This brief comment will address the 6 October 2015 CJEU Grand Chamber ruling in Max Schrems, asking what it tells us about the status of two fundamental rights in the EU legal order, namely the right to the respect for private life (privacy) and the right to the protection of personal data (EU Charter of Fundamental Rights, Articles 7 and 8, respectively). The ruling must be read together with the 8 April 2014 ruling in Digital Rights Ireland where Articles 7 and 8 were discussed side by side.
Although the Max Schrems ruling contains many references to personal data, it does not really discuss the right to the protection of personal data as a distinct fundamental right. Article 8 of the Charter is mentioned in the dispositive part of the ruling but not for instance in what I would call the main finding by the Court which refers only to Article 7:
In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…
The outcome of the case – declaring Commission’s Safe Harbor Decision 2000/52 invalid – flows from this finding of a breach of the essence of the right to privacy when we are dealing with indiscriminate blanket access to data. In Digital Rights Ireland the CJEU had already indicated (paras. 39-40) that blanket access to ‘content’ would trigger the application of the essence clause in Article 52 (1.1) of the Charter, while surveillance, even indiscriminate mass surveillance, based on even complex use of various categories of metadata amounted to a “particularly serious interference” (Digital Rights Ireland, para. 65) with fundamental rights but did not trigger the application of the essence clause. The Court’s distinction between ‘content’ and ‘metadata’ can be criticized, and it was indeed relativised by the Court itself in Digital Rights Ireland (para. 27).
What is now remarkable in Max Schrems is that a) the Court actually identified the intrusion in question as falling under the notion of the essence of privacy – something the European Court of Human Rights has never done under the privacy provision of ECHR Article 8, and b) the identification of an intrusion as compromising the essence of privacy meant that there was no need for a proportionality assessment under Article 52 (1.2) of the Charter. This can be contrasted with the Digital Rights Ireland judgment (para. 69) where the final outcome was based on the application of a proportionality test. For these reasons, the Max Schrems judgment is a pathbreaking development, a major contribution to the understanding of the structure and legal effect of fundamental rights under the Charter. Digital Rights Ireland indicated where the path would go, and now the Court actually went that way.
An equally important contribution is documented in the same paragraph, namely that mere “access” to communications by public authorities) constitutes an interference. Notably, Article 8 (2) of the Charter uses the notion of “processing” when defining the fundamental right to the protection of personal data. Surveillance advocates might have until the Max Schrems ruling enjoyed some credibility with their claims that mere access does not amount to processing, and therefore mere access to the flow of communications does not amount to an intrusion until the automated selectors and algorithms have made their job and the human eye starts to “process” a much more narrow set of data. Now we know, that mere access is an intrusion into privacy, and even into the essence of privacy when it provides for indiscriminate access to ‘content’.
This gives rise to the next question, whether the Max Schrems rationale will only apply to the “transfer” of data from Europe to “servers” in the United States. This was the factual basis of the case, as reflected in paragraphs 2 and 31. The CJEU was asked a question about data transfers from Europe to Facebook servers in the US under the Safe Harbor arrangement, and it responded to that question. It did not address the scenario of “upstream” access to data flows through the splitting of fiber-optic cables to obtain generic access to all data that passes through transatlantic cables just because the Internet is built in the way that a lot of traffic ends up going through those cables. It would indeed be difficult to bring a case to the CJEU that would address this scenario.
Nevertheless, paragraph 94 quoted above is formulated in a way that gives a generic answer concerning the contours of the right to privacy under Article 7 of the EU Charter: yes, also access through the upstream method of capturing the data flow in a fibre-optic cable is to be regarded as compromising the essence of privacy and therefore as prohibited under the Charter, without a need even to engage in a proportionality analysis. It may be hard to get a case to the CJEU but the content of the substantive norm under Article 7 of the Charter is now clear. One can on good grounds expect that the European Court of Human Rights will now be prepared to follow the lead of the CJEU and draw the same conclusion under ECHR Article 8.
In closing, I dare to present the view that the Digital Rights Ireland and Max Schrems rulings taken together provide verification and demonstration of the utility of the methodology we developed in the SURVEILLE project where we produced a general framework for the holistic assessment of surveillance technologies for their security benefit, cost efficiency, moral hazards and fundamental rights intrusion. In short, in our model an intrusion into the essence of privacy would by definition produce the highest possible fundamental rights intrusion score which is, again by definition, higher than the maximum usability score and would therefore make redundant any proportionality assessment. Other types of intrusion – even particularly serious ones – would be assessed through giving separate scores to the importance of a fundamental right in a given situation and the depth of the intrusion into the same right as created by surveillance, and by then comparing the resulting fundamental right intrusion score against the usability score based on technology assessment. Here, a proportionality assessment is needed, even if the highest possible intrusion scores will be so high that the benefits obtained through surveillance cannot in practice outweigh them. Similarly to the CJEU in the Digital Rights Ireland case, the outcome will be that crude methods of mass surveillance, even when not triggering the essence clause, will be assessed as unlawful.