in the Privacy Shield are sufficient under EU law.
In the coming few weeks or months, we will see the full CJEU decision, which may vary from this week’s opinion in important respects. Finally, whatever the outcome in Schrems II, new EU legal challenges to foreign intelligence actions will likely continue, creating ongoing risks of disruptions in global data flows.