INTERNATIONAL DATA FLOWS: A SCHREMS II ASSESSMENT OF ELECTRONIC SURVEILLANCE LAWS IN AUSTRALIA.

Date: 01 August 2022
Author: Gacutan, Joshua

CONTENTS

I Introduction
II The CJEU's Ruling in Schrems II
  A Deontological Commitments in EU Privacy and Data Protection Law
  B GDPR: International Personal Data Transfers from the EEA to Third Countries
    1 Adequacy Findings
    2 Additional Data Transfer Safeguards and Derogations
  C Schrems II: Invalidation of the EU-US Privacy Shield Adequacy Decision
    1 Background
    2 Decision
  D Conclusion
III Assessment of Electronic Surveillance Law Case Studies
  A Justification and Overview of Case Studies
  B Proportionality under art 52(1) of the EU Charter
    1 Australian Signals Directorate
    2 Australian Security Intelligence Organisation
    3 Mandatory Data Retention Regime
  C Right to an Effective Remedy under art 47 of the EU Charter
    1 Access to Sufficient Information
      (a) Government Transparency Legislation
      (b) Australian Privacy Principles
      (c) Notifiable Data Breach Scheme
    2 Access to an Independent Oversight Body with Binding Authority
  D Conclusion
IV Australia's Adequacy Prospects under the GDPR
  A Electronic Surveillance Laws as Likely Barriers to an Adequacy Decision
  B The Absence of a General Right to Privacy
V Conclusion

I INTRODUCTION

The Court of Justice of the European Union ('CJEU') has historically upheld a fundamental-rights-based approach to privacy and data protection. (1) As a result, the CJEU has applied European Union ('EU') privacy and data protection law to countries outside the EU, affirming the primacy of the rights of EU citizens over the interests of third countries and foreign companies. (2) Since 1995, initially through the Data Protection Directive ('DPD'), (3) and, since 2018, the General Data Protection Regulation ('GDPR'), (4) one of the main mechanisms through which parties may transfer EU citizens' personal data to a country outside the European Economic Area ('EEA') (5) is when the European Commission ('EC') (6) certifies that the third country ensures 'an adequate level of protection'. (7) The effect of an adequacy decision is that personal data can flow from the EEA to the third country with limited data transfer safeguards. (8)

The influence of EU data protection law, especially the GDPR, on the domestic data privacy regimes of third countries has received significant attention in the literature. (9) A 2017 census of global data privacy laws conducted by Graham Greenleaf reported that 120 countries have enacted data privacy laws (in addition to 30 other countries that were considering draft legislation), with many of the laws bearing similarities with EU data protection law. (10) Even if third countries are not expressly legislating EU-style data privacy laws, EU regulatory law scholar, Anu Bradford, hypothesises that global regulatory convergence towards the GDPR's standards is taking place due to a 'de facto Brussels Effect'. (11) Bradford explains that '[w]hile the EU regulates only its internal market, multinational corporations often have an incentive to standardize their production globally and adhere to a single rule.' (12) It follows that multinational companies adapt their processes to comply with the GDPR's higher standards, and are then incentivised to lobby their respective governments to adopt the GDPR's standards to level the playing field against their domestic competitors. (13)

The GDPR's influence on the privacy reform discourse in Australia is clear. (14) In the Australian Competition and Consumer Commission's ('ACCC's') final report for the Digital Platforms Inquiry, the ACCC recommended major reforms to Australia's federal information privacy law--the Privacy Act 1988 (Cth) ('Privacy Act'). (15) A number of these reforms are influenced by the GDPR's standards and received immediate support from the federal government and inclusion in the Attorney-General's Department's ('AGD's') broader review of the Privacy Act. (16) In line with the ACCC's proposed reforms, and as evidence of the Brussels Effect hypothesis, submissions by businesses and industry groups to the AGD's review of the Privacy Act support the enactment of those GDPR-style provisions proposed by the ACCC in order to strengthen Australia's adequacy prospects. (17) Several submissions (18) also justify the removal of the small business and employee records exemptions in the Privacy Act because the Article 29 Data Protection Working Party, the EU's former data protection advisory body, considered those exemptions to be likely barriers to an adequacy decision for Australia in 2001. (19)

Even if these recommendations raise the Privacy Act closer to the GDPR's standards, any reforms proposed as part of moving towards adequacy under the GDPR must consider the position of Australia's National Intelligence Community ('NIC') agencies and the breadth of their statutory powers as judged in light of the CJEU's ruling in Data Protection Commissioner v Facebook Ireland Ltd ('Schrems II'). (20) The CJEU in Schrems II invalidated the EC's adequacy decision--Commission Decision 2016/1250 (21)--which approved the EU-US Privacy Shield, a mechanism on which thousands of United States ('US') and EU companies based their personal data transfers. (22) The CJEU's fundamental rationale for invalidating the EU-US Privacy Shield involved concerns that US surveillance programs authorised under § 702 of the Foreign Intelligence Surveillance Act of 1978 ('FISA') (23) and Exec Order No 12333 ('EO-12333') (24) did not provide 'essentially equivalent' protections for EU citizens to those guaranteed under EU law. (25) The CJEU reasoned that § 702 of the FISA and EO-12333, taken together, did not provide for: (i) a proportionality assessment sufficient to ensure collection and use of EU citizens' personal data by US intelligence agencies is limited to what is strictly necessary; (26) and (ii) effective legal remedies for EU citizens if their personal data is misused in the course of US surveillance programs. (27) As a consequence of the CJEU's ruling, third countries seeking an adequacy decision must demonstrate limitations and safeguards that are 'essentially equivalent' to those guaranteed under EU law. (28) These limitations and safeguards must be available in circumstances where EU citizens' personal data is accessed and used by public authorities for national security and law enforcement purposes. (29)

Against this backdrop, this article argues that certain electronic surveillance laws in Australia would likely be considered barriers to an adequacy decision in light of the Schrems II ruling. This article begins, in Part II, by situating EU privacy and data protection law within the normative context of the EU's governance philosophy. It then outlines the GDPR's international data transfer provisions, and proceeds to identify the CJEU's key criticisms of US surveillance activities in Schrems II. Having set the background, the main analysis in this article is undertaken in the remaining two parts. Part III examines three case studies where the Australian Signals Directorate ('ASD') and the Australian Security Intelligence Organisation ('ASIO') have statutory powers to collect non-citizens' personal data offshore, intercept personal data over telecommunications systems onshore, and access metadata retained by telecommunications providers. Each case study is assessed against two threshold questions used by the CJEU to assess the compatibility of electronic surveillance laws with EU law. Those threshold questions are: (i) whether the relevant statutory power employs proportionality considerations to ensure access and use of non-citizens' personal data is limited to what is strictly necessary; and (ii) whether non-citizens are afforded effective legal remedies against misuse of their personal data in the third country. Part IV concludes that the case studies cast doubt on Australia's adequacy decision prospects under the GDPR, because each regime falls considerably short of providing 'essentially equivalent' protections to those guaranteed under EU law. Finally, this article posits that the case studies highlight not only a wider 'adequacy' gap overlooked by the present Privacy Act reform discourse, but also the consequentialist treatment of privacy protection in Australia.

II THE CJEU'S RULING IN SCHREMS II

In order to consider Australia's adequacy prospects in light of the CJEU's ruling in Schrems II, it is necessary to briefly describe the EU's governance philosophy and situate EU privacy and data protection law within this normative context. Framing the EU's approach to privacy and data protection around deontological ethics assists in understanding the standard of privacy and data protection that third countries must guarantee to ensure 'an adequate level of protection' under the GDPR. (30) Part II, therefore, will outline the deontological commitments in EU privacy and data protection law. It will then describe GDPR provisions regarding international data transfers, then proceed to identify the CJEU's key criticisms of US surveillance activities in Schrems II.

A Deontological Commitments in EU Privacy and Data Protection Law

Historically, there have been two accounts that have applied to determine the extent and shape of privacy protection--namely, deontological and consequentialist approaches. (31) Although no legal and political system is an absolute embodiment of one single account, the EU's approach to privacy and data protection can be understood as grounded in deontological ethics. (32) For deontologists, the value of privacy protection is determined by the extent to which the protection engenders basic moral rights and duties such as individual autonomy, control and dignity. (33) By comparison, consequentialist bases are variable, such that the extent of protecting privacy interests hinges on what is considered desirable for society in the circumstances. (34) Consequentialist approaches are achieved by determining what is 'good' and then defining 'the right' that will promote 'the good'. (35) If 'the good', for...
