The enemies of the Privacy Shield sharpen their knives …


By: Gregory P. Bufithis, Esq., Founder/Executive Director

10 October 2016 – As mangled as it is, last week’s Reuters story that Yahoo! searched emails for the NSA has not done any favors for the EU Data Protection team that negotiated the Privacy Shield. They face a full hearing tomorrow before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. The meeting was scheduled weeks ago as merely an update on the Privacy Shield but now the entire focus will be on the Yahoo story. See more below.

SIDE NOTE: I say mangled for many reasons. I call it the “fog of cyber war”. In an era where everyone is amped up about cyber attacks, “other Snowdens”, etc. a lot of first impressions are tinged with paranoia and misinformation or are just flat out wrong. I don’t know what to do about this except to say that, as with other dramatic events like mass shootings, it’s best to take first reports with a giant grain of salt. I am fortunate. I have been a long-time member of InfraGard, a non-profit organization serving as a public-private partnership between U.S. businesses and the U.S. Federal Bureau of Investigation. It is an association of individuals that facilitates information sharing and intelligence between businesses, academic institutions, state and local law enforcement agencies, and other intelligence community participants. That membership, coupled with my Linkedin intelligence community groups and my ties to the Munich Security Conference allows me to run a check on many of these “cyber stories” via my network. The Yahoo story? A lot of questions. See my post from last Friday (click here).

After a torturous route through the labyrinth of EU policy making, the Privacy Shield was eventually adopted on 12 July 2016, and entered into force in European Union (EU) Member States immediately. In the United States (U.S.), the documents were published in the Federal Register, which is the equivalent of the EU Official Journal. It’s bona fide!

I have covered the process in detail with my team for 2+ years which included attending the March 2015 European Court of Justice hearing on the Schrems/Facebook case which led to the death of Safe Harbor following the Snowden revelations on NSA surveillance, plus my appearance and team member appearances at myriad meetings and presentations at the various EU institutions, and my chats with some well-placed participants in the U.S.-EU Privacy Shield negotiation process.


My view is rather cold. The Privacy Shield has rendered a few changes over Safe Harbor, but substantively … not much. A lot of digital ink spilled on the Ombudsman role, just what the “clarifications” are on the collection of data for U.S. surveillance (what is meant by “targeted and focused”?) – and the myriad exceptions the U.S. has carved out for itself. As noted by a wave of U.S. intelligence experts, there have not been, nor will there be, any significant changes in the NSA’s surveillance activities or procedures. Oh, and much linguistic contortion by U.S. legal pundits and legal vendors to show the “redress mechanism” and “essentially equivalent” requirements have been met in the Privacy Shield.

But in Brussels, amongst the intelligentsia, there is an overall feeling that what we saw was a total capitulation by the EU on the basis of politics and time and frustration. Granted, the EU negotiation team was short-staffed, worked brutal hours, endured 12 face-to-face meetings … 6 in Brussels (one in Paris), and 6 in D.C. … and countless conference calls and strategy sessions and probably did their best. But as one insider told me:

“Look, we had to wind up. The U.S. election was coming, there was going to be a change in personnel. Plus, hey: the EU and US are finding that their economies are increasingly intertwined. This creates new challenges, as both discover that their jurisdictions now also overlap on the internet and digital world. Data has to flow. And seriously: half of those Safe Harbor data transfers were HR-related and had nothing to do with litigation or data mining. It was just companies with employees in other countries, transferring HR data”.

Note: I will address that point about “litigation” in a subsequent post. E-discovery and data transfers skated through the process, being a mere agenda item very early on at one of the initial meetings.

That the pact would be challenged in the courts was a foregone conclusion, even by the negotiation teams despite public pronouncements of “we’re comfortable it will be secure from challenge”. Almost all analysts have raised the same points:

1. that the U.S. government will always find a way to continue carrying out mass surveillance of European citizens through semantics, because the poor wording of the agreement offers plenty of opportunities and opt-outs

2. that the new Ombudsman role created to look into any EU citizen complaints is completely toothless

3. that the annual “Privacy Shield Review” has been designed in such a way as to be largely useless.

In a post over the summer shortly after passage and after I reviewed the 350+ pages, I noted the following:

* First, the proposed Ombudsperson lacks independence from the executive, as he/she is appointed by and reports to the Secretary of State. Contrary to assertions in the EU Commission adequacy decision, the independence and impartiality of such a mechanism, including the perception of such independence, is questionable.

* Second, the Ombudsperson continues to have only limited powers of redress. This is starkly stated in paragraph 4(e) of Annex III, where it states that “the Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied.”

* Both of these flaws in the proposed redress mechanism mean it falls short of providing “effective redress”, as described, for example, in the recommendations by the Council of Europe’s Commissioner for human rights and the European Court of Justice Schrems decision.

And that is the key complaint and where any court challenge has the most strength.

In its Schrems judgment the European Court of Justice called for “effective detection and supervision mechanisms”. The Privacy Shield does not provide such mechanisms, but rather sends users through a patchwork of options. Users have to contact the relevant U.S. company, then different private U.S. arbitration bodies and their national authorities, who in turn contact the Federal Trade Commission and the Department of Commerce, to finally be able to address concerns with a “privacy shield board”.

Further, even the decision by the so-called “privacy shield board” must be brought before a U.S. court for enforcement, the procedures held on U.S. soil, before U.S. lawyers, under U.S. law and in English. Customers will have an inherent disadvantage, as typically seen with any private arbitration.

NOTE: for this reason ‘arbitration’ in consumer cases has been prohibited within the EU since 1993.

Moreover, the Privacy Shield does not ensure that any of these institutions is empowered to factually review the practices of any company. They lack the power to e.g. inspect the servers and software. The user will therefore typically be unable to prove allegations.

It is hard to see how this system could fulfill the “effective detection and supervision” benchmark established by the European Court of Justice. As noted in a blog post by Jan Albrecht, a Member of the European Parliament who was rapporteur for the General Data Protection Regulation (GDPR) in the European Parliament:

  • How can a system that effectively only requires opt-out for the transfer of data to a third party (‘Notice & Choice’) be “essentially equivalent” to EU data protection law, that requires consent (or another legal basis) even for the mere collection of data?
  • How are private arbitration bodies an “effective detection and supervision mechanisms” when they cannot even investigate the facts by e.g. on-site reviews?
  • How can an Ombudsperson, that will not even disclose if a person was subject to surveillance, provide for a “right to an effective remedy and to a fair trial”?

He noted many other such differences which make the Privacy Shield not “essentially equivalent” as dictated by the European Court of Justice decision.

Tomaso Falchetta, Legal Officer for Privacy International summed it up best:

“Given the flawed premises trying to fix data protection deficit in the U.S. by means of the Obama Administration’s assurances – as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield remains full of holes and offers limited protections. It is unlikely to be the final chapter of the EU-U.S. data transfer saga. Because it fails to address the concerns expressed by the Court of Justice of the EU in the Schrems’ case last year, the new Privacy Shield, if adopted in the current form, is likely to be challenged in courts.”

And who better to challenge than an EU data protection authority. Or maybe an EU digital rights group. Or both. Fully informed that a challenge could come as early as next month, the Data Protection Unit at the European Commission has been preparing massive briefing books to track/substantiate every point in the Privacy Shield negotiation process knowing they will need to present that information at any court challenge.

And they expect Ireland to be first.


The Yahoo case

Not a good day in Yahooville. As Stephen Arnold noted, “Yahoot – err, sorry – Yahoo may become a Kmart virtual blue light special”. He is referring to the news that Verizon reportedly now wants a $1 billion discount on its original offer for Yahoo. Makes you wonder how due diligence missed those “minor” security breaches and the relationship of the company to law enforcement.

Meanwhile, back in the EU, Ireland’s data protection commissioner, which is the lead European regulator on privacy issues for Yahoo, has made formal inquiries as to whether any European citizens may have been affected. The data protection commissioner and a bevy of European politicians have formally called on the European Commission to investigate the matter. The Commission’s data protection unit is swamped with requests.

Ireland’s data protection commissioner’s position is short and to the point:

  • any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern.
  • if the Yahoo story is true “as reported”, it contravenes every assurance about data protection and the NSA tendered by the U.S. to get the Privacy Shield passed.

And it’s been made clear to the Commission that legal action can be taken. And the Commission is preparing.

Interesting point: Privacy International legal officer Camilla Graham Wood said the Yahoo “behavior” may not be illegal even if UK citizens were among the subjects of the alleged spying. She said:

“The information on the scanning of emails by Yahoo remains sparse. It is important to note that similar powers exist in the United Kingdom, in the form of the Investigatory Powers Bill. There has been little public debate about how intrusive such powers are. The fault lies with the Government in failing to clearly inform the public about the broad spectrum of powers that will be authorised by the Investigatory Powers Bill.

We do not know if the UK Government has already requested that companies scan their customers’ emails on a bulk scale, but we do know that this will be possible under the Investigatory Powers Bill, if we look at powers such as Technical Capability Notices.”

Ah, the old question of “standing to sue” …

It has been an axiom that in Europe, when you have a complaint about a violation of your data privacy, you must first address the matter with the respective Data Protection Commissioner in the applicable country, whose job is to ensure that your legal rights are fully upheld and that organizations meet their obligations under the Data Protection Acts. If that Commissioner upholds your complaint, he has legal powers to ensure that these matters are put right. If the decision goes against you, you can appeal to the European Court of Justice.

This was the path taken by Max Schrems in the seminal case which led to the death of Safe Harbor, and the “Max Schrems 2” case which seeks to bring death to standard contractual clauses, although some behind-the-scenes judicial and political hanky-panky has delayed that case (click here).

But the European Court of Justice in its October 2015 Schrems decision has thrown a monkey wrench in that axiom.

  • The Court called for greater rights for national data protection commissioners to investigate complaints by EU citizens that their data protection and privacy rights are being breached. There is an excellent analysis (from paragraph 74 onward in the decision) of the fact that there are “no hierarchical connections” between Commission directives, the Charter and national authorities to suggest that the provisions on the national supervisory authorities are in any way subordinate to the separate provisions on data transfers.
  • The Court went on to say national data protection commissioners need not take the Commission’s word that protection is “adequate”. The powers of the national supervisory authorities to investigate, with complete independence, complaints submitted to them must be interpreted broadly in accordance with the EU Charter. And those powers cannot be limited by the powers which the EU legislature has conferred on the Commission.
  • Further, if a national supervisory authority considers that a transfer of data undermines the protection of citizens of the EU as regards the processing of their data, it has the power to suspend that transfer, irrespective of the general assessment made by the Commission in its decision. And the Commission is not empowered to restrict the powers of the national supervisory authorities.

Many of the national data protection commissioners are taking the position that this empowers them to challenge the Privacy Shield immediately in court. That is certainly the position of the Irish data protection commissioner, and several of the German data protection commissioners. Read on!

Those Article 29 Working Party folks

On 26 July the EU data protection authorities (DPAs) ostensibly promised to hold fire for one year on the new Privacy Shield agreement, withholding any potential legal challenges until mid-2017. In a statement by the Article 29 Working Party (WP29, a fairly influential body in these matters), it noted it was still unhappy with the final text of the agreement but that it would wait until the first annual review before putting forward any formal challenges.

They made it clear they were very skeptical about the agreement:

“The WP29 commends the Commission and the US authorities for having taken our concerns into consideration in the final version of the Privacy Shield documents. However, a number of these concerns remain.”

“On preliminary review issues of safeguards provided under the EU-US Privacy Shield do not seem workable and effective.”

“Regarding bulk collection of personal data, the WP29 notes the commitment of the ODNI not to conduct mass and indiscriminate collection of personal data. Nevertheless, it regrets the lack of concrete assurances that such practice does not take place.”

“For the first annual review all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities.” [Read: do not think you can fob us off]

But the Irish DPA and some German DPAs … such as Hamburg … say they are not bound by the WP29 decision to hold fire for one year and they have voiced a desire not to hold back and to challenge the Privacy Shield immediately in court.

NOTE: Germany is a multifaceted data-protection landscape. Germany maintains seventeen (17) independent DPAs. Sixteen of these DPAs are run by the German states (or Länder), and these state-run DPAs are primarily responsible for overseeing private companies. The remaining DPA is run by Germany’s federal government and has jurisdiction over federal public institutions and telecommunications companies.

But there is a bit of a legal glitch. Like the right to sue. The German DPAs do not have that right. But the Irish might.

Shortly after Safe Harbor was invalidated, the German DPAs – anticipating the passage of Privacy Shield – issued a joint position paper “call[ing] upon lawmakers to provide them with the power to engage in legal proceedings.” It presents a very forceful position of why it is incumbent upon the national legislature to provide for legal remedies enabling DPAs to challenge Commission decisions, because only through such suits could national courts refer such challenges to the ECJ.

The draft of the legislation permits German DPAs investigating data-subject complaints to bring a declaratory judgment action challenging Commission adequacy decisions directly before Germany’s Supreme Administrative Court (SAC). Such actions would permit the SAC to issue a preliminary declaration that Commission adequacy decisions were invalid, and – since the SAC is a court of last resort – would have procedurally required the SAC to refer the matter to the ECJ for final resolution.

More interesting, the resolution contains an additional point that went beyond the original proposal: it asked the German government to design a legal mechanism by which DPAs could challenge EU acts on behalf of the German state. As an example, it was suggested DPAs could be given rights to bring actions in EU courts on behalf of Germany to annul Commission adequacy decisions. Because annulment actions are usually only brought by the appropriate cabinet ministry within EU member state governments, permitting independent agencies like DPAs to bring them would have required express statutory authorization.

All of this passed the German legislature and so was forwarded to the German government for review. The German Interior Ministry (Bundesministerium des Innern, or “BMI”) issued a written response in which it declined to grant DPAs the rights they sought – at least for the moment. Instead, BMI stated that it was working “intensively” on legislation to bring German data-protection law into compliance with the forthcoming General Data Protection Regulation (GDPR). As part of this, BMI promised that its legislation would implement Article 58(5) GDPR. Article 58(5) GDPR provides:

“Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.”

BMI stated that it will provide “remedies for DPAs” and that in doing so, “applicable ECJ jurisprudence will be taken into account.” It also noted that – as requested by the Upper House – statutory DPA remedies will be available “promptly.”

Alston &amp; Bird, in a briefing note, made an interesting point. Notably, BMI declined to permit DPAs to bring annulment actions against Privacy Shield on behalf of the German state. In BMI’s view, fully independent agencies such as DPAs were not candidates to take positions on the state’s behalf.

A few other points:

  • According to BMI, German DPAs’ statutory rights of action will be part of comprehensive GDPR-facing amendments to German data-protection laws. Drafting and finalizing provisions that will substantially change decades of German data-protection practice will require significant work by both BMI and the German legislature.
  • These comprehensive amendments are not expected to appear before the end of this year or early next year at the earliest. Also, the GDPR does not enter into force until May 25, 2018, so the German government has no immediate pressure to move data-protection changes to the fore. And it’s election time! 2017 will be a year of congressional elections, so if the amendments containing DPA rights of action do not pass this year, their passage before 2018 becomes unlikely.
  • The scope of DPA rights of action is yet to be determined. BMI has not promised to grant German DPAs a right to challenge Privacy Shield, but has instead stated that it will implement Article 58(5) GDPR. This provision only requires Germany to permit DPAs to bring suits “as appropriate” to enforce GDPR provisions. It is possible that the German legislature grants DPAs limited rights to challenge the legality of particular transfers to the US, instead of a general right to challenge Privacy Shield in toto. In a blog post Jan Dhont noted:
    “Granting 17 independent state and federal agencies the right to directly challenge EU Commission decisions may raise separation-of-powers or federalism concerns, and the German legislature may decide to keep the right to challenge EU actions in the hands of cabinet departments.”
  • But German DPAs may try to participate in Privacy Shield litigation through some back doors. Despite not having direct rights of action, German DPAs may attempt to participate in Privacy Shield lawsuits by seeking to join proceedings as amici, offering support to individual litigants, or offering briefs or expertise to German courts.
  • Moreover, Germany recently passed a law permitting registered consumer-rights organizations to challenge wrongful data processing – dubbed in Germany as “data-protection class actions”. DPAs must be notified and invited to participate when such suits are filed. Lastly, one of DPAs’ more potent ways to stay involved may be via their investigatory powers, which can result in document discovery that is usually unavailable in German litigation.
