The EU is acting at breakneck speed to fill the legal gap that the European Court of Justice (ECJ) created in October by invalidating the Safe Harbor Agreement for EU/U.S. data transfers. EU Justice Commissioner Věra Jourová reported on 1 February 2016 to the European Parliament’s Committee on Freedoms and Human Rights (Civil Liberties, Justice, and Home Affairs, or LIBE) on the state of the negotiations with the U.S., stating that an agreement was “imminent.” A few hours later, the European Commission issued a press statement touting an agreement “in principle” on a “Privacy Shield,” slated to replace the Safe Harbor that more than 4,000 U.S. companies had been using for over 15 years. A negotiating text has not yet been published. One day later, on 3 February 2016, the group representing the national data protection agencies in Brussels, the Art. 29 Working Party, hastily voted in favor of an extension of the existing legal tools of data transfer. What happens next is unclear. The EU Commission will likely vote on the “Privacy Shield” in April. Most observers believe that the new framework will be challenged again in court.

State of Negotiations with the U.S.

On 1 February 2016, EU Justice Commissioner Jourová stated in front of the LIBE Committee that an agreement with the U.S. will provide a “strong and robust privacy policy” for the transatlantic data flows. The statements by the Commissioner provide various clues on the contents of the EU/U.S. agreement. The new regulatory framework will (and must) implement the legal requirements of the ECJ’s Schrems decision without exception. The role of the Commission is to determine whether the obligations of the U.S. government are sufficient for the recognition of “adequate [data] protection” by the U.S. The EU’s guideline is: “Trust but verify.” If the agreements are not complied with, the EU will unilaterally suspend them, which will put the EU-U.S. data flows in jeopardy. The focus of the agreement, as mandated by the ECJ, is on four areas:

Access restrictions for the U.S. authorities and greater transparency by U.S. companies

The Commission interprets the ECJ ruling to mean that data access by U.S. authorities must be limited to “the bare minimum.” All available legal safeguards and remedies against such measures must be the same for U.S. and non-U.S. citizens. Everyone should have the right to take corrective action in the event of possible infringements. Companies should notify customers of the number and type of requests by the security agencies. How that can be successfully achieved under U.S. law is currently shrouded in mystery.

Independent control over data access

Access to the courts under the Safe Harbor framework was limited when related to national security issues. Under the Privacy Shield arrangement, the Commission wants the U.S. to appoint an Ombudsman with “real authority.” The Ombudsman will be embedded in the U.S. State Department. He must be neutral and must have access to all relevant (U.S.) documents. He must address individual complaints case by case and should report back to the EU authorities. Separately, the EU would exert its own “continuous control” to ensure that there are no data access violations. For this purpose, the EU will heavily rely on NGOs to investigate cases in which the U.S. security authorities have allegedly violated the “standard of necessity or proportionality of data collection.”

Individual complaints and dispute resolution

Ideally, the companies involved in the data transfer must deal with individual complaints raised by data subjects. The complaint process should be free of charge and subject to strict time limits. All national data protection authorities will be entitled to refer complaints to the U.S. Department of Commerce or the Federal Trade Commission (FTC) for dispute resolution. On top of that, the Commission wants a “last resort mechanism” for any remaining dispute: an arbitration board whose decisions should be “binding” and “enforceable.” Independently, each national supervisory authority, acting as a “guardian of the rights of the individual to privacy,” would still be in a position “to protect the rights of EU citizens when their data are transferred to the United States.” It is uncertain whether these authorities may thus directly impose sanctions on data exporters in their jurisdiction. The new Privacy Shield agreement will periodically (at least annually) be reviewed jointly for flaws and possibly improved by mutual agreement.

The need for a binding commitment by the United States

EU Commissioner Jourová wants to wrap up the agreement through a diplomatic exchange of letters, which shall be published in the Official Gazette (Federal Register) “on the highest level possible.” It remains unclear whether this means that President Barack Obama and European Commission President Jean-Claude Juncker will sign the agreement. What is clear, however, is that the Commission seeks no international treaty with the U.S. It also seeks no implementation act of the U.S. Congress, which in any event may be unrealistic given the political stalemate in Washington. After this exchange of letters, the Commission would then take a separate decision on the adequacy of data protection. The other EU institutions would be involved in the processes and able to voice their concerns. This “adequacy decision” of the Commission will then be the basis for the Privacy Shield. This process is not easy and could be derailed.

Reactions in Europe

Many members of the LIBE Committee present at the hearing on 1 February were skeptical whether a legally watertight agreement with the United States is possible and whether the Privacy Shield would pass muster at the ECJ. Some members questioned the seriousness of the United States in the negotiations, voicing their frustration that Congress hasn’t even adopted the Judicial Redress Act without amendments. The European security authorities should not be allowed to continue “the dirty work” of the NSA on European soil. A mere diplomatic exchange of letters with the United States is not deemed a solid legal basis by the critics; the role of the Ombudsman and his authority remain vague. Other members were friendlier to the U.S. and criticized that a higher standard for the adequacy of data protection will be applied to the U.S. than to other countries. In any event, the LIBE Committee wants to examine the exact wording of the agreement to check independently of the Commission whether the European Parliament can agree. There will be another LIBE Committee hearing once the agreement is published, and it surely will be a lively and controversial debate.

Peter Schaar, the long-term former German Federal Data Protection Commissioner, in his recent analysis of the new Privacy Shield, doubts that the agreement is compatible with U.S. law. In particular, the restrictions on data access by the NSA and others and judicial redress would be difficult to achieve under the Freedom Act, he points out. Many other observers fear that the Privacy Shield is too weak and expect another devastating defeat of the Commission at the ECJ. Some blame the Commission for sacrificing the privacy interests of EU citizens by kowtowing before the U.S. government. Edward Snowden took issue with the label “shield” and spoke of a “shield to ward off the responsibility.”

Jan Philipp Albrecht, a Member of the European Parliament who is well known for his pointed criticism of U.S. surveillance measures and alleged privacy violations, has three main objections against the Privacy Shield. First, the U.S. government’s promises to honor the proportionality principle and refrain from unnecessary data collection are not new and are worthless. The Presidential Policy Directive 28 of 2014, which prohibits a bulk collection of personal data in the U.S., had been brought to the attention of the ECJ even before its Schrems decision. The ECJ was well aware of the situation in the U.S. when it rendered the decision. Second, the commitments to perform an annual review are not new and would give the EU citizens no new legal recourse to challenge illegal bulk data collection. Third, he believes the appeals procedure is toothless. An Ombudsman in the U.S. State Department falls below the ECJ-required standard of “binding legal control” and is nothing more than a messenger.

Next Steps

As the immediate next step, the Article 29 Working Party has extended the deadline for compliance for EU/U.S. data transfers to the end of February. During this period, existing legal possibilities of data transfer (EU Standard Clauses and BCR) remain applicable, but not the “old” Safe Harbor, which is definitely gone. This measure raises many questions: Is the use of the EU standard contractual clauses legitimate even after 1 March? How can companies that were registered under Safe Harbor migrate into the new scheme? Which data flows to the U.S. are covered by the Privacy Shield? Can the national data protection authorities impose further conditions as set forth in the Privacy Shield to control data exporters? The timetable until April for an EU “Adequacy Decision” is very tight, as everyone who knows how Brussels operates will confirm. Commissioner Jourová has given herself and the Commission three months to reach a decision. The EU Parliament is expected to debate the new agreement once it becomes public. It is also uncertain when the U.S. Congress will adopt the legal requirements the EU wants (and with what wording), given that the Judicial Redress Act remains pending.

The Article 29 Working Party could be on a slippery slope if there are further delays. Each time a new extension is granted, the critics will have more reason to state that the regulators are too lenient with the U.S. In the meantime, some national data protection authorities could break off from the common position and issue their own rules, or at least launch their own investigations against any U.S. data exporters falling into their jurisdiction. The EU Commission wants the United States to launch the legal implementation of its commitments, while the EU is still debating what to do next. The United States negotiators seem to take the view that there is no need for new U.S. laws to put the “Privacy Shield” on track. This raises the question whether both sides have actually agreed on all essential points. One wonders whether the EU has learned its TTIP lessons and will provide full transparency of the negotiations. There is an imminent risk that the ECJ will once more strike down the “Privacy Shield” after the adequacy decision of the Commission is adopted. Separately, individual complaints to the data protection authorities about data transmission to the U.S. could trigger more legal or regulatory proceedings and create more legal uncertainty.

Dr. Axel Spies, Morgan Lewis & Bockius, Washington, DC. Dr. Spies is the author of AICGS Issue Brief 46: German/U.S. Data Transfers: Crucial for Both Economies, Difficult to Regain Trust and A Reasonable Expectation of Privacy? Data Protection in the United States and Germany.