On 12 July the European Commission formally adopted the EU-US Privacy Shield. The effectiveness of the Privacy Shield is hugely controversial. According to the Commission, the new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the USA as well as bringing legal clarity for businesses relying on transatlantic data transfers. The full text of the all-important ‘adequacy decision’ of the Commission is here.
Andrus Ansip, Commission Vice-President for the Digital Single Market, said on 12 July:
‘We have approved the new EU-U.S. Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses. We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions’.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, said:
‘The EU-U.S. Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data’.
The Commission press release states that the Privacy Shield is based on the following principles:
· Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
· Clear safeguards and transparency obligations on US government access: The USA has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The USA has ruled out indiscriminate mass surveillance on personal data transferred to the USA under the EU-US Privacy Shield arrangement. The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible. It details the safeguards in place for the use of data under such exceptional circumstances. The US Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
· Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute Resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens will be handled by an Ombudsperson independent from the US intelligence services.
· Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the US Department of Commerce will conduct the review and associate national intelligence experts from the USA and European Data Protection Authorities. The Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.
Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the Article 29 Working Party and the EDPS, and the resolution of the European Parliament to include a number of additional clarifications and improvements. The European Commission and the USA notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.
Supposed Immediate Effect
The ‘adequacy decision’ will be notified to the Member States and thereby enter into force immediately. On the US side, the Privacy Shield framework will be published in the Federal Register, the equivalent to the EU’s Official Journal.
However, this is a special definition of ‘immediate’ as there is in fact an in-built delay. Companies will be able to certify with the Commerce Department starting 1 August. In parallel, the Commission will publish a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.
Initial Criticism
The effectiveness of the Privacy Shield was called into question at once. Most notably, Max Schrems, whose action before the CJEU led to the demise of Safe Harbour, said:
‘Privacy Shield is the product of pressure by the US and the IT industry – not of rational or reasonable considerations. It is little more than a little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, who will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution. The European Commission and the US government managed to make everyone miserable, when they could have used this opportunity to upgrade the protections that are crucial for consumer trust in online and cloud services.’
Jan Albrecht MEP, a leading light in the EU privacy environment, has published a very full statement, from which the following is an extract:
The European Commission has now issued a new decision named ‘Privacy Shield’ that is meant to replace ‘Safe Harbor’. Privacy Shield is a blanket adequacy decision under Article 25 of Directive 95/46/EC, when so far only a number of derogations under Article 26 were available to business that wished to transfer data to the United States.
Shortcomings in the Private Sector
In the private sector, the proposed rules are nowhere near the level of protection and principles of the European Union, despite the finding of the CJEU that it has to be ‘essentially equivalent’.
Backbone of EU law: purpose definition
When a patient shares personal information with a doctor, the patient reasonably expects that the doctor will only use this information for the treatment – not sell the personal data to a data dealer.
This expectation is enshrined as ‘purpose limitation’ in EU law. Contrary to EU law, Privacy Shield allows very broad and generic purposes such as ‘we use your data for all services we may provide to you and others’, which undermines this very crucial protection. Many other rules, for the deletion of data or the sharing of data are interlinked with this principle.
‘Notice & Choice’
Privacy Shield is meant to be based on ‘Notice and Choice’, which sounds promising. Contrary to this verbiage, and contrary to EU law, Privacy Shield does not give users much ‘choice’. It actually gives companies a general blanket allowance to use the personal data of any person under the sun.
Only in two specific cases (data sharing with a third party and a change of purpose) can users object. Obviously, users would first have to know about the US business taking such steps, actively contact the company and conduct an ‘opt-out’. In reality this will hardly happen, which is why EU law is based on an ‘opt-in’ system, where companies typically have to ask customers for consent.
Many other such differences, which make Privacy Shield not ‘essentially equivalent’ to EU law could be mentioned.
Private Sector Redress
In its judgment the CJEU has called for ‘effective detection and supervision mechanisms’.
Privacy Shield does not provide such mechanisms, but rather sends users through a patchwork of options. Users have to contact the relevant US company, then different private US arbitration bodies and their national authorities, who in turn contact the Federal Trade Commission and the Department of Commerce, to finally be able to address concerns with a ‘privacy shield board’.
However, Privacy Shield does not ensure that any of these institutions is empowered to factually review the practices of any company. They lack the power to e.g. inspect the servers and software. The user will therefore typically be unable to prove allegations.
Also, none of the options available are directly enforceable for a customer. Findings of the institutions, which have a duty to investigate complaints, are only sanctioned by a removal from the program, if a company does not comply – but not directly enforceable by the individual. Even the decision by the so-called ‘privacy shield panel’ must be brought before a US court for enforcement.
Further, the procedures will be held on US soil, before US lawyers, under US law and in English. Customers will have an inherent disadvantage, as typically seen with private arbitration. For this reason ‘arbitration’ in consumer cases is prohibited within the EU since 1993.
It is hard to see how this system could fulfill the ‘effective detection and supervision’ benchmark.
Shortcomings in [relation to] Mass Surveillance
In its judgment the CJEU has held that ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’.
In Annex VI of the Privacy Shield decision, the US government explicitly confirms that US services conduct ‘bulk collection’ by using data from US companies. While the US highlights what it called limitations (for example for only six broad purposes), the mere possibility of such mass surveillance is contrary to the CJEU judgement cited above.
Redress on Mass Surveillance (Ombudsperson)
As the new redress mechanism, customers may address an ombudsperson in the US. The ombudsperson is an undersecretary of the US state department, not a court or independent body. While the new ombudsperson can raise issues within the US government, the reply to the individual is defined in Annex IV of the Privacy Shield decision. It will always contain the same two sentences:
· First, the US will not confirm or deny any surveillance.
· Secondly, it will say that all US laws were adhered to, or any non-compliance was remedied.
The proposed ombudsperson therefore provides for anything but a ‘right to an effective remedy and to a fair trial’ as the CJEU has required in line with Article 47 of the Charter of Fundamental Rights.
Future of the ‘Privacy Shield’
While it seems that so far, there are no immediate challenges planned, it can be suspected that there will be no lack of possible plaintiffs. In addition to activists and NGOs, the Data Protection Authorities in the 28 member states can refer the question to national courts and the CJEU. Even the European Commission mentioned the possibility of a legal challenge on the validity of the Privacy Shield.
Options for Businesses
While businesses will soon be able to sign up to the Privacy Shield system, it seems that many would only do so in addition to other – more stable – transfer mechanisms like so-called ‘Model Contracts’.
It remains to be seen if a considerable number of US businesses will go through the expensive and somewhat complicated implementation procedure, if there is a high likelihood of legal challenges to the Privacy Shield system. Most expert lawyers recommend sticking with alternative mechanisms, or only using Privacy Shield as an additional option.
Unanswered Questions
Many obvious questions concerning Privacy Shield remain unanswered, for example:
· How can a system that effectively only requires opt-out for the transfer of data to a third party (‘Notice & Choice’) be ‘essentially equivalent’ to EU data protection law, which requires consent (or another legal basis) even for the mere collection of data?
· Why should US providers be granted access to the European market, without following similar rules?
· How are private arbitration bodies ‘effective detection and supervision mechanisms’ when they cannot even investigate the facts by e.g. on-site reviews?
· How can the Commission claim that there is no ‘have access on a generalised basis’ when the US explicitly names six cases where it allows ‘bulk collection’?
· How can an Ombudsperson, that will not even disclose if a person was subject to surveillance, provide for a ‘right to an effective remedy and to a fair trial’?