Spies Gonna Spy: So What Does That Mean for Personal Data Post-Schrems II?

How to keep the data flowing in a world of espionage

Hot on the heels of the European Court of Justice’s Schrems II ruling, the Council of Europe, an international body comprising nearly 50 states, has said that intelligence services need to stop spying on individuals’ digital communications.

In a joint statement on 7 September, the Chair of the Council of Europe’s (CoE) data protection “Convention 108” committee, Alessandra Pierucci, and the Council of Europe’s Data Protection Commissioner, Jean-Philippe Walter, called on countries to strengthen the protection of personal data in the context of digital surveillance carried out by intelligence services.

The potential interference or interception of personal data by the US intelligence services was one of the main reasons the European Union’s top court ruled that the Privacy Shield mechanism for transferring EU citizens’ data to the US was invalid. Since then, many commentators have pointed out that the United States is not the only country where intelligence services can gain access to private data.

Referring to the European Court of Justice’s judgment of 16 July 2020, the CoE statement also highlights that this decision has implications beyond EU-US data transfers. The statement urges countries to join “Convention 108” – the Council of Europe’s convention on data protection – and to promote “a new international legal instrument providing democratic and effective safeguards in this field.”

Such an instrument does not currently exist, but a new legal standard “could be based on the numerous criteria already developed by the courts, including the European Court of Human Rights and the US Supreme Court,” they say. “Convention 108” (aka the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) is the only legally binding instrument on the protection of privacy and data protection open to any country in the world. To date, 55 countries have signed up to follow its data protection principles.

“Countries must agree at international level on the extent to which the surveillance performed by intelligence services can be authorised, under which conditions and according to which safeguards, including independent and effective oversight,” stressed the statement.

But it admitted, “while the convention provides a strong international legal framework for the protection of personal data and specifically addresses the need for an independent and effective review and supervision of restrictions to data protection justified by national security or defence, it does not fully and explicitly address some of the challenges posed at international level by the mass surveillance capacities, which requires the drafting of a new specific international legal standard.”

When the predecessor to Privacy Shield, Safe Harbour, was struck down in 2016, many accused the EU of “hypocrisy”, since European countries’ intelligence agencies also conduct similar surveillance, albeit not on the same scale.

A Sidley Austin report at the time concluded that the UK in particular has laws that are comparable to those in the U.S. “U.S. safeguards are at least as strong as those in effect in the EU,” it said. “France, Germany, Poland, the UK, and the Netherlands explicitly permit certain types of surveillance that are not targeted at identified suspected individuals, and these countries can apply ‘keywords’ or ‘selectors’ to large communications data flows crossing their territory. [They also] permit interception of external communications that is not targeted at specific individuals.”

Eduardo Ustaran, partner at Hogan Lovells, and Privacy and CyberSecurity Practice lead, told CPO that when it comes to interpreting the Schrems II ruling there are two camps. “One says categorically that with countries that have less data protection, transfers are forbidden. The other camp sees we live in an imperfect world and we have to do our best to find solutions that work in practice. I tend to be more in the latter camp,” he explained.

“What the court is saying is that the law is clear: there must be some respect for data protection in the government’s thinking. The US is actually probably one of the easiest countries for this to happen, as it is a democratic country, despite current upheavals. The same is true of the UK. But there are other countries around the world that are very opaque. China is a challenging country in this respect, yet you can’t exclude China from the world and we must find ways to protect data across all jurisdictions,” he continued.

“My view is that there is quite a bit that can be done in practice in terms of what the court has set out. There is a lot that can be done to mitigate disproportionate government access to data. Governments, the police and other agencies have to do their job in order to allow states to function. It’s not about stopping ALL access, it’s about preventing disproportionate or indiscriminate access,” said Ustaran, echoing what many in industry have said.

“Looking at the US situation for example, the Presidential Policy Directive 28 under former President Barack Obama was a step in the right direction – a basic step to provide limits to the activities of intelligence agencies. And while Privacy Shield may have been struck down – and I respect the court’s decision – the US was very nearly there. I think with the right will, and the right government in the US, it can be achievable,” he continued.

“Data localisation is political wishful thinking. I, personally, don’t think it is inspired by data protection concerns. It’s inspired by economic protectionism. And while I think the EU should develop and support its own tech industry and so on, in today’s world, data localisation is not the way to do it. When the internet was invented, localisation was over. The internet is global, services are global, providers are global, the cloud is global. So even if you agree with data localisation politically, in practice, it is not realistic.”


EU Policy Correspondent at CPO Magazine