The EU-US Privacy Shield: An Effective New Framework for Transatlantic Data Flows or A Weak Compromise Doomed to Fail?

An article by Pieter Gryffroy*

I. INTRODUCTION

On 2 February 2016, the European Commission announced[1] that it had reached an agreement with US authorities on a new safe harbour regime, after the old regime had been invalidated by the Court of Justice on 6 October 2015 in its judgment in the Schrems case,[2] already reported on here. The new regime, called the EU-US Privacy Shield, was agreed upon just in time to meet the deadline set by the Article 29 Working Party (which represents the national data protection authorities) after the Schrems judgment, failing which the national data protection authorities within the EU would have taken coordinated enforcement action to ensure effective protection of the personal data of EU citizens in the US.[3] The Article 29 Working Party will now assess the new deal on the transfer of personal data across the Atlantic.[4] Whilst the full text of the new agreement is not yet accessible to the general public, the key elements of the agreement are known and have already attracted a lot of criticism. This contribution will first touch upon the background of the new agreement, explaining why it was necessary and how it functions within the framework of EU data protection law. Secondly, it will assess whether the EU-US Privacy Shield is up to the task of ensuring effective protection of the personal data of EU citizens contained in transatlantic data flows.


II. BACKGROUND: THE OLD SAFE HARBOUR AGREEMENT STRUCK DOWN BY THE COURT OF JUSTICE

Before one can assess the impact of the successor to the safe harbour agreement, it is crucial to understand the role of the original agreement in the framework of the EU’s data protection regulation. Equally, a basic understanding of the Schrems case, which led to the agreement’s invalidation by the Court of Justice, is indispensable for a good understanding of the context of the new agreement.

Although the European legislator could never have foreseen the extent of the current data flow between the EU and third countries, notably the US, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data[5] already provided for rules on the transfer of personal data of European citizens from the EU member states to third countries in its chapter IV. Whereas the Directive is clear and relatively precise on the principles relating to data protection within the EU, the rules on the transfer of personal data to third countries merely provide that member states may only allow the transfer of personal data when the country in question “ensures an adequate level of protection”.[6] In order to allow an EU-wide approach to third country data transfers, the Directive endows the Commission with powers to make EU-wide determinations of the adequacy of the level of protection of a third country, whether positive or negative.[7] In both cases member states are, by the letter of the Directive, bound to take the measures necessary to comply with the Commission’s decision. Additionally, the Directive also mandates the Commission to enter into negotiations with certain third countries in order to guarantee effective protection of the personal data of EU citizens through a specific agreement with the third country concerned.[8] Upon reaching a satisfactory agreement, the Commission can then render a decision finding that the country in question ensures an adequate level of protection of the personal data of EU citizens.[9]

It is within this exact context that between 1998 and 2000 the EU and the US federal Department of Commerce developed the safe harbour privacy principles for the transfer of personal data between the EU member states and the US, culminating in Commission Decision 2000/520/EC on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.[10] In accordance with the agreement between the EU and the US, the US Department of Commerce issued the safe harbour principles,[11] enabling US organizations to self-certify by either joining a self-regulatory privacy program that adheres to the principles or by developing their own privacy policies, provided that these are in conformity with the principles. In order to benefit from the safe harbour mark of quality, facilitating the provision of services to EU citizens, an organization had to publicly declare that it adhered to the principles, at which point further compliance became mandatory. In principle, however, adherence was voluntary and non-adherence did not prevent a US organization from receiving personal data coming from the EU. Such organizations were simply required to give notice to those using their services that their privacy policy possibly did not comply with international standards. Nonetheless, the benefit of compliance seemed to outweigh the cost and most major organizations adhered to the principles, albeit in diverging manners. Decision 2000/520/EC created a blanket allowance for the different approaches to privacy in the transatlantic flow of personal data, as long as the organizations declared that they adhered to the principles. Following Art. 3 of Decision 2000/520/EC, the national data protection authorities of an EU member state could only suspend the flow of personal data in connection with a self-certified organization if either the competent US authority found a violation of the principles (Art. 3(1)(a)) or if extraordinary circumstances presented themselves, creating a substantial likelihood that the principles were being violated by a certified organization (Art. 3(1)(b)).

The safe harbour agreement came under heavy fire in 2013, when Edward Snowden revealed that US intelligence agencies, notably the NSA through its “PRISM” program, accessed personal data stored on US servers to conduct surveillance on people worldwide, gathering personal data en masse and virtually without restriction. This included personal data of European citizens which had been sent to the US. At that time, the Commission had already started renegotiating the safe harbour agreement. However, it should be pointed out that the safe harbour principles never applied to national agencies such as the NSA in the first place, since they are not covered by Decision 2000/520/EC.[12] Although there is a separate discussion to be had about the protection of personal data of European citizens by private US companies as such, the main problem with the safe harbour agreement was that it allowed for a transatlantic data flow which was then, so it was revealed, subject to mass surveillance by US authorities, contrary to the EU’s principles of data protection. The principles as such, however, were not scrutinized in the Court’s judgment.[13]

Among others, an Austrian law student by the name of Maximilian Schrems argued that the very fact that such operations can take place in the US shows that the US does not provide an adequate level of protection meeting the EU’s standard of privacy protection, thereby inherently invalidating the safe harbour agreement between the US and the EU. Just like hundreds of millions of people around the world, Schrems was a user of Facebook’s social network, which had self-certified under the safe harbour regime. In Europe, all personal data Facebook collects passes through the servers of its European seat in Ireland before being sent anywhere else, notably to the main servers in the US. Although Facebook itself may have complied with the safe harbour principles, Schrems complained before the Irish Data Protection Commissioner that the safe harbour regime as such did not offer adequate protection for his personal data against surveillance by the US.

The Irish national data protection authority first rejected this complaint because it considered itself bound by the Commission’s decision on the adequacy of the level of data protection offered by the US. The Court,[14] however, decided that neither Directive 95/46/EC nor Decision 2000/520/EC of the Commission can, in the light of the Charter of Fundamental Rights of the EU, be interpreted as precluding a national data protection authority “from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”[15] However, as long as the Commission decision stood, member states could not adopt measures contrary to the decision. Therefore, the Court analysed the decision and found that, given the lack of any limit on US state interference, allowing the storage of personal data on a generalized basis without an effective remedy, Decision 2000/520/EC violates the fundamental rights guaranteed under Art. 7, 8 and 47 of the EU Charter.[16] Moreover, under Art. 25(6) of Directive 95/46/EC, the Commission must find in its decision, “duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order”.[17] The Court found that Decision 2000/520/EC did not state that the US did in fact ensure an adequate level of protection, nor could it have, given that the aforementioned US practices violated the EU Charter. Consequently, the Court concluded that the decision was invalid.[18]

The direct consequence of the Schrems judgment was that the main legal framework governing the data flow between the EU and the US suddenly disappeared, creating significant uncertainty and burdening the national data protection authorities of the member states with the task of assessing all remaining options for data transfer on a case-by-case basis and of taking action to stop the transatlantic flow of personal data where necessary. There is, however, nothing to suggest that the actual flow of personal data from the EU to the US has declined following the judgment. The national data protection authorities, through the Article 29 Working Party, adopted a practical approach under which certain data transfer tools could still be used, at the same time setting a deadline for the negotiation of a new safe harbour agreement by the end of January 2016.[19] The Commission has roughly met that deadline, announcing the EU-US Privacy Shield as the successor to the safe harbour agreement on 2 February 2016. The new agreement is the product of nearly three years of negotiations, which started in 2013 after the Snowden leak and were intensified following the Schrems judgment. While the text of the agreement is being finalized before its planned release to the public at the end of February, it has already attracted a lot of criticism. This will be discussed in what follows.

III. THE NEW AGREEMENT


Although the full text remains to be disclosed, the Commission has already indicated the main elements of the new agreement, which are structured around three pillars.

The first pillar provides that US companies importing personal data from Europe will have to commit to “robust” obligations concerning the processing of such data. The US Department of Commerce will monitor that companies publish such commitments, making them enforceable under US law. Any company handling human resources data coming from Europe has to commit to comply with decisions by European data protection authorities. In essence, this is little more than a restatement of the previously existing safe harbour regime.

The second pillar aims at limiting the surveillance mechanisms used by certain US authorities such as the NSA, which were revealed by the Snowden leak and were an important factor in invalidating the original safe harbour agreement. The new agreement aims to establish clear safeguards and transparency obligations for bodies of the US government accessing personal data. In this regard, the US has assured the EU that access to personal data by its authorities and agencies “for reasons of law enforcement or national security will be subject to clear limitations, safeguards and [will be accompanied by] oversight mechanisms.”[20] The remaining powers will be used only to the extent they are necessary and proportionate, supposedly ruling out indiscriminate mass surveillance. The arrangement will be reviewed yearly. It seems, however, to remain up to the US to determine the exact interpretation of these vague terms, and with US law still explicitly allowing mass surveillance,[21] strong concerns are being voiced by the media and privacy advocates. Given that the Court of Justice invalidated Decision 2000/520/EC precisely because it allowed the US to store personal data on a generalized basis,[22] one can expect that, if no further clarification of these terms follows, the Court might not accept these vague commitments.

The third pillar of the new agreement aims at ensuring effective protection of the right of EU citizens to protection of their personal data, through the enactment of a Judicial Redress Act by the US Congress, providing for several redress possibilities. US companies will have strict deadlines to reply to complaints, the EU’s national data protection authorities will have the possibility of referring complaints directly to the US Department of Commerce and the Federal Trade Commission, and there will be possibilities for alternative dispute resolution, free of charge. The Judicial Redress Act will, however, not cover matters of intelligence and public security. For complaints concerning access by US authorities to personal data, EU citizens will have access to a newly created ombudsman. While these remedies might sound promising, it has been pointed out, and criticized, that European citizens are for the most part forced to seek judicial redress in the US. Moreover, it is very questionable whether the proposed ombudsman will be an effective remedy to protect European citizens from violations of their right to protection of their personal data committed by US authorities. In its judgment in the Schrems case, the Court of Justice had put special emphasis on the right to an effective remedy.[23]

Even without knowing the final text of the agreement and the exact extent of the obligations the US has entered into, it is already clear that the new agreement will not satisfy privacy advocates that had called for far greater commitments on the US side, especially concerning its mass surveillance practices. In the eyes of the critics, the agreement is a weak compromise, containing little or no relevant changes, desperately agreed upon to replace the main legal basis for the transatlantic flow of personal data, which is of major economic importance for multinationals with data-intense activities, Facebook just being one of numerous examples.

In conclusion, it is clear that the legal vacuum left by the Schrems judgment has raised the economic and political pressure on both sides, given the mutual interest in the transatlantic flow of personal data and the ever-growing economic importance of the services connected to this flow of data. Whether the resulting agreement will be a workable compromise, capable of protecting the personal data of Union citizens across the Atlantic remains to be seen.

IV. THE NEXT STEPS

While the agreement as such has been concluded, the EU-US Privacy Shield still has a way to go before it becomes operative. Currently, the Commission is drafting an adequacy decision as provided for under Art. 25(6) of Directive 95/46/EC. Before taking this decision, the Commission has to consult the Article 29 Working Party, which has committed to deliver its opinion by the end of March, and the so-called Article 31 Committee, constituted of member state representatives.[24] In the meantime the US side will make preparations to establish the framework and monitoring mechanisms agreed upon. Notwithstanding the heavy criticism, it seems likely that the Commission will take a decision giving effect to this agreement in the coming months.

It is clear that the negotiating parties have tried to address the concerns the Court of Justice had voiced in the Schrems case. However, as the agreement stands, without further clarification of the broad and vague commitments relating to US government access to personal data, and without the addition of more effective judicial remedies, the author must admit that the decision implementing the EU-US Privacy Shield seems destined to make a round trip to Luxembourg and back to Brussels, only to be renegotiated and renamed once more.

————————————————

*Pieter Gryffroy was a research assistant at the Jean-Monnet-Chair of Prof. Dr. Giegerich for European Law and European Integration. He studied law in Leuven (LLB and LLM at the KU Leuven) and in Saarbrücken (Europa-Institut).

[1] http://europa.eu/rapid/press-release_IP-16-216_en.htm, accessed 15/02/2016.

[2] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.

[3] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf, accessed 15/02/2016.

[4] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160203_statement_consequences_schrems_judgement_en.pdf, accessed 15/02/2016.

[5] Official Journal L 281, 23/11/1995, p. 31–50.

[6] Art. 25 (1) Directive 95/46/EC. Art. 25 (2) provides for some broad assessment criteria.

[7] See Art. 25 (4) and 25(6) of Directive 95/46/EC.

[8] Art. 25(5) Directive 95/46/EC.

[9] Art. 25(6) Directive 95/46/EC.

[10] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441), Official Journal L 215, 25/08/2000, p. 7–47.

[11] See Annex I of Decision 2000/520/EC. The seven main principles are: notice, choice, onward transfer (requiring notice and choice), security, data integrity, access and enforcement.

[12] This follows from the limited scope of application of Directive 95/46/EC itself, in pursuance of which the Decision was taken. In its Art. 3(2) the Directive states that it does not apply to matters of public security, defence, state security and activities of the state in areas of criminal law.

[13] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 98.

[14] The matter was taken to the high court in Ireland and reached the Court of Justice through a preliminary ruling.

[15] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 38-66.

[16] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 67-98.

[17] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 96.

[18] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 106.

[19] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf, accessed 15/02/2016; the Article 29 Working Party had agreed that, should the Commission fail, the national data protection authorities would take all necessary action, including coordinated enforcement action, to ensure the effective protection of the personal data of European citizens. It should be noted that this would have been a herculean task.

[20] http://europa.eu/rapid/press-release_IP-16-216_en.htm, accessed 15/02/2016.

[21] Congress is currently struggling to rewrite some of the US’s laws on surveillance. However, it remains to be seen what will effectively change, see e.g. http://www.theguardian.com/technology/2015/jun/06/surveillance-privacy-snowden-usa-freedom-act-congress, accessed 15/02/2016. An example of legislation still allowing mass surveillance is the Foreign Intelligence Surveillance Act.

[22] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, paras. 34, 93-94.

[23] CJEU, case C-362/14, Maximilian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, para. 95.

[24] In theory, should the Committee render a negative opinion, the matter would come before the Council, which could render an opposing decision (Art. 31 Directive 95/46/EC).

Copyright of the image: Defense Advanced Research Projects Agency (DARPA), https://commons.wikimedia.org/wiki/File:DARPA_Big_Data.jpg?uselang=de.

Suggested Citation: Gryffroy, Pieter, The EU-US Privacy Shield: An Effective New Framework for Transatlantic Data Flows or A Weak Compromise Doomed to Fail?, jean-monnet-saar 2016, DOI: 10.17176/20220706-165701-0