Paris, 24 September 2015 — The Advocate General of the Court of Justice of the European Union (CJEU) published on 23rd September his conclusions in the case “Maximilian Schrems against Data Protection Commissioner”. The Advocate General, Yves Bot, recommends an invalidation of the Safe Harbor agreement which regulates the transfer of personal data of European citizens by online services like Facebook, to the United States. The Advocate General considers that the surveillance carried out by US intelligence services hinders fundamental rights of European citizens. La Quadrature du Net welcomes these clear and protective conclusions, and hopes that the EU Court of Justice will have the courage to follow him in challenging Safe Harbor as demanded by civil society since the first Snowden revelations. Additionally, putting Safe Harbour aside, his analysis of the NSA’s practices should also apply to mass surveillance by European governments, such as France.
The case “Maximilian Schrems against Data Protection Commissioner” is related to the transfer of personal data of European citizens towards the United-States in the use of services such as Facebook. As revealed by Edward Snowden, these data are then available for the US intelligence services through programs such as PRISM. The issue at hand is the competence of national supervisory authority, and the role of the Safe Harbor agreement that regulates the personal data transfers of EU nationals when they use services hosted in the US since 2000. Safe Harbor is supposed to guarantee a similar level of protection of personal data in the US to the one present in Europe for EU citizens. Called the “security sphere” between Europe and United States, it allows a very high circulation of personal data. Safe Harbor concerns companies such as Google, Facebook, Amazon, Twitter, Apple (all companies which are an essential element of the NSA’s PRISM program).
Yves Bot, Advocate General of the CJEU, examines in his conclusions few fundamental questions:
- What is the role and what are the competencies of a national supervisory authority against EU agreements such as the Safe Harbor? Does the authority have the ability to investigate and act upon the companies covered by this kind of agreement?
- What happens when the agreement, signed 15 years ago (Safe Harbor is in effect since 2000), has not been revised since though it was publicly known that personal data processing was done out of the purposes of the agreement?
- Shall we consider that US intelligence services accessing European citizens data respect the principles of proportionality and the explicit purposes judged necessary to the respect of fundamental rights in Europe when they are invoked through national security reasons?
- How to respect EU citizens rights when there is no possibility of an effective remedy respecting the EU standards in the country receiving the personal data?
- Could the European Commission suspend the transfer of personal data or periodically revise the Safe Harbor in order to verify if the criterias of conformity provided at the origin are still respected?
To those questions, the Advocate General answers that:
- A national supervisory authority has the right and the duty to defend the citizen even in the presence of a EU agreement;
- The European Commission should periodically verify the conformity of the Safe Harbor to the EU standards of data protection;
- the conditions respecting the principles of proportionality and the explicit purposes are not respected by the US intelligence services;
- EU citizens do not have the necessary guarantees to exercise their rights against the processing of their data by the intelligence services
- by consequences, the Safe Harbor must be invalidated and suspended
These conclusions are very important because they justify the concerns raised by many citizens and organizations about the Safe Harbor, which, for years, has made easier the access to the personal data of European citizens to US intelligence services. In spring 2014, MEPs have requested its suspension. The European Commission suggested a revision which is still ongoing. Meanwhile, the personal data of European citizens continue to fuel US surveillance programs.
These conclusions follow a plea introduced in June 2013 by Austrian activist Max Schrems, and provide a once-in-a-lifetime opportunity to redefine the general framework for personal data transfers, especially after the Snowden revelations. This means that the existence of surveillance programs and massive data collection through internet services and suppliers, both in the US and Europe, must be taken into account. In his conclusions, the Advocate General condemns the use of national security as the ultimate reason to bypass the fundamental rights of citizens, and refers to the Digital Rights decision of 2014 on data retention that establishes very clear principles that really protect citizens.
Hence, these conclusions fall right within the approach promoted by Civil Rights associations, and as such, La Quadrature du Net applauds the work and reasoning shown in the Advocate General’s conclusions.
“The Court of Justice will give its decision in few weeks. It must follow the conclusions of the Advocate General, so as to allow for a thorough overhaul of the framework around EU-US data transfers. However, for this decision not to lead to a fool’s game through a simple data relocation — which would facilitate their surveillance by the EU intelligence services —, judges must also ensure that the applicable laws on this side of the Atlantic fully respect privacy and reject the principle of large-scale surveillance. At a time when countries such as France, the United Kingdom or the Netherlands are legalising mass surveillance practices deployed in the past few years by their national intelligence agencies, jurisdictions such as the ECJ must also be quick to stand firm against them as well. In this regard, Yves Bot’s conclusions also hint at how the case-law around secret surveillance should adapt so as to rule out unacceptable laws which, like the bill on international surveillance currently debated in the French Parliament, are modelled after the NSA. There is still a long way to go, but these conclusions are a step in the right direction”, said Félix Tréguer, co-founder of La Quadrature du Net.