Big victories and rollbacks for data in a year of terror

Austrian student Max Schrems walked out of the courtroom in Luxembourg with a large smile on his face.

In his first appearance before Europe’s top judges in late March, the privacy campaigner had scored another victory.

Judges backed his argument that a 15-year-old data sharing and transfer pact with the United States had been compromised. It was the first big crack in the so-called Safe Harbour agreement and a major blow to the social network giant Facebook.

A few months later in October, the same judges delivered a stunning verdict and invalidated the agreement for violating fundamental privacy rights.

Big companies like Apple and Google, along with some 4,000 other US firms, had relied on Safe Harbour to transfer and process the personal data of EU nationals. Now they had to look elsewhere.

“This is not bashing the US case, this is a mass surveillance issue", Schrems told EUobserver after the final verdict.

Edward Snowden, the former NSA agent who blew the lid off US-led mass surveillance that helped nail Safe Harbour, congratulated the Austrian in a widely shared tweet. "Congratulations, @MaxSchrems. You've changed the world for the better.“

But the Luxembourg Safe Harbour verdict is not without precedent.

Safe Habour ruling

Last year, the same court scrapped an EU data retention agreement for similar reasons. That law was spawned in the aftermath of the Madrid and London bombings.

Both cases point to a broader clash between fundamental rights and national security where the European Commission, as guardian of the treaties, has proven itself out of its depth.

The Brussels executive sees no policy contradiction between the two. Earlier this year it said that security and respect for fundamental rights are “consistent and complementary policy objectives.”

But those policy objectives appear increasingly blurred.

The Safe Harbour ruling was all the more extraordinary given the widespread push for increased surveillance and police oversight following the Jewish museum shooting in Brussels last year and the Charlie Hebdo massacre in Paris in January.

"Never let a serious crisis go to waste”

A dozen people died in the Paris shooting in January. Around a week later, the EU’s counter-terrorism coordinator, Gilles de Kerchove, told stunned onlookers that an unprecedented opportunity had arisen.

“It is a fact of political life that governments and parliaments are much more motivated just after an attack”, the Belgian senior European Union official said at a civil liberties committee (LIBE) meeting.

"Never let a serious crisis go to waste”.

It is a message that resonates.

A few months later the LIBE committee caved into pressure and endorsed a Commission proposal on passenger name records (PNR).

First proposed in 2011, PNR had been stuck at the committee level for years. Most MEPs opposed its broad underlying surveillance measures while others questioned its effectiveness in tracking down EU nationals who leave for Syria to fight alongside the Islamic State.

The Commission had been quietly financing national PNR projects throughout the debates.

German Green MEP Jan Phillip Albrecht warned PNR risked ending up in the scrap heap with data retention if it ever went to the European Court of Justice.

The EU's data privacy chief Giovanni Buttarelli also voiced his complaints.

“I’m still waiting for the relevant evidence to demonstrate, even in terms of the amount of money, and years to implement this system, how much it is essential,” he said.

But French interior minister Bernard Cazeneuve was dispatched to Brussels to convince them otherwise. He lobbied individual MEPs to sign off on PNR following the Paris murders, saying it would help deter terrorism.

The coup worked. The controversial bill went into inter-institutional talks in September and is likely to get rubber-stamped into law before the end of the year.

Smart borders

France had also evoked broad new national surveillance measures sparking outcry from civil liberty defenders.

At the same time in Brussels, French technocrats at the European council, representing member states, pushed for EU-wide rules requiring travelling EU nationals to give their fingerprints and possibly also have their faces scanned.

The idea is part of a larger digital dragnet known as the ‘smart borders’ package, to be proposed next spring.

Then Paris happened, again. On Friday 13 November, French and Belgian nationals killed 130 people in a carefully-staged attack.

A few days later, the centre-right EPP announced that talks should be suspended on a new EU data protection directive that grants law enforcement access to personal data.

Their lead negotiator said the draft contained too many bureaucratic privacy checks and safeguards for police to operate effectively. Suspending the talks could have implications for the wider EU data protection regulation. Both are linked and both are set, after years of talks, to be put into law before the end of the year.

The European Commission also jumped on the Paris bandwagon.

EU commissioner for migration Dimitris Avramopoulos announced an EU Internet forum “to strengthen cooperation” between government ministers and CEOs of major Internet companies in their fight against online jihadist propaganda.

It is an alliance that is set to test, once again, the Commission's awkward balancing act on security and respect for fundamental rights.