‘National security’, a carte blanche for mass surveillance

Dr Carlo Piltz, High Court of Berlin

PUBLISHED ON: 02 Apr 2014

How can the European Union react to the revelations of the inappropriate and unrestricted mass collection of personal data, whether by spying agencies from third countries or even by member states? Proposals range from resignation to inactivity due to a lack of competence to the recommendation of the recently adopted report in the European Parliament to suspend Safe Harbor-based data flows to the United States of America. I suggest a more nuanced answer.

For suitable solutions against an unjustified mass collection of personal data, we do not necessarily have to go back to the drawing board or cut off data transfers across the board. Already under existing EU legislation, a bulk collection of personal data cannot be justified per se by invoking the reason of ‘national security’. The protection of personal data is enshrined in Art. 8 of the Charter of Fundamental Rights of the European Union (Charter), in Art. 16 of the Treaty on the Functioning of the EU (TFEU) and also in Art. 39 of the Treaty on European Union (TEU).

Surveillance by EU member states’ agencies

When it comes to the legitimacy of data processing activities by intelligence services of member states, many critics tend to fall back on one answer: “This is outside the scope of EU law”.1 On the level of primary European law it is true that, according to Art. 4 (2) of the TEU, “national security remains the sole responsibility of each Member State”. But we also have to keep in mind that the European Court of Justice (ECJ) clarified that “although it is for Member States to take the appropriate measures to ensure their internal and external security, the mere fact that a decision concerns State security cannot result in European Union law being inapplicable”.2 If a state sought to justify the recognition of a general exception for national security measures, regardless of the specific requirements laid down by the TEU, such a view would be liable to impair the binding nature of community law and its uniform application.3 Therefore, derogations from the duties under the TEU always have to be applied restrictively. Whilst Art. 51 (2) of the Charter admittedly allows limitations on the exercise of the rights enshrined in the Charter, and therefore also limitations to the right to the protection of personal data, these limitations must in particular respect the essence of the fundamental right in question and, in addition, must be necessary and genuinely meet the objectives of general interest recognised by the EU.4 The principle of proportionality has to be respected; national security measures must therefore be adequate. These requirements would not be met by the suspicionless collection of large amounts of personal data, even if, in a further step, only a small part of this data is actually used or analysed. Furthermore, it is up to the member state to prove that national security is the basis of a particular surveillance measure.5

Exceptions for national security reasons also exist on the level of secondary European law, especially in the Data Protection Directive (Directive)6, which in general also applies to public authorities. According to Art. 3 (2) of the Directive, it shall not apply to the processing of personal data “in any case to processing operations concerning public security, defence, State security”. But then again, this exception cannot be used as a carte blanche. Just because a certain processing operation might have a connection to a national security interest, it does not automatically fall outside the scope of protection offered by the Directive. With regard to national security exceptions under Art. 13 (1) of the Directive, the ECJ held that “the protection of the fundamental right to privacy requires that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”.7 Again, the burden of proof lies with the member state and the national authority respectively. A suspicionless mass collection of personal data does not fulfil the existing requirements to be per se legally exempted from the protection standards.

Data collection measures by secret services might be necessary, but this does not exempt them from the requirement of proportionality. The general and unspecified collection of personal data by intelligence agencies of member states does therefore not automatically conform to the existing limits set out in primary and secondary European law8 and the jurisprudence of the ECJ.

Transfer of personal data to the US under Safe Harbor

Edward Snowden’s revelations9 suggest that spy agencies from the US in particular currently receive personal data of European citizens through forced cooperation with US companies. Private companies are asked, under the veil of secret national security letters, to hand over data which have previously been transferred from European subsidiaries to their US parent companies.

Under the current Directive, data transfers to third countries such as the US are in general prohibited unless safeguards are in place that ensure an adequate level of protection for the transferred data.10 With regard to the US, the Safe Harbor decision (Safe Harbor)11 from 2000 constitutes an important and valuable basis for data transfers to US companies. Under Safe Harbor, US firms can self-certify to specific principles laid down in the decision. Adherence to these principles is overseen by the US Department of Commerce. Through self-certification, transfers of personal data to these companies are considered as protected by adequate safeguards in the sense of Art. 25 of the Directive.

These principles include requirements for the onward transfer of personal data and for notice to individuals when their data is processed and for what purposes the data is used. However, Annex I of Safe Harbor establishes an exemption from these principles “to the extent necessary to meet national security, public interest, or law enforcement requirements”. This limitation seems to form the basis for the legally forced cooperation between US companies and intelligence agencies in the US. Whilst the exceptional processing (‘to the extent necessary’) of data for the purposes of national security, public interest or law enforcement is therefore provided for under Safe Harbor, large-scale access by intelligence agencies to data transferred to the US in the context of commercial transactions was not envisaged at the time of adopting Safe Harbor.12 First of all, this conclusion already follows from the wording of the exemption itself, which provides access to data for reasons of national security only ‘to the extent necessary’. Furthermore, one has to keep in mind the purpose behind an adequacy decision under Art. 25 of the Directive. Already the term ‘adequate’ shows that the level of protection does not have to be equivalent to the one offered by the Directive, but similar or sufficient. The Article 29 Working Party highlighted that adequate protection consists of data protection ‘content’ principles and ‘procedural/enforcement’ requirements.13 In view of the ‘content’ principles, the Art. 29 Working Party acknowledged that exceptions to these principles (such as the purpose limitation principle) would be those necessary in a democratic society on one of the grounds listed in Art. 13 of the Directive,14 such as national security. As examined above, this exception is interpreted narrowly by the ECJ in order to safeguard the fundamental right to data protection. Large-scale and excessive access to personal data would therefore hardly meet the required criterion of being ‘necessary’.15

Obligations for European data protection authorities

National data protection authorities (DPAs), as public authorities, are bound by the rights and duties of the Charter when they apply European law. Regarding transfers of personal data under Safe Harbor and the possible use of their oversight powers, these DPAs therefore have the obligation to take into account the protection of personal data enshrined in Art. 8 of the Charter. Decisions taken by national DPAs are by nature administrative rulings. These decisions have to take into account the principle of proportionality, especially safeguarding the rights of citizens. Art. 3 (1) of the Safe Harbor decision provides national DPAs with the possibility to suspend data flows to an organisation which is self-certified under Safe Harbor when a range of requirements is met.16 However, it is important to note that this suspension power explicitly refers to specific data flows to a single organisation and not to a suspension of Safe Harbor as such.

Nevertheless, as mentioned above, public authorities are bound by the duties deriving from the Charter. In cases of collection in bulk or excessive (and therefore hardly proportionate) access to personal data by third country authorities under Safe Harbor, these powers might narrow down to an obligation for the authorities to protect the personal data of European citizens by suspending the transfer to an organisation. Only such a measure would fulfil the obligation of member states, and therefore also of national authorities, to fully respect and take into account the principles and rights arising from Art. 8 of the Charter.

Therefore, the decisions by two European DPAs (Ireland and Luxembourg), which refused to investigate the possible infringements of the Safe Harbor principles by the so-called PRISM programme, have to be denounced. The complaints were filed by the Austrian non-profit organisation Europe versus Facebook. According to the response by the Irish Data Protection Commissioner, the access of public authorities to personal data transferred under the Safe Harbor decision had been addressed and envisaged when the decision was taken.17 This reasoning has to be rejected. As mentioned above, it is highly unlikely that the European Commission as well as the Federal Department of Commerce in the US took the possibility of mass data access by national authorities into account. Apart from this, the Irish Data Protection Commissioner would be obliged to protect the rights of individuals originating from Art. 8 of the Charter and therefore would possibly have to suspend data transfers to an organisation or, at least, investigate the circumstances. Nevertheless, the refusal by the Irish Data Protection Commissioner has been legally challenged by Europe versus Facebook and is now being examined by the Irish High Court.18

DPAs in other member states took the opposite position to their Irish and Luxembourgish colleagues. In an official press release, the Conference of Federal and State Data Protection Commissioners in Germany emphasised that from their point of view, a ‘substantial likelihood’ of a violation of the Safe Harbor principles has to be acknowledged.19 The German authorities concluded that “in a democracy, national security considerations cannot justify comprehensive access to personal data without reasonable suspicion”.

Conclusion

Any data collection in bulk by intelligence agencies still has to adhere to the principle of proportionality and cannot be justified by a simple reference to the reason of ‘national security’. The EU and its member states have to move forward to strengthen existing safeguards where the privacy of their citizens is concerned. In mid-March, the German parliament approved the establishment of an NSA inquiry committee.20 By summer 2014, the US authorities have to present their remedies to fulfil 13 recommendations to improve Safe Harbor, which they received as a ‘real to-do list’ from the European Commission.21 In parallel, the US is currently undergoing different reform and review processes regarding surveillance activities and future privacy implications. In January 2014, US President Obama presented the outcome of ‘The President’s Review Group on Intelligence and Communications Technologies’ as well as a series of concrete reforms to include a majority of the group’s recommendations.22 Furthermore, by the end of April 2014, a working group on ‘Big data and privacy’ will present its report to the President.23 Governments realise that they have to take their citizens’ concerns seriously and recognise that their surveillance activities have gone out of control in recent years.24 On the other hand, global companies should not be stigmatised. As highlighted, deficiencies exist when it comes to the protection of personal data in international data flows. Tools for individual countermeasures are often already provided. For a complete and future-proof solution, these flaws should be resolved through a collective effort: not by abolishing the system as a whole, but with patches at the right spots. Carte blanche for the rule of law.

Footnotes

1. For a broader analysis on the question of surveillance activities of EU member states and their legitimacy under European law, see: Bigo/Carrera/Hernaz/Jeandesboz/Parkin/Ragazzi/Scherrer, Mass Surveillance of Personal Data by EU Member States and its Compatibility with EU Law, 06.11.2013, available at http://www.ceps.eu/book/mass-surveillance-personal-data-eu-member-states-and-its-compatibility-eu-law.

2. ECJ, C-300/11, 04.06.2013, Para 38.

3. See ECJ, C-387/05, 15.12.2009, Para 45; ECJ, C-239/06, 15.12.2009, Para 46.

4. ECJ, C-300/11, 04.06.2013, Para 51.

5. See also ECJ, C-300/11, 04.06.2013, Para 61; ECJ, C-239/06, 15.12.2009, Para 50, "prove that is necessary to have recourse to that derogation in order to protect its essential security interests."

6. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

7. ECJ, C-473/12, 07.11.2013, Para 39.

8. For a short description of sources of primary and secondary law, please visit: http://europa.eu/legislation_summaries/institutional_affairs/decisionmaking_process/l14534_en.htm.

9. With regard to the PRISM programme, see Washington Post, NSA slides explain the PRISM data-collection program, available at http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/; The Guardian, NSA Prism program taps in to user data of Apple, Google and others, available at http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.

10. Art. 25 (1) Directive.

11. Commission decision of July 26, 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000/520/EC.

12. Communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, 27.11.2013, COM(2013) 847 final, p. 16; Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council on "Rebuilding Trust in EU-US Data Flows" and on the Communication from the Commission to the European Parliament and the Council on "the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU", 20.02.2014, p. 7, available at https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-02-20_EU_US_rebuliding_trust_EN.pdf.

13. Article 29 Working Party, Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, WP 12, p. 5.

14. Article 29 Working Party, Working Document, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, WP 12, p. 6.

15. Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament, Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs, PE 526.085v03-00, 21.2.2014, p. 26; see also: Peter Hustinx, Contribution to the LIBE Committee Inquiry on electronic mass surveillance of EU citizens, 07.10.2013, available at http://www.europarl.europa.eu/document/activities/cont/201310/20131009ATT72609/20131009ATT72609EN.pdf.

16. Art. 3 (1): (a) the US Federal Trade Commission has determined that the organisation is violating the principles set out in Safe Harbor, or (b) there is a substantial likelihood that the principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the member state have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

17. See the letters of the Irish DPC on the website of Europe versus Facebook, available at http://www.europe-v-facebook.org/DPC_PRISM_all.pdf.

18. Available at http://www.europe-v-facebook.org/PA_24_10_en.pdf.

19. Press Release: Conference of data protection commissioners says that intelligence services constitute a massive threat to data traffic between Germany and countries outside Europe, available at http://www.europarl.europa.eu/document/activities/cont/201310/20131009ATT72578/20131009ATT72578EN.pdf.

20. Deutsche Welle, German parliament confirms NSA inquiry, to start in April, available at http://www.dw.de/german-parliament-confirms-nsa-inquiry-to-start-in-april/a-17511518.

21. Speech by Viviane Reding, Vice-President of the European Commission, Mass surveillance is unacceptable – US action to restore trust is needed now, available at http://europa.eu/rapid/press-release_SPEECH-13-1048_de.htm.

22. Remarks by the President on Review of Signals Intelligence, 17.01.2014, available at http://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.

23. Further information is available at http://www.whitehouse.gov/issues/technology/big-data-review.

24. “Data protection and privacy are to remain an important part of our dialogue”, EU-US Summit, Joint Statement, 26.03.2014, available at http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/141920.pdf.
