Only few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).
According to the Commission’s press release, the Privacy Shield’s guarantees include:
Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.
But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?
Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years ago, before Facebook, the social network, big data era and the emergence of encryption vs. surveillance-like debates.
However, WP29 welcomes the additional recourses made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).
Unfortunately, it seems that, these (few), general, positive notes are by far neutralized by the much more incisive negative remarks made by the WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by Privacy Shield instruments (nor it can be clearly construed from their current wording) and onward transfers of EU personal data to third Countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed by US authorities, it cannot be fully excluded that US administrations will continue the collection of massive and indiscriminate data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover , WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts not satisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also stigmatized by the WP29 by calling for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, the WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out-of-date, considering the approval and forthcoming enter into force of the EU data protection reform, which will bring important improvements on the level of data protection offered to individuals, not at all reflected in the Privacy Shield.
The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, at least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings of the US authorities on mass surveillance programs by security intelligence agencies. Regulatory costs on companies and governmental agencies will not therefore be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.
So, what’s next for Privacy Shield? Another advisory decision is awaited from Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and much likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.
On March 5, 2015 the European Court of Justice (“ECJ”) delivered a ruling on product liability that could have consequences for manufacturers of medical devices.
FACTS OF THE CASE. The quality control system of a company selling pacemakers and implantable defibrillators in Germany found that a component utilized to hermetically seal pacemakers may experience a gradual degradation. That defect could lead to premature battery depletion, resulting in loss of telemetry and/or loss of pacing output without warning. In light of such circumstances, the manufacturer issued a warning recommending physicians to replace the implanted pacemakers with others provided free of charge. At the same time, the manufacturer also recommended physicians to turn off a switch in the defibrillators.
PROCEEDINGS. The insurance companies, covering patients whose pacemakers or defibrillators had been replaced, instituted legal proceedings to obtain reimbursement of costs relating to such replacements. The German High Court raised a preliminary question before the ECJ asking whether the devices that had been replaced may be classified as defective, despite lack of evidence that the actual product implanted was defective, on the basis of the corrective measures recommended by the manufacturer. Moreover, the German Court asked whether costs of replacing those pacemakers and defibrillators could be classified as damages, for which the manufacturer may be liable pursuant to the Product Liability Directive[1].
ECJ RULING. In its ruling, the ECJ stated that, in order to determine whether or not the manufacturer was liable, (i) the function of such products, (ii) the vulnerability of patients utilizing them, (iii) the costs borne to replace them, and (iv) the costs relating to turning off the switch of defibrillators had to be taken into account and balanced. In this respect, the ECJ observed that even the potential lack of safety of those products gave rise to the manufacturer’s liability, in light of safety standards that patients could expect from that kind of products and the abnormal possibility of damages to patients, who would be at risk of death. In addition, and in more general terms, the ECJ affirmed that costs borne to replace potential defective devices may constitute damages inasmuch as the expenses incurred are necessary to remedy the defect. However, such a judgment, as pointed out by the ECJ, pertained to the merits of the claim, and must therefore be ascertained by a national Court.
CONSEQUENCES OF THE RULING. Under the Product Liability Directive claimants must produce evidence of the defect, damages arising therefrom and a causation link between the two. By contrast, the ECJ’s decision establishes that even potential defects may be considered as defects. As a consequence, consumers appear to be relieved from the burden of proof that products are actually defective. By the same token, manufacturers’ right of defense seems to be compressed, as – when there are corrective measures recommended by them – the ruling does not leave any room for proof of lack of liability.
WHAT WILL BE THE IMPACT OF THE RULING. The ECJ’s approach to product liability adopted in the ruling at hand appears to be skewed towards consumers’ protection. A cynical reading of the ECJ’s judgment may even prompt manufacturers to be reluctant to “admit their own mistakes” and issue safety warnings regarding their products! As often happens with legal issues affecting innovation and health policies, balancing of interests is key.
[1] Council Directive 85/374/EEC of July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products. According to the Directive, the producer is liable for damages caused by a defect in his product.
Law, Health & Technology 