Privacy shields doubling as privacy swords? … While “the best defence” may also make a “good offence” (or, “offense”, as our US counterparts would call it), first you need to be confident that your defence strategy works!
Last Friday, a statement was made by EU Vice-President Ansip and Justice Commissioner Vera Jourová announcing the adoption by Member State representatives of the EU-US Privacy Shield to govern future personal data transfers. To quote from the statement:
“Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”
By way of background, as I mentioned in a post in the Spring of this year, the Privacy Shield adequacy decision replaces the defunct ‘Safe Harbour’ agreement, which was declared invalid by the Court of Justice of the EU (CJEU) last October in the case of Schrems v Data Protection Commissioner C-362/14 (see Sophie’s earlier post here on this decision). In short, in the Schrems judgement, the CJEU held that the Safe Harbour agreement – relying upon a scheme of US company data-security self-certification – was inadequate to protect the privacy and data protection rights of EU citizens in light of Edward Snowden’s revelations about the extent of US government surveillance. In particular, citizens had no judicial redress where harms ensued as a result of US intelligence activities being carried out in respect of their personal data.
Since that decision, negotiations to strike a new data transfer agreement quickly have been high on the EU and US political agendas. At the same time, the European Commission has consulted as broadly as possible (albeit as urgently as possible) to take on board the input of key stakeholders, notably the EU Member State data protection authorities and the European Parliament. Most recently, as part of the formal adoption process, the following events have occurred:
- The Commission presented a draft decision on the Privacy Shield at the end of February;
- The Article 29 Data Protection Working Party (WP) issued its Opinion (WP238) on the draft decision during April, as well as a Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data;
- The European Parliament adopted a non-legislative Resolution at the end of May in which it urged the Commission to carry on negotiating with the US to remedy certain deficiencies identified within the draft decision;
- Also at the end of May, the European Data Protection Supervisor published his Opinion on the draft decision outlining specific concerns.
So, what does last Friday’s statement say about the Privacy Shield and how it differs from the old ‘Safe Harbour’?
“It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms.”
This all seems consistent with the proposed measures I outlined in my post from March. So, how does the Shield in its final, agreed form differ from earlier versions? In other words, what changes have been made to the Shield which address the latest concerns raised about its adequacy? These included concerns around redress and oversight mechanisms (including the independence of a new Ombudsperson that will be created in the US State Department to deal with complaints relating to possible access of personal data by national security agencies), onward data transfers, data retention, disproportionate collection of bulk data, and derogations for national security and law enforcement purposes. In those respects, briefly, more has been done (reportedly) to address:
- Bulk collection of personal data. Further specifications have been added to the conditions under which bulk data may be collected and transferred – in particular, bulk data collection must be “targeted and focused”.
- Data retention. More rules have been introduced, including a requirement to delete personal data that no longer serve the original purpose(s) for which they were collected.
- Ombudsperson. Changes have been made to address concerns raised about the powers, position and independence of this role.
To note, however, criticisms of the Privacy Shield endure. The most vocal of these come from civil society digital privacy watchdogs in the EU that believe that the renewed pact does not go far enough. Privacy International (a digital rights group), for example, has accused the new framework of being built upon a flawed premise. This criticism appears aimed, in particular, at the set of Privacy Shield Principles that US organisations will have to certify that they abide by in order to take advantage of the Shield, as well as at the written commitments by the US government (and important departmental arms therein) on the enforcement of the arrangement. It has been argued that these should be replaced with legislation to guarantee that privacy is not abused. The privacy shield would then become more of a privacy sword in its own right!
In conclusion, the formal adoption of the Privacy Shield is expected sometime this week and its symbolic importance should not be underestimated as the pinnacle of many steps that have been taken by the EU to improve trust in the digital domain for the next decade. And trust is a must where the digital future is concerned! Its adoption will be welcomed by EU data controllers who for the moment are depending on EU Standard Contractual Clauses [although doubt remains as to their validity, which may soon be examined by the CJEU – see here]. The announcement will also, naturally, be heralded with relief by US-based tech companies such as Google and Facebook.
Yet obstacles still loom large. First, to quote the saying, “the best defense is a good offense”: that only applies if the defence is adjudged sound. Without doubt the Privacy Shield will face the judicial scrutiny of the CJEU at some point in the future, and it will have to be robust enough to withstand any further such challenge. The words of Vice-President Ansip and Commissioner Jourová convey a collective confidence that all will be well this time: “Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.” Only time will tell.
And, of course, second, there is the Brexit vote hanging ominously overhead. At present, it is not clear how long the Privacy Shield will remain in force in the UK in the event of Brexit, which will undermine legal confidence for businesses transacting between the UK, the US and the EU. Moreover, post-Brexit questions will be raised about whether UK law ensures a high enough level of privacy and data protection for EU citizens whose personal data are processed here (including for intelligence surveillance purposes), especially in the event that the UK decides not to join the European Economic Area (EEA) or the European Free Trade Association (EFTA). A minister of the Department for Culture, Media & Sport made a speech on 4 July [a befitting date as it turns out…] underlining the uncertain times ahead. The Minister said “…it is not quite clear how [the Privacy Shield] will affect the UK, but we will need a satisfactory understanding with the US of the rules to be applied”. It sounds like we have a long way to go to establish trust all around…
More information on the Privacy Shield is available here.
Update 12 July 2016: The EU Commission adopted the Privacy Shield formally today, which thereby enters into force immediately. The Privacy Shield framework will be published in the US Federal Register, which is equivalent to the EU Official Journal, and companies will be able to certify with the US Department of Commerce from 1 August.
Update 26 July 2016: The Article 29 Working Party published a statement welcoming the adoption of the Privacy Shield, but noting that some of its concerns raised in its Opinion WP238 still remain. These concerns focus on commercial aspects and US public authorities’ access to personal data transferred from the EU (such as lack of clarity around how the Privacy Shield will apply to data processors, and a lack of specific rules on automated decisions and a general right to objection). The Working Party intends to provide specific guidance to data controllers about their obligations under the Privacy Shield shortly, as well as publishing its proposals for arrangements for subjecting the Shield to annual review by joint US-EU authorities in the future.