The European Commission has published the current version of the new framework on the protection of personal data of European individuals in the United States. Does the new framework provide enough guarantees compared to its predecessors suspended by the Court of Justice of the European Union? Lawyers and commentators are grim about the new framework’s prospects.
Several weeks ago we have published the background information concerning the last year’s court annulment of the Data Transfer framework for Personal Data between the European Union and the United States (“Safe Harbour” decision). Both the European and the American side had promised they would publish text of the new framework by the end of February. The new arrangement, called EU-U.S. Privacy Shield, has been negotiated behind the closed door so far, although the Commission regularly briefed the European Parliament in public meetings. The deadline was met partly thanks to 2016 being a leap year as the full text was published on 29 February. The European Commission has also published a Press release concerning the text.
New obligations for US companies and the government
The new version of the Privacy Shield mostly brings new obligations for the US companies and public authorities. The United States Department of Commerce will, on annual basis, evaluate the personal data protection standards of all the companies which have committed to protect the personal data and received the authorisation to manage the personal data of the European clients. These companies will continue to be subject to sanctions if they do not fulfil their obligations and a register of the companies which had their authorisation revoked will be created. What are the obligations? First of all the Privacy Shield requires “a clear and explicit” consent of the client with the processing of the sensitive personal data. The same rules apply to “the subcontractors” processing the data for the large companies. All the personal data transfers between different companies can only take place in well-defined and necessary cases, it has to be based on a contract (or similar agreement) and the transfer must not in any case lower the data protection standards. Last but not least, the companies have to address any complaints by European individuals about the way their data has been handled within 45 days.
The US authorities further undertake in writing to handle the personal data while complying with strict restrictions and being subject to supervision. These commitments are based on reforms undertaken in the US following the Snowden revelations (for example, the USA Freedom Act). In addition, the European Commission has obtained specific arrangements for the EU. For instance, the US State Department will create the Office of Privacy Shield Ombudsman, which will deal with the complaints from Europeans concerning possible access to personal data by the secret services.
The new American federal Judicial Redress Act signed a few weeks ago by president Obama has also contributed to the success of the negotiations on the Privacy Shield. This legislation gives the EU citizens right to seek redress directly with the US authorities should their rights be violated. It basically extends the scope of the Privacy Act of 1974 to include also the non-US citizens. According to the commentary by an influential American lawyer Timothy Edgar, however the Privacy Act itself includes a number of exceptions, notably when it comes to the national security issues and therefore may be of limited use in this context. This lack of clarity in cases of terrorism investigated by NSA-like agencies has raised suspicion towards the American personal data protection standards. A group of lawyers called The Identity Project dealing with the right to privacy issues underline in their analysis that areas like transfer of passenger name records from European countries to the USA are not at all covered by the Judicial Redress Act (we have looked into the European dimension of this issue in detail in our recently published expert material). The new EU-US “Umbrella Agreement” (on data protection standards for EU-US exchange of personal data for law enforcement purposes) is therefore important, because it will ensure judicial redress in such cases. This Umbrella Agreement is not yet in effect and it has also already been criticized in the European Parliament. An opinion from the Parliament’s legal service is that the Umbrella Agreement is not compatible with the primary EU law.
Will the the Privacy Shield agreement lead to better personal data protection?
No clean slate for the Shield
Coming back to the EU-U.S. Privacy Shield and its issues, the new Office of Ombudsman should be an independent and impartial body resolving the complaints of the interested parties, however it is quite clear it will not be independent from the institutional point of view. It will be created by the US State Department and will be entirely governed by this body; its affiliation with the executive arm of government completely destroys the illusion of impartiality, as far as the distribution of power is concerned; the State Department is a political body and it is very likely that at least the selection of the Ombudsman, if not the decision-making itself, will be driven by political interests. Nevertheless, the US has affirmed – in a letter signed by John Kerry – that it will be independent of any instruction from the US intelligence services. This written letter is, however, so far the only guarantee of impartiality.
However, the overall benefits of the new arrangement with the EU have been called into question by new steps taken by the executive arm and president Obama’s administration. While the negotiations on the Privacy Shield were still ongoing and the parties are now waiting for the courts and legislators to take further steps to clarify the obligations of the technology manufacturers concerning disclosure of the personal data of their customers to the investigators, the executive power is discussing with the representatives of the secret services and intelligence agencies how to further remove the obstacles to the sharing of the contents of the telephone conversations, emails and other communications collected by NSA with agencies like FBI and CIA. The limited available legal protection when it comes to the matters of national security and the wider sharing of data by agencies raises questions about how “effective” the standards of the new Transatlantic agreements are going to be. Once again, this problem is no longer limited to US citizens: once the personal data are legally on American soil, information about us, Europeans, will be subject to the same treatment.
A long journey in a short time
The current version of the Commission decision on the Privacy Shield is still a draft, even though we cannot expect any dramatic changes. The working party made up of representatives of the Personal Data Protection Authorities of the individual Member States (Working Party 29) is going to meet in April to formulate non-binding comments of the text. Subsequently the decision has to be agreed by the EU Member states, whose representatives will meet in the so called Article 31 committee and decide by qualified majority. Once agreed by the Member States, the decision can be formally adopted by the European Commission. Thereafter it can only be revoked by the Court of Justice of the European Union. As this is not an intergovernmental agreement, but a unilateral assessment by the European Commission of the US data protection safeguards, it will not be put to a vote by the European Parliament (nor the American Congress). But any Member State, the Council of the European Union or the European Parliament can ask the Court of Justice of the European Union to asses whether or not the arrangement is in line with the European legislation. A similar situation has already occurred in 2006 when the Court of Justice of the European Union annulled the Agreement with the United States of America on the processing and transfer of PNR data (cases C‑317/04 and C‑318/04) and the Commission’s decision that it ensures an adequate level of data protection. The sources close to the European Commission expect the arrangement to be fully adopted by the European side by the end of the Dutch presidency ending in June. No doubt there are serious time constraints and large eagerness to put the Privacy Shield in force as soon as possible, as the existing legal vacuum hinders international business flows with a value of 300 billion USD a year.
- European Commission will accept the agreement after approval from representatives of the european 28.
It is probably because of the time restraints that the Privacy Shield seems to be mainly an update of its predecessor and that it is purpose-built only to formally resolve the legal uncertainty caused by the autumn decision of the Court of Justice of the European Union, which provided for no transition period. Some of the safeguards offered by the American side are merely “honest promises” and are hardly legally enforceable by individuals. An Austrian lawyer Max Schrems, whose dispute with Facebook led to the annulment of the previous Agreement (Safe Harbour), even argues that Privacy shield is just “the same pig with ten layers of lipstick on it”. Adopting a new, even marginally better arrangement is better than no agreement at all. A welcomed novelty, compared to the old Safe Harbour, is the introduction of an annual joint review, where the European Commission will monitor how the arrangements work in practice. The Commission will draw on data from the US companies, but also companies themselves, as well as media and NGOs. If the arrangement proves unsatisfactory in practice, the Commission can suspend it – if the Court of Justice of the European Union does not force it to it. There will be no new obligations imposed on the EU Member States and the Agreement will contribute to legal certainty and boost the mutual trade. Sooner or later the Privacy shield will be very likely brought to the Court of Justice of the European Union – and there is no shielding from its judgements. By then the Commission will have to demonstrate that it has worked in practice. If not, it is sensible to expect that also the new arrangement may be annulled.
Vladimír Bízik is a European Values Think-Tank Analytical Team Associate.