Ever since David Vogel coined the term of art “California effect” back in 1995, many have wondered, including Vogel himself, to what extent is policy convergence toward a more stringent regulatory standard really possible. The theory of Vogel of “a race to the top” in the environment in the 1970’s when California was a frontrunner in the field is based on the premise that trade liberalization triggers stricter standards developed in jurisdictions with large market share to force private companies in other jurisdictions with weaker standards either to meet the higher standard or sacrifice a large portion of exports.
As others in this symposium have already written, on October 6, 2015, the Court of Justice struck down the Safe Harbor decision of the EU Commission. “…[L]egislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life…[under the EU Charter of Fundamental Rights]”, the Court held.
From a US perspective, the far-reaching ongoing internal reform of the Foreign Intelligence Surveillance Act (FISA) can perhaps be interpreted as satisfying the criterion of targeted vs. massive surveillance. This remains contested however given that the US national security reform has so far not eliminated, but shifted the mass collection of data from the NSA to private companies. It seems that the pending Umbrella Agreement that the European Commission managed to negotiate in the meantime for co-operation between law enforcement authorities in the US and the EU may not be a panacea either. The Agreement will give Europeans limited rights of judicial redress in the US, subject to the passage of the US Judicial Redress Act. Albeit an important improvement to the status quo, the Umbrella does not cover national security measures and does not deal with some of the gaps in the 1974 US Privacy Act, such as possibilities for inter-agency exchange of information and multiple exceptions for law enforcement purposes.
The question then becomes whether in order to meet the standard of adequacy for data transfers with third countries currently required by the EU Directive of 1995 in the light of the Court’s judgment, the US government will attempt to update its statutory laws governing the processing of personal data for purposes of national security and law enforcement (Electronic Communications Privacy Act / Stored Communications Act, FISA, Privacy Act of 1974, Executive Order 12,333).
By and large the possibility of challenging mass surveillance worldwide can be strengthened by two factors. Perhaps counter-intuitively, the first should be the support of the business community. Although the sinking of Safe Harbor has meant legal uncertainty to a lot of businesses, the industry lobby in Washington, DC, can press for further reforms and insist on the overhaul of massive surveillance measures. Since technology businesses rely on consumer trust, they have economic incentives to pursue reforms that limit government’s access to data held on their servers. For example, in a high-profile case against Microsoft about the validity of a search warrant that the US sought in order to obtain data stored in Microsoft’s data center in Ireland, many of Microsoft’s competitors like Apple, Cisco, AT&T and Verizon all filed amici briefs in support of Microsoft. Similarly, the likelihood for the Court of Justice’s Schrems decision to be taken seriously outside Europe will depend on the commitment of the two European Courts to stay unrelenting on measures, either proposed or enacted, that make mass surveillance lawful in EU Member States and, and for the ECJ – to hold the EU institutions in check based on the Charter.
Alternatively, as noted by Lynskey, the EU could lower the bar on adequacy in the pending EU General Data Protection Regulation. Some Member States in the Council have signaled of this option by questioning the feasibility of maintaining an adequacy test in reference to massive flows of personal data in the context of cloud computing. Then again, there is democracy. During the protracted negotiations of the Regulation, the European Parliament has in turn stated that it would not agree to lower the standards in the Regulation below the level of the 1995 Directive. The promise of Parliament is in tune with the democratic concerns of various Member States’ legislatures that during the Early Warning Mechanism procedure insisted that the EU strengthens data protection guarantees in international data transfers.