“You Were Only Supposed to Blow the Bloody Doors Off!”: Schrems II and external transfers of personal data

Lorna Woods, Professor of Internet Law, University of Essex

The Court of Justice today handed down the much anticipated ruling on the legality of standard contractual clauses (SCCs) as a mechanism to transfer personal data outside the European Union.  It forms part of Schrems’ campaign to challenge the ‘surveillance capitalism’ model on which many online businesses operate: there are other challenges to the behavioural advertising model ongoing.  While this case is clearly significant for SCCs and Facebook’s operations, there is a larger picture that involves the Court’s stance against mass (or undifferentiated) surveillance. This formed part of the background to Schrems I (Case C-362/14, discussed here), but has also been relevant in European jurisprudence on the retention of communications data. This then brings us to a third reason why this judgment may be significant. The UK, like the US, has a system for mass surveillance and once we come to the end of the year data controllers in the EU will need to think of the mechanisms to allow personal data to flow to the UK. The approach of the Court to mass surveillance in Schrems II is therefore an indicator of the approach to a similar question in relation to the UK in 2021.

Background

The General Data Protection Regulation provides that transfer of personal data may only take place on one of the bases set out in the GDPR. The destination state may, for example, have an ‘adequacy decision’ that means that the state in question ensures an adequate (roughly equivalent) level of protection to the ensured by the GDPR (Article 45 GDPR).  The original adequacy agreement in relation to the United States (safe harbour) was struck down in Schrems I because it failed to ensure that there was adequate protection on a number of grounds, some of which related to the safe harbour system itself, but some of which related to the law in the US, specifically that which allowed mass surveillance.  While the safe harbour was replaced by the Privacy Shield under Decision 2016/1250 on the Privacy Shield (Privacy Shield Decision) which improved some of the weaknesses as regards the operation of the mechanism itself, including the introduction of an ombusdman system, little if anything has changed in relation to surveillance.

Another mechanism for transfer of personal data outside the EU is that of SCCs, which are private agreements between the transferor (data controller) and transferee. Article 46(1) GDPR states that where there is no adequacy decision “a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”. Article 46(2) GDPR lists possible mechanisms including standard data protection clauses. The Commission has produced a model form of these agreements in Commission Decision 2010/87 (SCC Decision). 

Following the outcome of Schrems I, Schrems reformulated his complaint to the Irish Data Protection Commissioner (DPC) about data transfers arguing that the United States does not provide adequate protection as United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) and the data is used in a manner incompatible with the right to private life, and that therefore future transfers by Facebook should be suspended.  These transfers are currently carried out on the basis of SCCs as approved by the SCC Decision.  The DPC took the view that this complaint called into question the validity of that decision as well as the Privacy Shield Decision, which moved the issue back into the courts. The Irish High Court referred the question to the Court of Justice and it is the outcome in this ruling that we see today.

The Judgment

The Advocate General in his Opinion (discussed here) suggested to the Court that the SCC Decision was valid; the problem was the context in which it operated. He took the view that the Privacy Shield’s validity should be considered separately. Crucially, he held that data controllers need to determine the adequacy of protection in the destination state. This in practice is difficult; while a data controller might have some control over what the recipient does with the data (how processed, data security etc), it would have little control over the general legal environment. In any event, data controllers would be required to make specific country assessments on this, which could be challenged by dissatisfied data subjects.  The Court took a slightly different approach. It agreed with its Advocate General that the SCC Decision was valid, but it struck down the Privacy Shield.

The Court made a number of findings. The first relates to the scope of inquiry and to competence. Given that national security lies outside the GDPR (and outside EU competence), should questions about the processing of data for purposes of public security, defence and State security be outside the scope of the GDPR rules. Following its position in Schrems I, the Court (like its Advocate General) rejected this argument [para 83, 86, 88]: the transfers of personal data by an economic operators for commercial purposes, even if that personal data is then processed by the authorities of the destination state for national security reasons, remains within the GDPR framework. Exclusions from the regime should be interpreted narrowly (citing Jehovan todistajat (Case C-25/17), discussed here).

In determining the level of protection the GDPR requires, the Court re-iterated its stance from Schrems I and following the reasoning of its Advocate General in this case held that we are looking for a level of protection “essentially equivalent” to that in the EU- and bearing in mind that the GDPR is understood in the light of the EU Charter.  So not only must the terms of the SCCs themselves be taken into account but also the general legal environment in the destination State.  The Court summarised:

…..the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of [the GDPR]. [para 105]

The Court noted that the national supervisory authorities are responsible for monitoring compliance with EU rules, and may check compliance with the requirements of the GDPR (following on from the position under the DPD established in Schrems I), and the national regulatory authorities have significant investigative powers. Where the SCCs are not complied with – or cannot be complied with – the national regulatory authorities must suspend or prohibit transfers and the Commission’s competence to draft SCCs does not restrict the powers of national authorities to review compliance in any way.  In this the Court’s approach is broadly similar to that of the Advocate General.  As regards an adequacy decision, a valid adequacy decision is binding, until such time as it may be declared invalid; this does not stop individuals from being able to complain.

Applying the principles to the SCC Decision, the Court noted that the standards bind only the parties to the agreement. Consequently, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. [para 126]

Does this possibility mean that the SCC Decision is necessarily invalid? The Court held not. Unlike an adequacy agreement which necessarily relates to a particular place, the SCC decision does not. The SCCs therefore may require supplementing to deal with issues in individual cases.  Moreover, the SCC Decision includes effective mechanisms that make it possible to ensure compliance with EU standards [para 137].  Specifically, the SCC Decision imposes an obligation on a data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected  in the third  country  concerned. The recipient of the data must inform the data controller of any inability to comply with the SCCs, at which point the data controller is obliged to suspend transfers and/or terminate the contract. The SCC Decision is therefore valid; the implications of this in practice for this case were not drawn out. The Court in the end held that

…. unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer [operative ground 3].

The existence of an adequacy decision is then key. Turning to the Privacy Shield Decision, the Court set the same analytical framework, emphasising the GDPR is understood in the light of the Charter and the rights to private life, to data protection and to an effective remedy. In assessing the decision, the Court noted that it awards primacy to the requirements of US national security, public interest and law enforcement, which the Court interpreted as condoning interference with the fundamental rights of persons whose data are transferred.  In the view of the Court, access and use of personal data by US authorities are not limited in a way that is essentially equivalent to EU law – the surveillance programmes are not limited to what is strictly necessary and are disproportionate. Further, data subjects are not granted rights to take action before the courts against US authorities. The Ombudsperson mechanism, introduced by the Privacy Shield Decision as an improvement on the position under safe harbour, is insufficient.  The Court therefore declared the Privacy Shield invalid.

Comment

The most obvious consequence of this ruling is that of how data transfers to the US can continue? The Privacy Shield is no more, and its demise has consequences for the operations of SCCs in practice. Given the weaknesses in the general legal system from the perspective of the Court of Justice, weaknesses over which the data controller/exporter can have little control, how can the requirements to individually assess adequacy be satisfied?  Are there, however, any other mechanism on which data transfers could be carried out?

In this context, we should note how the Court has interpreted the provisions of Chapter V to create a common baseline for standards, despite differences in wording between Arts 45 and 46 GDPR.  Article 45 deals with adequacy decisions and it requires that there is “an adequate level of protection”; Article 45(2) then lists elements to be taken into account – notably respect for the rule of law and human rights and “relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”. It was this provision that was interpreted in Schrems I to require a level of protection that is ‘essentially equivalent’. Article 46(1) – which is relevant to the other mechanisms by which transfers may take place, including agreements between public authorities and binding corporate rules as well as SCCs – says something different. Article 46(1) requires “appropriate safeguards” and “enforceable data subject rights and effective legal remedies for data subject”. This is then not necessarily the same – at least in terms of simple wording – as Article 45(1). The Court however has read Articles 46 and 45 together so as to ensure that, as required by Article 44, data subjects’ rights are not undermined. This brings the essential equivalence test across to Article 46 [see para 96] and not just SCCs, but all the other mechanisms for data transfer listed in Art 46(2).  More specifically the factors to be taken into account when considering whether there are appropriate safeguards match the list set out in Article 45(2). 

The Court also emphasised that the requirements of the GDPR must be understood in the light of the EU Charter as interpreted by the Court itself [para 100].  In this context, the backdrop of the Court’s approach to fundamental rights – specifically the right to private life in Art 7 EU Charter – is significant.  The Court in a number of cases involving the bulk retention of communications and location data by telecommunications operators so that those data could be accessed by law enforcement and intelligence agencies found those requirements – because they applied in an undifferentiated manner irrespective of suspicion across the population – to be disproportionate (Digital Rights Ireland and Others, Cases C-293/12 and C-594/12; Tele2/Watson (Cases C-203/15 and C-698/15), discussed here and here). The Court has also criticised the use of passenger name records (PNR) data (Opinion 1/15 (EU-Canada PNR Agreement, discussed here)) and particular the use of automated processing.  The Court in its review of the facts referred to a number of surveillance programmes and that the referring court had found that these were not ‘essentially equivalent’ to the standards guaranteed by Article 7 and 8 EU Charter.  This would seemingly cause a problem not just for the adequacy agreement, but for an operator seeking to rely on SCCs – or on any other mechanism listed in Art 46(2).

This brings to the forefront Article 49 GDPR, referred to by the Court as filling any ‘vacuum’ that results from its judgment, which allows derogations for external transfers in specific situations, notably that the data subject has consented or that the transfer is necessary for the performance of a contract. While these might at first glance give some comfort to data controllers a couple of words of caution should be noted. First, these reflect the grounds for lawful processing and should be interpreted accordingly. Notably ‘explicit consent’ is a high bar – and all consent must be freely given, specific informed and unambiguous – and it should be linked to a specific processing purpose (on consent generally, see EDPB Guidelines).  The ground that something is necessary for a contract does not cover all actions related to that contract – in general a rather narrow approach might be anticipated (see EDPB Guidance). 

The final point relates to the UK. The UK perhaps infamously – also has an extensive surveillance regime which has been the subject of references to the Court of Justice (as well as a number of cases before the European Court of Human Rights). Crucially, the regime does have some oversight and there is an independent tribunal which has a relaxed approach to standing. Nonetheless, bulk collection of data is permissible under the Investigatory Powers Act, and it is an open question whether the Court of Justice would accept that this is necessary or proportionate, despite the changes brought in since the Tele2/Watson ruling on the communications data rules. Further, the UK has entered into some data sharing agreements with the US which have given rise to disquiet in some parts of the EU institutions. Whilst a member of the EU it benefitted in terms of data flows from not having to prove the adequacy of its safeguards. From 2021 that will change.  In the light of the approach of the Court of Justice, which can be seen as reemphasising and embedding its stance on surveillance, obtaining an adequacy agreement may not be so easy for the UK and given the similarity in approach underpinning Articles 45 and 46 GDPR, other mechanisms for data flow may also run into problems if this is the case. For now, the jury is out.

Photo credit: Security Dive

The Commission’s draft EU-US Privacy Shield adequacy decision: A Shield for Transatlantic Privacy or Nothing New under the Sun?

  

Dr. Maria Tzanou (Lecturer in Law, Keele University)

On 6 October 2015, in its judgment in Schrems, the CJEU invalidated the Commission’s decision finding that the US ensured an adequate level of protection for the transfer of personal data under the Safe Harbour framework on the basis that US mass electronic surveillance violated the essence of the fundamental right to privacy guaranteed in Article 7 EUCFR and the right to effective judicial protection, enshrined in Article 47 EUCFR (for an analysis of the judgment, see here).

             

On 2 February 2016, the Commission announced that a political agreement was reached on a new framework for transatlantic data flows, the EU-US Privacy Shield, which will replace the annulled Safe Harbour. On 29 February 2016, the Commission published a draft Privacy Shield adequacy decision followed by seven Annexes that contain the US government’s written commitments on the enforcement of the arrangement. The Annexes include the following assurances from the US: Annex I, a letter from the International Trade Administration of the Department of Commerce, which administers the programme, describing the commitments that it has made to ensure that the Privacy Shield operates effectively; Annex II, the EU-US Privacy Shield Framework Principles; Annex III, a letter from the US Department of State and accompanying memorandum describing the State Department’s commitment to establish a Privacy Shield Ombudsperson for submission of inquiries regarding the US’ intelligence practices; Annex IV, a letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield; Annex V, a letter from the Department of Transportation describing its enforcement of the Privacy Shield; Annex VI, a letter prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to US national security authorities; and, Annex VII, a letter prepared by the US Department of Justice regarding safeguards and limitations on US Government access for law enforcement and public interest purposes.

Similar to its predecessor, Privacy Shield is based on a system of self-certification by which US companies commit to a set of privacy principles. However, unlike Safe Harbour, the draft Privacy Shield decision includes a section on the ‘access and use of personal data transferred under the EU-US Privacy Shield by US public authorities’ (para 75). In this, the Commission concludes that ‘there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the US to what is strictly necessary to achieve the legitimate objective.’ This conclusion is based on the assurances provided by the Office of the Director of National Surveillance (ODNI) (Annex VI), the US Department of Justice (Annex VII) and the US Secretary of State (Annex III), which describe the current limitations, oversight and opportunities for judicial redress under the US surveillance programmes. In particular, the Commission employs four main arguments arising from these letters to reach its adequacy conclusion: Firstly, US surveillance prioritises targeted collection of personal data, while bulk collection is limited to exceptional situations where targeted collection is not possible for technical or operational reasons (this captures the essence of the principles of necessity and proportionality, according to the Commission). Secondly, US intelligence activities are subject to ‘extensive oversight from within the executive branch’ and to some extent from courts such as the Foreign Intelligence Surveillance Court (FISC). Thirdly, three main avenues of redress are available under US law to EU data subjects depending on the complaint they want to raise: interference under the Foreign Intelligence Surveillance Act (FISA); unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA). Fourthly, a new mechanism will be created under the Privacy Shield, namely the Privacy Shield Ombudsperson who will be a Senior Coordinator (at the level of Under-Secretary) in the State Department in order to guarantee that individual complaints are investigated and individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied.

The draft Privacy Shield framework may have been hailed as providing an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the US, but despite the plethora of privacy-friendly words (‘Privacy Shield’, ‘robust obligations’, ‘clear limitations and safeguards’) one cannot be very optimistic that the new regime will fully comply with the Court’s judgment in Schrems. A first problematic aspect with the US assurances is that they merely describe the US surveillance legal framework and the relevant safeguards that already exist. In fact, the only changes that were introduced in the US following the Snowden revelations was the issuance of Presidential Policy Directive 28 (PPD-28) (in January 2014) which lays down a number of principles on the use of signal intelligence data for all people; and the passing of the USA Freedom Act which modified certain US surveillance programmes and put an end to the mass collection of Americans’ phone records by the NSA (in June 2015).  Finally, in February 2016, the US Congress passed the Judicial Redress Act which was signed into law by President Obama. Given that one can reasonably assume that the Court was aware of these developments when laying down its judgment in Schrems in October 2015, it seems that, with the exception of the Ombudsperson, Privacy Shield does not change much in US surveillance law. In fact, the Commission has entirely based its draft adequacy analysis on a mere detailed description of this law without any further commitment that this will improve in any way in order to comply with EU fundamental rights as interpreted by the CJEU.

While the assurance that US surveillance is mainly targeted and does not take place in bulk is important, there is no reference to the fact that US authorities access the content of the personal data that was deemed to violate the essence of the right to privacy in Schrems. Furthermore, even if the US authorities engage only in targeted surveillance, the CJEU has held in Digital Rights Ireland that the mere retention of private-sector data for the purpose of making them available to national authorities affects Articles 7 and 8 EUCFR and might have a chilling effect on the use by subscribers of platforms of communication, such as Facebook or Google and, consequently, on their exercise of freedom of expression guaranteed by Article 11 EUCFR. Individuals, when faced with surveillance, cannot know when they are targeted; nevertheless, the possibility of being the object of surveillance has an effect on the way they behave. Insofar as Article 47 EUCFR and the right to effective judicial protection is concerned, the Commission itself notes in its draft adequacy decision that the avenues of redress provided to EU citizens do not cover all the legal bases that US intelligence authorities may use and the individuals’ opportunities to challenge FISA are very limited due to strict standing requirements.

The creation of the Ombudsperson with the important function of ensuring individual redress and independent oversight should be welcomed as the main addition of the draft Privacy Shield. Individuals will be able to access the Privacy Shield Ombudsperson without having to demonstrate that their personal data has in fact been accessed by the US intelligence activities and the Ombudsperson, who will be carrying out his functions independently from Instructions by the US Intelligence Community will be able to rely on the US oversight and review mechanisms. However, there are several limitations to the function of the Privacy Shield Ombudsperson. First, the procedure for accessing the Ombudsperson is not as straightforward as lodging a complaint before a national Data Protection Authority (DPA). Individuals have to submit their requests initially to the Member States’ bodies competent for the oversight of national security services and, eventually a centralised EU individual complaint handling body that will channel them to the Privacy Shield Ombudsperson if they are deemed ‘complete’. In terms of the outcome of the Ombudsperson’s investigation, the Ombudsperson will provide a response to the submitting EU individual complaint handling body –who will then communicate with the individual- confirming (i) that the complaint has been properly investigated, and (ii) that the US law has been complied with, or, in the event of non-compliance, such non-compliance has been remedied. However, the Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Ombudsperson confirm the specific remedy that was applied. Finally, Annex III stipulates that commitments in the Ombudsperson’s Memorandum will not apply to general claims that the EU-US Privacy Shield is inconsistent with EU data protection requirements. In the light of the above, the Privacy Shield Ombudsperson does not seem to provide the redress guarantees of a supervisory authority such as the DPAs as the AG had asked in his Opinion in Schrems.

Draft Privacy Shield is problematic for another reason as well: it puts together the regulative framework for commercial transactions with the regulation for law enforcement access to private sector data. These are, however, different issues and they should be dealt with separately. It is important to encourage and facilitate transborder trade, thus flexible mechanisms allowing for undertakings self-compliance with data protection principles should continue to apply. But, the challenges of online surveillance on fundamental rights are too serious to be covered by the same regime and some ‘assurances’ that essentially describe the current US law. Two solutions could possibly deal with this problem: Either the US adheres to the Council of Europe Convention No. 108 and abandons the distinction between US and EU citizens regarding rights to redress or a transatlantic privacy and data protection framework that ensures a high level of protection of fundamental rights and the transparency and accountability of transnational counter-terrorism operations (the so-called ‘umbrella agreement’) is adopted. Regrettably, the current form of the umbrella agreement is very problematic as to its compatibility with EU data protection standards- or even human rights standards in general, and, therefore, does not seem to provide an effective solution to the issue.

      

A recently leaked document reveals that the Article 29 Working Party has difficulties in reaching an overall conclusion on the Commission’s draft adequacy decision and supports the view that Privacy Shield does not fully comply with the essential guarantees for the transfer of personal data from the EU to the US for intelligence activities.

Should the Commission nevertheless decide to proceed with the current draft, it is highly possible that the CJEU will be called in the future to judge the adequacy of Privacy Shield in a Schrems 2 line of cases.

Photo credit: www.teachprivacy.com

Live. Die. Repeat. The ‘Privacy Shield’ deal as ‘Groundhog Day’: endlessly making the same mistakes?

Steve Peers

Love it, hate it, or spend an academic career analysing it, the USA is the best-known country in the world. Yet some of its traditions still puzzle outsiders. One of them, celebrated yesterday, is ‘Groundhog Day’: the myth that the appearance, or non-appearance, of the shadow of an otherwise obscure rodent on February 2nd each year will determine whether or not there will be another six weeks of winter. Outside the USA, Groundhog Day is probably better known as a movie: grumpy Bill Murray keeps repeating the same day, trying to perfect it and woo the lovely Andie MacDowell. Others have borrowed this basic plot. In Edge of Tomorrow, sleazy Tom Cruise keeps repeating the same day, trying to kill aliens and woo the lovely Emily Blunt. In the Doctor Who episode Hell Bent, angry Peter Capaldi keeps repeating the same day, trying to cut through a diamond wall and resurrect the lovely Jenna Coleman.

The basic idea is summed up in the advertising slogan for Edge of Tomorrow: Live. Die. Repeat. Groundhog Day in particular has attracted many interpretations. Of these, the most convincing is that the film’s story is a Buddhist parable: repeated reincarnation until we reach the state of enlightenment, or nirvana.

How does this relate to the new EU/US privacy deal, dubbed ‘Privacy Shield’? Obviously the deal involves the USA, and it was reached yesterday, on Groundhog Day. And it’s a new incarnation of a prior deal: ‘Safe Harbor’, killed last October by the CJEU in the Schrems judgment (discussed here). While the text of the new agreement is not yet available, the initial indication is that it is bound to be killed in turn – unless the CJEU, admittedly an increasingly fickle judicial deity, is willing to go back on its own case law. Goodness knows how many further reincarnations will be necessary before the US and EU can reach enlightenment.

Problems with the deal

The point of the new deal is the same as the old one: to provide a legally secure set of rules for EU/US data transfers, for companies that subscribe to a set of data protection principles. Failing that, it is possible to argue that transfers can be justified by binding corporate rules, by individual consent or (as regards US government access to the data) by a third State’s public interest. But as I as I noted in my blog post on Schrems, these alternatives are untested yet in the CJEU, and are possibly subject to legal challenges of their own. Understandably, businesses would like to make a smooth transition to a new set of legally secure rules. Does the new deal fit the bill?   

In the absence of a text, I can’t analyse the new deal much. But here are my first impressions.

According to the CJEU, the main problems with the previous deal were twofold: the extent of mass surveillance in the USA, and the limited judicial redress available to EU citizens as regards such government surveillance. It appears that the new agreement will address the latter issue, but not the former. There will be an ‘ombudsman’ empowered to consider complaints against the US government. While the details are unknown, it’s hard to see how this new institution could address the CJEU’s concerns completely, unless it is given the judicial power to order the blocking and erasure of data, for instance.   

Furthermore, there’s no sign that the underlying mass surveillance will be changed. Here, the argument is that the Court of Justice simply misunderstood the US system, or that in any event many EU countries are just as wicked as the USA when it comes to mass surveillance. These arguments are eloquently set out in a barrister’s opinion, summarised in this (paywalled) Financial Times story.

Facebook and the US government disdained to get involved in the Schrems case, and have no doubt repented this at leisure. The assumption here appears to be that they would participate fully in new litigation, and convince the CJEU to see the error of its ways.

How likely is this? It’s undoubtedly true to say that the CJEU gives an increasing impression that it willing to bend the rules, or double up on its own case law, in order to ensure the survival of an increasingly beleaguered EU project. In Pringle and Gauweiler, it agreed with harshly criticized plans to keep monetary union afloat. In Dano and Alimanovic, it qualified its prior case law on EU citizens’ access to benefits, in an attempt to quell growing public concern about this issue. In Celaj, it gave a first indication that it would row back on its case law limiting the detention of irregular migrants, perhaps in light of the migration and refugee crisis. The drafters of the proposed deal on UK renegotiation appear to assume that the Court would back away from even more free movement case law, if it appears necessary to keep the UK from leaving the European Union.

Once the Court reminded legal observers of Rome: the imperial author of uniform codes that would bind a whole continent, upon which the sun would never set. Now it increasingly reminds me of Dunkirk: the centre of a brave and hastily improvised retreat from impending apocalypse, scouring for a beach to fight its last stand. The Court used to straighten every road; now it cuts every corner.

Since the ‘Privacy Shield’ deal faces many litigious critics, it seems virtually certain to end up before the Court before long. Time will tell where the judgment on the deal will fit within the broader sweep of EU jurisprudence.

Photo credit: play.google.com