The European Courts of Justice and Data Protection
The 6th of October 2015, the European Union Court of Justice (EUCJ) has published the Schrems case of justice. With that decision, the Court considers that the European Union legislation does not offer an efficient protection for the personal data exported outside of the European Union territory.
That decision makes illegal numerous data transfers, especially from the EU data privacy to the United-States. Indeed, the Court pushed questions about interferences of fundamental rights to the persons whose personal data are exported.
The Working Party 29 (WP29), an institutional group of the European Union specialized in the personal data protection, decided to assess the consequences of the Schrems decision on the transfer of data. The WP29 then analysed the jurisprudence of the EUCJ related to the Charter of Fundamental Rights, as well as the decision of the European Court of Human Rights (ECHR), related to the European Convention of Human Rights.
This work can be summarized by the following sentence: a justified interference to the human rights, in a democratic society. The result of that study has been entitled by the WP29 “The four essential European guarantees” (the Guarantees).
We will in a first part focus on the interference to fundamental rights, and then on the Four Guarantees in a second part.
The interferences to fundamental rights
The Charter of Fundamental Rights establishes fundamental rights linked to private life. Data protection case law in the Schrems decision, the EUCJ considers that the EU legislation should both impose clear and precise rules governing the field of application of a measure, and a minimum protection. The purpose is that individuals possess enough guarantees to protect their personal data of any illegal abuse.
The European Court of Human Rights also proposed a protection of fundamental rights related to personal data. In the Zakharov decision, the 5th of December 2015, the Court considered the interferences to the right of a private life to be only justified if they are “respecting the law, with a legitimate and necessary purpose in a democratic society”.
The ECHR as well as the Charter both include a test of necessity and proportionality. The limitations are accepted if they are necessary and objectively recognized of general interest by the EU, or because they protect rights and liberties. The two courts of justice consider that every limitation or interference to the fundamental rights related to private life or data protection can only be justified if “strictly necessary in a democratic society”. The ECHR specifies that States have a substantial margin of appreciation in the choice of necessary measures to accomplish a legitimate goal of national protection. The collect of personal data for example can be a legitimate goal followed by a State.
In theory, the operations of data recovery or surveillance will all constitute an interference, especially when the data related to private life are recovered by a public authority.
However, the EUCJ and the ECHR both pointed out in a clear way that without their jurisprudential rules, the national authorities can freely decide for each individual case if the data collect will constitute or not the violation of a fundamental right.
The European Essential Guarantees
The WP29 analysed the jurisprudential decisions in order to define the European Essential Guarantees. The Guarantees shall be incorporated to ensure that there would be not interference related to the protection of data or private life in the Member States of the European Union.
Four guarantees have been developed:
– the process must be based on clear, precise, and accessible rules
– the measures shall be necessary and proportional
– an independent surveillance group in the Member States shall exist
– efficient remedies shall be available for each individual
The WP29 underlined that Guarantees are funded on fundamental rights, regardless the nationality of the persons. Besides, this group frequently asked to the Member States to adapt the national laws on the jurisprudences of EUCJ and ECHR.
The different decisions recently judged by the two European courts of justice in charge of the protection of fundamental rights are given in a context where protection of data and private life takes importance.
Indeed, the protection of private life and personal data by governments has always been a hot topic. For example, very recently the company Apple made an opposition against the FBI in the United States. The FBI wished to obtain data contained in a smartphone sold by Apple, on the purpose to fight terrorism. The company refused the FBI demands, which leaded to arguments between human rights protectors, and supporters of the legitimate intervention of government institutions for general interests.
The debate, which on a first sight seems only politically turned, in fact also affects the world of business. The GAFA companies (Google, Amazon, Facebook, Apple) are regularly accused by the European authorities to violate private life rights. This context may have leaded to the Schrems decision, since the data exported outside the EU territory weren’t protected enough once arrived on the US territory, where the GAFA is located.
The development of the jurisprudence of the courts and their power to impose decisions on Member-States shall lead to national legislations framing the use of personal data and the protection of private life by the governments and authorities.
However, we can question the rapidity of government to vote laws. Indeed, the States are already struggling to follow and frame the exponential evolution of the numeric fields.
As the constitutionalist Guy Carcassonne said “The problem of democracy is that it is slow to act”.