
Section 3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing

(Section 3 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

In order to answer the first question raised by the Parliament in the proceedings before the Court – whether the Agreement complies with EU Primary law, and in particular with Articles 7 and 8 of the Charter, AG Mengozzi follows the classical test: is there an interference?[1] And if so, is the interference justified?[2]

Analyzing separately Articles 7 and 8 of the Charter, still a challenge

Even if the Court has recently started to analyze separately the rights protected by Article 7 (respect for private life) and by Article 8 of the Charter (protection of personal data) – see the judgments in DRI and Schrems – the AG seems to hesitate again between the two rights. He starts his analysis of whether there is an interference with the two rights (§170) by recalling the older case-law of the Court, which stated that the right to the protection of private life and the right to the protection of personal data are “closely connected” (Schecke, §47; ASNEF, §41).

First he finds that the PNR data “touches on the area of the privacy, indeed intimacy, of persons and indisputably relates to one or more identified or identifiable individual or individuals” (§170). Thus, in the same sentence, the AG brings PNR data within the scope of both Article 7 and Article 8 of the Charter. He further identifies different treatments of the data under the terms of the Agreement (§170):

– systematic transfer of PNR data to the Canadian public authorities,

– access to that data,

– the use of that data,

– its retention for a period of five years by those public authorities,

– its subsequent transfer to other public authorities, including those of third countries.

The AG states that all of the above are “operations which fall within the scope of the fundamental right to respect for private and family life guaranteed by Article 7 of the Charter and to the ‘closely connected’ but nonetheless distinct right to protection of personal data guaranteed by Article 8(1) of the Charter and constitute an interference with those fundamental rights” (§170).

Therefore, the AG does not differentiate here between what constitutes interference with the right to respect for private life and what constitutes interference with the right to the protection of personal data.

However, in the following paragraph, the AG does make such a differentiation, but only because he restates the findings of the Court in Digital Rights Ireland, even if this partly repeats some of the findings in §170: “the obligation to retain that data, required by the public authorities, and subsequent access of the competent national authorities to data relating to a person’s private life also constitutes in itself an interference with the rights guaranteed by Article 7 of the Charter (he refers here to §34 and §35 of DRI in a footnote). Likewise, an EU act prescribing any form of processing of personal data constitutes an interference with the fundamental right, laid down in Article 8 of the Charter, to protection of such data (he refers here to §29 and §36 of DRI)” (§171).

These two paragraphs do not bring much clarity, especially considering that §170 in fact refers to interference only with the first paragraph of Article 8 and not with the entire Article 8 (see also Section 4 of this analysis for additional comments prompted by this differentiation).

What is certain is that indeed there is an interference with both rights. The AG further notes the seriousness of that interference, indicating that he is fully aware of its severity:

“The fact nonetheless remains that the interference constituted by the agreement envisaged is of a considerable size and a not insignificant gravity. It systematically affects all passengers flying between Canada and the Union, that is to say, several tens of millions of persons a year. Furthermore, as most of the interested parties have confirmed, no one can fail to be aware that the transfer of voluminous quantities of personal data of air passengers, which includes sensitive data, requiring, by definition, automated processing, and the retention of that data for a period of five years, is intended to permit a comparison, which will be retroactive where appropriate, of that data with pre-established patterns of behaviour that is ‘at risk’ or ‘of concern’, in connection with terrorist activities and/or serious transnational crime, in order to identify persons not hitherto known to the police or not suspected. Those characteristics, apparently inherent in the PNR scheme put in place by the agreement envisaged, are capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects” (§176).

Even though at this stage the AG acknowledges the severity of the interference of PNR schemes with fundamental rights, he deems it to be justified by necessity (see Section 5 of this analysis).

Finally, it is also worth mentioning that the AG found that the procedures for collecting the data come within the competence of the air carriers, “which, in this regard, must act in compliance with the relevant national provisions and with EU law” (§178). He concludes that “the collection of the PNR data therefore does not constitute a processing of personal data entailing an interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter that results from the agreement envisaged itself. In the light of the limited power of the Court in the context of the opinion procedure, that operation will therefore not form the subject matter of the following developments” (§179).


……………………………………………………..

[1] Dealt with in this section.

[2] Dealt with in Sections 4 and 5 of this analysis.

Section 4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1) Charter

(Section 4 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After establishing that the EU-Canada PNR Agreement allows for a particularly serious interference with the rights to respect for private life and to the protection of personal data, the AG goes on to analyze whether this interference is justified.

First, he establishes that neither of the two rights “is an absolute prerogative” (§181), meaning that their exercise can be limited. The AG recalls “that limitations may be placed on the exercise of rights such as those enshrined in Article 7 and Article 8(1) of the Charter, provided that those limitations are provided for by law, that they respect the essence of those rights and that, subject to the principle of proportionality, they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others” (§182).

Again, just like in §170, the AG refers only to limitations of the first paragraph of Article 8. Moreover, he specifies in the following paragraph that “Article 8(2) of the Charter permits the processing of personal data ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’” (§183). He follows this only by stating that “with regard to one of the conditions set out in Article 8(2) of the Charter … the agreement envisaged does not seek to base the processing of the PNR data communicated to the Canadian competent authority on the consent of the air passengers” (§184).

This is why paragraph 188 comes as a surprise, because, after finding that the essence of the two rights is not touched (see below), the AG states that “It is therefore necessary to ascertain whether the other conditions of justification provided for in Article 8(2) of the Charter and those laid down in Article 52(1) thereof, which, moreover, overlap in part, are satisfied” (§188).

To my knowledge, this is the first time that an Advocate General, or the Court for that matter, refers to the second paragraph of Article 8 of the Charter as prescribing “conditions for justification” of interferences with the right to the protection of personal data and equates them to those laid down in Article 52(1) of the Charter.

Such a hypothesis is not without merit from the outset, but it would need a more in-depth justification than simply stating, a couple of paragraphs above, that Article 8(2) of the Charter allows processing of data only for specified purposes and only if it is based on consent or has another legitimate basis laid down by law. For instance, if indeed we were to consider that any processing of personal data constitutes an interference with Article 8 (this finding by the Court in DRI has some faults worthy of academic attention, but for the moment we have to work with it), then it would make sense to see the conditions for having a lawful basis for processing as being conditions for justifying the “interference” with the right to the protection of personal data.

Moreover, a separate analysis of whether the conditions in Article 8(2) are satisfied does not follow. The AG merely states in §189 that the conditions from Article 52(1) for the interference to be provided for by law and to meet objectives of general interest are equivalent to the “expression used in Article 8(2)” – having a “legitimate basis” – and that they are “manifestly satisfied” (§189).

As for the essence of the two rights, the AG recalls that none of the parties invoked before the Court that the interference harms the essence of the two fundamental rights (§185).

With regard to the essence of Article 7, he further explains that “the nature of the PNR data forming the subject matter of the agreement envisaged does not permit any precise conclusions to be drawn as regards the essence of the private life of the persons concerned. The data in question continues to be limited to the pattern of air travel between Canada and the Union” (§186). The AG also refers in this context to the “masking” and gradual “depersonalization” of the data as guarantees to preserve private life (§186).

With regard to the essence of Article 8, the AG mentions that “under Article 9 of the agreement envisaged, Canada is required, in particular, to ‘ensure compliance verification and the protection, security, confidentiality and integrity of the data’, and also to implement ‘regulatory, procedural or technical measures to protect PNR data against accidental, unlawful or unauthorised access, processing or loss’. In addition, any breach of data security must be amenable to effective and dissuasive corrective measures which might include sanctions” (§187). Unfortunately, the AG does not expand on the concept of the essence of the right to the protection of personal data and does not depart from what the Court indicated in Digital Rights Ireland at §40, restricting the essence of Article 8 mainly to the presence of data security measures.

Concluding that the essence of the two rights is not touched upon, the AG further analyzes the proportionality and the necessity of the interference.

Section 5. The awkward two-level necessity test that convinced the AG PNR schemes are acceptable

(Section 5 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

After he establishes that the Court should carry out “a strict review of compliance with the requirements resulting from the principle of proportionality, and more particularly, from the adequacy of the level of protection of the fundamental rights guaranteed in the Union when Canada processes and uses the PNR data pursuant to the agreement envisaged” (§200), the AG further assesses if the interference is “strictly necessary”.

He considers the “strict necessity” test as a component of the proportionality test, together with “the ability of the interference to achieve the ‘public security’ objective pursued by the Agreement”.

With regard to the latter criterion, the AG does not believe “there are any real obstacles to recognising that the interference constituted by the agreement envisaged is capable of attaining the objective of public security, in particular the objective of combating terrorism and serious transnational crime” (§205). “As the United Kingdom Government and the Commission, in particular, have claimed, the transfer of PNR data for analysis and retention provides the Canadian authorities with additional opportunities to identify passengers, hitherto not known and not suspected, who might have connections with other persons and/or passengers involved in a terrorist network or participating in serious transnational criminal activities” (§205).

In addition, the AG finds the statistics provided by the Commission and the UK relevant to find that “the data constitutes a valuable tool for criminal investigations” (§205). He reaches this conclusion in spite of the fact that at §151, when summarizing the contributions of the parties before the Court, the AG recalls that “The Commission accepts that there are no precise statistics indicating the contribution which PNR data makes to the prevention and detection of crime and terrorism, and to the investigation and prosecution of offences of those types.”

With regard to the strict necessity of the interference, the AG establishes that its assessment “entails ascertaining whether the contracting parties have struck a ‘fair balance’ between the objective of combating terrorism and serious transnational crime and the objective of protecting personal data and respecting the private life of the persons concerned” (§207), by making a reference to §77 of the Schecke judgment. That paragraph in Schecke seems to me to establish a different principle – namely that, when balancing two opposing rights, one of which is the right to the protection of personal data, it must be taken into account that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[1].

Notwithstanding, the AG follows by stating that “the terms of the agreement envisaged must also consist of the measures least harmful to the rights recognised by Articles 7 and 8 of the Charter, while making an effective contribution to the public security objective pursued by the agreement envisaged” (§208). He explains:

“That means that it is not sufficient to imagine, in the abstract, the existence of alternative measures that would be less intrusive in the fundamental rights at issue. Those alternative measures must also be sufficiently effective, that is to say, their effectiveness must, in my view, be comparable with those provided for in the agreement envisaged, in order to attain the public security objective pursued by that agreement” (§208).

In quite a big leap, AG Mengozzi relies for this twofold test for necessity on a paragraph in the Schwartz judgment, §53, which states that “the Court has not been made aware of any measures which would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognised by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints.”

This twofold test is not used in any of the most recent landmark judgments of the Court – DRI, which relies greatly on the analysis of the condition of “necessity”, and Schrems. However, looking at strict necessity through this lens of proportionality and equivalent effectiveness persuaded the AG to conclude that PNR schemes, even if they constitute the kind of interference he accurately described in §176, are acceptable.

Comparing the wealth of PNR data to data collected usually for border control purposes by immigration authorities, including Advance Passenger Information and information collected by Canadian authorities for their eVA program, the AG concluded that “data of that type (API, eVA – my note) does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API and the data required for the issue of an eVA are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged” (§214).

The AG further justifies that PNR data of all passengers are transferred to the Canadian authorities, “even though there is no indication that their conduct may have a connection with terrorism or serious transnational crime” (§215) by arguing that “as the interested parties have explained, the actual interest of PNR schemes, whether they are adopted unilaterally or form the subject matter of an international agreement, is specifically to guarantee the bulk transfer of data that will allow the competent authorities to identify, with the assistance of automated processing and scenario tools or predetermined assessment criteria, individuals not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security and who are therefore liable to be subjected subsequently to more thorough individual checks” (§216).

He finds at §244, referring to the fact that the Agreement involves transfers of data of all passengers between the Union and Canada, irrespective of whether they are suspects or not, that “no other measure which, while limiting the number of persons whose PNR data is automatically processed by the Canadian competent authority, would be capable of attaining with comparable effectiveness the public security aim pursued by the contracting parties has been brought to the Court’s attention in the context of the present proceedings”.

The AG therefore concluded that “generally, the scope ratione personae of the agreement envisaged cannot be limited further without harming the very object of the PNR regimes” (§245).

Another characteristic of PNR schemes that is generally considered questionable – the lack of an ex ante control of access to PNR data – is found justifiable by the AG in the light of the “fair balance” test for strict necessity: “the appropriate balance that must be struck between the effective pursuit of the fight against terrorism and serious transnational crime and respect for a high level of protection of the personal data of the passengers concerned does not necessarily require that a prior control of access to the PNR data must be envisaged” (§269).

Therefore, the idea of PNR schemes seems to be compatible with the fundamental rights to data protection and respect for private life, in the view of AG Mengozzi. However, the list of conditions he develops for the Agreement in the current case to be fully compliant with EU primary law is quite long and quite strict and it bears bad news for other similar arrangements.


……………………………………………

[1] §77 of Schecke states this: “It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. The Court has held in this respect that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (Satakunnan Markkinapörssi and Satamedia, paragraph 56).”

Section 6. The list of reasons why the EU-Canada PNR Agreement is incompatible with the Charter and the Treaty

(Section 6 of the Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter)

AG Mengozzi divides his Conclusions on the compatibility of the EU-Canada PNR Agreement with EU primary law into two lists.

The first list contains 11 improvements that can be made in order for the Agreement to be compliant with Articles 7, 8 and 52(1) of the Charter and Article 16 TFEU (see paragraph 2 of the Conclusions).

A. Sensitive data must be outside the scope of PNR schemes

Notably, sensitive data must be excluded from the scope of the Agreement. The AG found that the Agreement “goes beyond what is strictly necessary by including in its scope the transfer of PNR data that is apt to contain sensitive data, which in material terms allows information about the health or ethnic origin or religious beliefs of the passenger concerned and/or of those travelling with him to be disclosed” (§221). He follows by stating that “the risk of stigmatising a large number of individuals who are not suspected of any offence which the use of such sensitive data entails strikes me as particularly worrying and prompts me to propose that the Court should exclude data of that type from the scope of the agreement envisaged” (§222).

B. Transparency requirements

In addition, the agreement should expressly specify “the principles and rules applicable to both the pre-established scenarios or assessment criteria and the databases with which the Passenger Name Record data is compared in the context of the automated processing of that data, in such a way that the number of ‘targeted’ persons can be limited, to a large extent and in a non-discriminatory manner, to those who can be reasonably suspected of participating in a terrorist offence or serious transnational crime” (4th subparagraph of §2 of the Conclusions).

C. Article 8(3) of the Charter on independent supervision, fully applicable in the light of “essential equivalence”

Another important condition to achieve compliance with EU primary law is that the agreement must systematically ensure “by a clear and precise rule, control by an independent authority, within the meaning of Article 8(3) of the Charter of Fundamental Rights of the European Union, of respect for the private life and protection of the personal data of passengers whose Passenger Name Record data is processed” (10th subparagraph of §2 of the Conclusions).

In this regard, the AG found that “control by an independent authority, required in particular by Article 8(3) of the Charter, is fully applicable in the present case” (§310), in the light of the fact that the intention of the contracting parties is “to ensure a level of protection that is intended to be ‘substantially equivalent’ to that which individuals would enjoy if their personal data were processed and retained within the Union” (§309).

The AG further found that the “independent supervision” condition is not fully complied with because of the alternative wording of Article 10(1) of the agreement, which gives the impression that the processing of PNR data by the Canadian authorities might also be wholly assumed by the ‘authority created by administrative means that exercises its functions in an impartial manner and that has a proven record of autonomy’ – the Recourse Directorate of the Canadian authority receiving the data, instead of the Privacy Commissioner of Canada (§314).

While nobody questioned the independence of the Privacy Commissioner (§312), the AG found that “irrespective of the guarantees … from the Mission of Canada to the European Union, according to which the Recourse Directorate of the CBSA will receive no directions from the other operational bodies of the latter, that directorate, like all the other bodies of the CBSA, continues to be directly subordinate to the responsible Minister, from whom it may receive directions. Since it is liable to be subject to influence of, in particular, a political nature on the part of the authority to which it is responsible or more generally the Executive, the Recourse Directorate of the CBSA cannot be regarded as an independent supervisory authority for the purposes of Article 8(3) of the Charter” (§315).

This finding, if upheld by the Court, is perhaps the most relevant one that could apply, mutatis mutandis, to an eventual challenge of the EU-US Privacy Shield arrangement, in particular with regard to the independence of the Ombudsman.

D. It must be possible for data subjects to exercise their rights from the EU

Another notable improvement that must be made in order for the Agreement to be compliant with EU primary law is that it should make clear that “requests for access, rectification and annotation made by passengers not present on Canadian territory may be submitted, either directly or by means of an administrative appeal, to an independent public authority” (last subparagraph of §2 of the Conclusions).

The second list of the Conclusions contains 5 reasons why the Agreement is incompatible with EU primary law (§3 of the Conclusions):

  1. “Article 3(5) of the agreement envisaged allows, beyond what is strictly necessary, the possibilities of processing Passenger Name Record data to be extended, independently of the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime”;

The AG found that according to that article, “the processing of PNR data is ‘also’ permitted, on a case-by-case basis, in order to comply with the subpoena or warrant issued, or an order made, by a court, although it is not stated that that court must be acting in the context of the purposes of the agreement envisaged. That article therefore appears to allow the processing of PNR data for purposes unconnected with those pursued by the agreement envisaged and/or possibly in connection with conduct or offences not coming within the scope of that agreement” (§236).

  2. Article 8 of the agreement envisaged provides for the processing, use and retention by Canada of Passenger Name Record data containing sensitive data;
  3. Article 12(3) of the agreement envisaged confers on Canada, beyond what is strictly necessary, the right to make disclosure of information subject to reasonable legal requirements and limitations;

Paragraph 3 of that article extends the possibilities of access to the PNR data and information extracted from it “to anyone, without any specific guarantees being laid down” (§293). “Article 12(3) of the agreement envisaged authorises Canada to ‘make any disclosure of information subject to reasonable legal requirements and limitations …, with due regard for the legitimate interests of the individual concerned’. However, neither the recipients of that ‘information’ nor the use to which it is put is defined in the agreement envisaged. It is therefore quite possible that that information may be communicated to any natural or legal person, such as a bank, for example, provided that Canada considers that the disclosure of such information does not exceed ‘reasonable’ legal requirements, which, moreover, are not defined in the agreement envisaged” (§293).

  4. Article 16(5) of the agreement envisaged authorises Canada to retain Passenger Name Record data for up to five years for, in particular, any specific action, review, investigation or judicial proceedings, without a requirement for any connection with the purpose, stated in Article 3 of that agreement, of preventing and detecting terrorist offences and serious transnational crime;

The AG criticized that pursuant to Article 16(5) of the Agreement “sensitive data of a Union citizen who has taken a flight to Canada is liable to be retained for five years (and, where appropriate, unmasked and analysed during that period) by any Canadian public authority, for any ‘action’ or ‘investigation’ or ‘judicial proceeding’, without being in any way connected to the objective pursued by the agreement envisaged, for example, as the Parliament has pointed out, in the event of proceedings related to contract law or family law. The possibility that such a situation will arise prompts the conclusion that on this point the contracting parties have not struck a fair balance between the objectives pursued by the agreement envisaged” (§224).

  5. Article 19 of the agreement envisaged allows Passenger Name Record data to be transferred to a public authority in a third country without the Canadian competent authority, subject to control by an independent authority, first being satisfied that the public authority in the third country in question to which the data is transferred cannot itself subsequently communicate the data to another body, where relevant, in another third country. (For the relevant analysis, see §300 to §304 of the Opinion).

Why (I think) the WP29 Statement on the Privacy Shield is not really a ‘carte blanche’ for one year

The Plenary of the Article 29 Working Party (composed of national Data Protection Authorities – DPAs – in Europe and the European Data Protection Supervisor) met on 26 July to discuss, among other topics, the adopted text of the EU-US Privacy Shield and its accompanying adequacy decision issued by the European Commission on 12 July.

The Group adopted a Statement concerning its assessment of the adopted version of the Privacy Shield. To make a long story short, WP29 issued an Opinion on the Privacy Shield on 13 April, containing concerns, some of them still outstanding, about the level of protection afforded by the Privacy Shield to personal data transferred from the EU to the U.S. This, together with a later Opinion issued by the European Data Protection Supervisor, prompted the Commission to go back to the negotiation table with representatives of the U.S. government in order to alleviate these concerns. On 12 July, after passing through the vote of the Article 31 Committee, the final text of the Privacy Shield was adopted by the Commission.

The Statement issued by WP29 is meant to address the changes brought to the text of the Privacy Shield after the last rounds of negotiations. Have the two negotiating parties addressed the concerns raised by DPAs? Have they provided the requested clarifications?

WP29 stated that:

‘a number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.’

The WP29 statement is very brief – the Group preferred not to launch into an extensive legal analysis of the changes brought to the text. This would have required more time, and the benefits of a detailed analysis at this stage, just after the text has been adopted, are few. However, the messages in the one-page statement are very clear, and they are quite critical.

The DPAs highlight three key issues that were not solved regarding transfers in the commercial area (and they mention these three as an example, suggesting thus that there are more ‘concerns’ which have not been dealt with):

  • the lack of specific rules on automated decisions (profiling)
  • the lack of a general right to object
  • the fact that it remains unclear how the Privacy Shield Principles apply to processors

WP29 also refers to two issues that are not entirely solved regarding access by law enforcement to the transferred data:

  • the guarantees concerning the independence and the powers of the Ombudsperson mechanism are not strict enough
  • the lack of concrete assurances that such practice does not take place (while, at the same time, noting ‘the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data’ – yes, collection and not use)

At least the two last points stand right at the essence of the right to personal data protection and, respectively, the right to respect for private life. The first one has the ability to trigger a breach of Article 8(3) of the Charter of EU (independence of supervisory authorities) and the second one could amount to ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications’. And, as the CJEU found, such legislation ‘must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter’ (para 94 of the Schrems judgement).

Moreover, even the first three identified points of concern could be understood as a failure to implement the general obligation to protect personal data under Article 8(1) of the Charter, were they to be analysed by a Court. (For a similar reasoning, but concerning the rules on international data transfers, see para 72 of the Schrems judgment.)

So, why do I think WP29 did not give a ‘carte blanche’ or a ‘green light’ for the application of the Privacy Shield?

First, because it is not in its competence to do so. According to Article 29(1) of Directive 95/46, the WP29 ‘shall have advisory status’. Article 30 of the Directive enumerates all the competences and powers of the Working Party – giving opinions, informing the Commission, issuing recommendations, advising the Commission. WP29 is not a Court. It is not even an administrative body that can deal with complaints and issue enforceable decisions to solve them. It cannot simply decide that a legal act issued by the European Commission (such as an adequacy decision) will be disapplied. Or, even more so, annulled.

The CJEU was more than clear in Schrems when stating that ‘the Court (of Justice of the EU – my addition) alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly’ (para 61 of the judgment).

WP29 could not challenge the Privacy Shield in Court, either. It does not have this competence.

The ones that could indeed challenge the validity of the adequacy decision are the individual members of the Article 29 Working Party, the national DPAs – and only those whose national law gives them the legal standing to go to their national Courts (the others could also initiate such proceedings, if they knew how to directly invoke before the national courts the provisions of Directive 95/46 granting them this competence – third indent of Article 28(3); but this is another EU law discussion).

However, just as the CJEU points out in the Schrems judgment, court proceedings initiated by the DPAs are most likely to be possible only in situations where a complaint was made by an individual (this also depends on the national procedural laws of EU Member States) and the DPA happens to agree with the complainant:

‘where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings’. (CJEU, para. 65 of Schrems)

Perhaps it is not a coincidence that the only concrete immediate step mentioned by the WP29 in its Statement is the commitment of its members to ‘proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints’.

Another concrete step the WP29 can take regarding the level of protection of the safeguards contained in the Privacy Shield is, indeed, focusing on the first Joint Annual Review. The Review will probably be done at the beginning of Summer 2017, close to the one-year anniversary of its adoption – and it is the quickest way to have the adequacy decision of the Privacy Shield suspended or repealed (see paragraphs 150 and 151 of the adequacy decision), if it indeed does not provide for an adequate level of protection.

In the meantime, the members of the WP29 can very well use as guidance the complex analysis in the 58 pages of the Opinion on the draft Privacy Shield issued on 13 April when they will be dealing with complaints.

This is why I think that yesterday’s Statement is not the ‘carte blanche’ or ‘the green light’ almost everyone thought it was.

***

If you want to read more on the topic:

EU privacy watchdogs keep open mind on new U.S. data privacy pact (Reuters)

EU watchdogs permit Privacy Shield to run for one year (BBC)

EU Privacy Regulators Give Green Light to Data-Transfer Pact with U.S. (WSJ)

EU privacy watchdogs vow to thoroughly frisk Privacy Shield next year (Ars Technica)

Les gendarmes européens de la vie privée critiquent l’accord Privacy Shield (Le Monde)

EDPS issues guidelines on how to ensure confidentiality of whistleblowers

The European Data Protection Supervisor issued today (18 July 2016) Guidelines addressed to the EU institutions and bodies on how to deal with whistleblowers in a way that is compliant with the data protection requirements in Regulation 45/2001.

The first thing you need to know is that the EU Staff Regulations contain an obligation for staff members and other persons working for the EU institutions and bodies to report in writing any reasonable suspicion of illegal activities to the hierarchy or to the European Anti-Fraud Office (“OLAF”) directly.

EU institutions are required to manage whistleblowing reports and ensure the protection of personal information of the whistleblowers, the alleged wrongdoers, the witnesses and the other persons appearing in the report.

According to the EDPS, “the most effective way to encourage staff to report concerns is to ensure them that their identity will be protected. Therefore, clearly defined channels for internal and external reporting and the protection of the information received should be in place. The identity of the whistleblower who reports serious wrongdoings or irregularities in good faith should be treated with the utmost confidentiality as they should be protected against any retaliation”.

Here is a list with the main recommendations from the Guidelines:

1. Implement defined channels for internal and external reporting and specific rules where the purpose is clearly specified.

2. Ensure confidentiality of the information received and protect the whistleblowers’ identity and all other persons involved.

3. Apply the principle of data minimisation: only process personal information that is adequate, relevant and necessary for the particular case.

4. Identify what personal information means in this context and who the affected individuals are, in order to determine their rights of information, access and rectification. Restrictions to these rights are allowed, as long as the EU institutions are able to provide documented reasons before taking such a decision.

5. Apply the two-step procedure to inform each category of individuals concerned about how their data will be processed.

6. Ensure when responding to right of access requests that personal information of other parties is not revealed.

7. Assess the appropriate competence of the recipient (internal or external) and then limit the transfer of personal information only when necessary for the legitimate performance of tasks covered by the competence of the recipient.

8. Define proportionate conservation periods for the personal information processed within the scope of the whistleblowing procedure, depending on the outcome of each case.

9. Implement both organisational and technical security measures based on a risk assessment analysis of the whistleblowing procedure in order to guarantee a lawful and secure processing of personal information.

“The EU-US interface: Is it possible?” CPDP2015 panel. Recommendation and some thoughts

The organizers of CPDP 2015 made available on their YouTube channel some of the panels from this year’s conference, which happened last week in Brussels. This is a wonderful gift for people who weren’t able to attend CPDP this year (like myself). So a big thank you for that!

While all of them seem interesting, I especially recommend the “EU-US interface: Is it possible?” panel. My bet is that the EU privacy legal regime/US privacy legal regime dichotomy and the debates surrounding it will set the framework of “tomorrow’s” global protection of private life.

Exactly one year ago I wrote a 4 page research proposal for a post-doc position with the title “Finding Neverland: The common ground of the legal systems of privacy protection in the European Union and the United States”. A very brave idea, to say the least, in a general scholarly environment which still widely accepts Whitman’s liberty vs dignity solution as a fundamental “rift” between the American and European privacy cultures.

The idea I wanted to develop is to stop looking at what seem to be fundamental differences and start searching for a common ground from which to build new understandings of protecting private life accepted by both systems.

While it is true that, for instance, a socket in Europe is not the same as a socket in the US (as a traveller between the two continents I am well aware of that), fundamental human values do not change while crossing the ocean. Ultimately, I can convert the socket into metaphor and say that even if the continents use two very different sockets, the function of those sockets is the same – they are a means to provide energy so that one’s electronic equipment works. So which is this “energy” of the legal regime that protects private life in Europe and in the US?

My hunch is that this common ground is “free will”, and I have a bit of Hegel’s philosophy to back this idea. My research proposal was rejected (in fact, by the institute which, one year later, organized this panel at CPDP 2015 on the EU-US interface in privacy law). But, who knows? One day I may be able to pursue this idea and make it useful somehow for regulators that will have to find this common ground in the end.

You will discover in this panel some interesting ideas. Margot Kaminski (The Ohio State University Moritz College of Law) brings up the fact that free speech is not absolute in the US constitutional system – “copyright protection can win over the first amendment” she says. This argument is important in the free speech vs privacy debate in the US, because it shows that free speech is not “unbeatable”. It could be a starting point, among others, in finding some common ground.

Pierluigi Perri (University of Milan) and David Thaw (University of Pittsburgh) seem to be the ones that focus the most on the common grounds of the two legal regimes. They say that, even if it seems that one system is more preoccupied with state intrusions in private life and the other with corporate intrusions, both systems share a “feared outcome – the chilling effect on action and speech” of these intrusions. They propose a “supervised market based regulation” model.

Dennis Hirsch (Capital University Law School) speaks about the need for global privacy rules or something approximating them, “because data moves so dynamically in so many different ways today and it does not respect borders”. (I happen to agree with this statement – more details here.) Dennis argues in favour of sectoral co-regulation, that is, regulation by government and industry together, to be applied in each sector.

Other contributions are made by Joris van Hoboken, University of Amsterdam/New York University (NL/US) and Eduardo Ustaran, Hogan Lovells International (UK).

The panel is chaired by Frederik Zuiderveen Borgesius, University of Amsterdam, and organised by the Information Society Project at Yale Law School.

Enjoy!

CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

The CJEU gave its decision today in Case C-212/13 František Ryneš, under the preliminary ruling procedure. The press release is available here and the decision here.

Facts

A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he had not given consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPA’s decision before an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic processing of data.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

In practice this means that, even if the household exception does not apply in this case and the processing operation must comply with the requirements of the Data protection directive, those requirements leave room for a CCTV camera recording activity such as the one in the proceedings to be lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29).

What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why 😉 ). My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.

Abstract:

The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in need of revising its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” – what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

You can download the full text of the paper following this link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2409006

How the ECHR defended the freedom of speech of a whistleblower who warned of illegitimate wiretapping by a secret service

It took the European Court of Human Rights 11 years to give its judgment in the case of Bucur and Toma v. Romania, the case of a whistleblower from the Romanian Intelligence Service (SRI) who warned the public in 1996 about the arbitrary wiretapping of journalists and other people by the service (Bucur) and one of the wiretapped journalists and his daughter (Toma and Toma).

The facts of the case have certain similarities to the “Snowden revelations” situation, in that it involves a whistleblower from a secret service which has powers in the field of national security, who warned the public that the service was arbitrarily interfering with the private life (especially, but not only) of journalists, businessmen and politicians, by wiretapping their phones. The decision of the ECHR is interesting because it is dual: it analyzes the situation of the whistleblower, as well as the situation of two individuals who were arbitrarily wiretapped.

The ECHR gave its judgment on January 8, 2013, while the application was lodged in 2002 (No. 40238/02). It found that, by sentencing Mr. Bucur to 2 years of imprisonment for breaching the national security law through his revelations, Romania had breached Article 10 (freedom of expression) of the European Convention on Human Rights. In addition, the Court found that by allowing the arbitrary wiretapping of Mr. Toma and his daughter, as revealed by Mr. Bucur, Romania had breached Article 8 (the right to private life) of the Convention.

Following the decision of the Court, Mr. Bucur received 20.000 EUR as compensation for moral damages, and Mr. Toma and his daughter each received 7.800 EUR.

What did Mr. Bucur’s revelations say?

Mr. Bucur was an employee of SRI, responsible for monitoring and recording the wiretapped telephone communication of persons listed on a certain registry.

In the course of his work, Mr. Bucur observed several irregularities: pencil was used to write in all the sections of the registry, and the registry was not complete; the real names of the wiretapped persons did not appear in the registry, nor did the number of the wiretapping order issued by the prosecutor, the location of the wiretapped telephone, or the purposes of the wiretapping (para. 8). He also observed that the name in the registry did not always indicate the actual owner of the telephone (para. 8). “Furthermore, a considerable number of journalists, politicians and businessmen were wiretapped, especially with regard to resounding stories published by the press” (para. 8 – my translation).

Mr. Bucur took the issue to the head of the department, who reprimanded him: “(the head of the department) had advised him to give up his allegations and reminded him he had other problems and had children to raise, and he reportedly said: <<it is not us who will change how things are>>” (para. 9 – my translation).

Mr. Bucur further took the issue to a member of the Parliamentary Commission for the Control of SRI, who advised him that the best and quickest means to inform the public about these issues was to hold a press conference (para. 10), which Mr. Bucur did on 13 May 1996.

Justification of his actions

According to the Court, he justified his actions by his wish to have Romanian law, and especially the Constitution, complied with. He stated that the disclosed information was not a state secret, but proof that SRI was involved in political police activities, by order of the service’s chief, during a year of parliamentary and presidential elections. He also said that the beneficiaries of the arbitrary wiretapping were only the governing political party, and other political parties for their internal affairs (para. 10).

Who is Mr. Bucur?

Unlike Mr. Snowden, Mr. Bucur had considerable experience of working in a secret service and surveilling people. He was 44 years old at the time of the revelations. Before working for SRI, he was an employee of the former Securitate forces under the Communist regime of Nicolae Ceauşescu, which was replaced in 1989 by a democratic regime after the Revolution.

In a 2009 interview for the French newspaper L’Express, he admitted that he decided to give this information to the public because he felt that the surveillance in 1995 Romania was even more arbitrary than what happened during the Communist regime: “In 1995 I woke up when I saw the names of many journalists, working for the daily newspapers “Ziua” and “Evenimentul Zilei”, on the list of persons whose conversations were listened to. In 1989, when I was listening to a sportsman, I had to ask for 5 authorizations, I had to make tons of administrative paperwork… In 1995, there was no longer such an official aspect (of surveilling – my note): they would give me a piece of paper with the name of the person written in pencil”.

What did the Court say with regard to Mr. Bucur’s freedom of expression?

The Decision of the Court is lengthy – 182 paragraphs – and it is only available in French and Romanian. I will only point out a few highlights.

-> In deciding whether the interference with Mr. Bucur’s right to freedom of expression was necessary in a democratic society, the Court applied the criteria for public-servant whistleblowers developed in its Guja v. Moldova case (No. 14277, of February 12, 2008, paras. 70-78). The criteria are (NB: this is my translation, not an official one):

a) whether the applicant had other means to make the revelations

b) whether the information revealed was in the public interest

c) whether the information revealed is authentic

d) whether the information revealed caused “considerable damage” to the institution

e) whether the whistleblower acted with good faith

f) whether the sanction brought by the state against the whistleblower was severe

-> The Court found, regarding the public interest of the revelations, that: “the information revealed by the applicant is undoubtedly of public interest. The interception of telephone communications is particularly important in a society which has experienced during the communist regime a close surveilling by the secret services. This [the public interest – n.] is also proven by the fact that the press conference of 13 May 1996 was the subject of extensive media coverage, as evidenced by the documents filed by both the applicant and the Government. In addition, civil society was directly affected by the information disclosed, as anyone could have their telephone calls intercepted”. (para 101, my translation).

-> The Court, on the damage brought to the institution, balanced against the public interest: “the Court considers that the public interest in the disclosure of unlawful acts within the activity of SRI is so important in a democratic society that it outweighs the interest in maintaining the trust of the public in this institution. The Court recalls in this regard that the free debate on issues of public interest is essential in a democratic state and it is important not to discourage citizens from deciding on such issues (Barfod v. Denmark, 22 February 1989, § 29, Series A No. 149)” (para. 115, my translation).

-> Conclusion of the Court: “Recognizing the importance of the right to freedom of expression on matters of public interest, the right of civil servants and other employees to signal unlawful conduct and actions observed within their working place, the duties and responsibilities of employees owed to their employers and the right of the latter to manage their staff, the Court, after weighing the other interests involved, concludes that the interference with the right to freedom of expression of the applicant, in particular his right to communicate information, was not “necessary in a democratic society”. Accordingly, there has been a violation of Article 10 of the Convention” (para 120, my translation).

What did the Court say with regard to the right to private life of the wiretapped journalist and his daughter?

The Court only declared admissible the complaint of Mr. and Ms. Toma with regard to the storage by SRI of the files containing recorded telephone conversations (tapes), and not the complaint regarding the wiretapping itself, which was found to have been filed too late, outside the six-month time limit required by the Convention.

The Court recalled that “telephone communications are comprised in the notions of <<private life>> and <<correspondence>> as enshrined in Article 8(1) of the Convention; their interception, their storage in a secret file, and the communication of data related to the private life of an individual amount to an <<interference by a public authority>> in the exercise of the right guaranteed by Article 8 (see, among others, Dumitru Popescu v. Romania (No. 2), para. 61). For such an interference not to breach Article 8, it must be provided for by law, pursue a legitimate aim in accordance with Article 8(2) and, in addition, be necessary in a democratic society to achieve this aim” (para. 162 – my translation).

Among other things, the Court found that although SRI had some procedures regarding when a recorded conversation would be destroyed once it no longer served a purpose, those procedures allowed a substantial risk that the conversations would not be destroyed and, thus, could easily be accessed at a later time (para. 164, as synthesized by right2info.org).

The Court considered that the applicants did not enjoy “a sufficient degree of protection against arbitrariness, as required by Article 8 of the Convention” (para. 165 – my translation).