Privacy Shield - not just Safe Harbour 2
With the final Privacy Shield, the European Commission and US Government have concluded years of negotiation over transatlantic data flows. Cameron Kerry and Maarten Meulenbelt consider the implications.
Cameron Kerry, lawyer, Sidley Austin LLP
The Privacy Shield sets a high standard for international data transfers. The Commission's conclusion in its Privacy Shield decision that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States” is supported by a thorough analysis that should stand up to legal challenge.
Critics of the Privacy Shield operate under common misconceptions about the Privacy Shield and EU law as well as US law.
One criticism is easy to address: the claim that the Privacy Shield is just a repackaging of the Safe Harbour framework invalidated by the Court of Justice of the European Union (CJEU) last October. Anyone who says so doesn't understand privacy in practice and the interaction of US laws and law enforcement.
The details in the Privacy Shield make a concrete difference compared to Safe Harbour. The number of specific items that must be in disclosures, privacy policies, and contracts means companies have a lot of work to do to subscribe. These are not empty promises because checks by the Commerce Department and enforcement by the Federal Trade Commission will hold companies to the requirements. If they do not, the Commission, data protection authorities in EU countries, and EU civil society will be watching closely.
Maarten Meulenbelt, lawyer, Sidley Austin LLP
A second common criticism is a little more complex: a claim that the Privacy Shield fails to meet EU standards for safeguards against government surveillance, particularly as to bulk collection and remedies for individuals to challenge surveillance. This reflects an idealised view of EU law and practices, and assumes the worst about US surveillance without stopping to examine how they actually compare.
The European Commission, with the benefit of unprecedented scrutiny and transparency in response to the Snowden leaks, conducted a careful appraisal of US surveillance in the light of EU law. A few key points:
- The CJEU Safe Harbour decision did not rule on US surveillance or US law. Rather, it faulted the Commission's approval process for failing to address questions that the Privacy Shield approval addresses thoroughly.
- EU law does not condemn bulk collection of data as such even on a large scale. The CJEU invalidated EU legislation that enabled large-scale collection or storage without providing safeguards against abuse and limits on data access, and the European Court of Human Rights has permitted bulk surveillance provided it is accompanied by sufficient safeguards. In fact, the committee of data protection authorities known as the Article 29 Working Party agreed this is EU law, and the European Fundamental Rights Agency has documented laws and practices by EU member states that employ bulk surveillance.
- The Commission's Privacy Shield decision and supporting materials from the US government make clear that use of bulk surveillance for foreign intelligence is narrow and circumscribed. It must be for purposes specifically defined by law and further refined by presidential order and a broad administrative process, implemented with extensive checks and oversight, and used only where more targeted collection is not feasible. As a result, bulk surveillance is aimed selectively at limited situations (examples suggest Syria and Afghanistan).
- The Ombudsperson created under the Privacy Shield especially to give individuals in the EU a channel to complain about US surveillance is a high-level official who reports directly to the Secretary of State ‒ and not to intelligence agencies. This official is vested with authority from the president “to serve as a point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the United States” and coordinate with other agencies to this end. The Ombudsperson's powers resemble those of EU agencies that review surveillance.
- The right of EU citizens to obtain legal redress regarding surveillance by their own governments is often limited. Independent judicial approval, oversight, and individual legal redress in the US compare favourably.
The Privacy Shield is very different from Safe Harbour and, if and when a legal challenge goes to the CJEU, that court will be presented with a very different case. The court can ‒ and should ‒ decide from an informed understanding rather than misconceptions from old headlines.
Contributed by Cameron F. Kerry and Maarten Meulenbelt, lawyers, Sidley Austin LLP