
Safe harbour, still waters? : the EU-US Safe Harbour Agreement and the invocation of national security


Academic year: 2021


SAFE HARBOUR, STILL WATERS?

The EU-US Safe Harbour Agreement and the invocation of national security

University of Amsterdam, Faculty of Law
Master Informatierecht 2013-2014

MASTER THESIS

Pieter L. Bijloo
2 June 2015

Student number: 10616691
Field of study: Master Informatierecht
Supervisor: Prof. dr. N.A.N.M. van Eijk
Pages: 58; Words: 14,437


Table of Contents

LIST OF ABBREVIATIONS ... 5

I. INTRODUCTION ... 6

SAFE HARBOUR AGREEMENT ... 6

DEVELOPMENTS & DISCLOSURES ... 7

METHODOLOGY ... 10

1. EUROPEAN DATA PROTECTION: APPLICATION & LIMITATION ... 12

1.1. EU DATA PROTECTION ... 12

1.2. PRELIMINARY POINTS ... 14

1.3. INTERFERENCE ... 15

1.4. APPLICATION OF ARTICLE 52(1) ... 16

1.4.1. PROCEDURAL ... 17

1.4.2. ESSENCE & APPROPRIATENESS ... 17

1.4.3. NECESSITY ... 18

1.4.3.1. PROCEDURAL: CLEAR, PRECISE RULES & SAFEGUARDS ... 19

1.4.3.2. SCOPE OF DATA CONCERNED: DIFFERENTIATION, LIMITATION & EXCEPTIONS TO AN INTERFERENCE ... 20

1.4.3.3. SUBSTANTIVE AND PROCEDURAL CONDITIONS TO ACCESS & OVERSIGHT ... 21

1.5. ARTICLE 52(1): RECAP... 22

2. US NATIONAL SECURITY ... 23

2.1. US DATA PROTECTION ... 23

2.1.1. SCOPE OF DATA PROTECTION ... 24

2.2. US NATIONAL SECURITY: PROCEDURAL ... 25

2.2.1. SECTION 702 FAA ... 25

2.2.2. SECTION 215 PATRIOT ACT ... 26

2.2.3. EO 12333 ... 26

2.3. US NATIONAL SECURITY: OBJECTIVE AND APPROPRIATENESS ... 27

2.4. US NATIONAL SECURITY: NECESSITY ... 27

2.4.1. PROCEDURAL: CLEAR, PRECISE RULES & SAFEGUARDS ... 27

2.4.1.1. MINIMIZATION & TARGETING PROCEDURES ... 28

2.4.2. SCOPE OF DATA CONCERNED: DIFFERENTIATION, LIMITATION & EXCEPTIONS TO AN INTERFERENCE ... 30

2.4.2.1. SCOPE OF DATA CONCERNED ... 30

2.4.2.2. BLANKET SURVEILLANCE ... 31

2.4.2.3. CLEAR RELATIONSHIP, PURPOSE LIMITATION ... 33

2.4.3. SUBSTANTIVE AND PROCEDURAL CONDITIONS TO ACCESS & OVERSIGHT ... 34

2.4.3.1. OVERSIGHT ... 34

2.4.3.2. DATA RETENTION PERIOD ... 36

3. ANALYSIS ... 38

3.1. RECAP & COMPARISON ... 38

3.1.1. INTERFERENCE... 38

3.1.2. PROVIDED BY LAW & OBJECTIVE ... 39

3.1.3. PROPORTIONALITY ... 39

3.2. PASSING THE PROPORTIONALITY-TEST? ... 42

4. CONCLUSION ... 45

4.1. DATA PROTECTION & PRIVACY ... 45

4.2. CONCLUSION ... 46

BIBLIOGRAPHY: ... 48

ARTICLES: ... 48

REPORTS: ... 51

EU DOCUMENTATION: ... 52

US DOCUMENTATION: ... 55

INTERNATIONAL DOCUMENTATION: ... 56

CASE LAW: EUROPEAN COURT OF JUSTICE ... 56

CASE LAW: EUROPEAN COURT OF HUMAN RIGHTS ... 58

CASE LAW: US ... 58


LIST OF ABBREVIATIONS

CIA Central Intelligence Agency

DPD Data Protection Directive

ECJ European Court of Justice

ECHR European Convention on Human Rights

ECtHR European Court of Human Rights

EDPS European Data Protection Supervisor

EO 12333 Executive Order 12333

EU European Union

FAA FISA Amendments Act

FBI Federal Bureau of Investigation

FISA Foreign Intelligence Surveillance Act

FISC Foreign Intelligence Surveillance Court

NSA National Security Agency

PATRIOT Act Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

SHA Safe Harbour Agreement

TEU Treaty on European Union

TFEU Treaty on the Functioning of the European Union

US United States

I. INTRODUCTION

Safe harbour, still waters? Considering that ‘still waters run deep’ even harbours, presumably safe, may have dangers lurking in the depths.

The digital age brought forth a wave of consumers surfing the internet, sharing and searching for information on a daily basis. Not even the internet, however, provides a free lunch; trade and commerce largely drive the day-to-day workings of the internet. In return for the availability of free services, companies have but one ‘humble’ request: the provision of information, whether personal or otherwise.1 The rising tide of the internet led to massive commercial transborder data flows between the European Union (‘EU’ or ‘Union’) and the United States (‘US’).2

To sustain their business model, commercial companies like Google and Facebook3 need a way to transfer the personal data of European citizens to the US in order to analyse or process the data acquired for, inter alia, advertisement purposes. Data protection and privacy standards in the US, however, differ substantially from those provided in the EU, and data acquired for commercial purposes may well be used for different goals. Commercial access therefore requires certain legal boundaries by which the personal data and privacy of European citizens remain protected even when transferred to the US.

SAFE HARBOUR AGREEMENT

Addressing the legal differences between the EU and the US, it can be noted that the former considers both privacy and personal data protection as autonomous fundamental rights following the Charter of Fundamental Rights of the European Union (the ‘Charter’).4 Moreover, the latter right, to data protection, is strictly regulated by Data Protection Directive 95/46/EC (‘DPD’)5, which limits, amongst other things, the transfer of data to countries whose standards of data protection are considered adequate following Articles 25-26 DPD.

The US, in contrast, takes a less restrictive approach to privacy and data protection, which would not meet the Article 25-26 adequacy standards.6 Failing those standards could, under normal circumstances, have an impact on trade relations and data transfers between the US and the EU, as the transfer of EU citizens’ personal data to the US would not be allowed.7 Therefore, so as not to impede trade relations and to enable US companies to be economically active within the EU, a solution was sought to allow the collection, transfer and analysis of European consumers’ data. The European Commission (‘Commission’) thereto adopted Commission Decision 2000/520/EC, known as the EU-US Safe Harbour Agreement (‘SHA’).8

1 EDPS 2014a, para 10; COM(2013) 846, p. 3.
2 WP 29: 168, para 29.
3 Following Europarl Report 2014, para 35: “examples being Google, Microsoft, Yahoo!, Facebook, Apple and LinkedIn”.
4 Charter of Fundamental Rights of the European Union, 2000/C 364/01, December 2000.
5 European Commission, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31.
6 WP 29: 12, p. 26; COM(2013) 847, p. 2: “As a result, the current Safe Harbour decision allows free transfer of personal information from EU Member States to companies in the US which have signed up to the Principles in circumstances where the transfer would otherwise not meet the EU standards for adequate level of data protection given the substantial differences in privacy regimes between the two sides of Atlantic.”

Normally the Commission may decide on a case-by-case basis that a third country’s level of data protection is adequate and consequently allow for transfers of data.9 The SHA, however, is based on a legal ‘loophole’ allowing the transfer of data regardless of the lack of adequate protection within the US.10 This loophole, provided by Article 25(6) DPD, allows for an adequacy decision even when data protection in a third country is unable to “offer adequate protection across the board”.11 12

DEVELOPMENTS & DISCLOSURES

As it stands, the SHA allows for the commercial acquisition, transfer, retention and processing of EU citizens’ data within the US, even though the latter’s data and privacy protection is considered lacking.13 Companies may, through a system of self-adherence to the SHA, consequently transfer and process data within the US under the provision of several data protection Principles.14 The SHA therewith aims to provide EU citizens with a level of data and privacy protection even when their data is transferred to the US.15

Recalling, however, that data may equally be useful for purposes other than mere commercial gain, it should be noted that the protection of data transferred under the SHA may be limited; Annex I SHA allows limitations of the SHA Principles.16 One of these limitations is of particular interest to this thesis, providing: “Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements (…)”.17 This broad national security exemption allows for a wide limitation of the SHA Principles and shall be the focal point of this thesis. Invocation of this exemption leads to a limitation of data protection standards for EU citizens’ data within the US and provides US intelligence and security services with a way to acquire and access EU citizens’ data, regardless of its initial purpose and protection standards.

7 Rossi 2014, p. 72; Greer 2011, p. 144.
8 European Commission, Commission Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000/520/EC, July 2000; WP 29: 12, p. 3.
9 WP 29: 168, para 25; WP 29: 12, p. 5.
10 Rossi 2014, p. 71.
11 WP 29: 12, p. 26.
12 Supra note 10, p. 72.
13 Supra note 10, p. 72.
14 Annex I SHA, respectively: Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement; see further: WP 29: 12, p. 6; Long & Pang Quek 2011, p. 336.
15 Annex I SHA, p. 4: “They are intended for use solely by U.S. organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor and the presumption of adequacy it creates.”
16 WP 29: 288, p. 39-40.
17

Nota bene, the activities of US intelligence and security services generally fall under the national security exemption, something which is not always the case when general law enforcement authorities (such as the police) fulfil similar tasks.18 The invocation of national security should in this respect be distinguished from law enforcement, although the line between them is fading.19 When referring to ‘US authorities’ this thesis in principle refers to ‘US intelligence and security services’ unless otherwise provided.

Although the SHA legally allows for the limitation of its Principles, it was recently shown by Edward Snowden that the US, through mass surveillance programmes, has been invoking the Annex I national security exemption to an extent unforeseen by the EU.20 The level of data protection under the SHA had been questioned ever since its entry into force, and the Snowden disclosures have shown that the data highway created by the SHA, allowing for commercial access to EU citizens’ personal data on US soil, is being (wire)tapped through surveillance programmes to ensure US national security.21 As the Commission reported: “The large scale nature of these may result in data transferred under Safe Harbor being accessed and further processed by US authorities beyond what is strictly necessary and proportionate to the protection of national security as foreseen under the exception provided in the Safe Harbor Decision.”22

US surveillance programmes appear legitimate following the invocation of the SHA national security exemption, but also serve general national security purposes, arguably allowing for (illegal) access to foreign data without use of the Directive 95/46/EC transfer tools or other legal alternatives.23 US authorities were, with surveillance programmes such as PRISM24, able to gain unprecedented access to EU citizens’ data without using legal alternatives such as binding corporate rules25.26 US authorities may consequently retain and process the personal data of EU citizens, legally acquired by companies, in a way incompatible with the grounds and purposes for which that data was originally collected and transferred under the SHA.27

18 WP 29: 288, p. 24.
19 Ibid.
20 Ibid., p. 6-7.
21 Ibid., p. 40; McBride, Sotto & Treacy 2013, p. 3.
22 COM(2013) 847, p. 17.
23 Supra note 18, p. 37; WP 29: 215, ‘Executive summary’: “Neither Safe Harbor, nor Standard Contractual Clauses, nor BCRs could serve as a legal basis to justify the transfer of personal data to a third country authority for the purpose of massive and indiscriminate surveillance.”
24 McBride, Sotto & Treacy 2013, p. 3: “(…) EU criticism has intensified following disclosure of PRISM, the US government's surveillance program, which reportedly gave the National Security Agency access to personal data that was transferred to online service providers in the US under the Safe Harbor.”
25 Alternatives such as: MLATs, PNR or TFTP; following Europarl Report 2014, para 37; Hoboken, Arnbak & Van Eijk 2013, p. 23; COM(2013) 846, p. 4; WP 29: 288, ‘Executive summary’; WP 29: 215, ‘Executive summary’.
26

Although the US is allowed to invoke the SHA national security exemption, it cannot automatically be presumed that the US approach to ensuring national security is compliant with what the Commission intended, as “large-scale access by US intelligence agencies to EU personal data processed by Safe Harbour does not meet the criteria for derogation under ‘national security’.”28 The European rights to data protection and privacy, codified in Articles 8 and 7 of the Charter respectively, may only be limited under certain circumstances, that is, only when considered necessary and proportionate following Article 52(1) of the Charter.

The Commission arguably failed to sufficiently clarify how the national security exemption should be limited in accordance with these European standards. As the US is not bound by such (unspecified) limitations, the EU should have clearly specified the SHA limitations rather than providing an openly formulated national security exemption. The question is therefore whether the US ‘legally’ invoked that exemption, i.e. whether the US invocation of national security coincides with what is considered necessary and proportionate in accordance with the EU Charter or whether it stepped beyond European data protection standards.

This question as to the ‘legality’ of the US invocation of national security similarly follows from a recent case concerning data transfers from the EU to the US: C-362/14 Schrems.29

The questions referred principally ask whether the Irish Data Protection Commissioner is bound by the SHA or may conduct his own investigation into the legality of EU-US data transfers.30 There is, however, an underlying set of doubts expressed by Justice Hogan: whether the ‘recent’ entry into force of the European Charter31, in combination with the Snowden disclosures, has led to a lack of adequate protection under the SHA in the US.32 Accordingly it should be assessed whether the validity and effectiveness of the SHA, given its waiver of rights in Annex I, has been impeded to the extent that suspension or amendment is necessary in order to effectively provide for EU citizens’ data protection.

This thesis consequently intends to assess what the actual limits of the SHA national security exemption should be in light of Articles 7, 8 and 52(1) of the Charter, and subsequently to assess whether or not the US invocation is limited to the European standards of proportionality and necessity. This shall subsequently provide insight into whether the SHA is still of an adequate nature to protect the personal data of EU citizens.

27 COM(2013) 846, p. 4.
28 Europarl Report 2014, para 36; Reding 2014, p. 11; WP 29: 288, p. 26, footnote 71 referring to: C-300/11 ZZ v Secretary of State for the Home Department.
29 This case, in short, constitutes a reference for a preliminary ruling by the Irish High Court in the case of Maximillian Schrems who, as part of the movement Europe v Facebook, filed a complaint against the Irish Data Protection Commissioner claiming that the latter wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US and subsequently the NSA; C-362/14 Maximillian Schrems v Data Protection Commissioner [pending case].
30 Irish High Court: Schrems [2014], para 71; C-362/14 Schrems, see ‘Questions referred’.
31 Which entered into force with the 2009 Lisbon Treaty, whereas the Safe Harbour Agreement stems from 2000.
32

The research question is therefore:

Is the US invocation of national security, specifically as regards surveillance programmes, consistent with the EU national security exemption in light of the limitations allowed under the fundamental rights to personal data protection and privacy as provided by the European Charter? The subsequent question is whether the Safe Harbour Agreement is still of an adequate nature to protect the personal data of EU citizens in the US.

The first chapter shall thereto discuss the European requirements for any limitation of privacy and data protection in accordance with the Charter and the case law of the European Court of Justice (‘ECJ’). For this the requirements of Article 52(1) of the Charter are examined, as it provides a proportionality test applicable to any limitation of the rights to data protection and/or privacy. The second chapter shall thereafter examine the US national security framework and surveillance measures in light of the requirements distinguished in the previous chapter, after which a legal analysis is made in the third chapter.

Nota bene, under normal circumstances one cannot assess US legislation in light of European legal requirements. However, the unique situation created by the SHA provides the handles to discuss, to some extent, the US national security framework, as this may have an impact on the fundamental rights of European citizens through the limitation of the SHA Principles. Neither a negative nor a positive outcome to the research question can, in this respect, force the US to make legislative changes. Answering the question whether or not the Safe Harbour Agreement is still of an adequate nature to protect the personal data of EU citizens in the US may, however, have an impact on the SHA. It may lead to the conclusion that it would be necessary to amend or suspend the SHA because it lacks protection for European citizens’ data when transferred to the US.

Given the access by US authorities to personal data legally transferred under the SHA, as disclosed by Edward Snowden, one might be inclined to ask: has the EU, by agreeing upon the Safe Harbour, sought out more treacherous waters than it intended? Given that still waters may run deep, it would appear that the waters of the intended Safe Harbour have dangers lurking in the depths which, until recently, had gone unnoticed.

METHODOLOGY

A question such as the one this thesis intends to answer could generally be considered very broad in its scope. Making an assessment of the entirety of the US national security framework in light of the European standards of necessity and proportionality would, if done to the fullest extent, lead to a dissertation too large in scope and size.

As a result, choices had to be made. Through academic literature and case law, several criteria and requirements for the European part of the assessment were sifted out which would, in my view, enable one to make an assessment of what was considered necessary and proportionate. The steps of Article 52(1) of the Charter were consequently discussed to an extent which would be both manageable in size and would equally allow me to make an assessment of the US national security framework in the subsequent chapter. Several factors, such as judicial oversight, were thereto distinguished which, as part of a larger requirement, in this case access limitations, would be reviewed in the subsequent chapter. Although each of the requirements of Article 52(1) could be discussed even further in depth, the conscious choice was made not to, as the factors discussed in both chapters would suffice in making an assessment of the necessity and proportionality of the US national security invocation. The second chapter thereafter is for a large part based on reports of the EU and US and relies equally on academic literature to find exactly what comprises the US national security framework.

Considering the secretive nature of the US surveillance programmes, it was clear that the specific legislation alone would not provide the insight needed to assess the proportionality and necessity of the US national security measures in light of the European standards. The research therefore largely relies on sources, reports and literature, each of which provides its own extensive insight into the US legislation. By comparing those amongst one another I was able to gain insight into the US national security framework and discuss the requirements and factors distinguished in the first chapter. The third chapter thereafter relies largely on the sources used in the former two chapters and provides, to a limited extent, a comparison and analysis of the respective requirements and factors distinguished and examined in both previous chapters.

1. EUROPEAN DATA PROTECTION: APPLICATION & LIMITATION

If the waters of the SHA are not as safe as intended, the question is how exactly the national security exemption should have been limited. Finding an answer to this question requires an assessment of the European data protection framework and, more specifically, of the conditions under which a limitation of data protection, in this case on grounds of national security, may be invoked.

With the SHA’s open national security exemption and the US, which has taken it upon itself to make use of it as broadly as possible, it appears that theory and practice no longer run in sync. In theory the EU intended to provide a national security exemption with limited application, compliant with Articles 7 and 8 of the Charter. Practice nonetheless shows an apparently open national security norm by which the protection of European citizens’ data within the US can be limited, allowing US national authorities to retain and process data arguably without the restraints of Article 52(1) of the Charter.

This chapter shall discuss the theory prong of national security, i.e. the conditions to which a national security exemption should adhere in accordance with the European data protection and privacy standards, following Article 52(1).

1.1. EU DATA PROTECTION

The European fundamental right to data protection ex Article 8 of the Charter provides individuals with an autonomous right, distinct from the right to privacy following Article 7 of the Charter, to the protection of their personal data.33 With the entry into force of the Lisbon Treaty the Charter has been recognized as primary European law34 and personal data protection is therewith considered a self-standing fundamental right.35

Article 8 of the Charter provides:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

(…)

33 Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 55.
34 See in this respect: Article 6(1) TEU.
35

Personal data may accordingly be processed if certain essential requirements are fulfilled, although everyone enjoys the right to data protection.36 The right to data protection is as such not prohibitive by default, whereas the right to privacy following Article 7 is.37

By specifically recognizing a right to personal data protection and making it universally applicable, the EU, as far as its jurisdiction goes, offers both EU and third-country citizens access to data protection rights, effective remedies and the possibility to claim protection even if data is processed outside the EU.38

The exercise of fundamental rights and freedoms recognized by the Charter may, however, be limited.39 To be considered compliant with the EU data protection framework a limitation must be precisely circumscribed and limited to what is strictly necessary following the requirements of Art. 52(1) of the Charter.40

Article 52(1) provides:

Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

Following Art. 52(1) one can assess whether the rights derived under Articles 7 and 8 of the Charter have been unduly restricted by invoking a limitation.41 It should thereto be established whether a national security exemption, as a limitation, is proportionate to the aims pursued, necessary, and genuinely meets objectives of general interest recognised by the EU.42

The Article 52(1) proportionality test, however, still lacks clarity with respect to limitations of the rights derived under Articles 7 and 8. Until the ‘recent’ entry into force of the Charter, the existence of an autonomous right to data protection was merely acknowledged without further in-depth clarification of its limitations.43 What is considered a proportionate and necessary limitation of the right to data protection is therefore still rather unclear. However, the ECJ in its recent Digital Rights Ireland case has been able to shed some light on these limitations by applying the Article 52(1) proportionality test to Articles 7 and 8 of the Charter combined.44 The Court’s general application of Article 52(1) shall be discussed below.

36 WP 29: 288, p. 28.
37 C-543/09 Deutsche Telekom, para 52; Gonçalves & Jesus 2013, p. 260; Friedewald et al. 2010, p. 63; De Hert & Gutwirth 2009, p. 1-2.
38 WP 29: 168, para 23; DG Internal Policies 2013b, p. 33-34; Hoboken, Arnbak & Van Eijk 2012, p. 22; Bigo et al. 2013, p. 5.
39 Fuster & Gutwirth 2013, p. 533.
40 WP 29: 288, p. 28; C-300/11 ZZ v Secretary of State for the Home Department, para 51: “In particular, it should be taken into account that, whilst Article 52(1) of the Charter admittedly allows limitations on the exercise of the rights enshrined by the Charter, it nevertheless lays down that any limitation must in particular respect the essence of the fundamental right in question and requires, in addition, that, subject to the principle of proportionality, the limitation must be necessary and genuinely meet objectives of general interest recognised by the European Union.”
41 WP 29: 211, p. 11-12.
42 C-291/12 Schwarz, para 40; WP 29: 288, p. 26 referring to: C-300/11 ZZ v Secretary of State for the Home Department, para 51-58.

1.2. PRELIMINARY POINTS

Considering the application and limitation of data protection, there are some necessary preliminary points. First of all, as Article 8 ECHR, as the general right to privacy, provides the basis for EU data protection and privacy, the interpretation of the Article 52(1) proportionality test should not create confusion with the protection afforded by the ECHR45 and should adhere to the conditions set by the ECHR.46 Furthermore, following the ECJ in Eifert, the right to the protection of personal data is not an absolute right, but should be considered in relation to its function in society.47 Limitations to Article 8 of the Charter are therefore allowed. However, following Bonnici it appears the Court has neither in Eifert nor in other cases addressed what this ‘function in society’ exactly means.48

Third, as emphasized by the European Parliament, the SHA may be limited to ‘the extent necessary to meet national security, public interest, or law enforcement requirements’. Any such limitation must, however, as an exception to a fundamental right, “always be interpreted restrictively and be limited to what is necessary and proportionate in a democratic society (…)”.49 The national security exemption should accordingly be interpreted restrictively following Article 52(1).

Fourth, Article 8 of the Charter has, on occasion, been regarded as a mere derivative of the right to privacy rather than as an autonomous right, since both originate from Article 8 ECHR.50 Data protection nonetheless differs to some extent from privacy, its scope of application being both broader and more specific than the right to privacy.51 The right to privacy applies only if privacy is violated, whereas the right to data protection applies as long as its legislative conditions are fulfilled, i.e. when the processing of data concerns ‘any information relating to an identified or identifiable individual’.52 The latter therewith does not require a violation of privacy.53

43 See for instance: C-275/06 Promusicae, para 63; WP 29: 168, para 5; Lynskey 2014, p. 570.
44 Joined cases C-293/12 and C-594/12 Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung (C-594/12) and Others [2013] ECR I___ (delivered April 2014).
45 Europarl Report 2014, para AO; COM(2000) 644, p. 5.
46 WP 29: 288, p. 21: “Any limitations to these fundamental rights can only be accepted when they meet the conditions established by the ECtHR and are thus restricted to specific, well described and foreseeable situations.”
47 C-92/09 and C-93/09 Eifert, para 48; C-543/09 Deutsche Telekom, para 51.
48 Bonnici 2013, p. 133.
49 Europarl Report 2014, para AO.
50 Supra note 48, p. 138; Fuster & Gellert 2012, p. 79; Lynskey 2014, p. 574; Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 62.
51

Additionally, the term ‘processing’ is applied broadly following Article 8, and the acquisition of data is treated as synonymous with the processing of data.54 The right to privacy in the case of data processing requires a context-dependent assessment of the data in question, i.e. whether an individual has an actual privacy interest.55 For example: a document containing personal data does not automatically imply that the privacy or integrity of the persons concerned is affected.56 The right to data protection, in contrast, merely depends on whether the data involved leads to ‘an identified or identifiable person’.57 Notwithstanding, both the right to privacy and the right to data protection are often read together in light of the Article 52(1) proportionality test, which I shall do similarly.58

1.3. INTERFERENCE

Now for the assessment of the limitation of fundamental rights: recalling the lack of in-depth clarification of Article 52(1), it shall be examined what the requirements are for a proportionate and necessary limitation following the ECJ. The recent cases of Schwarz59 and Digital Rights Ireland in this respect allowed the ECJ to offer clarification on the application of the Article 52(1) proportionality test.60 The latter case is of specific importance as it considered the question whether a legislative act, the (invalidated) Data Retention Directive61, had interfered in an unjustifiable way with the EU rights to privacy and data protection.

Following the Court, there are several requirements under the Article 52(1) test to assess whether a limitation is compliant with, and considered justifiable under, the Charter’s rights. First, prior to the assessment of the Article 52(1) conditions, it must be examined whether there is an actual interference with one or more fundamental rights, for instance through a limitation of data protection based on national security.62 If so, the subsequent question is whether or not that interference is justified in accordance with Article 52(1) of the EU Charter.63

It should therefore first be examined what is considered an interference with the right to privacy and/or data protection. Following the ECJ, an interference with the right to privacy can be found regardless of whether the information accessed is sensitive or whether the persons involved have been inconvenienced in any way.64 Any access of national authorities to (stored) data should in this respect be considered to constitute an interference with the right to privacy.65 As regards Article 8 of the Charter, an interference is found if a legislative act provides for any processing of personal data within the sense of the EU data protection framework, for instance through the acquisition or retention of data.66 The question whether the invocation of (US) national security is considered an interference shall be discussed in the third chapter. One may, however, by reason of analogy, consider upfront that the SHA national security exemption allows for an interference, as data is retained and processed through wide-ranging surveillance.67 For the sake of this thesis, US surveillance measures taken in light of the US national security framework, considering they provide access to or processing of data, shall be referred to as interference and/or interfering measures.

52 Article 2(1) Directive 95/46/EC; C-291/12 Schwarz, para 26; C-92/09 and C-93/09 Eifert, para 52.
53 Friedewald et al. 2010, p. 63.
54 EU-US Working Group on Data Protection 2013, p. 9.
55 Lynskey 2014, p. 584.
56 Ibid.
57 See Article 2(a) Directive 95/46/EC: “‘personal data’ shall mean any information relating to an identified or identifiable natural person”.
58 WP 29: 211, para 2.1.
59 C-291/12 Michael Schwarz v Stadt Bochum [2013] ECR I___ (delivered October 17, 2013).
60 Supra note 58, para 3.30.
61 Data Retention Directive (‘Directive 2006/24/EC’).
62 Council Legal Service Judgment 2014, para 3.
63

1.4. APPLICATION OF ARTICLE 52(1)

Where there is an interference, the subsequent step is an assessment of whether that interference, as a limitation to a fundamental right, is justified under the requirements of Article 52(1).68

Accordingly, any limitation of fundamental rights must, in addition to being provided for by law:

i. respect the essence of the rights;

ii. in accordance with the principle of proportionality, be necessary; and

iii. genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.69

Following these requirements it is possible to distinguish a procedural and a substantive phase in Article 52(1).70 The first examines whether there are adequate grounds for an interference, i.e. whether the interference can be justified by, for instance, the fight against serious and organised crime. The second examines whether the interference respects the essence of the rights and whether the measures are appropriate in light of the objective and limited to what is strictly necessary, i.e. the proportionality test.

64 C-293/12 and C-594/12 Digital Rights Ireland, para 33; C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others, para 75.
65 C-293/12 and C-594/12 Digital Rights Ireland, para 35.
66 Ibid., para 36; Case Law Dinner 2014, p. 1.
67 C-293/12 and C-594/12 Digital Rights Ireland, para 37, referring to: Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 72, 79 & 80.
68 Bonnici 2013, p. 135; WP 29: 211, para 3.30; Draft Charter of Fundamental Rights of the European Union 2000, p. 10-11: Explanation on Article 8; C-92/09 and C-93/09 Eifert, para 50.
69 C-291/12 Schwarz, para 34; WP 29: 211, para 3.30; Council Legal Service Judgment 2014, para 6.
70

1.4.1. PROCEDURAL

For the procedural phase some legal aspects regarding the invocation of national security must be discussed. First of all, any limitation of fundamental rights should be ‘provided for by law’ and ensure a ‘quality of law’.71 The latter ‘quality’ may, in my view, be assessed in light of Art. 8(2) ECHR, as legislation should have foreseeable consequences and be generally accessible.72 In other words, measures enacted to ensure national security should have a solid legal basis, must be accompanied by the necessary degree of detail and should be sufficiently circumscribed.73

Article 52(1) furthermore requires a ‘legitimate aim’ for an interference to be justified, i.e. the invocation of a limitation of personal data protection should meet ‘objectives of general interest recognised by the Union’. The question is therefore whether a limitation based on national security can be considered an objective of general interest of the EU.74

Following Guild & Carrera, an objective of general interest can be an “interference on the grounds of its value in the fight against serious and organised crime, and against terrorism”, which may encompass ‘national security’.75 A clear definition of national security is nonetheless lacking, leaving it to the ECJ to further clarify the scope of the national security exemption.76 The Court has emphasised that both the fight against international terrorism in order to maintain international peace and security, and the fight against serious crime in order to ensure public security, can constitute an objective of general interest.77

1.4.2. ESSENCE & APPROPRIATENESS

Considering Article 52(1), with respect to the above, one cannot automatically presume that any interference is justified under the objective of national security; measures taken should equally comply with the substantive part of Art. 52(1). An interference should respect the essence of the rights in question, i.e. data protection and privacy, and, more importantly, should pass the proportionality test, i.e. a substantive assessment of whether the limitations placed on the rights to data protection and privacy are proportionate to the aims pursued.

71 Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 109.
72 WP 29: 288, p. 16 referring to ECtHR Malone v United Kingdom, para 67: “According to Article 8(2) ECHR, an interference by a public authority with the exercise of right to respect for private life may only be admissible if such restriction: is in accordance with the law (which must have foreseeable consequences and be generally accessible (…).”
73 WP 29: 211, para 3.4, referring to: ECtHR M.M. v United Kingdom; WP 29: 288, p. 33; Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 111.
74 Irish High Court: Schrems [2014], para 55.
75 Guild & Carrera 2014, p. 6.
76 WP 29: 288, para 4.1.1.
77 C-293/12 and C-594/12 Digital Rights Ireland, para 41-42 and the case law referred to therein: C-402/05 P and C-415/05 P Kadi, para 363; C-539/10 P and C-550/10 P Al-Aqsa v Council, para 130; C-145/09 Tsakouridis, para 46-47.

As regards the ‘essence of rights’, a clear explanation appears to be lacking as regards the protection of data. Following the ECJ, the only clarification is that an interference should respect certain principles of data protection and privacy, ensure that “appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data” and respect the conditions of Directive 95/46/EC.78 Related to the latter, processing should be ‘fair and lawful’ and for ‘specified purposes’, and ‘individuals are entitled to access and rectification of information’.79 These conditions provide limited insight and shall be further examined in the third chapter.

As for the proportionality test, following the ECJ and considering proportionality a condition of any limitation of fundamental rights80, it must be ascertained “whether the measures implemented by that regulation are appropriate for attaining those aims and do not go beyond what is necessary to achieve them”.81 Accordingly there are two parts to testing proportionality: first, whether the measures taken are appropriate for attaining the legitimate objectives pursued82 and, second, whether the measures taken do not go beyond what is necessary to achieve them.83 Regarding the first prong, it must be assessed whether the measures taken in light of the national security objective are appropriate. Following the ECJ, measures such as those taken in the light of public security and battling serious crime may provide additional opportunities to shed light on serious crime and as such constitute a valuable tool for criminal investigations.84 The Court thereby appears to weigh the objective of public safety against the rights to privacy and data protection85 and considers the measures taken to be appropriate. Similarly, under Article 8(2) ECHR, both national security and public safety are recognised grounds for interference with the fundamental right to privacy and data protection.86 Following Gonçalves & Jesus, appropriateness is established when an interference contributes to the realisation of national security.87

1.4.3. NECESSITY

78 C-293/12 and C-594/12 Digital Rights Ireland, para 39-40; C-291/12 Schwarz, para 39; Council Legal Service Judgment 2014, para 7; EDPS 2014b, para 12 referring to: C-614/10 Commission v Austria, para 37; C-288/12 Commission v Hungary, para 48.
79 EDPS 2014b, para 12 referring to: C-614/10 Commission v Austria, para 37; C-288/12 Commission v Hungary, para 48.
80 Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 133-134.
81 C-291/12 Schwarz, para 40; C-92/09 and C-93/09 Eifert, para 74; C-293/12 and C-594/12 Digital Rights Ireland, para 46; Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 93.
82 Council Legal Service Judgment 2014, para 9; C-293/12 and C-594/12 Digital Rights Ireland, para 46, 49.
83 C-291/12 Schwarz, para 40; WP 29: 211, para 3.31; Gonçalves & Jesus 2013, p. 259-260.
84 C-293/12 and C-594/12 Digital Rights Ireland, para 41-42, 49.
85 Gonçalves & Jesus 2013, p. 259-260: “(…) proportionality in the narrow sense entails a comparison of the weights of the competing principles in concrete cases”.
86 Following Article 8(2) ECHR.
87 Supra note 85: “The criterion of suitability requires that interference with a right contribute to the realization

Proportionality is, however, equally dependent on the necessity of the measures, i.e. whether they are limited to what is strictly necessary to attain the objective of national security.88 Measures should therefore be sought which interfere the least with the rights to privacy and data protection while contributing equally effectively to the objective of national security, i.e. the least restrictive measures capable of achieving the same result.89

The general approach of the Court in determining necessity is characterised by, inter alia, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the objective pursued by the interference.90 These factors provide some insight as to the appropriateness of measures but, more importantly, help to assess what exactly is considered ‘necessary’ to attain the objective of national security measures. Some of these factors return in the three conditions which, in my view, allow for an assessment of the necessity of measures and which are discussed below. Although addressed separately, these conditions may overlap and supplement one another.

Considering necessity, the ECJ has held that the objective of fighting organised crime and terrorism, although important to ensure public security, does not in itself justify a data retention measure being considered necessary for the purpose of that fight.91 Measures must therefore be limited one way or another, for instance through the provision of adequate safeguards.

1.4.3.1. PROCEDURAL: CLEAR, PRECISE RULES & SAFEGUARDS

Regarding the objective of ensuring national security, the applicable legislation should first and foremost lay down clear and precise rules governing the scope and application of the limitation on data protection. Especially where processing is automated there is a significant risk of unlawful access and, where authorities gain access to ‘any and all’ personal data of EU citizens, there is an interference with the fundamental rights of practically the entire European population, which cannot be considered necessary.92 Additionally, these clear and precise rules must be accompanied by minimum safeguards.93 These safeguards should guarantee protection against the risk of misuse, abuse and any unlawful access to and use of personal data.94

In accordance with the ECtHR95, data must be “preserved in a form which permits identification of the data subject for no longer than is required for those purposes”.96 Proportionality in the sense of the ECtHR requires safeguards to prevent any use of personal data which can be considered inconsistent with Article 8 ECHR.97 Following ECtHR Rotaru, data collection has to be relevant to, amongst others, the national security purpose pursued, and the law should specify the kind of information that may be recorded and the people who may be targeted98; the latter can equally be recognised in the paragraphs discussed below.

88 Council Legal Service Judgment 2014, para 19.
89 C-291/12 Schwarz, para 46; Gonçalves & Jesus 2013, p. 259-260.
90 C-293/12 and C-594/12 Digital Rights Ireland, para 47.
91 Ibid., para 51.
92 Ibid., para 56.
93 Irish High Court: Schrems [2014], para 44.
94 C-293/12 and C-594/12 Digital Rights Ireland, para 54-55; C-291/12 Schwarz, para 55; ECtHR Liberty and Others v United Kingdom, para 62-63; ECtHR S. and Marper v United Kingdom, para 99.
95 ECtHR S. and Marper v United Kingdom, para 102; Council Legal Service Judgment 2014, para 19.
96

The first factor of necessity consequently requires clear and precise legislation, accompanied by minimum safeguards, which provides inter alia for: strict measures to protect data from abuse, a clear delineation of all persons under surveillance, a clear delineation of the type of traffic data concerned and clear requirements for the use of the data obtained.

1.4.3.2. SCOPE OF DATA CONCERNED: DIFFERENTIATION, LIMITATION & EXCEPTIONS TO AN INTERFERENCE

As for the second criterion, building on the former, it should be examined whether the data acquisition is without differentiation, limitation or exception.99 Delineation of data is considered a necessary condition, as (surveillance programmes based on) the indiscriminate, blanket collection of personal data cannot be considered limited to what is strictly necessary, nor proportionate.100 Legal limits to surveillance measures such as the scope of the data acquisition (e.g. what kind of data may be recorded) and the specification of the individuals who may be targeted provide indicators of whether blanket surveillance is precluded.101 As for the scope of the data concerned, any legislation covering ‘all public means of electronic communications’ and/or ‘all traffic data’ is considered too broad and without differentiation as regards the categories of persons affected and/or data retained.102

The ECJ has provided some clarification regarding the delineation of data acquisition. If, for example, an interference allows for the acquisition and processing of any personal information, regardless of whether there is reasonable suspicion of involvement in criminal matters, there is a lack of differentiation. Thus when data is collected, stored or processed even if “there is no evidence capable of suggesting that [a person’s] conduct might have a link, even an indirect or remote one, with serious crime”, one can assume there is a lack of differentiation, casting serious doubts as to the necessity of an interference.103

97 ECtHR S. and Marper v United Kingdom, para 103.
98 WP 29: 288, p. 25, referring to ECtHR Rotaru v Romania, para 53-63: “In the Rotaru v. Romania case, the ECtHR ruled similarly that the data collected has to be relevant to the national security purpose pursued and that, even in a national security context, the law should define the kind of information that may be recorded, the categories of people against whom surveillance measures such as gathering and keeping information may be taken, the circumstances in which such measures may be taken or the procedure to be followed and lay down limits on the age of information held or the length of time for which it may be kept. It should also contain explicit and detailed provision concerning the persons authorised to consult the files, the nature of the files, the procedure to be followed or the use that may be made of the information thus obtained.”
99 C-293/12 and C-594/12 Digital Rights Ireland, para 56-57.
100 WP 29: 215, p. 8.
101 Supra note 98.
102

Furthermore, a lack of limitation can be found if, for instance, there is no (clear) relationship between the data acquired/processed and the invocation of, in this case, the safeguarding of national security.104 A clear relationship is therefore required between the processed data and a specific threat to national security. The data processed must accordingly be bounded by limitations such as a time period, a geographical scope, a particular circle of persons likely involved in a serious crime or “persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.”105

As such, the interfering measures should provide for a clear delineation of the data concerned and should, amongst others, restrict the processing of data to specific cases/individuals and provide for a purpose limitation.

1.4.3.3. SUBSTANTIVE AND PROCEDURAL CONDITIONS TO ACCESS & OVERSIGHT

For the final factor it should be examined whether there are substantive and procedural conditions on data access for competent authorities. Applicable legislation should in this respect lay down an ‘objective criterion’ determining access limitations (e.g. regarding agency personnel), limits to the subsequent use of the data acquired (e.g. limitation of use to the purpose for which it was acquired) and, most importantly, clearly limit the data retention period to what is necessary.106 This thesis shall focus on two of these access conditions which are, in my view, of specific importance: judicial/executive oversight and the data retention period.

To ensure access limitations there should be sufficient judicial and/or executive oversight, subjecting data access to a prior review and limiting both access and use to what is necessary to attain the purpose of national security.107 Notably, a mere reference to ‘national security’ is in this respect insufficient to justify an interference with either Article 7 or 8 of the Charter, as it would fail to lay down an ‘objective criterion’. Furthermore, related to the previous condition108, the access to and use of data by competent authorities should be restricted “to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto”.109 As such, data acquired for a different purpose cannot be used to ensure national security, nor vice versa.110

103 C-293/12 and C-594/12 Digital Rights Ireland, para 58.
104 Ibid., para 59.
105 Ibid., para 59.
106 Ibid., para 49, 51, 60-65; WP 29: 211, para 3.32; WP 29: 288, p. 37; Opinion AG Cruz Villalón: C-293/12 Digital Rights Ireland, para 159.
107 Supra note 103, para 62.
108 Chapter 1.4.3.2.
109 Supra note 103, para 60-61.
110

As for data retention periods, in accordance with the ECJ, data may only be retained for a specified purpose and the retention must be limited to what is necessary, which encompasses an assessment both of what data is retained and of the retention period.111 In Digital Rights Ireland, retention for up to two years was considered unnecessary as the Court determined that an objective criterion limiting that period to what is strictly necessary was lacking, and because no distinction was made between categories of data.112

1.5. ARTICLE 52(1): RECAP

In short, the application of Article 52(1) takes several steps to assess an invocation of national security. Before applying Art. 52(1) it must be assessed whether there is an actual interference with the right to data protection and/or privacy. If so, the requirements of Art. 52(1) should be examined to find whether that interference can be justified because it is proportionate to the aims pursued and limited to what is strictly necessary.

Following Art. 52(1), the procedural phase requires a clear legal basis for the interference and furthermore demands a clear objective of general interest, e.g. national security. As for the substantive part, the interfering measures must respect the essence of the rights to data protection and privacy, should be appropriate for attaining the objective pursued and must be limited to what is strictly necessary. The second chapter shall accordingly examine the US national security framework in light of the Article 52(1) requirements with a specific view to the factors determining necessity.

Regarding the latter, in anticipation of the subsequent chapters, the US invocation of national security must lay down clear and precise rules, accompanied by minimum safeguards, governing the extent of its interference with the rights to data protection and privacy.113 Furthermore, the invocation of a limitation should not allow blanket surveillance without delineation, requiring i.a. a link between the data processed and the person involved and/or a purpose limitation. Finally, access restrictions, especially as regards judicial and/or administrative oversight and the data retention period, are needed.

111 C-293/12 and C-594/12 Digital Rights Ireland, para 49, 51, 56, 62-65; see also: WP 29: 288, p. 25, referring to ECtHR Rotaru v Romania, para 53-63: “(…) the law should (…) lay down limits on the age of information held or the length of time for which it may be kept.”
112 Supra note 111, para 63-64.
113

2. US NATIONAL SECURITY

Although the SHA provides for a national security exemption one cannot automatically presume that its invocation is considered proportionate in accordance with Article 52(1) of the Charter. As the invocation of national security can lead to the acquisition and retention of EU citizens’ data by US authorities it may be questioned how safe the SHA’s waters are.

The US has, in protecting itself against threats to its national security114, enacted multiple legislative acts laying the foundation for its surveillance programmes such as PRISM. US authorities are consequently able to acquire, store and process the personal data of US and non-US citizens in a number of ways. For example, data may be acquired through foreign surveillance conducted abroad, by intercepting internet traffic as it transits the US via cables and transmission points (so-called ‘upstream collection’)115, or by acquiring it from US-based companies or companies economically active within the US.

This chapter aims to assess the US national security framework and examine its respective surveillance measures in light of the Article 52(1) requirements, to find whether the US approach to national security, with a specific view to the protection of EU citizens, complies with the limitations intended by the European Charter, starting with the procedural aspects. Before going in-depth, however, one should have a clear understanding of the US approach to data protection.

2.1. US DATA PROTECTION

Notably, US data protection standards differ from those of the EU. The latter considers data protection and privacy universally applicable rights116 to be safeguarded by the government for the people117, whereas the US considers privacy a right to be safeguarded by the people from the government, which may be waived as one sees fit.118

To protect the privacy of its citizens, considering data protection as part of the right to privacy, the US relies on its Fourth Amendment.119 Privacy is thereby a constitutional right within the US which provides citizens with a ‘reasonable expectation of privacy’.120 Any intrusion on privacy, such as access to personal data or communications121, is subject to the issuance of a warrant, which requires ‘probable cause’.122 The US Constitution thereby aims to protect citizens from warrantless data acquisition. Notably, further data protection in the US is sector-based: companies are left to provide ‘limited’ oversight through sectoral and corporate self-regulation to protect the privacy of US citizens, rather than a single regulatory agency monitoring compliance.123

114 NSA Report 2013, p. 11.
115 Following EU-US Working Group on Data Protection 2013, p. 4, para 2.1.1.: “The US also confirmed that Section 702 provides the legal basis for so-called "upstream collection"; this is understood to be the interception of Internet communications by the NSA as they transit through the US (e.g. through cables, at transmission points).”
116 Chapter 1.1.
117 Long & Pang Quek 2011, p. 331; Klein 2012, p. 625.
118 Following <http://www.law.cornell.edu/wex/fourth_amendment> [as seen on 11-11-2014]: “The protection under the Fourth Amendment can be waived if one voluntarily consents to or does not object to evidence collected during a warrantless search or seizure.”; Long & Pang Quek 2011, p. 331; Klein 2012, p. 625.
119 The Fourth Amendment provides: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Privacy protection under the Fourth Amendment is, however, limited. First, there is the so-called ‘third-party doctrine’124, by which information relating to US citizens may be accessed and processed where there is no reasonable expectation of privacy.125 Moreover, the protection of the Fourth Amendment is aimed only at the privacy of US citizens.126 Non-US citizens without previous significant voluntary connections with the US cannot invoke the Fourth Amendment, as US privacy and data protection is limited to US citizens and individuals within its territory.127 Foreigners outside US territory thereby lack constitutional protection and receive little or no protection as regards their privacy or data.128

2.1.1. SCOPE OF DATA PROTECTION

Another aspect on which the EU and US differ is the scope of data protection, i.e. when data protection applies. For the EU, the acquisition of data is synonymous with the ‘processing’ thereof, as data protection has a broad scope of application: data protection rights and obligations apply to all acquisition, retention and processing of data. The US, in contrast, does not consider all acquisition of data to be processing; only when data is analysed by means of ‘human intervention’ is processing presumed, and only then do data protection safeguards apply.129 The US thereby allows data acquisition without extensive safeguards; ‘additional’ data protection safeguards exist only when data is considered to be processed, i.e. by means of human intervention.130

120 Long & Pang Quek 2011, p. 331.
121 PCLOB Report 2014b: Section 702, p. 88.
122 DG Internal Policies 2013a, p. 16: “meaning evidence of a 50% likelihood of criminality”; See also: EU-US Working Group on Data Protection 2013, p. 3.
123 Rossi 2014, p. 72.
124 US authorities may, following the ‘third-party doctrine’, access an individual’s information without violating the Fourth Amendment if that individual has voluntarily shared personal information with a third party, e.g. a bank or electronic communications service. US authorities consequently rely on this doctrine to obtain personal information relevant to criminal and/or national security investigations.
125 Podesta Report 2014, p. 33; DG Internal Policies 2013a, p. 16-17; Bigo et al. 2013, p. 5; Liu, Nolan & Thompson II 2014, p. 6, referring to: US Supreme Court: Smith v Maryland.
126 PCLOB Report 2014b: Section 702, p. 86-87; DG Internal Policies 2013a, p. 20.
127 EU-US Working Group on Data Protection 2013, p. 3, referring to: US Supreme Court: US v Verdugo-Urquidez.
128 Hoboken, Arnbak & Van Eijk 2012, p. 28.
129 EU-US Working Group on Data Protection 2013, p. 9.
130

The US consequently permits the acquisition of personal data through surveillance without specific regulatory safeguards for data protection, whereas such acquisition according to European standards constitutes ‘processing’, which is subject to strict regulation within the EU.

2.2. US NATIONAL SECURITY: PROCEDURAL

Now to address the heart of this chapter, the US national security framework: the first step following Art. 52(1) is examining the procedural aspect, and specifically the requirement of being ‘provided for by law’.

US national security surveillance rests, in general, on three legal bases providing national authorities with the authority to conduct surveillance131: Section 702 of the FISA Amendments Act (‘FAA’), enacting §1881a FISA132; Section 215 of the Patriot Act, amending §1861 FISA133; and Executive Order 12333 (‘EO 12333’)134. The first two are amendments to the US Foreign Intelligence Surveillance Act (‘FISA’)135; the latter is a presidential order.

FISA allows US authorities to gather ‘foreign intelligence information’ to ensure national security. Where this information relates to non-US persons it is defined as: “information that relates to the ability of the US to protect against an actual or potential attack by a foreign power; sabotage, international terrorism (…)” or as information “that relates to the national defence or security of the US (…)”.136 US authorities may accordingly conduct electronic surveillance operations, acquiring communications containing the personal data of (EU) citizens.137

Each of these legal bases shall be discussed in short.

2.2.1. SECTION 702 FAA

Section 702 first of all empowers US authorities to acquire, through surveillance for national security purposes, ‘foreign intelligence information’ of non-US persons ‘reasonably believed to be located outside US borders’.138 It thereby, amongst others, allows US authorities to access and process EU citizens’ data on US soil legally transferred under the SHA, through its PRISM programme.139 Through that programme the FBI and NSA are “tapping directly into the central servers of nine leading US internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs that enable analysts to track foreign targets (…)”.140 The FAA furthermore allows for the economic and political surveillance of i.a. foreign governments and citizens. Section 702 thus enables the warrantless surveillance of foreign communications on US soil as long as US citizens are not ‘intentionally targeted’.141

131 COM(2013) 847, p. 17: “(…) a number of legal bases under US law allow large-scale collection and processing of personal data that is stored or otherwise processed by companies based in the US. This may include data previously transferred from the EU to the US under the Safe Harbour scheme (…)”.
132 United States Congress, Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, 122 Stat. 2436, Public Law 110-261, July 2008.
133 United States Congress, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001, 115 Stat. 272, Public Law 107-56, October 2001.
134 Executive Order 12333, United States Intelligence Activities, as amended by Executive Orders 13284 (2003), 13355 (2004) and 13470 (2008).
135 Foreign Intelligence Surveillance Act of 1978 (FISA), 92 Stat. 1783, Public Law 95-511, 50 U.S.C. Chapter 36.
136 PCLOB Report 2014b: Section 702, p. 22.
137 Arnbak & Goldberg 2014, p. 10.
138

2.2.2. SECTION 215 PATRIOT ACT

Section 215, secondly, broadens the legal authority to i.a. conduct domestic surveillance on US soil for national security purposes.142 The power it provides is very broad: there is no need to specifically identify a target for investigation purposes, and authorities are able to seek a wide range of business records.143 Furthermore, it permits the FBI to apply for a secret court order at the Foreign Intelligence Surveillance Court (‘FISC’), by which companies must produce business records such as “books, records or documents, where the information sought is relevant for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities”.144 Notably, the NSA is similarly able to gain access to business records via Section 215.145

2.2.3. EO 12333

Thirdly, there is EO 12333, which serves as the basis for national security surveillance at the discretion of the US President146 and provides inter alia the NSA with its primary legal authority.147 EO 12333 provides the principal authority for foreign intelligence activities not governed by FISA.148 Notably, surveillance programmes enacted under the Order appear exempt from FISA safeguards altogether,149 although not all would agree with this.150 In accordance with the Order, any traffic data acquired on foreign soil is presumed to belong to non-US persons, regardless of the actual nationality of those concerned.151 Furthermore, a lack of clarity exists regarding the surveillance programmes and limiting conditions enacted under EO 12333, which is why this Order can only be discussed to a lesser extent.152

139 EU-US Working Group on Data Protection 2013, p. 4, para 2.1.1.

140 Irish High Court: Schrems [2014], para 10.

141 Arnbak & Goldberg 2014, p. 8.

142 Ibid., p. 7.

143 Dhont, Asinari & Poullet 2004, p. 101; DG Internal Policies 2013a, p. 17.

144 Supra note 139, p. 7, para 2.2; MEMO/13/1059, p. 7; Dhont, Asinari & Poullet 2004, p. 101; PCLOB Report 2014a: Section 215, p. 21, 41.

145 PCLOB Report 2014a: Section 215, p. 8-10; Liu, Nolan & Thompson II 2014, p. 2.

146 Supra note 139, p. 8.

147 Supra note 141, p. 3, 12; Forgang 2009, p. 221.

148 NSA Report 2013, p. 69.

149 Hoboken, Arnbak & Van Eijk 2013, p. 6.

150 See for instance: Liu 2013, p. 3: “The authority delegated by Executive Order 12333 must be exercised in accordance with FISA, but also extends to activities beyond FISA’s reach”.

151

2.3. US NATIONAL SECURITY: OBJECTIVE AND APPROPRIATENESS

Considering that, following the above, US national security surveillance is ‘provided by law’, it must next be examined what the objective (i.e. the legitimate aim) of the invocation of surveillance measures is and what measures are taken, which makes it possible later on to assess whether those measures may be considered appropriate to attaining their objective.

Following the preliminary reference in C-362/14 Schrems, it appears that the measures taken by the US in light of Annex I SHA have been applied under the guise of the ‘necessary and indispensable objective of maintaining and preserving national security and the prevention of serious crime’ and, additionally, ‘the prevention of terrorism’.153 Furthermore, all three legal bases rest on the objective of countering national security threats. Combating such security threats, encompassing i.a. terrorism, is an objective shared with the EU, and “processing of personal data for such purposes at least comes close to what would generally be understood to be a national security purpose and apparently can be subject to rules agreed upon by the EU.”154

The measures taken by the US to pursue that objective involve inter alia the acquisition of electronic communications data through surveillance programmes, the provision of access to US authorities and the retention of data.155 According to the Irish High Court, one may presume that the US has thereby been able to save lives and that these measures have helped to ensure a high level of security.156 In addition, the US emphasizes that its surveillance is necessary to assure “citizens at home and abroad and to help protect the safety of our friends, our allies, and the many nations with whom we have cooperative relationships.”157 In other words, the invocation of national security measures is not merely aimed at the national security interest of the US but may also serve that of EU Member States. Whether the objective and the measures taken are appropriate is discussed further in the third chapter.

2.4. US NATIONAL SECURITY: NECESSITY

In examining the requirements of Article 52(1), the next step is to assess whether the US national security framework and the measures taken under it are limited to what is strictly necessary. The necessity factors distinguished in the previous chapter are examined to that end.

2.4.1. PROCEDURAL: CLEAR, PRECISE RULES & SAFEGUARDS

152 EU-US Working Group on Data Protection 2013, p. 17; Arnbak & Goldberg 2014, p. 13; Donohue 2014, p. 44.

153 Minbuza 2014, para 7 a).

154 WP 29: 288, p. 23.

155 Minbuza 2014, para 7 a); Irish High Court: Schrems [2014], para 1, 5; Reding 2014, p. 2.

156 Irish High Court: Schrems [2014], para 5.

157
