Tag Archives: european court of justice

Art. 29 Working Party on EU-US Privacy Shield: Trust Not Yet Restored For Transatlantic Data Flows

Only few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).

According to the Commission’s press release, the Privacy Shield’s guarantees include:

  • strong obligations on companies and robust enforcement;
  • clear safeguards and transparency obligations on US government access;
  • a redress possibility through an independent Ombudsperson mechanism;
  • effective protection of EU citizens’ rights through various measures (a specific timeline for resolving complaints , a free of charge alternative dispute resolution solution, as well as the possibility for EU citizens to lodge complaints with their national Data Protection Authorities, who will work with the Federal Trade Commission to solve them).

Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.

But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?

Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years ago, before Facebook, the social network, big data era and the emergence of encryption vs. surveillance-like debates.

However, WP29 welcomes the additional recourses made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).

Unfortunately, it seems that, these (few), general, positive notes are by far neutralized by the much more incisive negative remarks made by the WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by Privacy Shield instruments (nor it can be clearly construed from their current wording) and onward transfers of EU personal data to third Countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed  by US authorities, it cannot be fully excluded that US administrations will continue the collection of massive and indiscriminate data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover , WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts not satisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also stigmatized by the WP29 by calling for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, the WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out-of-date, considering the approval and forthcoming enter into force of the EU data protection reform, which will bring important improvements on the level of data protection offered to individuals, not at all reflected in the Privacy Shield.

The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, at least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings of the US authorities on mass surveillance programs by security intelligence agencies. Regulatory costs on companies and governmental agencies will not therefore be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.

So, what’s next for Privacy Shield? Another advisory decision is awaited from Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and much likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.

Advertisements

The Safe Harbor Decision (And What Is Wrong With It)

As most people and businesses on either side of the Atlantic are now aware, on October 6, 2015 the European Court of Justice invalidated the Commission’s Safe Harbor decision and made the transfer of personal data to the United States slightly more difficult for businesses.

The Court decision is based on two fundamental findings: first, the Commission’s Safe Harbor decision did not find – as it was required to do according to the Court – that the United States ensures a level of protection of fundamental rights essentially equivalent to that guaranteed within the European Union. Second, and equally important, the Court held that the Commission had no authority to restrict the powers of national data protection authorities to examine complaints of their citizens and assess whether the transfer of data to the United States affords an adequate level of protection.

Until the recent Court decision, the Safe Harbor program has provided a framework for the transfer of personal data from the European Union to the United States. Safe Harbor, however, is neither the only way to transfer personal data to the United States, nor the most commonly used. United States undertakings have consistently used – and will be able to continue to use even after the Court’s decision – model clauses and binding corporate rules.

As European and US undertakings have a wide variety of tools available to transfer data to the United States, the most troubling finding of the Court’s decision is not the invalidation of the Safe Harbor per se, but rather the recognition of much broader powers to member states’ data protection authorities. While the Safe Harbor scheme provided a single and simplified framework that was easily understood by United States’ businesses, the new decision leaves uncertainty as to the approach that each member state’s data protection authorities will take in connection with the export of their citizens’ data. As a consequence, in spite of the current efforts by European authorities to adopt a single data protection regulation ensuring a more uniform legislation throughout the continent, the Court decision is likely to lead – for at least some time – to a more fragmented and less clear legal framework among different member states.

Last, but not least, it is worth noting that one of the main reasons that led the Court to invalidate the Safe Harbor Commission’s decision has been the discovery of mass surveillance programs by US national security intelligence agencies and their rights to access personal data of European citizens. The concern of the European Court of Justice is well grounded and all of us, as individuals, are likely to share that same concern. However, why is the Court not equally worried about the surveillance programs and data retention policies adopted by several member states over the last few years?

Many have pointed out (see for instance here and here) that the Court decision is the result of different sensitivities between US and European people when it comes to the protection of their privacy, being the Europeans more keen to consider the protection of their personal data as a fundamental human right (or, rather, very keen on teaching data protection lessons to the United States). However, the failure of the European Court of Justice to acknowledge that such fundamental right is as much at risk within the borders of Europe as it is outside leaves us wondering whether the Court is really protecting the substance of our privacy as European citizens.