EU Data Regulators Review EU-US Privacy Shield

The Article 29 Working Party (WP29) group of European Union (EU) data protection authorities released its opinion on the EU-US Privacy Shield (Privacy Shield) on November 28, 2017. The overall verdict is rather negative, raising some serious issues and pointing out many areas for improvement. The WP29 ends with the threat of legal challenge if the opinion is ignored. However, counsel whose organizations have certified under the Privacy Shield, or those considering it, should not panic.

Background

The Privacy Shield is the more robust successor to Safe Harbor, which was declared “inadequate” by the Court of Justice of the European Union (CJEU) in 2015. One of the factors that persuaded the European Commission to find the Privacy Shield “adequate” was that it contained an annual joint review, conducted by the commission and Washington representatives of the Department of Commerce (DoC), Federal Trade Commission, and US Intelligence Community. The commission gave the official (if lukewarm) approval in October last year. The WP29, which also participated in the review, was even more negative.

The good

The opinion recognized that the Privacy Shield is a great improvement on Safe Harbor. It welcomes the DoC's commitment, systems, and dedicated team. It also approves of increased transparency on security surveillance and declassification of certain documents. Organizations that are Privacy Shield-certified should take some comfort in this.

The bad

The body of the opinion is made of criticisms of the Privacy Shield. The WP29 objections fall into two categories: (1) certain aspects on its commercial application, and (2) major concerns about US mass surveillance.

Commercial aspects
  • The WP29 criticized the lack of detail both for organizations certifying to the Privacy Shield and for individuals trying to assert their rights under it. DoC retorted that the Privacy Shield is a principles-based scheme, and they wanted organizations to consider the principles rather than copy and paste the official text. One of the longstanding criticisms of Safe Harbor was that organizations merely ticked the boxes then forgot all about it.
  • The WP29 wants clear guidance for individuals and organizations on how the scheme works. This is a fair criticism, as anyone who has read the Adequacy Decision and Privacy Shield Principles can attest. However, any counsel following developments in the European Union will be forgiven for considering this rather befuddling, given the WP29's own efforts to publish guidance on the European General Data Protection Regulation (GDPR).
  • Whilst the DoC reviews privacy notices of applicant organizations, it does not check vendor contracts (which must flow down Privacy Shield obligations), test a certified organization's statements, nor undertake any proactive compliance monitoring. The WP29 felt this was neither a sufficient check of initial certification nor ongoing compliance.
  • The certification process, which may take a month, requires organizations to publish their privacy notice once they start the process. Organizations in the process of recertifying are given a month to get their paperwork in order. As such, the WP29 disliked that the Privacy Shield website would thus be temporarily listing organizations as certified fully when they were not.
  • During the review, it emerged there is a considerable misunderstanding between the European Union and United States regulators on what constitutes HR data. For the WP29, it is any data relating to an employee, whereas in the DoC's view it only applies to employees within the same organization. The DoC believes employee data transferred to another organization becomes commercial data. This is significant as the commission and the WP29 clearly intended HR data to receive greater protection, such as the ability to complain directly to EU regulators.
  • The WP29 also reiterated its list of objections that it raised at the time of the commission's initial approval of the Privacy Shield and which have not been addressed: the lack of a glossary, the lack of a distinction between controllers and processors, and the overly broad exemption for publicly available information.
Mass surveillance
  • US authorities asserted that collection of data under the Foreign Intelligence Surveillance Act s702 is no longer generalized. However, the WP29 noted the lack of evidence or binding commitments to back this up. And whilst the authorities asserted that such surveillance is limited to specific “targets,” it transpired that there are at least 100,000 such targets in 2016 alone.
  • The WP29 sees the upcoming deadline to re-authorize s702 as an opportunity to add safeguards such as a “reasonable suspicion” criterion or an oversight body. This was always unlikely given US President Donald Trump announced that the US can keep warrantless surveillance under s702 even if Congress fails to extend it. In fact, Congress voted to extend it for another eight years this week. Mass indiscriminate surveillance was a key objection of the CJEU to Safe Harbor, which will no doubt be raised in any legal challenge to Privacy Shield.
  • Continuing the theme of increased transparency, the WP29 would also like the Privacy and Civil Liberties Oversight Board (PCLOB) to update its report on mass surveillance under s702 (last released 2014), publish a report into Executive Order 12333, and release its currently privileged report on Presidential Policy Directive 28. These updates should provide clearer insight into the necessity and proportionality of the surveillance system and whether the commitments made during the adoption of the Privacy Shield and the joint review are being met in practice.
  • Whilst it rates the PCLOB highly as a key oversight body, the WP29 laments the fact that there is actually only one sitting member on the board. The WP29 feels it is essential that members be appointed as soon as possible, particularly given the weight the CJEU gave to the lack of oversight of surveillance programs. Given the large number of senior posts in the current administration that remain unfilled, this seems unlikely to be resolved soon.  
  • The WP29 raised the same issue against the ombudsperson, who is currently sitting in an acting role. It wanted more clarity over the exact powers and procedures of the ombudsperson. The interactions with the rest of the Intelligence Community are classified, but the WP29 suspects the ombudsperson does not have sufficient power to act as a genuine safeguard. Its decisions cannot be brought to open court.

The opinion finishes with 20 or so pages of facts that came out of the review interviews, which provide an interesting insight into how the scheme is actually working in practice.

The ugly

The opinion starts and ends with an invitation to the commission to rethink the adequacy decision, backed up by a threat: the serious concerns must be addressed at the latest by 25 May 2018 (the date GDPR applies), and the remaining concerns must be addressed at the latest by the second joint review. Failing this, the WP29 will take “appropriate action,” including seeking a CJEU preliminary ruling. For counsel not familiar with the workings of the European justice system, this would involve a regulator bringing a case in a national court and seeking a reference to the CJEU to rule on the validity of the Privacy Shield, which the CJEU could potentially declare invalid.

Should Privacy Shield organizations be worried?

The WP29 represents all EU data regulators and so gives an insight into how they perceive the Privacy Shield. Once GDPR applies it will become the European Data Protection Board and be responsible for upholding the GDPR, complete with wide-ranging new powers. The WP29 may also be trying to reassert its role as guardian of EU data protection following criticism from the CJEU in the Schrems decision.

However, it is the commission, not the WP29, which rules on the adequacy of the Privacy Shield. The WP29's role stems from a recital which states participation in the review meeting is "open to" it; the opinion is not legally binding. Given the political nature of the Privacy Shield, the importance of transatlantic data flows, and the commission's pronouncement of support, it is hard to see the commission revisiting its finding.

A referral to the CJEU will first have to go via a national court, which may refuse the referral, or at least cause delay whilst the specific questions are fought over. Such a battle will get going in the Schrems 2 referral in Ireland. The General Court (the CJEU's lower court) could strike it down, as it just has the Digital Rights Ireland challenge. Cases at the CJEU are notoriously slow, and there is currently an 18- to 24-month backlog. By that time the third and probably fourth Privacy Shield annual reviews will have taken place and we will have an idea of how GDPR is interpreted in practice. Some of the promising new transfer mechanisms that could serve as alternatives to the Privacy Shield, such as codes of conduct, may also be available by then.

Counsel of Privacy Shield-certified organizations, those who rely on it, or those considering certifying should not panic. Keep an eye on developments, but at the moment business should continue as usual.

PS: Interesting Brexit side note: It is notable how much weight the WP29 gives to state surveillance. A post-EU United Kingdom will be pushing for a finding of adequacy and one of the factors the commission will take into account is mass surveillance. The United Kingdom's controversial Investigatory Powers Act, which Edward Snowden described as "the most intrusive and least accountable surveillance regime in the West," may harm its chances.

About the Authors

Alexander de Gaye is a UK-qualified lawyer specialising in data protection in Fieldfisher's top-ranked Privacy, Security, and Information team. He is currently seconded to Silicon Valley advising primarily US technology, ad-tech, and data companies on their GDPR preparations.
