EU-US Privacy Shield Offers Partial Response to a Wider Issue

On 29 February, the European Commission published a set of documents, which make up the Privacy Shield agreement. The Privacy Shield is intended to put in place a new framework for ensuring adequate data protection standards when companies transfer data from the EU to the US. If adopted, the Privacy Shield will replace the Safe Harbor scheme that was declared invalid by the Court of Justice of the EU (CJEU) in the Schrems ruling in October 2015.

The Privacy Shield documents are broadly consistent with the outline the European Commission gave in a press release on 2 February. They include elements that pertain to companies’ data governance obligations, to government access to data by US authorities, oversight mechanisms, and redress, and complaints options for European citizens.

Privacy Shield can be understood as a short-term, partial solution that enables transatlantic commerce and data flows to continue in the near term.

European Data Protection Authorities (DPAs) and EU Member States will now review the agreement, and European Commission will then adopt the adequacy decision, presumably in June. The European Parliament could also request that the decision be amended or withdrawn.

Whether the Privacy Shield, if adopted, will serve its intended purpose and provide a durable framework for protecting and transferring personal data will be decided when complaints reach the CJEU. The Court will then determine whether the framework meets the requirements it set in its ruling in the Schrems case.

CDT has for a long time advocated for reform of FISA Section 702, because the data collection it authorizes is too broad and not sufficiently targeted. It was the Section 702 PRISM and Upstream programs the CJEU objected to in Schrems.

Companies that certify under the Privacy Shield must continue to comply with requests they receive under this law and so will companies that use other transfer mechanisms. In that sense, the fundamental concerns that motivated the Court’s decision remain to a large extent unanswered. This is not surprising, as the Privacy Shield negotiators did not have competence to amend or improve the underlying law, neither for government nor company data governance.

The Privacy Shield can be understood as a short-term, partial solution that enables transatlantic commerce and data flows to continue in the near term, to meet the European Commission’s tight deadline. The agreement reflects the political and economic reality that the European Commission, Member State governments, and the US Government need transatlantic commerce and communications to continue without disruption.

The need for transatlantic progress on surveillance reform has been clear since the Snowden revelations.

This is not to say that some of the elements cannot contribute to a higher level of data protection and privacy for EU citizens. There are new obligations on companies, several overlapping (and quite complex) complaints processes, and strengthened oversight by DPAs and the Federal Trade Commission. The joint annual review process could have the effect of enhancing transparency, and keeping surveillance and privacy concerns front and center. However, while these elements are a step in the right direction, they will probably fail to satisfy the CJEU.

In Schrems, the Court found that access by public authorities to communications and personal data on a ‘generalised basis’, without a specific purpose or target, compromised privacy protections guaranteed by the Charter of Fundamental Rights of the European Union. However, US intelligence agencies continue to operate a surveillance program, Upstream, that gives US intelligence agencies access to virtually all electronic and telephonic communications flowing in and out of the US. Moreover, the US continues to maintain bulk collection programs outside the US. While a Presidential Policy Directive, PPD-28, limits the use of data collected in bulk to five broadly-defined national security purposes, such as terrorism and cybersecurity, it includes no meaningful limitations on the initial collection, thus permitting continued access to personal data on a ‘generalised basis’. In a positive development, the US agreed to abide by the existing use limitations in PPD-28, making it more difficult for a future administration to broaden them further.

Another problem the CJEU identified in Schrems was a lack of administrative or judicial redress that would enable an EU citizen to access, rectify, or erase personal data. The Ombudsman institution may provide a small measure of redress for EU citizens, but it is powerless to stop surveillance that is inconsistent with the privacy rights of Europeans and its review is not sufficiently independent because it sits in the Executive Branch of government.

Therefore, the Privacy Shield seems unlikely to be a long-term solution. That would require broad political consensus among US and EU Member State lawmakers about standards and safeguards for conducting national security intelligence in accordance with international human rights norms. And, it would require substantive reform of both US and European surveillance laws and practice. CDT has made this argument consistently and repeatedly. The need for transatlantic progress on surveillance reform has been clear since the Snowden revelations, and the Schrems ruling added urgency. However, the European Commission, responsible for putting in place a new adequacy decision for data transfers, has no authority to deal with national security matters in the EU or elsewhere, and the US Department of Commerce (or other parts of the Administration) cannot mandate the US Congress to amend FISA Section 702.

It is therefore no surprise that many elements the Privacy Shield are receiving criticism and open to legal challenge. In the absence of more comprehensive reform, citizens in the EU, the US and elsewhere will continue to face intrusive surveillance and data collection, and companies that operate on both sides of the Atlantic will continue to deal with uncertainty about the legal framework they operate under.