Earlier this year, the Court of Justice of the European Union (CJEU) ruled in the Digital Rights judgment against the validity of the EU’s data retention directive, on the grounds that it provided for mass surveillance without any effective safeguards. Subsequently it ruled against Google, in what has become known as the ‘right to be forgotten’ judgment.
What are the longer-term consequences of the Court’s ‘Privacy Spring’? An Irish court has already referred the ‘Europe v Facebook’ case (discussed here) to the CJEU, asking in effect whether the EU’s ‘Safe Harbour’ arrangement on data protection with the USA is compatible with the rights to privacy and data protection, in light of the Snowden revelations. Now the European Parliament (EP) has decided to refer the proposed EU/Canada agreement on passenger name record (PNR) data to the CJEU, asking if it is compatible with the rights to privacy and data protection in light of the Court’s recent case law. That judgment would implicitly determine whether the separate EU/USA and EU/Australia treaties on PNR data, and the proposed PNR Directive, violate those rights also. And if the PNR treaties breach the rights to privacy and data protection, it would then be more likely that the EU/USA treaty on banking data transfers also breaches those rights in turn.
So, are we at the start of a ‘domino effect’, with a series of EU laws and treaties being ruled in breach of the rights to privacy and data protection by the Court of Justice, all falling in sequence now that the data retention Directive has been overturned? Or do the different measures differ enough from one another to avoid this?
There’s a little bit of déjà vu in today’s decision by the EP to ask the CJEU about the EU/Canada treaty on PNR. Back in 2004, it asked the Court to rule on the original EU/USA treaty on the same subject. The Advocate-General’s opinion in that case ruled against all of the EU’s arguments, including the right to privacy point. However, the Court’s 2006 judgment only ruled on one of the EP’s legal arguments – that the EU/USA treaty had the wrong ‘legal base’, and should have been approved by using a different procedure (relating to police cooperation, instead of the internal market). And that procedure meant that the EP had no role in the approval of the treaty, or any power to ask the Court of Justice about its compatibility with EU law.
Eight years later, the legal environment is quite different. Since the Treaty of Lisbon entered into force in 2009, the EP (or the Commission, Council or a Member State) can ask the CJEU for rulings on the compatibility with EU law of EU treaties with third States on police or criminal law cooperation. Indeed, this will be the first such ruling. And while waiting for the Court’s ruling, the EP can prevent the EU/Canada treaty from being concluded, since it now has the power of consent over such treaties (back in 2004, the Council circumvented a separate request by the EP for the CJEU to rule on the EU/USA PNR treaty by concluding that treaty without waiting for the Court’s opinion). Furthermore, the substantive legal environment has obviously been transformed by the Court’s ruling against mass surveillance earlier this year.
The CJEU had another chance to rule on the right to privacy in the international context when the Commission asked it to rule back in 2012 whether the international Anti-Counterfeiting Agreement (ACTA) violated EU law. However, the Commission left it too late to send its request to the Court, and the EP simply vetoed that proposed agreement before the Court could rule (the Commission then withdrew its case). So we should now get a long-awaited ruling from the Court on the compatibility of international data transfers with the EU rights to privacy and data protection – unless the EP can be talked into withdrawing its request to the Court.
The procedure which the EP has invoked today is a special process which allows the Court to rule on the compatibility with EU law of a draft treaty to be concluded by the EU (or by its Member States on behalf of the EU), before that treaty comes into force. (For Canadian readers: this process is broadly similar to sending a request to the Supreme Court to rule on the constitutionality of a draft law. The EU process only applies to treaties, though.) If the CJEU rules (probably in about 18 months’ time, unless the ruling is expedited) that the draft treaty is incompatible with EU law, either the draft treaty has to be amended to comply with the Court’s ruling, or (improbably) the EU Treaties themselves have to be amended to permit its ratification.
The EU/Canada PNR treaty is distinct from the EU/Canada treaty liberalising air transport (already in force), and the proposed EU/Canada free trade agreement (CETA) – although the latter treaty, along with the EU/USA free trade agreement now being negotiated, will be indirectly impacted by a pending case in which the EU Commission has asked the CJEU to rule on whether the EU/Singapore free trade agreement is compatible with EU law.
So does the EU/Canada PNR treaty violate the right to privacy? There’s a detailed analysis of the broader impact of the data retention judgment on other EU measures in a study by Boehm and Cole, published earlier this year. So this is only a short summary of the issues discussed further in that study. The starting point is how to interpret that judgment: does it rule out all mass surveillance, or just in cases where there are insufficient safeguards? In my view, it does indeed rule out all mass surveillance where it’s linked to EU law, and any draft treaty to which the EU is party would obviously be linked to EU law.
But there’s a prior question: when does a treaty with another State entail mass surveillance? The data retention case concerned collection of data on all phone and Internet use in the EU. This could be compared to the use of social media (in the pending Facebook case), or to international banking transfers, but it’s harder to argue that collection of data on all flights to a particular third country constitutes, by itself, mass surveillance. Having said that, the proposed PNR Directive, which would apply to all flights within the EU, would probably meet the criteria.
If (contrary to my interpretation) the Digital Rights judgment does permit mass surveillance, as long as there are sufficient safeguards, then what must these safeguards be? According to the judgment, there have to be: definitions of the ‘serious crimes’ or other purposes of the data exchange; rules on the subsequent access to the data; limits on the number of people who can access that data; independent control by a court or supervisory authority; strong rules on the data protection period; provisions on protecting data from unlawful access and use; and a requirement to retain the data within the EU only. Obviously, in the context of treaties with non-EU States, the latter requirement must be understood as an obligation to retain the data in the EU or that particular third country.
Do the EU’s treaties with third States meet these criteria? This has to be assessed on a case-by-case basis. At first sight, for example, the EU/Canada PNR treaty contains provisions addressing all of these safeguards issues except one: the transfer of PNR data to other countries, which is permitted (although subject to conditions). But it might be argued that in practice, the right to privacy and data protection is not protected as strongly under such treaties as it might first appear, due to inadequacies in national legislation or practice, such as NSA access to Facebook data or limitations on non-USA citizens claiming privacy rights in the courts.
Finally, there’s an important practical question here. Let’s imagine that the CJEU rules that the proposed EU/Canada treaty violates privacy and data protection rights; or that it approves that treaty, but its reasoning in that judgment casts doubt on the compatibility of other EU treaties with those rights. How can those other treaties be challenged, now that they are already in force?
Time has run out to bring annulment actions against those treaties, or to ask the CJEU for an advance ruling on their compatibility with EU law. But it is still possible for individuals to challenge the application of those treaties via the national courts (as in the Digital Rights and Facebook cases). Or the EP could argue that in order to secure effective protection of rights under the EU Charter of Fundamental Rights, the other EU institutions must take steps to denounce the treaties concerned. If they don’t do so, the EP can sue them for ‘failure to act’ as set out in the EU Treaties.