Wednesday 20 November 2019

Europe has failed in duty to protect citizens over web privacy threat

Max Schrems

TJ McIntyre

The landmark ruling handed down yesterday by the European Court of Justice in the Schrems case - striking down the Safe Harbour decision - has mostly been analysed in business and consumer terms.

But what does it mean for technology firms headquartered in Ireland? How can those firms now transfer data to the United States?

Will it mean that firms have to set up European data centres to handle data from their European customers?

While these are important questions, they are also a distraction from the wider fundamental rights issues that the case presents.

In particular, the Schrems case is not a stand-alone decision, but has to be seen as the third leg in a trilogy of bold judgments from the European Court of Justice which together will shape internet privacy for decades to come.

In the first case, brought by Digital Rights Ireland, the court struck down a European law which required telecoms companies and Internet Service Providers (ISPs) to track details of their customers' phone calls, text messages, emails and locations and to store that information for up to two years.

The second - a case against Google Spain - established a "right to be forgotten" which enables individuals to remove search results for their names, where those results disclose personal information which is excessive, irrelevant or out of date.

This latest instalment arises out of the Edward Snowden revelations and holds that the Safe Harbour Agreement - allowing transfer of personal data to the US by firms such as Facebook - is invalid as it does not provide adequate protection against mass, indiscriminate surveillance by US authorities.

What these cases have in common is a wide understanding of privacy as a safeguard against both state surveillance and private sector abuses.

They identify privacy as a fundamental right for everyone, not just those who are especially vulnerable.

And they reflect Mr Snowden's comment that: "When you say I don't care about the right to privacy because I have nothing to hide, that is no different than saying I don't care about freedom of speech because I have nothing to say."

These cases also establish core principles to control the use of state surveillance.

First, the European Court of Justice has held that surveillance must be targeted and focused - the indiscriminate collection of data on the entire population is not compatible with European law.

Secondly, access to data on an individual's communications should normally be on the basis of a court order - not an internal administrative procedure.

Thirdly, individuals must be able to bring a court action challenging surveillance in cases of abuse.

These principles will tie the hands of the European Commission in negotiating a replacement to the Safe Harbour Agreement, and will require significant amendments to US law to ensure that any replacement agreement meets the criteria set out by the European Court of Justice.

There is an ongoing debate within the US on reform of surveillance - consumer pressure since the Snowden revelations has prompted firms such as Apple, Google, Microsoft, Yahoo, Facebook and Twitter to form a coalition demanding fundamental change - and yesterday's decision will add a strong commercial imperative for further reform.

So, what happens next?

Until a replacement agreement is in place, there will be significant compliance costs and business uncertainty, falling mostly on US technology firms.

However, the Schrems case is not only about practices in the US; the judgment must be seen as having a message for European states also.

The United Kingdom and France already have laws allowing for similar forms of mass surveillance - with significantly less oversight than the US - and legislation is currently on the table in Denmark, Finland and the Netherlands which would further increase surveillance powers without adequate judicial controls.

There is, to put it mildly, an inconsistency in preventing the transfer of data to the US while tolerating similar practices within Europe.

The European Court of Justice may or may not have jurisdiction to invalidate these national surveillance systems - as 'national security' measures they generally fall outside the scope of European law.

However, yesterday's decision will nevertheless be influential with other courts hearing challenges to these laws.

A final aspect of the Max Schrems case also needs to be highlighted.

Why did it take an individual Austrian law student to force some action on the Safe Harbour Agreement after the Snowden revelations?

Why didn't any national governments or the European Commission act after it became clear that Safe Harbour was being abused and after the European Parliament called for it to be suspended?

European countries - including Ireland - have failed in their duty to protect the rights of citizens in this area.

When the Snowden revelations first emerged, the only formal response of the Irish government was a promise by the then Minister for Justice Alan Shatter to assist in Mr Snowden's extradition should he ever land here.

Two years later, too little has changed.

Dr TJ McIntyre is a lawyer, lecturer in the UCD Sutherland School of Law and chairman of Digital Rights Ireland

Irish Independent
