Why the invalidation of Safe Harbour by ECJ cannot be fixed with contracts?

In short: There are no model contract clauses that could even in theory make legal the transfer of personal data of EU citizens to companies operating under or within reach of the jurisdiction of the US courts.

Background:

The decision European Court of Justice (ECJ) gave on October 6th 2015¹ in case Maximillian Schrems vs. Data Protection Commissioner of Ireland has been widely discussed in media. In short, Mr. Schrems has sued Facebook because Facebook has been transferring user data to USA where intelligence organisations like NSA may access user data. Accessing data like this is against the privacy legislation of EU .² The decision ECJ gave on October 6th is an answer to the High Court of Ireland where the Data Protection Commissioner of Ireland has argued that Mr. Schrems' case should not at all be handled in court because the decisions EU has made on Safe Harbour framework between EU and USA guarantee that data transfers containing personal data can be made to USA. Mr. Schrems has argued that the foundations of Safe Harbour have fallen after we have learned through Ed Snowden's work that the intelligence organizations in USA are intercepting and storing huge amounts of user data including that of EU citizens.

ECJ has now stated that because of the fact that privacy EU user data is compromised by the intelligence activities of the USA, Safe Harbour does not guarantee the level of privacy it was meant to guarantee and is thus invalid. Mr. Schrems argument won and the High Court of Ireland can proceed with Schrems vs. Facebook.

The issue is not where the data resides

The majority of the discussion in media has concentrated on data transfers to USA. While it is very likely that most of the alleged mass surveillance done by the intelligence agencies of USA takes place in USA, we have also examples where the US government is also demanding to get information that is stored outside of USA. From a European perspective an interesting example is the case where the US Department of Justice (DoJ) is demanding Microsoft to hand over user data which is stored in data storage facilities located in Ireland.³ The argument of DoJ in this case is that ”US government has the (legal) right to demand the emails of anyone in the world from any email provider headquartered within US borders”. Microsoft is not willing to comply as it would have a significant negative impact businesswise and therefore the case is in court. Already in June 2011 Microsoft U.K.'s managing director Gordon Frazer admitted that Microsoft cannot guarantee that EU customer data residing in EU based data centers would not be is vulnerable to interception and inspection by U.S. authorities.⁴ Frazer said: ”Microsoft cannot provide those guarantees. Neither can any other company."

The problem is actually much worse than the US government just ”having a legal right to demand the emails of anyone in the world if the email provider is headquartered within US borders”. The problem is that the US government has a much wider range of legal tools to get a much wider range of people's data than that. To put it short: if a company operates in USA, or has US citizens as employees elsewhere, the US government can use FISA to claim data it wants. Also a subsidiary in USA opens this door to the US government. These warrants may also include a ”gag order”, they are to be kept in secret: an invidual who gets such a warrant may not express even getting such a warrant not to mention any details about it. This is presumably what happened to Lavabit, a company offering a fully encrypted email system.⁵

The outcome of all of this: even if we could and would trust the companies providing the services, there cannot be any privacy using their services in the sense EU privacy laws define it as long as the US government has a way to use the power of FISA legislation towards any employee of a company having a possibility of accessing the data. Caspar Bowden, former Chief Privacy Adviser of Microsoft pointed this out in 2011⁶, before Snowden leaked documents and details about PRISM and other mass surveillance done by US intelligence. ”Incidentally” Bowden was released from his duties at Microsoft 2 months after that.

Think about the possible strategies of an employee getting a FISA gag order warrant. Non-compliance would mean going to jail. On the other hand the warrant is so secret that it is very unlikely that one's superior ever gets to know about it. The optimal strategy is quite easy to see: comply and keep your mouth shut. This legislative trap the US government has made is diabolic by nature. It also explains why it really could have been the case that the top level executives of US companies did not know about their employees' part in giving customer data to the government. They kept arguing that their companies are not participating in PRISM or any such operation. What else could they have said in their position if they did not know about their employees' activities? And what would they be likely to say if they themselves are the ones who have received a warrant and a gag order?

This is about fundamental human rights

Whichever the case, the end result is the same for EU citizens. Even if we would trust the US companies themselves we cannot trust their services because the US government is intruding on our privacy in a way which is against EU privacy laws. The Article 8 of the European Convention on Human Rights is about right to privacy. This is about basic human rights. Saying so is not a mere opinion any more. It is the very rationale of the ECJ's decision.

One could argue that using strong encryption personal data can be considered safe in services the US intelligence organizations are able to disrupt. While good quality encryption makes technical interception much more difficult, it does not protect form legal procedures. It also should be noted that US intelligence organizations have been working to weaken encryption through participation in standardizing organisations pushing the wanted vulnerabilities into use internationally.⁷

One can also argue that there are other countries that pose a threat, too. For example the intelligence and cyberwar activities of Russia and China are a significant threat. However, I cannot see that, even if we in the EU, or other parts of the world, would think these countries represent a more serious threat, why would we accept USA intruding on our privacy?

Update October 14th: I have been asked to explain what FISA means. It is United States federal law titled Foreign Intelligence Surveillance Act. Wikipedia article on FISA law is a good introduction.

October 14th the Data Protection Authority of Schleswig Holstein in Germany has decided that data transfer on the basis of Standard Model Clauses is unlawful.

References:

1http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=129958

2http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046

3http://www.theguardian.com/technology/2015/sep/09/microsoft-court-case-hotmail-ireland-search-warrant

4http://www.zdnet.com/article/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/

5https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order

6https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2527/original/The_Cloud_Conspiracy_-_31C3_Hamburg_-_27.12.14_-_Caspar_Bowden.pdf

7http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html