The European Commission has finally published the text of the programme called Privacy Shield, the name of the agreement reached with the United States to safeguard the export of personal data from European citizens across the Atlantic. This is in response to the CJEU case of Maximiliam Schrems v Data Protection Commissioner, which declared invalid the previous agreement called Safe Harbor (our take on the case here).
The European Data Protection Directive contains a principle stating that personal data from European citizens can only be transferred to a third country if the recipient territory provides an adequate level of protection for that data. The level of adequacy will take into account several circumstances, such as “the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.” It soon became clear that the United States could not comply with this principle, and as a lot of data was sent across the Atlantic, a solution had to be found. European institutions came up with a so-called ‘Safe Harbor’ allowing the transfer of personal data to the United States without having to declare that US law complied with data protection requirements. The agreement reached in 2000 allowed the transfer to companies in the US that signed up to the “Safe Harbor Privacy Principles”, a condensed version of the provisions contained in the Data Protection Directive. The companies also agreed to be held responsible for keeping to those principles by the US Federal Trade Commission (FTC) or other oversight schemes.
The system had been working for 15 years without incident, but after Edward Snowden provided evidence of complicit actions by US tech companies on the mass-surveillance apparatus, Schrems alleged that this was evidence of a violation of the data protection principles. Therefore, Schrems wanted the courts to declare the Safe Harbor agreements invalid. The case made it all the way to the CJEU, which carefully considered the different rights involved, and decided to agree with Schrems, and declared the existing Safe Harbor invalid because it clearly did not protect European citizens adequately. The Court considered that the Data Protection Directive had given Member States the power to create national authorities tasked with the obligation to determine how personal data is being used. By relying on the Safe Harbor decision, the data protection authorities would not have the power to examine claims lodged by data subjects, which would erode the very core principles behind the data protection regime.
The declaration of invalidity of Safe Harbor sent shocks through the entire system, data exports are necessary for the functioning of a lot of data-driven industries. The Commission immediately started negotiating a new agreement that would pass the Schrems test.
Enter Privacy Shield.
The agreement is based on a declaration by the United States that in order to facilitate the enactment of the Privacy Shield initiative (which sounds like something out of The Avengers), it will enable more safeguards towards EU citizens. They did that by enacting the Judicial Redress Act, which will enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts. This was a very important element of the Schrems decision. Coupled to that, the Privacy Shield will further attempt to ensure the protection of European citizens. The statement from the Commission contains the following 4 points:
Strong obligations on companies and robust enforcement: the new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme.
clear safeguards and transparency obligations on U.S. government access: for the first time, the U.S. government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data. U.S. Secretary of State John Kerry committed to establishing a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State, who will be independent from national security services. The Ombudsperson will follow-up complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. These written commitments will be published in the U.S. federal register.
Effective protection of EU citizens’ rights with several redress possibilities: Complaints have to be resolved by companies within 45 days. A free of charge Alternative Dispute Resolution solution will be available. EU citizens can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism ensuring an enforceable remedy. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.
Annual joint review mechanism: the mechanism will monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the U.S. Department of Commerce will conduct the review and associate national intelligence experts from the U.S. and European Data Protection Authorities. The Commission will draw on all other sources of information available, including transparency reports by companies on the extent of government access requests. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of U.S. privacy law and their impact on Europeans. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
All of these seem directly answering the Schrems case, and might make it more difficult for Privacy Shield to receive the same fate as its predecessor, but we will just have to wait and see. Schrems himself has made a statement that he does not think this is enough, particularly pointing out that the above does not even begin to address misuse of personal data by private entities on behalf of the US intelligence services.
I have a different doubt about the Privacy Shield. The European Union will be implementing this year the General Data Protection Regulation (GDPR), an overhaul of the Data Protection regime. Of particular interest, the GDPR contains a new set of principles to create a regime of privacy by design. Art 23(2) of the Regulation reads:
“The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.”
This sets out an a priori regime where privacy must be built into the system for any operation that processes personal data. However, the Privacy Shield is mostly relying on a posteriori system where EU citizens will be able to seek remedies for possible violations. In short, I tend to agree with Schrems that the system might not be enough to soothe the Court of Justice. I am sure that we will find out, I imagine swift action will be brought in front of the data protection authorities very soon.
I do not know what may be the result, but let’s just bask in the fact that data protection authorities will now be Agents of Shield.