Posted on September 2, 2020
Authored by Nikita Das*
The recent decision of the Court of Justice of the European Union (“CJEU”) invalidating the European Union-United States ‘Privacy Shield’ mechanism and contouring the applicability of the Standard Contractual Clauses in the Max Schrems Case is certainly hinting towards the dawning of a geopolitical phenomenon across the globe. It has opened a can of worms and brought ambiguity over how companies and organizations have to deal with the obligation in the short and long term and its economic impact on them. The CJEU focused on the protection given to individuals under the Charter of Fundamental Rights of the European Union (“EU Charter”) and based its decision on the inability of the United States to provide a level of protection equivalent to that guaranteed by the EU Charter. The problem arose from surveillance programmes in the US based on Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333. In particular, the CJEU in its decision emphasized a couple of points:
1. Paragraph 176 of the court order states that a national/domestic legislation in question should meet the principle of “proportionality and necessity” as laid down in Article 52(1) of the EU Charter.
“Lastly, in order to satisfy the requirement of proportionality according to which derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary, the legislation in question which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data is subject to automated processing”.
2. Paragraph 192 of the order states that data subjects are not granted any rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy as required by Article 47 of the EU Charter.
“Furthermore, as regards both the surveillance programmes based on Section 702 of the FISA and those based on E.O. 12333, it has been noted in paragraphs 181 and 182 above that neither PPD‑28 nor E.O. 12333 grants data subjects rights actionable in the courts against the US authorities, from which it follows that data subjects have no right to an effective remedy.”
The question that arises here is this: while the CJEU expects non-EU countries to meet the proportionality and necessity prerequisite and provide actionable rights to individuals when their data is used for surveillance for national security purposes, would the same standard be imposed on EU member states or the UK? The following comparison of data surveillance laws applicable in some European countries, namely France, the UK and Sweden, will lend some perspective on it.
The surveillance activities undertaken for national security investigation purposes by local government, police officials or other law enforcement bodies (e.g., MI5, MI6) are governed by the Regulation of Investigatory Powers Act 2000 (“RIPA”). In an ideal scenario, a court should be providing a judicial warrant for the surveillance activities; however, under Part 1 of RIPA, an interception warrant is granted by the Home Secretary if he/she believes that the interception is necessary in the interest of national security. Section 15(2) obligates the Secretary to assess whether the surveillance activity meets the necessity and proportionality requirement. Now, the question arises: does the individual have a right to challenge the secret surveillance activities? The answer is in the negative, as RIPA expects the interception warrant to be kept confidential and in fact considers it a criminal offense if anyone having knowledge of the issuance of an interception warrant fails to keep confidential all matters relating to it. So, there is no scope for challenging the intrusion when information about it is not provided to the individual at all.
The French law governing surveillance activities is Loi 2015–912 du 24 juillet 2015 relative au renseignement (Law No. 2015-912 of July 24, 2015 relating to intelligence). Article L.811.3 of the law gives the specialised intelligence services a right to collect personal data for multiple undefined purposes justifying surveillance, such as “national security” and “major foreign policy interests”. It permits the internet service providers to install scanning tools (known as “black boxes”) that collect and analyse metadata of internet users. Moreover, the law allows the Prime Minister to authorize intrusive surveillance activities in consultation with the administrative authority responsible for the oversight of interception surveillance (National Commission for the Control of Intelligence Techniques), whose opinion is not binding on the Prime Minister. Like the U.K., the French surveillance laws also do not provide citizens under surveillance with any legal recourse against such actions.
The digital surveillance activities for defence intelligence activities conducted by the governmental bodies are regulated by the Svensk författningssamling [SFS] 2008:717 (Act on Signal Surveillance for Defence Intelligence Activities). This legislation, in particular, provides for intrusions into any cross-border communications. In fact, the law specifically states under Section 2(a) that “Collection may not refer to signals between a sender and recipient who are both in Sweden”, which implies that personal data originating from foreign land can be accessed by the given bodies for national security purposes. This makes the law comparatively similar to what is given under Section 702 of FISA. Although Sweden, under this law, has allowed surveillance activities to take place only in case of a suspected serious crime and requires the judicial body (Defence Intelligence Court of Sweden) to authorize such collection of information, it does not really balance the privacy rights of Swedish and non-Swedish citizens, as domestic surveillance is governed by a separate act, Lagen om elektronisk kommunikation (SFS 2003:389), which is in line with the privacy protections required by the General Data Protection Regulation. The 2008:717 Act does not allow for any appeal with respect to the decisions taken under the Act, which jeopardizes the right of individuals to have a legal remedy against the surveillance.
In addition to the above-mentioned legislation in the given countries, a report published by the European Union Agency for Fundamental Rights (FRA), addressing a European Parliament request for in-depth research on the impact of surveillance on fundamental rights, found that there are some lacunae in the EU member states' laws, including in terms of a need for oversight of the laws and ensuring transparency with individuals.
Considering that the individual EU member states have different national laws regarding surveillance activities, which do not always provide adequate protection to their own citizens and, in certain cases, to foreign nationals when data is used for national security purposes, it would be rather discriminatory to expect the non-EU countries to amend their data surveillance laws in order to comply with the CJEU’s decision and provide the required protection to EU data if they wish to continue collecting or processing personal data of subjects in the EU. This also creates a huge challenge for individual companies and organisations, which must tackle the obligation put on them to ensure adequate safeguards in the event of conflict with a third country law in case of EU data flows, which is almost inevitable in most cases. Companies, as per the direction released by most of the Data Protection Authorities (DPAs), will need to wait for proper guidance from them before they can brainstorm on implementing the necessary safeguards to deal with this complexity of global data transfers and national surveillance laws.
Regardless of the court decision or the national boundaries, it is essential for governments globally to be transparent with their people regarding the use of personal data in order to promote accountability, respect privacy rights and build confidence. However, creating a perfect balance between the need to enhance national security and respecting fundamental human rights will be difficult, considering that national security is a sensitive issue for all countries across the globe. One can only hope for mutual agreement between countries to deal with this matter, which is the need of the hour for business continuity, especially amidst this global pandemic.
* Nikita Das is a privacy attorney currently working with Cognizant Technology Solutions in Bangalore, looking into privacy compliances of the company. She is a privacy enthusiast trying to unravel the unique alliance between technology and the basic human right – the right to privacy.
 C‑311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems