Almost a month after announcing that a deal was done between the EU and the US in order to protect European personal data, the European Commission have finally announced the details of the replacement for Safe Harbor: Privacy Shield. We’re still working our way through all of the documentation, but thought we’d share our initial thoughts.
The FAQs issued by the Commission state that “the EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid”. This is a fundamental issue. If this isn’t the case, then all of the negotiations will have been in vain.
And there are definitely some who believe it doesn’t measure up. Those opposed to the US use of mass surveillance (including Max Schrems, the protagonist in the European Court of Justice (ECJ) case which lead to the invalidation of Safe Harbor) are already expressing their concerns that the decision won’t meet the requirements set out by the Court.
One of the key concerns of the ECJ was that there should be no “bulk surveillance” of EU citizens’ personal data.
The Commission’s FAQs state that “the U.S. affirms that there is no indiscriminate or mass surveillance”. However, the adequacy decision, when considering the legislative position in the US, states:
Finally, even where the United States considers it necessary to collect signals intelligence in bulk, under the conditions set out in recitals (58)-(60), [Presidential Policy Directive] 28 limits the use of such information to a specific list of six national security purposes with a view to protect the privacy and civil liberties of all persons, whatever their nationality and place of residence.”
So it does appear that there may still be scope for the US to carry out, in a much more limited sense than may previously have been the case, mass surveillance of limited information regarding EU citizens, much as they would for US citizens. The implementation of the Judicial Redress Act in the US should allow EU citizens to bring complaints against the way their data is handled to a US court.
The European Commission seem to have agreed that this limitation is sufficient to mean that the protection of data in place is adequate. The big question will be whether the ECJ agrees, should a legal challenge to the EU-US Privacy Shield be brought.
The proposed draft decision notice approving the Privacy Shield framework recognises that even if a company is signed up to Privacy Shield, transfers to that company can still be suspended by a Data Protection Authority (DPA) under the powers set out in Article 28 of the Data Protection Directive. So companies may find themselves in trouble even if the Privacy Shield adequacy decision itself is not challenged centrally.
This doesn’t appear to be a new power (following the Schrems decision, the Irish DPA is currently in the process of deciding whether to take such action against Facebook), but it was an approach not previously fully realised. Until the Schrems decision, there had been an assumption in practice (including as pleaded by the Irish DPA) that the DPAs could not look behind the basis of a Commission decision of adequacy. That assumption has now been blown away.
At this stage, it’s still not clear that the Privacy Shield will be free from risk of attack from those who objected in a similar manner to Safe Harbor.
However, on the plus side, there does appear to be greater transparency (and therefore associated limitations) to the processing that US authorities will now undertake with regard to EU citizens’ personal data, even if it doesn’t go as far as some may have hoped.
The appointment of an Ombudsperson where complaints relate to national security, together with a free Alternative Dispute Resolution Procedure and the ability for complaints to be managed by local DPAs in consultation with the FTC, should help give comfort to those who were concerned about enforcement issues. However it would be wrong to label the Alternative Dispute Resolution Procedure as a new development – Safe Harbor also had this option although in Safe Harbor at low-cost to the complainant not no-cost as envisaged by Privacy Shield.
And an annual joint review will mean that the new process will stay at the forefront of political minds in both the EU and the US. That however is something of a challenge for businesses who would rather not have the uncertainty of the scheme being reviewed on an annual basis.
So when is this all going to happen? We’re still not sure.
On the European side, a committee composed of representatives of the Member States will be consulted, and DPAs will have a chance to give their view through the Article 29 Working Party. Whilst the Article 29 Working Party doesn’t have a veto (or even a vote), their views will count – as we mention above, even if the Commission have the adequacy decision approved, DPAs could still cause chaos by suspending transfers if they believe they are not compliant with the Directive.
Meanwhile, the U.S. must make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.
So watch this space. We have no doubt that there is more to come.
Gayle McFarlane is a Lawyer with Cordery in London where her focus is on compliance issues.
Gayle McFarlane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700