EU uses Privacy Shield review to press for reform of U.S. foreign surveillance law

A one-year-old data transfer mechanism that’s used by thousands of companies to authorize transfers of personal data between the European Union and the U.S. for processing has been given the thumbs up after its first annual review.

“The Commission’s general view is that the American authorities are living up to their commitments and that the system works,” said Commissioner Vera Jourova today. “The US side have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield. Such as new redress possibilities for EU individuals and co-operation channels with European data protection authorities.”

But while the Commission said the implementation is, in its view, functioning well at this nascent stage it also wants to see improvements — and has made a number of recommendations.

These include more proactive and regular monitoring of US companies’ compliance with their obligations under Privacy Shield; raising awareness for EU users that a complaint pathway is open to them if they have concerns about how a US company is handling their personal data; and closer co-operation between U.S. and EU authorities to enforce privacy, such as by developing guidance for companies and enforcers.

The Commission said it will work with U.S. authorities to follow-up on its recommendations in “the coming months”, as well as continuing to “closely monitor” the functioning of the data transfer framework, including the U.S. authorities’ “compliance with their commitments”.

Its review report is also being sent to the EU parliament, Council and Article 29 Working Party so additional responses from other EU institutions are likely in the coming months.

Pushing for FISA Section 702 reform

Jourova also confirmed the EC is actively lobbying U.S. politicians engaged in the debate around reforming Section 702 of the Foreign Surveillance Intelligence Act (FISA). So while US intelligence agencies are pressing hard for the controversial portion of the law which allows the US government to intercept the communications of foreign intelligence targets to be made permanent, EU officials are pushing in the polar opposite direction.

Their lobbying position is strengthened by the fact that some 2,400 companies have now signed up to the EU-US Privacy Shield program — including tech giants such as Google, Facebook and Microsoft. The EC has the power to suspend the mechanism at any time if it feels it’s no longer providing adequate privacy protection for EU citizens’ date.

Jourova said today that the EC is hearing two lines in Washington regarding renewal of FISA 702:  One view being that Congress will reauthorize the current version of the law; and the other being that, as she put it, “there is a space for improvement in our interests — that the protection of non-American citizens could be added”.

Should the latter come to pass Jourova said it “would be very good news” for Privacy Shield, noting that the data transfer mechanism currently relies “for a very large extent” on a Presidential Policy Directive, signed by the Obama administration in 2014 (PPD-28), which imposes a number of limits on signal intelligence operations.

Having privacy provisions for foreigners’ data included in FISA would offer “much stronger protection” and be a “much more sustainable solution”, she continued, adding: “Yesterday I spoke to several Congressmen and Congresswomen… We are lobbying for improvements in this Act but we have to wait until the end of the year.”

That said, in a fact sheet relating to the review of Privacy Shield, the EC asks but does not comprehensively answer the question: “How many access requests from surveillance authorities were received by companies under the Privacy Shield?” — instead it just pulls out a few figures disclosed by Privacy Shield-certified companies that already publish transparency reports, claiming they are ‘illustrative’ of the fact that “as a percentage of total user accounts” the number of accounts affected by requests for government access to personal data “remains limited”. (A more pertinent question might be what proportion of the access requests directly involve EU citizens’ data?)

So it very much remains to be seen how red the EU’s line will be if US intelligence agencies get their way and knock back any sympathetic reform of FISA’s Section 702.

Safe Harbor -> Privacy Shield

The EU-US Privacy Shield is the replacement for the Safe Harbor arrangement which was struck down by Europe’s top court two years ago after a legal challenge by a privacy campaigner successfully argued that data protections were not adequately equivalent under the arrangement on account of U.S. government mass surveillance programs (which had been revealed by the Snowden disclosures to be harvesting EU citizens’ personal data via the NSA’s Prism program).

Safe Harbor had stood for 15 years, and EU and US officials scrambled to negotiate a new agreement to try to restore legal certainty for businesses that rely on being able to process users’ personal data in the US. The result was the EU-US Privacy Shield, which launched for signs ups in August last year.

More companies have signed up to the scheme in its first year than signed up to Safe Harbor in its first 10 years of operation, Jourova said today.

However the new data transfer mechanism has drawn criticism from the start, such as for lacking adequate privacy safeguards, and for the complexity of complaint processes it provides EU citizens seeking redress from a US company.

Ongoing concerns have also been voiced by the bloc’s influential data protection chiefs. And both it and alternative mechanisms for authorizing personal data transfers out of the region are facing legal challenges within the EU.

Jourova said that an extant challenge against so-called standard contractual clauses (SCCs) — which are used by the likes of Facebook (and many other companies) to transfer personal data between their EU and US businesses, and which earlier this month the Irish High said it would refer to Europe’s top court for a preliminary ruling — is relevant to Privacy Shield because it could also have implications for the latter’s future viability (i.e. if the ECJ decides SCCs do not in fact offer adequate protection for citizens’ data).

Although she once again expressed confidence in Privacy Shield’s legal robustness, saying it had been negotiated with knowledge of the earlier Safe Harbor ruling. “This court challenge will be the first one, probably when I consider the timing, which will declare something new on the functioning of Privacy Shield,” she said of the referral of the challenge to SCCs to the ECJ. “It has relevance for Privacy Shield.

“We have… tailored Privacy Shield on the basis of the very clear criteria set by the European Court of Justice in the Schrems [Safe Harbor] case. And that’s why I believe in continuity. I believe in the new court rulings which will consider Privacy Shield in all its parameters and will fairly assess whether it brought the necessary protection of EU people’s private data or not. And I am confident that Privacy Shield will withstand such court scrutiny.”

Unlike the prior arrangement, Privacy Shield bakes in regular (annual) reviews of the mechanism to ensure it is functioning as intended. And it’s the results of the first review that the EC has announced today.

Trust vs the Trump administration

Despite professed confidence in Privacy Shield from the EC, the mechanism has looked especially precariously placed since Donald Trump took office. The U.S. president’s decision in January to use an executive order to strip privacy rights from non-Americans under the US Privacy Act was seized upon by critics of the Privacy Shield. (Although the European Commission said the mechanism does not rely on that law for the adequacy protections necessary for it to continue to stand; rather it’s leaning on the aforementioned PPD-28).

Jourova said today that the inaugural review of Privacy Shield was especially important because of the change in US administration. Though she also had praise for US commerce secretary Wilbur Ross (but managed to make positive political noises without once mentioning president Trump by name).

“I had a very good working relationship and a very high level of trust with the people negotiating Privacy Shield under Mr Obama’s administration,” she said, discussing the difference of approaches of the two administrations to Privacy Shield. “I wondered whether we can continue based on this spirit of trust and after the second visit in Washington and after the second meeting with Wilbur Ross I can say that I tend to trust. I am positive about the approach of the American administration.

My second visit dispelled my doubts whether ‘America first’ doesn’t mean ‘American only’. Which would be bad news for the EU.

“I can say that my second visit dispelled my doubts whether ‘America first’ doesn’t mean ‘American only’. Which would be bad news for the EU.”

“Of course there is still some difference between the US and the EU — how we understand the conflict of the two priorities: Being more secure, being more protected from the privacy point of view. What I can say is after we tested and scrutinized the situation in the United States the privacy and the protection of privacy is very high on American soil,” she added. “Of course there is an emphasis on security but this is for us to balance it properly in the Privacy Shield — that both priorities, and from our point of view especially the priority of protection of data, is strongly enhanced and promoted.”

She did raise specific concerns about the Trump administration’s ongoing failure to appoint a permanent privacy ombudsperson, as required by Privacy Shield, as a key cause of concern in Europe. Asked by TechCrunch last month — after her visit to Washington — why the U.S. government has yet to nominate a permanent ombudsperson, Jourova said it was something she had asked and “stressed” in importance during the Privacy Shield review.

She was asked about this again today, and told journalists that the EC wants the post filled permanently “as soon as possible” — but also that it “didn’t want to give any deadline”. So, for whatever reason, the EC is avoiding the risk of pressing its demands too hard at this early stage of working with the Trump administration.

“I already was clear in Spring with my partners in the US that we want to have the fully fledged ombudsperson in place soon,” she added. “We were asked to be patient because, with the big change in the administration, it will take more time. But I made it very clear that now we expect them to act very quickly. But no concrete deadline.”

She was also asked about the fact the U.S. Privacy & Civil Liberties Oversight Board currently has just one standing member — out of what should be a total of five.

“We were promised that the situation will be improved soon but the procedure is rather lengthy,” she said on this. “So we, again, as in the case of ombudsperson, we didn’t give any deadline — but we make quite clear via the report that we expect the solution as soon as possible.”

Complaints and compliance

Discussing another EC recommendation, focused on the issue of complaints being made under Privacy Shield and the need to raise awareness among citizens that they are able to complain, Jourova said “practically no” complaints have been received by US companies from EU citizens, via the provided route. However she suggested this could be a result of a lack of awareness that a complaint pathway exists.

“We should not be complacent,” she said. “It might mean that people lack information. This is also the task for us — the European Commission — to inform the citizens about the possibility to get better redress and first of all to have their complaint dealt with properly.”

She said the EC also wants the US to engage in “a more proactive” and regular search for false claims by companies that they are signed up to the Privacy Shield scheme; and wants better ongoing monitoring of compliance by private US authorities.

“The Privacy Shield is placed in a challenging triangle for each regulator. It aims at striking the right balance between data privacy, security and business interest,” she said in her introductory remarks, describing Privacy Shield as both a “continuous work” and “a trust building exercise”.

“I’ve always said that the Privacy Shield was not a document lying in a drawer never checked. Both the US and the Commission will actively monitor it and the annual review is a key moment in that process.”

The EU’s influential WP29 group that’s comprised of the heads of member state’s data protection authorities is working on its own analysis of the operation of Privacy Shield — having sent its own representatives to Washington as part of the EU review delegation (as well as firing off some warning shots ahead of time).

A spokeswoman told us the group is expected to release an official statement on Privacy Shield at its next plenary meeting — likely by the end of November or beginning of December.