Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union (CJEU) in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. Like Safe Harbor, the Privacy Shield is a co-regulatory system: companies that want to participate in the system agree to a set of data protection principles, and implement those principles within their organization under the supervision of the regulator – in this instance the US Department of Commerce and the US Federal Trade Commission. This approach is similar to Binding Corporate Rules (BCRs) or the data privacy governance certificate proposed by the CNIL. Companies that agree to the principles are accountable for their implementation within their corporate group. Companies must be prepared to demonstrate to authorities the measures taken to ensure compliance. This is an example of the accountability principle encouraged by the new General Data Protection Regulation 2016/679 (GDPR). In that respect, the Privacy Shield is consistent with European regulatory trends as expressed in the GDPR.
The European Parliament adopted a resolution on May 26, 2016 praising the progress made, but highlighting shortcomings in the Privacy Shield as presented in February 2016.
Now that the Irish Data Protection Commissioner has referred another data transfer mechanism, the Standard Contractual Clauses, to the courts for a review of their validity, greater focus will be placed on whether the criticisms of the Privacy Shield are well founded.
In its resolution, the European Parliament also criticizes the powers of US intelligence agencies, arguing that they violate the proportionality principle of the Charter of Fundamental Rights of the European Union. Crucially, however, this criticism applies equally to similar powers available in Europe. The broad powers accorded to intelligence agencies in the US and in Europe raise sensitive issues relating to the proper balance between privacy and national security.
Civil rights advocates have criticized the US, but also European governments, for having increased the powers of intelligence agencies without adequate privacy safeguards. One of Europe’s top human rights officials, Nils Muižnieks, the Council of Europe Commissioner for Human Rights, criticized governments in the EU for the extensive powers granted to national intelligence agencies to gather data about EU citizens. The European Parliament adopted a resolution on October 29, 2015 warning of a dangerous “downward spiral” in Europe of anti-terrorism laws granting broad powers to intelligence agencies with little or no independent supervision. With its recent laws on intelligence gathering and on the interception of communications outside of France, France follows this trend, which is understandable in light of the heightened terrorist threat.
Somewhat surprisingly, in its recent resolution concerning the Privacy Shield, the European Parliament criticizes the US system without referring to the intelligence gathering powers of authorities in Europe. The US legal framework governing intelligence gathering activities balances protection of individual rights and national security interests in a manner similar to the balance struck in several European countries, including France. Like French law, US law distinguishes between gathering data in the context of criminal procedures and gathering data in the context of intelligence activities. Data processing in the context of criminal investigations is generally surrounded by a high level of protection for individual rights, both in France and in the US. EU citizens are now even better protected with the enactment of the “Judicial Redress Act”, which gives citizens of designated European countries certain procedural rights under the US Privacy Act that had, prior to the Act, been available only to US citizens and lawful permanent residents.
The harder issues reside in intelligence gathering activities. Previously, the Article 29 Working Party had criticized the lack of clarity in US law relating to the definition of threats to national security. But the US definitions are no less precise than the broad definitions appearing in France’s Internal Security Code. In addition, the Working Party recognized the existence of effective internal controls within US intelligence agencies, but criticized the US for not having stronger independent oversight, preferably by a judge. Here too, the US situation is no different from France’s, where intelligence gathering activities are overseen by a National Oversight Commission on Intelligence Gathering Techniques, whose opinions are not binding on the Prime Minister. The European Parliament criticizes bulk collection of data, yet France’s intelligence law allows intelligence authorities to conduct data mining over huge volumes of metadata.
In summary, both the Working Party and European Parliament criticize the US system because it does not correspond to a European ideal of protection of individual liberties in the context of intelligence activities, even though in many parts of Europe, this European ideal is not reflected in the national laws adopted to facilitate intelligence gathering. Like parents speaking to their children, the Working Party essentially opines “do what we say, not what we do.” (Chris Wolf has written more extensively about this topic.)
In reality, the Privacy Shield includes several measures that improve the protection of Europeans with respect to intelligence gathering activities, including a new right of indirect access similar to what exists in France. A person who wants to know whether his or her data are collected by US intelligence authorities would be able to make a request to his or her local DPA, which would forward the request to a high-ranking official within the Department of State, called the “Ombudsman”. The Ombudsman would in turn verify that any surveillance measure has been implemented in accordance with law. As in France, the US Ombudsman would not generally be able to confirm whether a person is listed in an intelligence file, since that information would be classified. But the Ombudsman would verify that appropriate procedures have been followed, and correct any anomalies. This is similar to the system that exists in France for data included in intelligence databases. Notably, the Ombudsman is only available to Europeans, and not to Americans. In addition, the US government has agreed to apply to Europeans most of the same protections as those that exist for Americans.
Will Privacy Shield be challenged?
Some of the Working Party’s and the European Parliament’s criticisms may be taken into account by the European Commission and the US government in the final version of the Privacy Shield documentation. However, other criticisms, such as those relating to US intelligence activities, may be both difficult and unnecessary to address.
The European Commission will likely issue its decision on the “adequacy” of the Privacy Shield sometime this summer, and from that point onward, Privacy Shield will become legally operational for data transfers. However, some DPAs, in particular in Germany, have indicated that they will challenge the Privacy Shield in court, which could lead to a new referral to the CJEU. Consequently, despite the fact that the Privacy Shield presents essentially equivalent protections to the protections available to EU citizens under European law and should be deemed adequate by the CJEU, the status of the Privacy Shield as a robust data transfer mechanism may remain uncertain for some time to come.