The draft text of an agreement between the EU and the U.S. to establish a new self-certification framework governing transatlantic data flows aimed at ensuring data protection and privacy compliance when Europeans’ data is taken to the U.S. for processing has now been published. But questions remain over whether the deal is robust enough to pass muster.
The so-called EU-US Privacy Shield is aimed at replacing the defunct Safe Harbor agreement, which was struck down last October by Europe’s top court, the ECJ, on the grounds that U.S. mass surveillance programs were violating fundamental European privacy rights.
Since then, officials from the two regions have stepped up efforts to negotiate a replacement for Safe Harbor, which they announced with much fanfare in early February — albeit, at the time, without releasing the text of the agreement. That next step has now been taken, allowing for closer scrutiny of the proposed new deal.
The publication of the text follows President Obama signing the Judicial Redress Act into law — which grants EU citizens the right to enforce data protection rights in the U.S.; a key stipulation of the EC negotiators.
In a statement noting the publication of the draft agreement and layering on the political PR, U.S. Secretary of Commerce, Penny Pritzker, dubbed it a “strong” and “historic” agreement.
“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic. We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy,” she said.
“Our U.S. and EU negotiators worked around the clock to develop a new framework that underpins $260 billion in digital services trade across the Atlantic. The new EU-U.S. Privacy Shield provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”
Commissioner Vera Jourová, who led negotiations from the European side, was a little more measured in her rhetoric. “The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds,” she said, talking of “strong safeguards” and restoring “trust.”
Despite the high-level congratulatory noises, the Privacy Shield is still not yet a done deal — with other parts of the European political machinery and individual European member states needing to accept the agreement. Most notably the Article 29 WP will have to be convinced. This body is comprised of representatives from all the member states’ data protection authorities — the role of whom is strengthened under Europe’s own new data protection directive, agreed at the back end of last year.
In a press conference reacting to news of the Privacy Shield deal earlier this month, the WP29 said it was not then in a position to judge the agreement — not having yet seen the now released full text. The WP29 will now be assessing whether the deal can answer to wider concerns raised by the court case that invalidated Safe Harbor, brought to the ECJ by European privacy campaigner and lawyer Max Schrems.
The WP29 called for the documents pertaining to the Privacy Shield to be delivered to it by the end of February — so the EC has just managed to squeak through on the extra day afforded by 2016’s Leap Year. In terms of next steps, the WP29 said it will be holding a meeting next month to assess the text, and has previously said it “could” come to a conclusion on whether the Privacy Shield is acceptable by mid-April or the end of April.
Yet more uncertainty?
Beyond the WP29’s assessment, it is also not clear that an agreed Privacy Shield will be able to deliver the certainty businesses crave. On this front, giving his early reaction to the text in a press statement, Schrems couches the deal as an attempt to put a lot of lipstick on the same old data-suckling pig…
And while he conceded the text contains “a large number of new improvements,” vis-a-vis EU-U.S. data transfers, he argued it does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law” — and is therefore vulnerable to future legal challenges.
Schrems notes, for example, that a page from one of the documents published today sets out six exceptions where the U.S. can still collect data “in bulk” — namely: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion — going on to argue the ECJ ruling made it clear that no such bulk-based surveillance activity is acceptable under European privacy law.
“The Court held that any form of ‘mass surveillance’ of content data violates the EU’s Charter of Fundamental Rights and that a country has to provide ‘essentially equivalent’ protections to EU law in the public and private sector,” Schrems writes.
He’s not the only data protection law expert with that view either…
Schrems is also dismissive of the claim the Privacy Shield deal provides for “essential equivalence” of European data privacy protection in the U.S. “The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away for EU law. This is nowhere close to ‘essential equivalence’ that the Court required,” he writes.
“At first sight the Commission decision seems to unfortunately go right back to the Court in Luxembourg. It’s a shame that the European Commission has not used this situation to come up with a stable solution for users and businesses. I guess most businesses will not engage in the ‘Privacy Shield’ as their main legal basis for EU-US data transfers given its obvious limitations. There will be a number of people that will challenge this decision if it ever comes out this way — and I may very will be one of them.”
In an interesting additional observation, Schrems further suggests the draft agreement appears to include a provision that allows individual DPAs to suspend data flows to the U.S. in their own country even if a company is Privacy Shield certified — suggesting there could be scope for some of the more pro-privacy DPAs (such as France’s CNIL or German DPAs) to attack aspects of the agreement that they do not agree with. Presumably unless the WP29 agrees to adopt a common position.
“This means basically that there is no legal certainty for businesses that a ‘Privacy Shield’ certification ensures continuous data flows. Any national DPA can simply pull the plug under this system,” Schrems suggests.
For its part, the EC is arguing that data protection “equivalence” will be delivered for EU citizens’ data in the U.S. under the Privacy Shield via what it says are “strong obligations” on companies and “robust enforcement” via supervision mechanisms “to ensure companies respect their obligations, including sanctions or exclusion if they do not comply,” as well as tighter conditions for onward transfers to other partners by companies participating in the scheme; written assurances from the U.S. government that national security access to data “will be subject to clear limitations, safeguards and oversight mechanisms,” with a redress possibility via an independent ombudsman mechanism within the Department of State; a 45-day period for complaints to be resolved by companies which allows for EU citizens to also complain via their national DPA; and an annual joint review mechanism to monitor how the agreement is functioning over time.
“The U.S. authorities provided strong commitments that the Privacy Shield will be strictly enforced and assured there is no indiscriminate or mass surveillance by national security authorities,” the EC adds in today’s statement.
On the political sleight of hand that seeks to makeover illegal “mass surveillance” as apparently acceptable “bulk collection in six specific circumstances,” Schrems is especially scathing.
“Basically the US openly confirms that it violates EU fundamental rights in at least six cases,” he writes, noting the six “in bulk” exceptions listed above. “The Commission claims that there is no ‘bulk surveillance’ anymore. It used to be the other way around.
“This charade is so bluntly against the law and the Court judgement, that it begs the question what forces push the Commission in the background. This is obviously not driven by a rational implementation of the law and the judgement.”