The legal texts that establish the functioning of the Privacy Shield have been published
On the 29th of February, the European Commission issued the long awaited legal texts that will put in place the EU-U.S. Privacy Shield, along with a draft adequacy decision, a Communication summarising the actions taken over the last years to restore trust in transatlantic data flows since the 2013 US surveillance revelations, as well as written commitments by the U.S. Government (to be published in the U.S. Federal Register) on the enforcement of the arrangement, including assurance on the safeguards and limitations concerning access to data by public authorities. Commissioner Jourová, who led negotiations from the European side, stated that the Privacy Shield is “a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.” But what provisions does the Privacy Shield include, how will they apply in practice, and in particular, is it really that much different from the Safe Harbor that was found to offer insufficient protection in the Schrems case?
Content of the Privacy Shield and main concerns
The publication of the texts that establish the Privacy Shield comes at a time when the US is (again) in the spotlight for its approach on privacy, following the highly-publicised, still ongoing case of Apple v FBI, where Apple, a private company, was requested under a Court Order to create a backdoor to its operating system, thereby bypassing encryption and potentially creating a dangerous precedent (Apple released a public statement contesting the validity of the Court Order and expressing its refusal to comply). It is thus understandable that concerns would arise regarding the reliability of a promise of respecting the right to privacy, made by the US government in the midst of this controversial situation.
As part of the Privacy Shield agreement, the US agreed to provide “written assurances” at Cabinet level that place limits on the government’s access to personal data for national security purposes. A multi-page letter from Robert Litt, the general counsel of the Office of the Director of National Intelligence, said that the U.S. intelligence community “does not engage in indiscriminate surveillance of anyone, including ordinary European citizens.” However, whilst the catchphrase “mass surveillance” does not show up in the Privacy Shield texts, the US retains the right to collect data in bulk for six “national security purposes”, including “detecting certain activities of foreign powers” and counterterrorism efforts. Maximilian Schrems, the Austrian privacy advocate who fought the legal battle that led to the invalidation of the Safe Harbor scheme, argues that the US effectively breaches EU data protection law in those six “exceptional” cases which allow in-bulk data collection.
The deal also establishes a position of ombudsman within the State Department to address complaints from EU citizens that US intelligence agencies have inappropriately accessed their personal data. This role is to be fulfilled by the Undersecretary of State, who also serves as senior coordinator for international information technology diplomacy. However, critics argue that the new office lacks the appropriate authority to scrutinise intelligence practices and is not sufficiently independent from the US government.
Another controversial aspect is that any of the data protection authorities of the 28 EU Member States will be able to freeze transfers to the US from their country if they disagree with the specifics of a transfer. This makes the Privacy Shield more complicated and less predictable and therefore unlikely to be widely used by businesses, which like predictability and reliability. If most businesses will continue to use other tools, such as Binding Corporate Rules and Model Clauses, then the new EU-US Privacy Shield makes little sense as it is at the moment.
Another concern is that much of the Privacy Shield relies on promises made by the Obama administration, which, however, will have run its course by the 8th of November 2016, when the new presidential elections take place. A change of president could also mean a change in privacy protections, although safeguards have been put in place – such as the requirement of publishing all Privacy Shield-related documents in the U.S. Federal Register, the official government journal (which would allegedly give the documents more force). However, it is questionable whether this publication will ensure that the documents are given the required force and value – especially because documents revoking or replacing them may be published in the same Federal Register at a later date.
Finally, the last point of controversy is that the Privacy Shield calls for an annual review to ensure it is functioning in practice as envisaged in theory. The mechanism is designed to give the EU Commission the ability to monitor the activities of the US government and potentially unilaterally suspend the Privacy Shield. However, the Commission appears to have overlooked the fact that the problem of non-cooperation by the US authorities is not going to be solved by suspending the Privacy Shield at an annual review. The purpose of the Shield should be to ensure steady, ongoing collaboration, in order to avoid a repetition of the uncertain situation created by the invalidation of the Safe Harbor, which has left businesses on both sides of the Atlantic in a state of limbo. What is needed is not a “way out” for one party in case of non-compliance by the other, but a framework strong enough to deter either party from taking an action that would run contrary to the agreement.
With regards to the inconsistencies described above, Schrems called the new Privacy Shield “lipstick on a pig”, arguing that it does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law” and is therefore vulnerable to future legal challenges. Schrems also expressed his regret that “the European Commission has not used this situation to come up with a stable solution for users and businesses”, adding that the Privacy Shield will probably be challenged in the future and he “may very well” be the one who challenges it.
What happens next?
The Commission has submitted the legal text to the European data protection authorities in order to obtain their opinion. The 29 authorities (28 national representatives and the European Data Protection Supervisor) will meet in Brussels in April to discuss a common position on the Privacy Shield. The recommendations of the data protection authorities are taken into account by the Commission, however, they are not legally binding.
Taking into account that an agreement needs to be reached between the EU Commission and the European Council as well, and that the final version should also be approved by representatives of the EU and the US, we can expect the updated Privacy Shield to be in force in late spring to early summer. For now, the Privacy Shield, despite being an improved version of the Safe Harbor, is still far from fully satisfactory, and it remains to be seen whether the amendments will fill the gaps in the current proposal.