After Snowden: Transfers of personal data and surveillance – what to learn from the EU approach


Michal Czerniawski

In this paper I argue that in a globalised world, with almost unlimited data flows between countries and within the cloud, a new approach should be taken towards data transfers, in particular in the context of third-country mass surveillance. The analysis is based on the example of the European Union. EU legislation foresees no explicit possibility of directly transferring personal data held by the private sector to third-country law enforcement authorities or security services. Therefore, in the EU, granting access to personal data stored on a data controller’s server, or handing over such data for the purposes of a third country’s intelligence services, violates the law.
However, the issue of data transfers for surveillance purposes is a complex one. A data controller operating under several jurisdictions may be forced by national law to grant access to data to the intelligence services of one of the countries he operates in. As a result, he might find himself in a position where by supplying personal data he violates EU law, but by not supplying the data he breaches third-country law. This is a problem data controllers face not only in Europe but also in Latin America and everywhere else in the world where international companies operate. There is still no good answer as to how to address this issue. From the EU perspective, in any case, data protection authorities should be allowed to suspend, in accordance with data protection laws, data flows where there is a substantial likelihood that the EU data protection principles are being violated. In such a case, the third country’s law shall not be taken into consideration. Nevertheless, the problem exists. That is why a high degree of transparency about cooperation between data controllers and intelligence services is so important. Transparency may help in enhancing and restoring trust between citizens and governments and private entities. Transparency in the area of mass surveillance should include, among other things, better information to individuals when access to data has been given to intelligence services. When dealing with mass surveillance, the rights of a data subject need to be guaranteed to the maximum possible extent, while preserving the public interest at stake. Another important issue is raising awareness. Only data subjects aware of the consequences related to the use of electronic communication services can fully protect their data.
As I have already mentioned, it is not possible to invoke a third country’s national security in order to avoid the application of EU data protection law. That is why third-country surveillance programs often make use of data transferred from a data controller under EU jurisdiction to a location outside of this jurisdiction. Such transfers in many cases rely on soft measures such as binding corporate rules, standard contractual clauses or the Safe Harbour Privacy Principles. All these instruments were created in order to facilitate data transfers between private sector data controllers, not to public sector authorities of third countries for surveillance purposes. That is why the national security exceptions included in these instruments shall be interpreted restrictively and limited in scope. In the light of Edward Snowden’s revelations, work is ongoing on the modernisation of the Safe Harbour Privacy Principles, to increase the security of personal data being transferred between private sector data controllers in the EU and the USA.
The ongoing data protection reform in the EU might allow for better protection of personal data transferred to third countries and limit third-country mass surveillance in this respect. Under the new law, the territorial scope of application of EU data protection legislation will be much broader. The regulation will apply not only to the processing of personal data within the European Union, but also to processing by a controller which is not established in the Union, where the processing activities are related to (a) the offering of goods or services to data subjects in the Union or (b) the monitoring of their behaviour. Therefore, the new law will cover many data controllers from outside the EU, including the USA, China or Latin America. Moreover, at the moment the EU is discussing a special instrument to be introduced in the regulation that directly relates to transfers or disclosures of personal data not authorised by Union law. All these developments are aimed at fighting third-country mass surveillance. However, in the context of surveillance, these instruments shall be seen as just supplementary to effective and independent supervision of the intelligence services and proper enforcement of data protection laws.
In this paper I deal not only with the correlation between data transfers and third-country mass surveillance, but I also address the issue of “national security” in the information society. As regards “national security”, the vast majority of data protection laws in the world include an exception for this purpose. We currently deal with various legal terms such as internal security, national security, state security, public security and defence, none of which is precisely defined. In my opinion the scope of the national security exemption should be clarified in order to provide more legal certainty, and one unified definition shall be adopted throughout the world. In particular, in this context respect for the basic data protection principles is crucial. The “national security” exception constitutes a restriction on a fundamental right and as such should be interpreted restrictively. A mere reference to a national security purpose should never constitute a sufficient basis for excluding the application of data protection laws, in particular when we deal with the alleged national security of a third country. It cannot form a basis for massive, structural or repetitive transfers of personal data. I argue that third countries' public authorities, including law enforcement authorities and intelligence agencies, willing to access data stored in an EU Member State or otherwise under EU jurisdiction, have to request mutual legal assistance from the national competent authorities through existing official channels such as Mutual Legal Assistance Treaties. These instruments need to take into account data subjects’ rights and data protection principles. Without transparency regarding access to data by public authorities and a common understanding of the term “national security”, fighting mass surveillance might end up being ineffective.
In any case, as regards surveillance, there is a need for the development of a global instrument providing for enforceable, high-level privacy and data protection. And although the final solution has to be found at the international level, there are still many things that we can do in order to improve the protection of our data against mass surveillance.

Keywords: personal data, Europe, regulation, mass surveillance.