The Surveillance Elephant in the Room…


Yesterday’s decision in the Court of Justice of the European Union (CJEU) in what has been dubbed the ‘Europe vs Facebook’ case was, as the Open Rights Group puts it, a ‘landmark victory for privacy rights’. Much has already been written about it. I do not propose to cover the same territory in any depth – the Open Rights Group blog post linked to above gives much of the background – but instead to examine the response of the European Commission, and the elephant in the Commission’s room: surveillance.

The judgment was published yesterday morning, and its essence was very simple. The ‘safe harbor’ agreement, which effectively allows personal data to be transferred from the EU to the US by some 4,000 or so companies, was declared invalid, because though under the agreement the relevant US companies promise to provide protection for that data in many ways – security, promising not to repurpose it, misuse it, hold it longer than necessary and so forth, essentially along the lines of European Data Protection law – there was one thing that it could not provide protection from: surveillance by the US authorities.

As the CJEU put it (paragraph 94 of the ruling):

“…legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…”

This is where the European Commission comes in. It was the Commission that made the ‘safe harbor’ decision, setting up the safe harbor system, which should, in accordance with data protection law, have ensured that data was adequately protected in the US. The Commission did not ensure that – and did not even state that it did – primarily because the state of US surveillance law (and, as far as we know, US surveillance practice) could not allow it. US surveillance law means that ‘national security, public interest, or law enforcement requirements’ override privacy and other rights where non-US citizens are concerned, and EU citizens have no form of protection against this, or legal remedies available.

The Elephant in the Room

This, it must be clear, is a fundamental issue. If the US can do this, without control or redress, then whatever systems are in place, whatever systems are brought in to replace the now invalidated ‘Safe Harbor’, will similarly breach fundamental privacy rights. No new ‘safe harbor’, no individual arrangements for particular companies, no other sidestepping plans would seem to be possible.  Unless US surveillance law – and, US surveillance practice – is changed, no safe harbor would seem to be possible.

The Commission, however, does not seem willing – or perhaps ready – to confront this issue. Their brief statement in response to the ruling, published yesterday afternoon, does not mention surveillance even once. That in itself is quite remarkable. The closest it gets to accepting what is, in fact, the essence of the ruling, is a tangential reference to ‘the Snowden revelations in 2013’ without mentioning anything about what those revelations related to. There is no mention of US surveillance law, of the NSA, of national security or of anything else relating to it. The surveillance elephant in the room looms over everything but the Commission seems to be pretending that it does not even exist.

The US authorities, however, are quite aware of the elephant – in a somewhat panicky press release last week, between the opinion of the Attorney General that presaged the CJEU ruling, the ‘US Mission to the European Union’ said that the ‘United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens‘. They do not, however, seem to have convinced the CJEU of this. Far from it.

Heads in the sand

In a way it should not be a surprise that the Commission seems to have their heads in the sand about this issue. It is not at all easy to see a way out of this. Will the US stop or change its surveillance practices and law? It is hard to imagine that they would, particularly in response to a ruling in a European court. Can they provide convincing evidence that they are not engaging in mass, indiscriminate surveillance? Again it seems unlikely, primarily because the evidence points increasingly precisely the opposite way.

There are big questions about what actually constitutes ‘surveillance’ – does surveillance occur when data is ‘collected’, when it is accessed automatically or analysed algorithmically, or when human eyes are involved? The US (and UK) authorities suggest the latter, but the European Courts (both the CJEU and the European Court of Human Rights) have found that privacy rights are engaged when data is gathered or held – and rightly so, in the view of most privacy scholars. There are many reasons for this. There is a chilling effect of the existence of the surveillance apparatus itself and the ‘panopticon’ issue: we alter our behaviour when we believe we might be being watched, not just when we are watched. There is the question of data vulnerability – if data has been gathered, then it might be hacked, lost or leaked even before it is analysed. The very existence of the Snowden leaks makes it clear that even the NSA isn’t able to guarantee its data security. Fundamentally, where data exists, it is vulnerable. There are other arguments – the strength of algorithmic analysis, for example, may well mean that there is more effective intrusion without human involvement in the process, the importance of meta-data and so forth – but they all point in the same direction. Data gathering, despite what the US and UK authorities might wish to say, does interfere with our privacy. That means, in the end, that fundamental rights are engaged.

What happens next?

That is the big question. The invalidation of safe harbor has huge repercussions and there will be some manic lobbying taking place behind the scenes. The Commission will have to consider the surveillance elephant in the room soon. It isn’t going away on its own.

And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.

More huge elephants are also looming – the various world-wide trade agreements currently being semi-secretly negotiated, from the TPP (Trans-Pacific Partnership – between the various Pacific Rim countries including the US, Australia, NZ, Japan) to the TISA (the Trade In Services Agreement), TTIP (Transatlantic Trade and Investment Partnership – between the EU and the US) and CETA (Comprehensive Economic and Trade Agreement – between Canada and the EU)  seem to involve data flows (and freedom from government interference with those data flows) that would seem to fly directly in the face of the CJEU ruling. If data needs to be safe from surveillance, it cannot be allowed to flow freely into places where surveillance is too indiscriminate and uncontrolled. That means the US.  These agreements would also seem likely to allow (or even require) various forms of surveillance to let copyright holders ensure their rights are upheld – and if surveillance for national security and public safety is an infringement of fundamental rights, so would surveillance to enforce copyright.

What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.

54 thoughts on “The Surveillance Elephant in the Room…

  1. Hi Paul, interesting analysis. I presume what you say about the UK equally applies to most (if not all) EU countries. I am quite sure the EU intelligence agencies would also hinder creation of a safe harbor… and, I think there is another elephant by the same name but with a different background: surveillance and data brokering by companies. There is a lot to be done in this area.

    1. Yes, but in the case of many EU countries (possibly including the UK) it can be argued that we do at least have legal mechanisms to address the issue – taking cases to the CJEU or the ECtHR for example. Part of the problem with the US is that for EU citizens there’s no protection and no route to protection. This needs much more work and analysis I think!

  2. From what I can see, the solution looks more likely to come from the direction of having the US give EU citizens some right of legal redress, rather than having the US agree to cease surveillance of EU citizens’ data. That would bring the US in line with the UK which, as we know, also conducts surveillance; as, I expect, do most other EU countries. The difference being that under EU data protection legislation, there is a right of challenge and redress.

    As to what might happen if the UK left the EU, the expectation (among UK politicians at least) seems to be that we would remain in the EEA. If so, then the implicatins of the 8th data protection principle would not kick in, as personal data transferred between countries in the EEA is deemed to offer an adequate level of security. So long as our domestic data protection legislation broadly kept pace with that of the EU, then I would not foresee a problem such as you describe.

    1. Even giving EU citizens a right of redress would be a big move in some ways, and I’m not sure it would cover all the bases. I’ll be interested to see if it works that way – frankly I think the US will try to avoid even having to do that much. As for the EU/EEA issue, you may well be right, but does anyone really know? And would our domestic data protection keep pace with the EU? I’m far from convinced of that, given the noises made about the right to be forgotten in particular. Still, it’s a less apocalyptic possibility.

  3. I was watching a newscast recently and the case of someone in the dock who was a religious pastor of some kind. It was reported in court that his Internet browsing had been checked and although he had done nothing illegal, the court was of the opinion that the subjects he chose to view “were inappropriate for someone in his position”. Let this be a warning to all who think that spying on us all is benign because they have done nothing wrong. This is the thin end of the wedge.
    Everything is corrupted and abused and will continue to be so.
    I’d like to suggest yet another elephant in the room: The representatives for whom we vote and who are responsible for maintaining our rights are the very same people who are eroding those rights. We seem to be fighting against a duly elected enemy. This is the situation that needs to be changed and its in our power to change it by voting for those who will protect us.

    1. Not to be confused with the European Court of Human Rights, which has a wider geographical remit than the EU, but which only concerns the European Convention on Human Rights. The European Commission (essentially an executive civil service for the EU) is instructed to negotiate bilateral agreements between the EU and other countries, which have to be compliant with EU legislation (which also happens to include fundamental human rights at Treaty level). As Paul has pointed out, the Commission has simply ignored the potential for spying & surveillance, probably because this has always been within the remit of national governments, not EU institutions. The problem is that the Court of Justice (aka CJ, CoJ, ECJ) hasn’t ignored surveillance, thereby making the Commission’s negotiated agreement with the US invalid. One route out of this would be the adoption of US national legislation which would explicitly prohibit surveillance on European data, and hoping that the Court accepts law over fact. All a bit unlikely.

  4. I’m not so worried about governmental surveillance as I am with corporate surveillance. With the former, there are at least nominal checks on what the government can and cannot do. And they are at least in theory responsible to the public. With corporate surveillance (tracking your product searches and purchase history), the corporate overlords are responsible to no one and don’t have any checks other than what they themselves impose…. And we freely give our information to corporations, often without realizing it.

    For example, statistical analysis of purchase histories can tell when a young woman is pregnant by what products she looks at and then buys online. A company can then send her targeted advertising materials. But what if she doesn’t want anyone to know that she’s pregnant?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s