By Peter Swire
On July 9, the Court of Justice for the European Union (CJEU) held eight hours of oral argument in hearing case C-311/18, on whether US surveillance practices violate the fundamental rights of EU citizens. This case could potentially rupture the mechanisms that allow personal data to flow across the Atlantic. Should the Court so decide, it would soon be illegal for companies and services we use every day to transfer personal data from the EU to the US. Such a determination, however, may result in an absurdity; EU citizens’ data could not travel to the US for fear of intrusive surveillance, but could flow unimpeded to China, a nation with surveillance practices ripped from the pages of a dystopian science fiction novel.
Although a cut-off of data flows may seem far-fetched, Austrian lawyer Max Schrems, the plaintiff in the case pending before the CJEU, won a similar earlier case in 2015 (previously discussed on this blog). That case concerned the EU/US “Safe Harbor,” the earlier version of today’s Privacy Shield, which permits entities in the US and Europe to exchange personal data across borders. In the earlier case, the Court invalidated the decision in which the European Commission found adequate protections for personal data sent to the US pursuant to the Safe Harbor.
In the aftermath of the 2015 case, most companies that transfer data from the EU were left to rely on contract standards promulgated by the European Commission, called Standard Contractual Clauses (SCC). The SCCs set strict requirements for handling personal data by the company that transfers the data.
The legality of SCCs is now before the CJEU, with a similar challenge to Privacy Shield awaiting the outcome of the first case.
A CJEU decision that invalidates SCCs would result in the prohibition of most transfers of personal data from the EU to the US. The case primarily concerns the quality of legal safeguards in the United States for government surveillance, especially by the NSA. (Note – I was selected to provide independent expert testimony on US law by Facebook; under Irish law, I was prohibited from contact with Facebook while serving as an expert, and I have played no further role in the litigation.)
A decision invalidating SCCs, however, would pose a terrible dilemma to EU courts and decisionmakers.
At a minimum, the CJEU might “merely” prohibit data flows to the US due to a finding of lack of sufficient safeguards, notably an insufficient remedy for an EU data subject who makes a subject access request to the NSA. The EU on this approach would continue to authorize the transfer of personal data to countries not directly covered by the Court decision, such as, for example, China. This approach would be completely unjustified: it would prohibit transfers of data to the US, which has numerous legal safeguards characteristic of a state under the rule of law, while allowing such transfers toward China, where the protection of personal data vis-à-vis the government is essentially non-existent.
At the maximum, the Court could acknowledge that a cut-off of transfers to the US would also require cutting off transfers of personal data to China and the many other countries that allow government access to personal data without protections of the sort expected by Europeans. On this approach, which would seem legally more justifiable, the EU would really be creating its “Great Firewall of Europe,” under which the personal data of European citizens would (practically) no longer circulate, banning an enormous range of routine business practices that involve transferring personal data to other countries.
Our extensive research on China, published as an annotated bibliography for this post, shows intrusive government data collection categorically at odds with the privacy protections of the EU’s General Data Protection Regulation. Surveillance has become particularly pervasive in Xinjiang Province, especially targeted at the Uighur ethnic minority, which is primarily Muslim. Among many surveillance initiatives, China is deploying its Social Credit System, scheduled for full deployment in 2020, with constant assessment of each person’s “trustworthiness.” Indeed, Freedom House reported: “China was once again the worst abuser of internet freedom in 2018.” (The US ranked sixth best of the 65 countries surveyed.)
Chinese economic growth means that Europeans’ personal data is increasingly held by Chinese companies, and thus legally available to the Chinese government. The German government has reported “China is Germany’s top trading partner in the world.” A third of European smartphone purchases last year went to Chinese manufacturers, creating a pipeline of customer data. A recent New York Times story noted: “Products created for China’s vast surveilled and censored domestic market are increasingly popular overseas, where they are often cheaper and more appealing to consumers.” As previously discussed on this blog, Italy this past March joined China’s Belt and Road Initiative, designed among other goals to increase connectivity with China.
The legal protections for data in China are notably weak. One study found China to have the fewest protections against surveillance among the 13 nations examined, stating: “Chinese national security law allows for the inspection of electronic communication instruments belonging to ‘any organization or individual’ for purposes of state security with few if any limitations.” By contrast, a leading Oxford researcher examined US legal safeguards and concluded that “the US now serves as a baseline for foreign intelligence standards.” My work on President Obama’s NSA Review Group led to the same view, that US legal safeguards for surveillance are among the strongest in the world, especially in light of reforms enacted after Snowden.
The key difficulty is that the pending litigation challenges transfers to the US, where protections against government surveillance are notably in place. Prohibiting data transfers to the US while allowing transfers to the Chinese surveillance state would be unjust and entirely incongruous with the EU goal of protecting the privacy and security of its citizens’ data. Such a prohibition would also raise serious international trade issues by unfairly discriminating against one trading partner (US) while allowing worse abuses by another (China). On the other hand, if the Court strikes down transfers to all trading partners, then the economic and political consequences would be global.
The Court of Justice, and all the concerned European actors, should therefore consider these enormous practical consequences as the Court considers the case. The Advocate General for the case, Henrik Saugmandsgaard Øe, said he will give his non-binding opinion in the case December 12 this year, with a full decision expected by early 2020.
A version of this article was first published in French in Le Monde.