
Google Analytics under Scrutiny by Italian Data Protection Authority

The second issue of our summer series focuses on the recent decision by the Italian Data Protection Authority, which affects all users of the Google Analytics services in Italy, as well as other similar services that entail the transfer of users’ personal data to the United States.

Read our slides to understand what actions are available to you.

Italian Data Protection Authority Authorizes the “Privacy Shield”

The Italian Data Protection Authority has authorized the transfer of personal data to the United States on the basis of the new “Privacy Shield” program, designed by the European Commission and the U.S. Department of Commerce to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016 the European Commission deemed that the “Privacy Shield” offered adequate protection and could enable data transfers under EU legislation.

The Italian Data Protection Authority has now issued a general authorization for the processing and transfer of personal data in accordance with the “Privacy Shield” program and with the European Commission adequacy decision. The general authorization will be published today on the Official Gazette. Italian companies and multinational corporations active in Italy will therefore be able to transfer personal data to United States entities adhering to the “Privacy Shield”.

This latest decision comes after the expiration of the previous general authorization allowing the transfer of personal data to the United States pursuant to the “Safe Harbor” framework, held invalid by the Court of Justice of the European Union on October 22, 2015.

The European Commission plans to implement a continuous monitoring of the “Privacy Shield”, while at the moment it remains unclear how many business entities will seize this opportunity and join in the new program.

The New EU-US Privacy Shield

Yesterday the European Commission announced that the new agreement between the European Union and the United States on European data flowing into the United States has been approved. After months of negotiations, the deal was enthusiastically announced as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses” that “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints” in the words of Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality.

Ever since the 2015 Court of Justice of the European Union (“CJEU”) landmark decision that put an end to the Safe Harbour system (i.e., the previous agreement regarding EU-US data flows), the US and the EU had negotiated for about 2 years in the attempt to create a system that aims at reassuring European citizens and creating clarity for United States businesses. An initial agreement on the Privacy Shield was already reached in February, and heavily criticized by the association of European data protection authorities named “Article 29 Working Party” (as we covered in our blog). Allegedly, the European Commission has taken note of such criticism and added additional clarifications and improvements to the draft.

Here are the main features of the Privacy Shield, as set forth in the Commission’s fact sheet:

  • The U.S. Department of Commerce will register U.S. companies under the Privacy Shield if they commit to process personal data in accordance with certain compliance standards. It will also conduct regular updates and compliance reviews of participating companies, and companies who do not comply face sanctions and removal from the Privacy Shield list.
  • U.S. government’s access to personal data for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. There will be no indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement.
  • EU data subjects will, also for the first time, benefit from redress mechanisms in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State independent from the US intelligence services.
  • In case of processing of personal data in breach of the Privacy Shield, EU data subjects will have access to several dispute resolution mechanisms: (i) redress by the data controller, (ii) free of charge alternative dispute resolution solutions, (iii) complaints submitted to their national Data Protection Authorities, who will work with the U.S. Federal Trade Commission to resolve complaints, (iv) an arbitration mechanism.
  • The functioning of the Privacy Shield will be monitored and a public report to the European Parliament and the Council will be issued.

The one million dollar question is: will the Privacy Shield hold?

The CJEU may strike it down in the future, and privacy groups will undoubtedly test the waters with new cases. If this happens, some predict that there will not be any further attempt to create another “Safe Harbor” or “Privacy Shield”. As Mark Scott of the New York Times puts it: “The European Commission, the executive arm of the European Union, and the United States Department of Commerce spent years negotiating the new deal. If it were eventually overturned in court, few companies or privacy experts would have faith that either side could do any better the next time around”.

Art. 29 Working Party on EU-US Privacy Shield: Trust Not Yet Restored For Transatlantic Data Flows

Only few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).

According to the Commission’s press release, the Privacy Shield’s guarantees include:

  • strong obligations on companies and robust enforcement;
  • clear safeguards and transparency obligations on US government access;
  • a redress possibility through an independent Ombudsperson mechanism;
  • effective protection of EU citizens’ rights through various measures (a specific timeline for resolving complaints, a free of charge alternative dispute resolution solution, as well as the possibility for EU citizens to lodge complaints with their national Data Protection Authorities, who will work with the Federal Trade Commission to solve them).

Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.

But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?

Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years, before Facebook, the social network, the big data era and the emergence of encryption vs. surveillance-like debates.

However, WP29 welcomes the additional recourses made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).

Unfortunately, it seems that these few, general, positive notes are by far neutralized by the much more incisive negative remarks made by the WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by the Privacy Shield instruments (nor can it be clearly construed from their current wording), and onward transfers of EU personal data to third countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed by US authorities, it cannot be fully excluded that US administrations will continue the massive and indiscriminate collection of data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover, WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts not satisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also criticized by the WP29, which calls for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, the WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out of date, considering the approval and forthcoming entry into force of the EU data protection reform, which will bring important improvements to the level of data protection offered to individuals, none of which is reflected in the Privacy Shield.

The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, to say the least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings by the US authorities on mass surveillance programs run by security intelligence agencies. Regulatory costs on companies and governmental agencies will therefore not be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.

So, what’s next for the Privacy Shield? Another advisory decision is awaited from the Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of the Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and quite likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.