The Commission’s Draft EU-US Privacy Shield Adequacy Decision: A Shield for Transatlantic Privacy or Nothing New Under the Sun?
November 23, 2018
Dr. Maria Tzanou (Lecturer in Law, Keele University)
On 6 October 2015, in its judgment in Schrems, the CJEU invalidated the Commission’s decision finding that the US ensured an adequate level of protection for the transfer of personal data under the Safe Harbour framework on the ground that US mass electronic surveillance violated the essence of the fundamental right to privacy guaranteed in Article 7 EUCFR and the right to effective judicial protection, enshrined in Article 47 EUCFR (for an analysis of the judgment, see here).
On 2 February 2016, the Commission announced that a political agreement was reached on a new framework for transatlantic data flows, the EU-US Privacy Shield, which will replace the annulled Safe Harbour. On 29 February 2016, the Commission published a draft Privacy Shield adequacy decision followed by seven Annexes that contain the US government’s written commitments on the enforcement of the arrangement. The Annexes include the following assurances from the US: Annex I, a letter from the International Trade Administration of the Department of Commerce, which administers the programme, describing the commitments that it has made to ensure that the Privacy Shield operates effectively; Annex II, the EU-US Privacy Shield Framework Principles; Annex III, a letter from the US Department of State and accompanying memorandum describing the State Department’s commitment to establish a Privacy Shield Ombudsperson for submission of inquiries regarding the US’ intelligence practices; Annex IV, a letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield; Annex V, a letter from the Department of Transportation describing its enforcement of the Privacy Shield; Annex VI, a letter prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to US national security authorities; and, Annex VII, a letter prepared by the US Department of Justice regarding safeguards and limitations on US Government access for law enforcement and public interest purposes.
Similar to its predecessor, Privacy Shield is based on a system of self-certification by which US companies commit to a set of privacy principles. However, unlike Safe Harbour, the draft Privacy Shield decision includes a section on the ‘access and use of personal data transferred under the EU-US Privacy Shield by US public authorities’ (para 75). In this, the Commission concludes that ‘there are rules in place in the US designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the US to what is strictly necessary to achieve the legitimate objective.’ This conclusion is based on the assurances provided by the Office of the Director of National Intelligence (ODNI) (Annex VI), the US Department of Justice (Annex VII) and the US Secretary of State (Annex III), which describe the current limitations, oversight and opportunities for judicial redress under the US surveillance programmes. In particular, the Commission employs four main arguments arising from these letters to reach its adequacy conclusion: Firstly, US surveillance prioritises targeted collection of personal data, while mass collection is limited to particular situations where targeted collection is not possible for technical or operational reasons (this captures the essence of the principles of necessity and proportionality, according to the Commission). Secondly, US intelligence activities are subject to ‘extensive oversight from within the executive branch’ and to some extent from courts such as the Foreign Intelligence Surveillance Court (FISC). Thirdly, three main avenues of redress are available under US law to EU data subjects depending on the complaint they want to raise: interference under the Foreign Intelligence Surveillance Act (FISA); unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA). Fourthly, a new mechanism will be created under the Privacy Shield, namely the Privacy Shield Ombudsperson who will be a Senior Coordinator (at the level of Under-Secretary) in the State Department in order to guarantee that individual complaints are investigated and individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied.
The draft Privacy Shield framework may have been hailed as providing an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the US, but despite the plethora of privacy-friendly words (‘Privacy Shield’, ‘robust obligations’, ‘clear limitations and safeguards’) one cannot be very optimistic that the new regime will fully comply with the Court’s judgment in Schrems. A first problematic aspect with the US assurances is that they merely describe the US surveillance legal framework and the relevant safeguards that already exist. In fact, the only changes that were introduced in the US following the Snowden revelations were the issuance of Presidential Policy Directive 28 (PPD-28) (in January 2014) which lays down a number of principles on the use of signal intelligence data for all people; and the passing of the USA Freedom Act which modified certain US surveillance programmes and put an end to the mass collection of Americans’ telephone records by the NSA (in June 2015). Finally, in February 2016, the US Congress passed the Judicial Redress Act which was signed into law by President Obama. Given that one can reasonably assume that the Court was aware of these developments when laying down its judgment in Schrems in October 2015, it seems that, with the exception of the Ombudsperson, Privacy Shield does not change much in US surveillance law. In fact, the Commission has solely based its draft adequacy analysis on a mere detailed description of this law without any further commitment that this will improve in any way in order to comply with EU fundamental rights as interpreted by the CJEU.
While the assurance that US surveillance is mainly targeted and does not take place in bulk is important, there is no reference to the fact that US authorities access the content of the personal data that was deemed to violate the essence of the right to privacy in Schrems. Furthermore, even if the US authorities engage only in targeted surveillance, the CJEU has held in Digital Rights Ireland that the mere retention of private-sector data for the purpose of making them available to national authorities affects Articles 7 and 8 EUCFR and might have a chilling effect on the use by subscribers of platforms of communication, such as Facebook or Google and, consequently, on their exercise of freedom of expression guaranteed by Article 11 EUCFR. Individuals, when faced with surveillance, cannot know when they are targeted; nevertheless, the possibility of being the object of surveillance has an effect on the way they behave. Insofar as Article 47 EUCFR and the right to effective judicial protection is concerned, the Commission itself notes in its draft adequacy decision that the avenues of redress provided to EU citizens do not cover all the legal bases that US intelligence authorities may use and the individuals’ opportunities to challenge FISA are very limited due to strict standing requirements.
The creation of the Ombudsperson with the important function of ensuring individual redress and independent oversight should be welcomed as the main addition of the draft Privacy Shield. Individuals will be able to access the Privacy Shield Ombudsperson without having to demonstrate that their personal data has in fact been accessed by the US intelligence activities and the Ombudsperson, who will be carrying out his functions independently from instructions by the US Intelligence Community, will be able to rely on the US oversight and review mechanisms. However, there are several limitations to the function of the Privacy Shield Ombudsperson. First, the procedure for accessing the Ombudsperson is not as straightforward as lodging a complaint before a national Data Protection Authority (DPA). Individuals have to submit their requests initially to the Member States’ bodies competent for the oversight of national security services and, eventually, a centralised EU individual complaint handling body that will channel them to the Privacy Shield Ombudsperson if they are deemed ‘complete’. In terms of the outcome of the Ombudsperson’s investigation, the Ombudsperson will provide a response to the submitting EU individual complaint handling body (who will then communicate with the individual) confirming (i) that the complaint has been properly investigated, and (ii) that the US law has been complied with, or, in the event of non-compliance, such non-compliance has been remedied. However, the Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Ombudsperson confirm the specific remedy that was applied.
Finally, Annex III stipulates that commitments in the Ombudsperson’s Memorandum will not apply to general claims that the EU-US Privacy Shield is inconsistent with EU data protection requirements. In the light of the above, the Privacy Shield Ombudsperson does not seem to provide the redress guarantees of a supervisory authority such as the DPAs as the AG had asked in his Opinion in Schrems.
Draft Privacy Shield is problematic for another reason as well: it puts together the regulatory framework for commercial transactions with the regulation for law enforcement access to private sector data. These are, however, different issues and they should be dealt with separately. It is important to encourage and facilitate transborder trade, thus flexible mechanisms allowing for undertakings’ self-compliance with data protection principles should continue to apply. But the challenges of online surveillance on fundamental rights are too serious to be covered by the same regime and some ‘assurances’ that essentially describe the current US law. Two solutions could possibly deal with this problem: Either the US adheres to the Council of Europe Convention No. 108 and abandons the distinction between US and EU citizens regarding rights to redress or a transatlantic privacy and data protection framework that ensures a high level of protection of fundamental rights and the transparency and accountability of transnational counter-terrorism operations (the so-called ‘umbrella agreement’) is adopted. Regrettably, the current form of the umbrella agreement is very problematic as to its compatibility with EU data protection standards, or even human rights standards in general, and, therefore, does not seem to provide an effective solution to the issue.
A recently leaked document reveals that the Article 29 Working Party has difficulties in reaching an overall conclusion on the Commission’s draft adequacy decision and supports the view that Privacy Shield does not fully comply with the essential guarantees for the transfer of personal data from the EU to the US for intelligence activities.
Should the Commission nevertheless decide to proceed with the current draft, it is highly possible that the CJEU will be called in the future to judge the adequacy of Privacy Shield in a Schrems 2 line of cases.