“I’m ready to protect your privacy!”
By:
Gregory P. Bufithis, Esq.
Founder/CEO
13 July 2016 – Yesterday the European Commission adopted the EU-US Privacy Shield agreement, which will enter into force as soon as all member states are notified of the adequacy decision.
Yes, adopted after months of negotiations between the EU and the US it ostensibly ensures that the data protection which Europeans benefit from when their personal data is held locally is also effected when that data is transported to the US.
As it was brought forward following the collapse of Safe Harbor in the light of the Snowden revelations, which have not resulted in any significant change in the NSA’s surveillance activities, it is widely expected that legal challenges will begin in short order (more on that below).
But as of now, the Privacy Shield governs the transfer of data from the EU to the US. Some brief clips from the media blurbs over the last few days:
- The US Department of Commerce will conduct regular update and reviews of participating companies to ensure that they are in compliance, and has the power to impose sanctions and remove those companies from the list of certified companies if found to be non-compliant.
- Andrus Ansip, the European Commission’s veep for the Digital Single Market, said the agreement
“will protect the personal data of our people and provide clarity for businesses. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”
- Věra Jourová, the commissioner for justice, consumers and gender equality described it as
“a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic. We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data.”
- Meanwhile the US will publish the Privacy Shield framework in its Federal Register, the equivalent of the EU’s Official Journal, and the Department of Commerce will become responsible for operating it. American megacorps now have an opportunity to review the framework and update their compliance activities before certifying with the Department of Commerce from August 1.
At the same time the European Commission will publish “a short guide for citizens explaining the available remedies in case an individual considers that his personal data has been used without taking into account the data protection rules.” Given I have read a leaked copy of the decision that will be no mean feat. But to highlight a few points from the Commission’s official summaries:
- Any citizen who suspects their personal data has been “misused” under the new agreement “will benefit from several accessible and affordable dispute resolution mechanisms”.
- Where companies themselves fail to resolve these complaints, and free of charge Alternative Dispute resolution (ADR) solutions are not reached, Europeans will be able to appeal to their own Data Protection Authorities, who will work with the US Federal Trade Commission to ensure that their complaints are investigated and resolved.
- If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from US intelligence.
NOW, ABOUT THOSE LEGAL CHALLENGES …
As Tomaso Falchetta, Legal Officer for PrivacyInternational, made clear in a blog post this week:
The European Union’s attempts to make data transfers to the United States compliant with privacy laws are an opaque exercise, so much is obvious, but will they work? It’s clear that it is necessary to retain the Transatlantic data trade – in economic terms, but also as a means of preventing the Balkanization of the internet. However, some people question whether the process of replacing Safe Harbor with Privacy Shield leaves the final outcome in an area of legal difficulty. Europeans’ data is still being left open to mass surveillance in the US, but now with a supposed means of redress via a US Ombudsman reporting directly to the Secretary of State. US corporations are shifting EU citizens’ data into a jurisdiction whose lawmakers would be revolted by Brussels’ notions of exposing State powers to the light of independent oversight bodies. However, between the turn of the millennium and 2015, the EU politely and resolutely ignored that elephant in the room.
For many years and despite much criticism, the EU Commission stood by the claim that U.S. legal principles complied with those of its own Data Protection Directive, even doing so after that US National Security Agency whistleblower provided some documentary evidence countering that claim.
So when good ole Ed Snowden made the activities of the NSA’s PRISM programme (Planning tool for Resource Integration, Synchronization, and Management) known, it actually fell to Max Schrems to make a legal complaint about Facebook facilitating these extralegal abuses (at least under the EU’s definitions of legality). The European Court of Justice ultimately conceded that Safe Harbor was indeed invalid and suddenly there was no legal basis for American megacorps to continue quaffing Europeans’ data.
Not that those companies cared, or agreed even. Facebook, Microsoft, and Salesforce continued to shuttle Zuckabytes back home through “model clauses” contracts, a measure which is again being challenged by Schrems.
The first attempts by the EU at improving the situation came through Article 29 of the Data Protection Directive, or Directive 95/46/EC – known as the Article 29 Working Party.
The working party was initially responsible for a number of criticisms of the Privacy Shield agreement, welcoming its “significant improvements” compared to Safe Harbor, but noting that “some key data protection principles … are not reflected” in the draft.
This was just an opinion, however, and not binding – and so when the U.S. brushed off its claims that its Ombudsman would not truly be independent, nor provide an adequate means of redress if Europeans’ data was unlawfully probed, that was that.
The U.S., of course, delivered a written assurance that mass surveillance of EU citizens would not take place in the United States, but its definition of mass surveillance is likely to be strongly contested (more below), and the Ombudsman almost certainly will not have investigatory powers (for instance, as per the UK’s Interception of Communications Commissioner’s Office) to ensure compliance.
The European Parliament subsequently adopted resolution on May 26 which said that it too considered that, “this new institution [the US Ombudsman] is not sufficiently independent and is not vested with adequate powers to effectively exercise and enforce its duty.”
Amendments were made to the draft, and last Monday the Article 31 Committee, made up of representatives from member states and also founded through an article of the Data Protection Directive, made its own amendments.
It is not clear what amendments were made, however, but a qualified majority (more than 16 member states, representing over 65 per cent of the European Union’s population) approved the final version of the EU-US Privacy Shield agreement last Friday. Representatives from four nations – Austria, Bulgaria, Croatia, and Slovenia – abstained.
Again quoting Tomaso Falchetta:
Given the flawed premises trying to fix data protection deficit in the US by means of the Obama Administration’s assurances – as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections. It is unlikely to be the final chapter of the EU-US data transfer saga. Because it fails to address the concerns expressed by the Court of Justice of the EU in the Schrems’ case last year, the new Privacy Shield, if adopted in the current form, is likely to be challenged in courts.
Many law firms and businesses have welcomed the agreement, with Microsoft leading the bunch. A blog by John Frank, Microsoft’s VP for EU government affairs, restated the company’s desire to implement the Privacy Shield requirements:
“Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans’ right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by US security agencies. In addition, it introduces new rules for data retention and onward transfer of data.”
Many disagree. Kuan Hon, a consultant lawyer at Pinsent Masons, has said “it’s very likely that the Privacy Shield will be challenged by activists or data protection authorities, but it depends on what concessions the Commission managed to get from the US – especially on mass surveillance. If the Privacy Shield adequacy decision is challenged, the CJEU [Court of Justice of the European Union] is likely to expedite the hearing given the importance of this issue”.
Sidley Austin lawyers, in a conference call, opined that a challenge seemed likely, but would differ greatly from that which brought down Safe Harbor, noting the ruling against Safe Harbor was a procedural matter, the lack of oversight in the U.S. system.
But based on a review of the leaked text, a few points:
First, the Privacy Shield will surely be renamed “The Lawyer Relief Act”. It is an opaque document that will be a field day for law firms. The Privacy Shield is contained in the EU Commission draft adequacy decision, annexes and the annexes to the annexes, running into over 200 pages. As such, the Privacy Shield is made up of a collection of commitments and explanatory notes by various parts of the U.S. Government making it very difficult for anyone to assess what guarantees are provided to the protection of personal data and how they would apply in practice.
Second, there are no meaningful legal protections, and therefore any promises today can be easily be undermined tomorrow. The safeguards relating to unlawful surveillance, particularly mass surveillance, by U.S. intelligence agencies continue to not contain meaningful legal protections. One of the Annexes in the leaked document contains an additional letter by the Office of Director of National Intelligence providing further information in the ways the U.S. conducts “bulk collection of signal intelligence”.
The letter confirms that when targeting using specific selectors is not possible (because, for example, the name or e-mail address of the target is not known), collection “in bulk” is allowed, provided it is focused “as precisely as possible” (such as collecting all communications to and from a region in the Middle East). So, it seems, according to the U.S. Government it is not mass surveillance if surveillance is limited to all communications to and from a region of the world, but not to the whole world.
Beyond the debate on semantics (“bulk” v. “mass”) the fact remains that the U.S. Government is arguing that it can collect all communications to and from a region of the world if the use of specific selector is not possible.
The strict principles of necessity and proportionality in any interference with someone’s privacy cannot be dismissed just by references to “filters and other technical tools” which give no concrete indication of the extent of such collection. Bulk collection of personal data is an impermissible interference with the right to privacy because of its indiscriminate nature.
Interesting point made by Falchetta: the letter goes on to provide further information on the oversight role of the Privacy and Civil Liberties Oversight Board (PCLOB). What it fails to mention is that a provision of the Intelligence Authorization Act for FY 2017 would bar, if adopted, the PCLOB from considering the privacy and civil liberties interests of anyone but citizens and lawful permanent residents of the U.S.
Fourth, the agreement creates a privacy ombudsperson mechanism. While the language contained in the leaked Privacy Shield Ombudsperson Mechanism regarding signals intelligence (contained in an annex to a letter by the U.S. State Department, in Annex III) includes some minor changes, the substance of the two main concerns expressed by EU data protection authorities and by NGOs remains unaddressed.
Points raised by PrivacyInternational:
• First, the proposed Ombudsperson lacks independence from the executive, as he/she is appointed by and report to the Secretary of State. Contrary to assertions in the draft EU Commission adequacy decision, the independence and impartiality of such a mechanism, including the perception of such independence, is questionable.
• Second, the Ombudsperson continues to have only limited powers of redress. This is starkly stated in paragraph 4(e) of the leaked Annex III, where it states that “the Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied.” So … WTF!?
• Both of these flaws in the proposed redress mechanism mean it falls short of providing effective redress, as described, for example, in the recommendations by the Council of Europe’s Commissioner for human rights.
And that is a key complaint. In its “Schrems” judgment the European Court of Justice called for “effective detection and supervision mechanisms”. Privacy Shield does not provide such mechanisms, but rather sends users through a patchwork of options. Users have to contact the relevant U.S. company, then different private U.S. arbitration bodies and their national authorities, who in turn contact the Federal Trade Commission and the Department of Commerce, to finally be able to address concerns with a “privacy shield board”.
And, as SCL noted this morning:
However, Privacy Shield does not ensure that any of these institutions is empowered to factually review the practices of any company. They lack the power to e.g. inspect the servers and software. The user will therefore typically be unable to proof allegations.
Also, none of the options available are directly enforceable for a customer. Findings of the institutions, which have a duty to investigate complaints, are only sanctioned by a removal from the program, if a company does not comply – but not directly enforceable by the individual. Even the decision by the so-called ‘privacy shield panel’ must be brought before a US court for enforcement.
Further, the procedures will be held on U.S. soil, before U.S. lawyers, under U.S. law and in English. Customers will have an inherent disadvantage, as typically seen with private arbitration. It is for this very reason “arbitration” in consumer cases is prohibited within the EU since 1993.
It is hard to see how this system could fulfill the ‘effective detection and supervision’ benchmark.
So:
- How can a system that effectively only requires opt-out for the transfer of data to a third party (‘Notice & Choice’) be “essentially equivalent” to EU data protection law, that requires consent (or another legal basis) even for the mere collection of data?
- How are private arbitration bodies an “effective detection and supervision mechanisms” when they cannot even investigate the facts by e.g. on-site reviews?
- How can an Ombudsperson, that will not even disclose if a person was subject to surveillance, provide for a “right to an effective remedy and to a fair trial”?
In the meantime, businesses have to move forward and European customers are increasingly voting with their wallets by signing up with cloud services hosting data in the EU or encrypting data before uploading it to the cloud, thus ensuring data never leaves the EU.
