…But, will the highly anticipated EU-US ‘Privacy Shield’ live up to its super-hero billing?

Last month proved to be a particularly busy time for data protection news. First, the Council of the EU adopted a political agreement on the texts that will form part of the new Data Protection Reform Package. Also hitting headlines was the announcement that EU and US authorities had reached political agreement on the eagerly awaited ‘Privacy Shield’. Details about the contents of the texts that form the basis of that latter agreement has recently been published by the European Commission and the US Department of Commerce.

By way of a brief reminder, the Privacy Shield is a new protocol designed to legitimise commercial transfers of personal data to the US from the EU that fall within its ambit under EU data protection rules. It is intended to replace the now defunct ‘Safe Harbour’ agreement, which was declared invalid by the CJEU last October in the case of Schrems v Data Protection Commissioner C-362/14 (see Sophie’s earlier post here on this point). In short, in this judgement the CJEU held that the Safe Harbour agreement (relying upon a scheme of US company data-security self-certification) was inadequate to protect the privacy and data protection rights of EU citizens in light of Snowden’s revelations about the extent of US government surveillance. In particular, citizens had no judicial redress where harms ensued as a result of US intelligence activities being carried out in respect of their personal data. Since that decision, negotiations to strike a new data transfer agreement quickly have been high on EU and US political agendas.

The published legal texts laying the foundation of the new deal can be accessed here. They include a set of Privacy Shield Principles that US organisations will have to certify that they abide by to take advantage of the Shield, as well as written commitments by the US government (and important departmental arms therein) on the enforcement of the arrangement. The Commission has also published a Communication summarising the actions taken to restore trust in transatlantic data flows since 2013, as well as the all-important draft adequacy decision declaring that the Privacy Shield ensures an adequate level of personal data protection. The latter, which will need to be formally adopted in conclusion of the political agreement, will have to be robust enough to withstand any further challenge in front of the CJEU.

So, what is actually being proposed under this new framework? The primary focus is upon the extended range of safeguards that US organisations handling EU citizens’ personal data must follow to implement the framework. Another key strand is more robust enforcement and monitoring of compliance by the US authorities, including increased cooperation with EU data protection authorities (DPAs).

An additional and unprecedented step by the US authorities is the provision of written assurances on the limitations, safeguards, and oversight mechanisms to be put in place regarding access by public authorities to the personal data of EU citizens on national security grounds. These include assurances that indiscriminate mass surveillance of EU citizens’ personal data by US security agencies has discontinued. On a more practical level, these also agree to allow the EU to monitor the framework arrangement in action, and include a requirement that the EU Commissioner and the US Department of Commerce carry out annual joint reviews of its proper functioning (to which EU DPAs will be invited to contribute). Notably, this review will include analysis of access to EU-originating personal data for reasons of US national security during each relevant year.

Finally, another major pillar of the agreement is the introduction of enhanced rights of redress by EU data subjects against US organisations that misuse their personal data. For example:

• Companies will be subject to tighter deadlines to reply to complaints made against them by individuals who suspect that their personal data has been mishandled;
• EU DPAs will be empowered to refer complaints by individuals in their jurisdictions to the US Department of Commerce and the Federal Trade Commission;
• Free and binding alternative dispute resolution will become available to individuals to resolve their complaints; and,
• A new ombudsman will be created in the US State Department to deal with complaints relating to possible access of personal data by national security agencies.

On the US side, developments are already being made in preparation for the coming into force of this new regime as demonstrated by the publication of a fact sheet by the US Department of Commerce that clarifies certain aspects of the Privacy Shield framework. Attention is drawn, in particular, to measures concluded or underway to enhance privacy protections as applied to US intelligence collection activities.

Most recently, President Obama signed the Judicial Redress Act of 2015. This provides EU citizens with judicial redress rights in front of US courts in respect of privacy breaches they have suffered where these have been caused by the actions of US authorities in respect of the processing of their personal data. The passing of this Act gives the ‘green light’ for finalising the EU-US ‘Umbrella Agreement’, another data sharing arrangement to ensure that US authorities comply with EU data protection principles when processing EU citizens’ personal data for law enforcement purposes. For more information on both of these measures, see my previous post here.

Regulator reactions to these developments in the EU also came thick and fast in February. Most notably, in early February:

• The Article 29 Data Protection Working Party (WP) published a statement on the consequences of the Schrems judgement. The WP said that it welcomed the conclusion of negotiations over the Privacy Shield agreement and, once it received more detail, it would proceed to assess whether there were sufficient protections to meet the criteria laid down by the CJEU in Schrems. In particular, the WP highlighted four essential European guarantees related to the processing of personal data by US security agencies against which it would assess the robustness of the framework. These are: (1) personal data processing should be based on clear, precise and accessible rules; (2) necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated; (3) an independent oversight mechanism should exist, that is both effective and impartial; and, (4) effective remedies need to be available to the individual. Said otherwise, the WP adds, these mean that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred; a balance needs to be found between the objective for which personal data are collected and accessed (generally national security) and the rights of the individual; an independent overseer must have sufficient ability to carry out the necessary checks; and, anyone should have the right to defend her/his rights before an independent body. The WP also stated that it intends to assess the basic legal validity of alternative EU-to-US personal data transfer legal mechanisms distinct from the protection of the Privacy Shield (specifically, standard contractual model clauses and binding corporate rules) in light of these essential guarantees.
• A few days after the WP’s release, the UK’s Information Commissioner’s Office (ICO) published a blog post outlining its own position on the Privacy Shield. Like the WP, the ICO comments that it is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the US. In the meantime, it encourages organisations to “take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to” and “to contact organisations in the USA to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future”
• The European Data Protection Supervisor (EDPS) published a Preliminary Opinion on the text of the Umbrella Agreement. While expressing his support for the initiative, the EDPS raises particular concerns about the likely effectiveness of judicial redress provisions in practice, the prevention of bulk transfers of sensitive personal data, and ensuring that all safeguards apply to everyone protected by the EU Charter of Fundamental Rights, not just EU nationals. In other words, the EDPS prioritises the fact that the Agreement must be deemed compatible with the respect for fundamental rights that stands at the core of EU law (in particular, as set out in the EU Charter of Fundamental Rights and Article 16 TFEU ensuring a right to the protection of personal data).

In conclusion, in its billing as a mechanism that aims to restore trust in transatlantic data flow [according to Vice-President Ansip, “Trust in a must, it is what will drive our digital future”], the Privacy Shield should be viewed in the context of a wider quartet (not forgetting the EU Data Protection Reform package) of legislative instruments to ensure the future protection of EU personal data when it is processed (and mis-processed) in the US. For trust to be earnt in a post-Safe Harbour world, data protection safeguards for individuals must be clear, but also practically effective, and demonstrably compliant with EU primary law and respectful of EU fundamental individual rights and freedoms. Indeed, without such guarantees, the Umbrella Agreement may not be approved in its current form by the European Parliament as it passes through the legislative process this year.

In respect of the Privacy Shield, there are signs that it will live up to its hype, but only time will tell. To quote Isabelle Falque-Pierrotin, the WP’s President, until the final details are nailed down, “we can’t just accept words”. In the meantime, the Commission’s publication of the legal texts will be welcomed by the business world at this time of uncertainty when EU DPAs could, if they see fit, launch enforcement actions against companies which are deemed not to have implemented legal-proof mechanisms for data transfer to the US. (While some DPAs has shown themselves to be more lenient in their enforcement approach against inadequately-protected transatlantic data transfers during the negotiation period – such as the ICO who announced that it would not seek to expedite Safe Harbour complaints – others, such as the CNIL, have recently taken a more hard-line approach).

In terms of next steps, the Privacy Shield must be formally adopted on both sides of the Atlantic. In the EU, we look forward to a hearing to be held by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) on the Privacy Shield later this month and, during April, the WP will meet to issue their non-binding Opinion on the agreement. In fact, although the target for completion is June, the whole process could take many months as it depends on the adoption of the Commission’s adequacy decision under the comitology examination procedure. Assuming everything goes smoothly, however, the arrangement may still face the scrutiny of CJEU at some point in the future …

No doubt, data protection and privacy lawyers can expect the remaining months of 2016 to bring as many twists and turns as the months before them!

Alison Knight