Ever since Edward Snowden’s revelations about the U.S. National Security Agency’s intelligence collection programs inspired Max Schrems’ campaign to end Facebook’s data transfers from Europe to the United States, U.S. foreign surveillance laws have been under the microscope in European courts.  They have not been viewed favorably, leading the Court of Justice of the European Union (CJEU) to abruptly terminate two successive transatlantic data transfer arrangements – the Safe Harbor Framework and the Privacy Shield Framework.

America’s troubles before the CJEU exist in some tension with the Court’s more nuanced perspective on EU member states’ own national security data collection and retention laws. In the recent La Quadrature du Net and Others (LQDN) judgment, the CJEU opened the door a crack for continued bulk metadata retention for national security purposes, which France’s Conseil d’Etat subsequently took advantage of. Strikingly, the European judiciary did so at a moment when the United States, through legislative and executive action, has scaled back its own reliance on these same practices. The time therefore seems ripe to take a fresh look at U.S. practices, in light of the new judicial standard in this area applied to EU member states.

The Snowden Shock in Europe

Edward Snowden’s disclosures reinforced the sense in Europe that U.S. foreign surveillance was a pervasive and existential threat to Europeans’ privacy. (Reports recently have emerged of Denmark’s intelligence service engaging in surveillance of undersea communications cables in coordination with the U.S. NSA during the years 2012-14, reinforcing certain Snowden allegations.)   In the first Schrems judgment (2014) in the Irish High Court, Judge Hogan professed a “suspicion” that US surveillance was aimed at “the preservation and reinforcing of American global political and economic power”. (paragraph 5)   The NSA programs demonstrated “massive overreach on the part of the security authorities,” with the result that “data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes.” (paragraph 8)

The CJEU, in ruling the next year on the preliminary reference proceeding from Ireland, did not delve into the substance of the Snowden revelations or address the Irish court’s findings about U.S. surveillance law.  However, it indirectly observed that foreign legislation permitting public authorities “to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life….” (paragraph 94) The shadow of US bulk data collection thus hung over the Schrems I judgment.

After the Schrems I case returned to the Irish High Court, detailed taking of evidence about U.S. surveillance law took place, and in 2017, Judge Costello issued a lengthy set of findings. Among her conclusions was that “there is mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance.” (paragraph 193)

Three years later, the CJEU decided Schrems II, assessing the validity of the Commission adequacy decision based upon the US-EU Privacy Shield Framework, and this time it reached specific conclusions about whether U.S. international surveillance programs conformed to the EU legal standard of essential equivalence.  One was that programs operating on the transatlantic internet backbone allowed for bulk collection of personal data inconsistent with the necessity and proportionality criteria of EU fundamental rights analysis (Paragraphs 183-4).

The Snowden Shock in America

While Europeans were dismayed to discover that U.S. intelligence was intercepting the unencrypted contents of communications data, Americans were more outraged by Snowden’s revelation that the NSA had begun collecting their domestic telephone call metadata records in bulk on an ongoing basis after September 11, 2001.  Under Section 215 of the Foreign Intelligence Surveillance Act (FISA),  the Foreign Intelligence Surveillance Court (FISC) could order monitoring within the United States of suspected international terrorists.  The FISC, in a classified ruling, had agreed that the NSA could use this authority to collect the entire domestic call database to ferret out terrorist connections.

Congress and the Obama Administration eventually responded to public disclosure of this expansive judicial interpretation by replacing the statutory provision in question with a more limited authority. The new program, authorized by the 2015 USA Freedom Act, ended bulk collection of call metadata generated by telecommunications companies; henceforth, only individualized records concerning terrorist suspects and their contacts, plus their contacts’ contacts, could be gathered by this means of compelled access.  Other controls on surveillance activities, including the promulgation by President Obama of Presidential Policy Directive 28 (PPD-28) placing additional limits on foreign bulk data collection, also were adopted in the United States in the years immediately following the Snowden revelations.

By the time the new program came up for legislative reauthorization in 2020, the NSA had acknowledged major implementation problems encountered by telecommunications providers, as well as its own doubts about its ultimate value.  An effort to reauthorize large-scale call metadata collection for national security purposes collapsed at the legislative deadline.  The Biden Administration has yet to indicate whether it will attempt to revive the former call metadata program in some form, but sustained bipartisan opposition makes its legislative reestablishment a difficult prospect.

A Limited EU Legal Regime for Bulk Metadata Retention Emerges

In LQDN, the CJEU examined whether bulk metadata retention practices in France and Belgium conformed to EU data protection law. The Court, mindful of the instruction in Article 4(2) of the Treaty on European Union that national security “remains the sole responsibility of each Member State”, declined to extend the reach of EU law to these practices when member state security services conduct them unilaterally. On the other hand, it broke new ground by insisting that the demanding requirements of the Charter of Fundamental Rights do apply when member state authorities rely on service providers such as telecommunications companies to collect and retain bulk metadata on their behalf.

In LQDN, the CJEU also delineated a degree of  flexibility for member state national security authorities to engage in bulk metadata retention.  If a member state determines that a “serious threat to national security” exists, it may order service providers to collect and retain bulk metadata, so long as the program is “not systemic in nature”.  Although such programs must be time-limited, they may be extended due to the “ongoing nature of the threat.” (Paragraphs 138-139)  France’s highest administrative court, the Conseil d’Etat, soon ruled that such a threat existed in that country and that French authorities could continue to utilize metadata previously retained for national security purposes in order to prosecute criminal offenses, subject to certain necessary reforms of domestic oversight mechanisms.

Moving Beyond Snowden on Surveillance

U.S. national security law observers watched with bemusement and some degree of indignation as the CJEU crafted an EU legal regime for member state surveillance programs that is noticeably more sympathetic than the one it had imposed on U.S. foreign surveillance counterparts in the Schrems cases.  The U.S. Government, in comments submitted to the European Data Protection Board (EDPB), suggested that since, under LQDN, EU privacy law does not apply to member states’ direct access to personal data for national security purposes, comparable U.S. government direct access measures should not be covered either.  “The EDPB should not interpret Schrems II to create a double standard under which non-EU countries’ direct access measures are subject to strict EU data protection rules while comparable Member State direct access measures are not subject to EU law at all.”

As a matter of EU law, some European scholars consider that this ‘double standard’ argument falls short.   The ‘double standard’ exists, in their view, because the CJEU felt compelled in LQDN to respect Article 4(2) TEU by creating a zone of member state national security surveillance activities exempt from EU data protection law.  No similar consideration appears to trouble the CJEU when it comes to non-member states.

Nevertheless, the security policy consequences of these differing levels of European law control over surveillance regimes cannot be lightly dismissed.  Intelligence services on both sides of the Atlantic, which operate under shared democratic values and the rule of law, must cooperate against threats ranging from terrorism to cybercrime to geopolitical bad actors.  As three senior U.S. national security officials gently but pointedly have written, the Court’s ruling in Schrems II “has potential implications in transatlantic information-sharing … in law enforcement and intelligence cooperation.”

Meanwhile, LQDN has been interpreted in other member states like Belgium – unlike in France – as requiring rapid reformulation of their data retention legislation to accord with the new CJEU requirements.  As these states do so, they may have more sympathy for the surveillance law issues faced by the United States in negotiating with the European Commission a successor to the Privacy Shield.

Eight years after Edward Snowden’s disclosures enlivened the summer of 2013 in Washington and Brussels, it seems time to acknowledge the legal changes that have occurred on both sides of the Atlantic.  At home, the United States has abandoned domestic bulk call metadata collection and retention.  In Europe, as a result of Schrems II, the United States remains under pressure to make further changes to its foreign surveillance laws in order to reestablish a stable transatlantic commercial data transfer arrangement with the EU.

On the other hand, a number of European security services, faced with significant domestic terrorist threats, see a need to continue their own bulk metadata programs, which the CJEU has partially accommodated.  The contrast between Europe’s perception of the ‘Wild West’ in America and its own surveillance landscape needs adjustment.  A gradual accommodation of viewpoints could contribute to a more lasting transatlantic data transfer architecture. The CJEU has laid down differing standards for U.S. foreign bulk data programs from what it will allow for member state metadata collection programs.  The European Commission and the United States Government now have the challenge and opportunity, in the ongoing negotiations on a successor to the Privacy Shield, to devise agreed solutions to the defects in U.S. surveillance law identified by the CJEU in Schrems II, with the hindsight provided by intervening CJEU jurisprudence.  Since the Court inevitably will scrutinize the resulting accord, there is still time to take account of the changed legal realities on both sides of the Atlantic.