This article is written by Arnab Chakroborty, a 3rd year student of National Law University, Odisha.
The Court of Justice of the European Union (“CJEU”) issued its much anticipated judgement in the case of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (hereinafter “Schrems II”), invalidating the EU-US Privacy Shield which had been the mode of transferring data from the European Union (“EU”) to the United States (“US”). The case involved an Austrian privacy advocate named Maximillian Schrems challenging the transfer of his personal data from Facebook Ireland to Facebook Inc. in the US due to concerns pertaining to the protection of his personal data. In 2015, the Schrems I judgement witnessed the dissolution of the Safe Harbour Arrangement, which was the primitive version of the Shield. The initial complaint was filed in 2013 after the Snowden revelations regarding the US mass surveillance regime. The revelations acted as a major breakthrough in the field of privacy rights across the world, leading citizens in the EU and US to question the data retention mechanism of mega data processors like Facebook and Google. Following this, the EU devised a comprehensive data protection structure in the form of the General Data Protection Regulation (“GDPR”) in 2016.
Surveillance Instruments: Overarching or Illegal?
GDPR requires third countries who act as potential recipients of data to be “data adequate” in order to receive data from the EU. Standard contractual clauses and binding corporate rules may also be used for such data transfers in order to preserve rights of data subjects. In this context, the level of protection should be “essentially equivalent” to that in the EU. The factor which played a massive role in the invalidation of the EU-US Privacy Shield is the inadequacy of protection owing to interference of US public authorities with the fundamental rights of data subjects through the PRISM and UPSTREAM surveillance programmes. These programmes are coherently aligned with Section 702 of the Foreign Intelligence and Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”).
In the Schrems II judgement, the Court said that before an adequacy decision is reached, all the relevant legislation on national security and public authorities access to personal data, sectoral regulations etc. have to be duly balanced and thoroughly examined. EO 12333 fails to pass the “adequacy test” as it allows the National Security Agency (“NSA”) to access underwater cables on the floor of the Atlantic to collect data. Moreover, the activities pursuant to the said order are not governed by any Statute, thereby leading to a plethora of questions regarding its modus operandi.
The deployment of Section 702 of FISA also raises a few issues regarding its constitutionality. It forms the basis for PRISM and UPSTREAM, which are largely criticized on various fronts. This provision allows the Attorney General and the Director of National Intelligence to authorize jointly, the surveillance of non-US citizens to obtain ‘foreign intelligence information’. This information is further transmitted to the FBI and CIA to aid their investigation. It allows the government to retain content data as well as metadata, which simplifies their job of intercepting communication.
US surveillance regime’s most concerning dynamic is that although they are claimed to be targeted to eradicate terrorism and potential threats to the country, it has often gone beyond its scope leading to indiscriminate profiling. Foreign intelligence is cited as the reason for the same but it only acts as an imaginary veil for the US authorities to exercise their unhindered targeting of personal data. Presidential Policy Directive (“PPD-28”) is another instrument for the President to exercise its exclusive powers to arbitrarily conduct surveillance programmes through NSA and CIA. The privacy rights of citizens in the EU are sacrificed in the process, due to violation of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (“Charter”). To add insult to injury, their right to judicial redress is restrained as they do not have similar rights to an ordinary US citizen under the Fourth Amendment.
Judicial Remedy: A Myth in US Data Protection?
Internal transactions within the administration happen through classified documents, thereby limiting public knowledge about these surveillance orders. Putting flesh on the bones, lacking clarity and confined scope of the Judicial Redress Act prevents non-citizens to enforce actionable claims against the US government for breach of their most basic privacy rights. Even though Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes, it fails to provide rights to non-US citizens which are enforceable against the authorities in courts. Neither PPD-28 nor EO 12333 grant data subjects any right to pursue legal remedy for breach of their privacy rights, thereby violating Article 47 of the Charter.
Article 47 clarifies that data subjects have the right to an effective legal remedy before a tribunal in case of violation. The recourse provided to EU citizens in protecting their personal data must conform to the said provision of the Charter. However, there seems to be a lacuna in terms of judicial remedy afforded to EU citizens as the law does not levy any scope to enforce their claims against US authorities. Although the US government has proposed the appointment of a new oversight mechanism by employing an Ombudsperson as an independent authority, it does not address the issue at hand as Ombudsperson cannot be regarded as Tribunal. The “independent” role of the ombudsperson is also debatable as his responsibilities include reporting to the Secretary of State, who is an integral part of the State department. The process of Ombudsperson’s removal from office is also not adequately clear which further emasculates his appointment. Thus, these issues combine to substantiate that the legal remedy provided fails to satisfy the “adequacy” criteria.
The developments in the field of data protection have been immense and this only goes to prove that people have started realizing the importance of their rights over personal data. However, questions revolve around the potential impact this judgement might have on the international trading partners of the US. Since the Privacy Shield has been invalidated, it would be interesting to see whether companies resort to binding corporate rules, which is considered to be a more expensive and time consuming mechanism. Schrems III or an enhanced version of the EU-US Privacy Shield might be able to put these uncertainties to bed.