
EU-US Data Protection Laws and Potential Impact on Transatlantic Relations
A lecture on EU-US data protection law given by Peter Swire at the European Data Protection Supervisor. It examines the implications of separating from the US based on data protection regulations, touching on the intersection of fundamental rights, trade partnerships, and intelligence practices.
Presentation Transcript
Lectio Magistralis: Should the EU Decide to Separate from the US Based on Data Protection Law?
Peter Swire
European Data Protection Supervisor
January 22, 2018

Preface
- My thanks to Giovanni Buttarelli for the invitation to speak here today
- I provide my personal comments, based on over 20 years of working on EU/US data protection issues
- These are difficult issues, and I will speak frankly about some of my views
- None of my comments today concern GDPR
- The focus is on how to assess fundamental rights protections in the intelligence context

Introduction
- Consider the founding vision of Jean Monnet, about the many benefits of breaking down protectionist walls, for both economic and non-economic reasons
- My concern is that an incomplete analysis of fundamental rights law may create tall new protectionist walls, between the EU and the US, but also the EU and its other trading partners
- I am concerned that barriers to flows of personal data can foster a historic, and undesirable, separation of the EU and US, in both economic and non-economic ways
- My comments draw on my 300-page testimony (a book), avec le sommaire aussi en français, at https://www.alston.com/en/resources/peter-swire-irish-high-court-case-testimony

Overview of the Talk
- Swire background
- Snowden and Trump
- Why Schrems II is potentially very different than Schrems I
- The NSA and Article 47 of the Charter
- Summary essays from Ireland testimony
- Systemic remedies in the US as a baseline for good practice
- Judicial oversight of US intelligence practices
- US remedies for privacy violations
- Broad effects beyond one country (US) and one legal basis (standard contracts)
- My request to this thoughtful and informed audience
- And, a side note

My Remarks Today
- I am here as a professor and long-time participant in these issues
- In Ireland case, I was selected as an independent expert on US law by Facebook, under strict Irish rules for independence
- I have no clients that I am representing on these issues

Swire Background: EU Data Protection Law and US Surveillance Law 1998 2013

Two Understandable EU Concerns About the US
- Snowden revelations (2013)
  - EU concerns about violations of fundamental rights
  - Since then, US bulk collection program shut down (Sec. 215)
  - At least 27 surveillance reforms, including USA Freedom Act
  - Swire 2015 testimony for EU on these
- Election of Trump
  - I served in White House under Clinton & Obama, and disagree often with President Trump
  - US retains independent judiciary, civil servants
  - Continuity thus far on EU and Privacy Shield

Contrast of Late 1990s and Today
- 1990s: Implementation of the Directive
- Swire book 1998; respect for EU laws on data protection, for companies that choose to do business in EU
- Apply the laws to both EU and US companies
- Swire part of negotiating team for 2000 agreement on Safe Harbor
- Companies can raise their standards to meet data protection requirements

Schrems Decision 2015
- Scope of Schrems legal decision not entirely clear:
  - Requirement to update adequacy determinations
  - Emphasis on role of independent DPAs
  - Concern about NSA surveillance and lack of individual remedy for that
- For the latter:
  - Schrems claim is that the problem concerns the laws and actions of the US intelligence agencies
  - In contrast to Safe Harbor, companies cannot take steps to ensure compliance
  - Even if companies have world-class GDPR compliance, ban on export of personal data to the US
  - Effect thus specifically on data export, and not on company compliance with data protection standards within EU

Do NSA Actions on Access & Redress Establish a Violation of Fundamental Rights?
- EU Fundamental Rights Agency reports 2015, 2017 on foreign intelligence activities of the EU Member States
- Very wide variety of legal approaches to oversight; not even close to consensus on best structure for overseeing secret surveillance in an open society
- Even where have the theory of access and redress for intelligence records, the practice lags very far behind
- No discussion in Irish High Court of actual EU practices, to provide basis for assessing US practices
- The standard contract clause case thus raises the issue of finding a violation by the US on an issue where:
  - No consensus standards for good practice by the Member States
  - No clear rulings by courts on how these fundamental rights apply in this complex and important area of national security surveillance
  - The US has more extensive safeguards than most Member States

Article 47 of the Charter: Remedies
- Focus of Irish Commissioner and High Court decision on Article 47 of the Charter, and individual right to a remedy
- My experience: diplomatic mission 1997-98 to six EU countries to study Article 12 on access under the Directive
- No exception listed in text
- Numerous exceptions and limitations on full access in practice, many of which were included in Safe Harbor
- Derogations, such as under Art. 8 ECHR, not discussed in High Court opinion
- No discussion of national security limitation on access/redress
- No discussion of role of intelligence collection to preserve public order and do what is necessary in a democratic society (given need for secrecy)
- No discussion of ex ante protections rather than ex post individual remedies

Swire Short Essays Summarizing Testimony
- Role of ex ante systemic safeguards
- Oxford study led by Prof. Ian Brown, in Chapter 6
- The US now serves as a baseline for foreign intelligence standards
- The legal framework for foreign intelligence collection in the US contains much clearer rules on the authorisation and limits on the collection, use, sharing and oversight of data relating to foreign nationals than the laws of almost all EU Member States.
- Ex ante safeguards protect individual, fundamental rights
- Analogy to the car: want the ability to sue if there is an accident (ex post); also want a safe car, so fewer accidents and less harm (ex ante protections)
- Existence of these safeguards is relevant to determination of what is the least possible intrusion on fundamental rights

Judicial Oversight of Intelligence
- Chapter 5 on the Foreign Intelligence Surveillance Court (FISC)
- Composed of high quality independent federal judges, with lifetime tenure
- We reviewed all declassified documents since 2013
- Findings:
  - Overall, strict and effective judicial oversight
  - Access to all classified information
  - Has modified or closed down several surveillance programs
  - New independent amici curiae, also with classified access, to litigate before the court

Essay 4: US Remedies for Privacy
- Chapter 7 provides 40 pages of discussion of existing US remedies for privacy violations, including
  - Suits against service providers if they break the wiretap/stored communication laws
  - Class-actions by plaintiffs, under lenient US rules for class actions, and no payment of other side's legal fees

Essay 5: Only US? Only Contracts?
- Major effects on data flows if only applies to the US for standard contract clauses
- Application to other countries
  - Study of BRIC nations: Brazil, Russia, India & China; none come close to having stronger surveillance protections than the US
  - Going forward, does the UK?
- Application to other legal bases for transfer
  - Since the concern is about NSA surveillance, not clear why outcome any different for Privacy Shield or BCRs
- Once again, a company can't cure the concern, for exports of personal data, by its own actions.
- A legal holding of inadequacy requires judicial assessment of the laws and practices of the (often secret) actions of the other nation's intelligence services

Summarizing Legal Analysis
- As a law professor, it is possible that the ECJ will strike down standard contracts as it did Safe Harbor
  - Irish High Court decision generally consistent with view of the Irish Commissioner, of a well-founded complaint
  - Referral is to the same court (ECJ) that struck down Safe Harbor
- An uncertain legal basis, however, for such a finding:
  - Far from clear fundamental rights are harmed when going from nations with fewer surveillance legal protections to the U.S., with stricter surveillance safeguards
  - Far from clear what are established legal standards for individual access and redress for secret intelligence agencies

Effects of Striking Down SCCs
- As discussed, would seem to apply to the other major EU trading partners, and for all legal bases of transfer except where consent can be used
- Under Lisbon Treaty, no amendment process if the Commission, Council, and Parliament disagree with the ECJ on an issue of fundamental rights
- Effects on EU economy from cut-off of data flows, including possible challenge at the World Trade Organization
- Effects on EU anti-terrorism efforts if (as seems possible) the US decides to restrict intelligence sharing

My Request to This Thoughtful and Informed Audience
- Perform the full analysis of protection of fundamental rights, including ex ante protections and scope of derogations (not addressed by Irish High Court)
- Be very cautious about supporting a holding of US inadequacy on surveillance where independent Oxford experts have found the US protections stricter than in the EU
- Expand dialogue of EU experts about the scope and nature of possible legal holdings & answers of referrals to ECJ
- We discussed understandable concerns about Snowden and Pres. Trump
- If there are findings of violations of fundamental rights, are there judicially administrable ways to determine when and whether a foreign nation has sufficiently changed its surveillance practices?
- How can you maintain a role for the Commission and others to create solutions?

One Side Note Before Conclusion
- Panel at CPDP Thursday 8:30 a.m.: Can citizenship of the target ever be a justified basis for different surveillance rules?
- Swire draft paper on this topic, presented at Privacy Law Scholars Conference - Europe, on Saturday morning
- Thesis: there are surprisingly strong normative reasons to sometimes support having different surveillance rules concerning citizens and non-citizens
- Notably, protection of democracy and the rule of law supports having extra-strict protection against surveillance of domestic political opposition and the free press

Conclusion
- There are complex and challenging issues about how to protect fundamental rights in an open society against intrusions by often-secret intelligence agencies
- There are additional complex and challenging issues for courts to assess, and issue judgments on, the laws and practices of foreign nations in the surveillance realm
- The title of the talk is "Should the EU Decide to Separate from the US Based on Data Protection Law?"
- A holding of inadequacy on surveillance law cannot be cured by the companies' actions
- There would be a large blockage of data flows, likely for many countries
- These barriers could be very difficult to change under a strict ECJ decision
- European experts should thoughtfully consider these issues