In my last post, I said that the European Court of Justice decision in Maximillian Schrems v. Data Protection Commission ignores some inconvenient truths. US frustrations with European double standards on surveillance are understandable. They are also beside the point. The US must reform surveillance law – specifically, Section 702 of FISA – if it wants to restore safe harbor. Without safe harbor, personal data on EU citizens cannot be transferred easily to the United States, and this would seriously damage the global economy.
Just to be clear about the stakes – the US-EU safe harbor agreement is vital to transatlantic trade, and not just for big technology firms like Facebook and Google. Safe harbor involves over 4,000 companies. The demise of safe harbor may encourage firms to encrypt data stored in the cloud and take some steps to minimize unnecessary transfers of personal data. That is a good thing. Still, in the age of big data, it is unthinkable that the US and Europe can do business without routine transfers of personal data. The global economy depends on hammering out a new US-EU agreement that allows those transfers to take place – and that will stand up in European courts.
Sending a US delegation to Brussels to strike a deal with EU bureaucrats is not going to do the job without addressing US surveillance practices. No one in Europe can resurrect the safe harbor agreement without complying with the ECJ’s decision. The ECJ’s decisions on European law are final and binding, and its decisions on privacy and data protection are based on principles of fundamental human rights which do not afford EU officials much wiggle room.
Does this mean that either 1) the US and the EU lose safe harbor forever, or 2) the NSA and other intelligence agencies just have to keep their hands off European data, regardless of the cost to national security? Not necessarily.
The ECJ’s opinion suggests another solution. The opinion notes that the European Commission – the EU’s Executive Branch – did not believe the safe harbor agreement provides an “adequate level of protection,” given its concerns about government surveillance. ¶ 97. As a result, the court did not need to examine this issue for itself. ¶ 98. Lawfare’s Alex Loomis observes this could “punt” the issue back to the European Commission. I agree.
The ECJ has provided the European Commission a second chance to decide that US surveillance law lives up to European privacy rules. The European judges did not actually examine US surveillance programs or the legal basis for those programs, but instead relied on a highly critical European Commission report. As Bob Litt (the general counsel of the DNI) has explained in the Financial Times, the report is flawed in its analysis of US law. On this point, Bob Litt is correct. The report seems to conflate PRISM – a program based on Section 702 of FISA that permits surveillance of (an admittedly very large number of) specific targets – with different programs involving bulk collection of metadata. Those programs were based on entirely different provisions of FISA. In any event, bulk collection is coming to an end because of the reforms enacted in the USA FREEDOM Act.
So, perhaps all the US has to do is convince enough people that Bob Litt is right about PRISM, the European Commission is wrong, and the Europeans will say it was all a big misunderstanding? Not likely.
The ECJ’s decision lays out standards for surveillance law that Section 702 of FISA does not meet, even if correctly understood. The question is whether it is possible to amend US law to address the ECJ’s concerns without sacrificing national security. I will begin to tackle that question in my next post.