June 23, 2014
Recently, the Irish High Court requested that the Court of Justice of the European Union (CJEU) consider privacy law implications of the surveillance activities of the U.S. National Security Agency (NSA). This review could ultimately alter the existing “safe harbor” agreement between the United States and the European Union (EU) under which American organizations are permitted to access the personal information of EU residents.
The Austrian organization Europe-v-Facebook asked the Irish Data Protection Commissioner (DPC) to investigate whether Facebook’s collection of personal information facilitates NSA access to that information, in violation of EU privacy laws. The DPC declined to initiate that investigation. Europe-v-Facebook then asked the Irish High Court to review the DPC decision not to investigate. The Irish High Court referred the issue to the CJEU.
The issue was raised in Ireland as Facebook’s collection of data associated with users outside of the U.S. and Canada is managed by the Facebook European subsidiary, which is registered in Ireland. Ireland’s DPC opted not to investigate, taking the position that Facebook’s data collection practices were governed by the safe harbor agreement established between the EU and the US.
EU privacy law requires that the personal information of EU residents be shared only with parties governed by national laws deemed by the EU to be at least as rigorous as the privacy laws imposed by the EU. Although US privacy laws have not been certified by the EU, the negotiated safe harbor agreement permits exchange of EU personal information with parties in the US provided that the American parties contractually agree to be bound by terms consistent with the EU privacy requirements.
Europe-v-Facebook reportedly alleges that by collecting EU personal information despite widespread NSA digital surveillance, Facebook is violating EU privacy laws and its safe harbor commitments. Europe-v-Facebook argues that the DPC should review the situation to determine if privacy law violations have taken place.
This case has important implications extending far beyond its potential impact on Facebook. If the CJEU orders the DPC to conduct the review requested by Europe-v-Facebook, then the EU privacy law implications of NSA surveillance will be directly examined.
That examination will focus on the extent to which private parties can be held accountable, from a privacy law perspective, for the widespread surveillance activities of the NSA, and presumably other governmental authorities. This case would raise the question: Can private parties be held legally responsible when the security of personal information under their control is compromised by the activities of governments?
The issues raised by this case are timely and significant. If the investigation sought by Europe-v-Facebook is launched and if that investigation results in a determination that NSA surveillance and Facebook’s collection of personal data despite such surveillance are violations of EU privacy law, there will be profound consequences.
One such consequence is the likely determination that NSA surveillance programs have caused essentially all American organizations to be in violation of their EU safe harbor privacy obligations. Another likely consequence is establishment of a precedent holding private companies legally responsible for government actions that compromise the privacy of personal information under their control.
If European authorities conclude that American companies are legally accountable for privacy law violations caused by the US government, the adverse economic impact on those companies may be substantial. That adverse impact should be considered when authorities in the US assess the merits and value of large-scale surveillance programs.