The horrifying tragedy of the bombings in Paris may well have an impact on the data protection legislative landscape within Europe in the foreseeable future.
At the heart of the CJEU judgment in case C-362/14 Maximillian Schrems v Data Protection Commissioner was the inherent conflict between Europe’s resistance to pervasive government surveillance of personal data, and the US commitment to it. The stance of the US is understandably driven by its obsession with counter-terrorism measures.
The Schrems decision effectively ruled that enrolment in the Safe Harbor programme (or the enrolment of any data processors in the programme) is no longer in itself sufficient to satisfy the statutory obligation on EU data controllers to ensure an ‘adequate level of protection’ of personal data that is exported to the US. The backdrop to this decision was the absence of protections in the US against wide-ranging government surveillance of personal data (brought to the fore following the Snowden enquiry) and how this conflicts with the privacy assurances required by the European Commission.
In the wake of Schrems, data controllers are obliged to use alternative means to ensure adequate protection of personal data exported to the US, namely EU standard model clauses or Binding Corporate Rules. Are the EU model clauses sufficient to satisfy a data controller’s statutory obligations? For now, yes. But several businesses we advise have been nervous about relying on the model clauses on the basis that these would not take precedence over a statutory right of the US government to access personal data for anti-terrorism surveillance. The concern is therefore that the European Commission’s next adequacy decision might conceivably be to bin the model clauses by saying that until the US government changes tack then these too are insufficient to constitute adequate protection. Whilst there may be some merit to such concerns, the reality is that the commercial and political pressure to facilitate data flows between the US and EU is so immense that such data flows are, I think, unlikely to be restricted further by the Commission. In fact, the latest press release from the European Commission suggests that a new ‘safe harbor’ framework could be announced as early as January 2016.
It is conceivable that the magnitude of the terrorist attack in Paris will influence on-going discussions as to what the new EU/US data protection framework will look like. It might even narrow the gap between the EU and US position on what level of anti-terrorism surveillance is appropriate and the circumstances in which such surveillance may be justified.