The Rapporteur for the EU Data Protection Regulation in the European Parliament, MEP Jan Philipp Albrecht, released today a concise and clear opinion on the link between the US surveillance leaks and the ongoing reform of EU data protection law.
Among other comments, he also underlined that “The leaks hit the public in the middle of ongoing negotiations and debates in the European Parliament on the Data Protection Regulation. The draft of this regulation, sent in November 2011 by Justice Commissioner Viviane Reding to her colleagues, already contained a provision that would make it a condition for the disclosure of user data to authorities in third countries to have a legal foundation such as a mutual legal assistance agreement and an authorisation by the competent data protection authority. This Article disappeared after strong lobbying from the US administration, and only a very weak Recital remained.” Which is a valid point. You can read all of his statement HERE.
My problem with this debate in general is that, legally speaking, if the state in these mass surveillance revelations were an EU Member State, and not the US, we (EU citizens) would have little to argue against it based on current (and future, for that matter) EU law. Article 3(2) of Directive 95/46 on the protection of personal data states that:
2. This Directive shall not apply to the processing of personal data:
– in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.
A similar provision exists in the proposed draft Regulation, at art. 2:
This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
You could argue that Directive 95/46 is the framework Directive (applying only to matters which used to fall under the former first pillar of the Communities) and that in criminal law matters (the former third pillar) the current EU legal framework is defined by Council Framework Decision 2008/977/JHA. And indeed this is true. However, the material scope of the Decision is defined as follows, in art. 1:
4. This Framework Decision is without prejudice to essential national security interests and specific intelligence activities in the field of national security.
And if you think that in the proposed directive for data processing in criminal matters, which will replace the framework decision, the national security rule is sweetened in favor of the data subject with additional safeguards, think again (and read art. 2):
3. This Directive shall not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
But, you would say, these are only secondary sources of EU law. We could look higher for protection. We have a fundamental right to private life and a fundamental right to the protection of personal data, guaranteed in the European Charter of Fundamental Rights, which from December 1, 2009, has binding effect on the EU Member States. That is also true. However, the scope of the Charter, according to art. 51, is limited to situations in which Member States are implementing Union law (such as transposing a directive, applying the resulting national law, or applying a regulation). Moreover, to make things clearer, art. 51(2) provides that “this Charter does not establish any new power or task for the Community or the Union, or modify powers and tasks defined by the Treaties”. And national security measures of a Member State are definitely outside the powers of the EU. So, even if the institutional system of the EU were turned upside down and we were able to file complaints directly with the Court of Justice of the European Union, as individuals, the Court would have little to say about the conformity of such surveillance practices with the Charter.
What to do then? We should leave the EU system of protection and look towards the one created by the Council of Europe. Article 8 of the European Convention on Human Rights protects the right to respect for private life. However, Article 8(2) states that:
“There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
The national security exemption, all over again. But don’t get too disappointed. The ECHR, at least from what I’ve read in their up-to-date case-law on Article 8, would never find mass surveillance a proportionate measure, and hence would never declare it as necessary in a democratic society. In fact, there are several decisions made by the ECHR against CoE member states in the context of their intelligence activity and its clash with art. 8 of the Convention (see, for instance, Rotaru v. Romania).
Great. But how could you get your case in front of the ECHR? First, you would have to file a complaint against the institution which breaches your fundamental right to private life in one of your national courts, basing your claim on a national provision. Only if your national court does not give a favorable decision, and after you exhaust all the national judicial review possibilities, would you be able to go to the ECHR and complain that your state has not respected your fundamental right to private life. If the ECHR finds in your favor, then you would probably be compensated with an amount of money (which usually does not exceed 10.000 euro). But that would only be your individual case. There are no class cases before the ECHR. And there is no competence of the ECHR to invalidate a national law. A change in the national law could happen only if the state wants to make it. Thus, it is difficult to predict whether it would happen or not. And the whole process I described usually lasts several years (4-5-6).
Oh, remember, the whole analysis from above was made considering the state with mass surveillance habits is a member of the EU and a member of the CoE! If it is a third country, if it operates through legal persons under its own jurisdiction, and if only your data find themselves in an extraterritorial position, then, legally speaking, your actual actions are most likely “frozen”. {This is why clouds must be approached by themselves, from a regulatory perspective, establishing their own architecture as a territory to be subject to a certain law. But even if such an idealistic thing were to happen, national security (just like that, without further safeguards or proportionality provisions) is always an exception. The analysis we went through together showed that this kind of mass surveillance can be sanctioned only for not being proportional with the aim it pursues. But for that to happen, we would need a court to decide so. A court recognized by all the parties involved, which can make enforceable decisions in such a context. Global governance sounds all of a sudden more interesting and ever closer to you, doesn’t it?}
A comment
It is important to note that the national security exemptions in data protection law, as long as the intrusions are proportionate and necessary in a democratic society, are accepted by the people as part of their social contract with their state. What makes the people (at least in Europe) uncomfortable about the whole Prism story is that the processing of their data under the national security exemption is performed by a state with whom they do not have a social contract. What are they getting back in exchange for their privacy? They look to their “states” for protection (by which I mean the national state and the EU), but which are the mechanisms for their states to afford such a protection in the international law paradigm?
Conclusion?
Should the national security exemption be reconsidered, especially with regard to surveillance? Should it be made subject to safeguards such as proportionality embedded in the law? Is that too dangerous? Or is that necessary to protect personal freedom? Should such rules be constitutionalized? And if so, at what level should they be constitutionalized? And which court or which other mechanism should safeguard their “constitutionality”? I think this can be the effective part of the debate we should have after the recent developments. And we should also work on finding better questions to answer within this debate.
(Source of the photo: http://3.bp.blogspot.com)
Court of Justice of the EU: Member States are not obliged to provide for exceptions in the application of data subjects’ rights
The Court of Justice of the European Union ruled on November 7, in Case C-473/12 IPI v. Geoffrey Englebert, that Article 13(1) of Directive 95/46, providing for exceptions in the application of the rights of the data subjects, “must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their data”.
Article 13(1) has the following content:
Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;
(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);
(g) the protection of the data subject or of the rights and freedoms of others.
It must also be noted that these exemptions apply to:
– the principles relating to data quality enshrined in Article 6(1) of the Directive;
– the right to information, in Articles 10 and 11(1) of the Directive;
– the right to access personal data, enshrined in Article 12 of the Directive, a provision which also contains the right to rectification, erasure and blocking of data (Article 13(2));
– publicizing of processing operations, enshrined in Article 21 of the Directive.
By identity of reason, one can conclude that the decision of the Court in IPI v. Englebert applies also to the other provisions to which Article 13(1) refers, not only to Articles 10 and 11. The latter were relevant in this particular case.
The conclusion of the Court is rather interesting. It is a well-known fact that “Directive 95/46 amounts to harmonisation which is generally complete”, as the Court itself notes in para. 31 of the IPI v. Englebert decision, citing Case C‑101/01 Lindqvist [2003] ECR I‑12971, paragraphs 95 and 96, and Huber, paragraphs 50 and 51. How does the idea of non-compulsory exemptions and restrictions provided for in Directive 95/46 fall within the concept of “generally complete harmonisation”?
To justify this approach, the Court added in para. 31 that “the provisions of Directive 95/46 are necessarily relatively general given that it has to be applied to a large number of very different situations, and that the directive includes rules with a degree of flexibility and, in many instances, leaves to the Member States the task of deciding the details or choosing between options”, citing Lindqvist, para. 83.
The most compelling reason for the Court to decide so must have been an argument it brought in para. 28 of the IPI Decision: “It is apparent from recitals 3, 8 and 10 of Directive 95/46 that the European Union legislature sought to facilitate the free movement of personal data by the approximation of the laws of the Member States while safeguarding the fundamental rights of individuals, in particular the right to privacy, and ensuring a high level of protection in the European Union.”
It appears that the Court is more likely to interpret the provisions of Directive 95/46 through the “high level of protection” criterion, rather than the “generally complete harmonization” one.
The IPI Decision raises several questions:
* Do Member States have the liberty to provide for no exemptions and restrictions derived from Article 13(1) of the Directive at all?
* If this is not the case, what are the criteria to decide which are the minimum exceptions that must be regulated?
* Is the list of exemptions and restrictions enshrined in Article 13(1) of the Directive limited? In other words, taking into account that the generally complete harmonisation allows Article 13(1) to be interpreted in a flexible manner, can the state provide for additional exceptions?
One last remark is that the question of exemptions and restrictions of data protection law is sensitive, only if one takes into account the national security exception often invoked for interfering with the privacy of electronic communications. In this regard, see also THIS older post on pdpEcho.