Steve Peers
Earlier this year, the Court of
Justice of the European Union (CJEU) ruled in the Digital Rights judgment against the validity of the EU’s data
retention directive, on the grounds that it provided for mass surveillance
without any effective safeguards. Subsequently it ruled against Google,
in what has become known as the ‘right to be forgotten’ judgment.
What are the longer-term
consequences of the Court’s ‘Privacy Spring’? An Irish court has already
referred the ‘Europe v Facebook’ case (discussed here) to the CJEU,
asking in effect whether the EU’s ‘Safe Harbour’ arrangement on data protection
with the USA is compatible with the rights to privacy and data protection, in light of the Snowden
revelations. Now the European Parliament (EP) has decided to refer the proposed
EU/Canada agreement on passenger name record (PNR) data to the CJEU,
asking if it is compatible with the rights to privacy and data protection in light of the Court’s
recent case law. That judgment would implicitly determine whether the separate EU/USA
and EU/Australia treaties on PNR data, and the proposed PNR Directive,
violate those rights also. And if the PNR treaties breach the rights to
privacy and data protection, it would then be more likely that the EU/USA treaty on banking
data transfers also breaches those rights in turn.
So, are we at the start of a ‘domino
effect’ of a series of EU laws and treaties being ruled in breach of the rights
to privacy and data protection by the Court of Justice, all falling in sequence now that the data retention
Directive has been overturned? Or are the features of the different measures
different enough to avoid this?
Background
There’s a little bit of déjà vu in
today’s decision by the EP to ask the CJEU about the EU/Canada treaty on PNR.
Back in 2004, it asked the Court to rule on the original EU/USA treaty on the
same subject. The Advocate-General’s opinion in that case ruled against
all of the EU’s arguments, including the right to privacy point. However, the
Court’s 2006 judgment only ruled on one of the EP’s legal arguments –
that the EU/USA treaty had the wrong ‘legal base’, and should have been approved
by using a different procedure (relating to police cooperation, instead of the
internal market). And that procedure meant that the EP had no role in the
approval of the treaty, or any power to ask the Court of Justice about its
compatibility with EU law.
Eight years later, the legal
environment is quite different. Since the Treaty of Lisbon entered into force
in 2009, the EP (or the Commission, Council or a Member State) can ask the CJEU
for rulings on the compatibility with EU law of EU treaties with third States on
police or criminal law cooperation. Indeed, this will be the first such ruling.
And while waiting for the Court’s ruling, the EP can prevent the EU/Canada
treaty from being concluded, since it now has the power of consent over such
treaties (back in 2004, the Council circumvented a separate request by the EP
for the CJEU to rule on the EU/USA PNR treaty by concluding that treaty without
waiting for the Court’s opinion). Furthermore, the substantive legal environment has obviously been transformed by the
Court’s ruling against mass surveillance earlier this year.
The CJEU had another chance to
rule on the right to privacy in the international context when the Commission
asked it to rule back in 2012 whether the international Anti-Counterfeiting
Agreement (ACTA) violated EU law. However, the Commission left it too late to
send its request to the Court, and the EP simply vetoed that proposed agreement
before the Court could rule (the Commission then withdrew its case). So we should
now get a long-awaited ruling from the Court on the compatibility of
international data transfers with the EU rights to privacy and data protection – unless the EP can
be talked into withdrawing its request to the Court.
The procedure which the EP has
invoked today is a special process which allows the Court to rule on the
compatibility with EU law of a draft treaty to be concluded by the EU (or by
its Member States on behalf of the EU), before that treaty comes into force. (For
Canadian readers: this process is broadly similar to sending a request to the
Supreme Court to rule on the constitutionality of a draft law. The EU process
only applies to treaties, though.) If the CJEU rules (probably in about 18
months’ time, unless the ruling is expedited) that the draft treaty is
incompatible with EU law, either the draft treaty has to be amended to comply
with the Court’s ruling, or (improbably) the EU Treaties themselves have to be
amended to permit its ratification.
The EU/Canada PNR treaty is
distinct from the EU/Canada treaty liberalising air transport (already
in force), and the proposed EU/Canada free trade agreement (CETA) – although the
latter treaty, along with the EU/USA free trade agreement now being negotiated,
will be indirectly impacted by a pending case in which the EU Commission has
asked the CJEU to rule on whether the EU/Singapore free trade agreement is
compatible with EU law.
Comments
So does the EU/Canada PNR treaty
violate the right to privacy? There’s a detailed analysis of the broader impact
of the data retention judgment on other EU measures in a study by Boehm and Cole,
published earlier this year. So this is only a short summary of the issues discussed further in that study. The starting point is how to interpret that
judgment: does it rule out all mass surveillance, or just in cases where there
are insufficient safeguards? In my view, it does indeed rule out all mass
surveillance where it’s linked to EU law, and any draft treaty to which the EU
is party would obviously be linked to EU law.
But there’s a prior question:
when does a treaty with another State entail mass surveillance? The data
retention case concerned collection of data on all phone and Internet use in
the EU. This could be compared to the use of social media (in the pending Facebook
case), or to international banking transfers, but it’s harder to argue that collection
of data on all flights to a particular third country constitutes, by itself,
mass surveillance. Having said that, the proposed PNR Directive, which would
apply to all flights within the EU, would probably meet the criteria.
If (contrary to my interpretation)
the Digital Rights judgment does permit mass surveillance, as long
as there are sufficient safeguards, then what must these safeguards be? According
to the judgment, there have to be: definitions of the ‘serious crimes’ or other
purposes of the data exchange; rules on the subsequent access to the data; limits
on the number of people who can access that data; independent control by a
court or supervisory authority; strong rules on the data protection period; provisions
on protecting data from unlawful access and use; and a requirement to retain
the data within the EU only. Obviously, in the context of treaties with non-EU
States, the latter requirement must be understood as an obligation to retain
the data in the EU or that particular third country.
Do the EU’s treaties with third
States meet these criteria? This has to be assessed on a case-by-case basis. At
first sight, for example, the EU/Canada PNR treaty contains provisions
addressing all of these safeguards issues except one: the transfer of PNR data
to other countries, which is permitted (although subject to conditions). But it
might be argued that in practice, the right to privacy and data protection is
not protected as strongly under such treaties as it might first appear, due to
inadequacies in national legislation or practice, such as NSA access to
Facebook data or limitations on non-USA citizens claiming privacy rights in the
courts.
Finally, there’s an important practical
question here. Let’s imagine that the CJEU rules that the proposed EU/Canada
treaty violates privacy and data protection rights; or that it approves that
treaty, but its reasoning in that judgment casts doubt on the compatibility of
other EU treaties with those rights. How can those other treaties be
challenged, now that they are already in force?
Time has run out to bring
annulment actions against those treaties, or to ask the CJEU for an advance
ruling on their compatibility with EU law. But it is still possible for
individuals to challenge the application of those treaties via the national
courts (as in the Digital Rights and
Facebook cases). Or the EP could argue that in order to secure effective protection
of rights under the EU Charter of Fundamental Rights, the other EU institutions
must take steps to denounce the treaties concerned. If they don’t do so, the EP
can sue them for ‘failure to act’ as set out in the EU Treaties.
No comments:
Post a Comment