The Privacy Shield Agreement Enters into Force (by Army General (2S) Watin-Augouard, Founder of the FIC)

Privacy Shield has just been adopted to replace Safe Harbor. This agreement, concerning European personal data protection, represents progress, even if the WP29 has reservations about it. An initial assessment will be performed when the agreement is reviewed in 2017.

The principles of Safe Harbor were established to protect personal data, in accordance with the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, which remains in force until 25 May 2018. This directive requires a high and equivalent level of protection of people’s rights and liberties in all the Member States, particularly to allow people’s data to circulate freely within the European Economic Area (EEA). It prohibits the transfer of personal data to a third country when this third country does not offer an « adequate level of protection. »

The European Commission’s decision of 26 July 2000 on the adequacy of the protection provided by the « safe harbor » principles recognised that transfers between the European Union and the United States met the requirements. The decision did not affect the financial or banking industry concerned by the SWIFT agreement[1]. It also did not apply when internal data transfer rules (Binding Corporate Rules or BCRs) approved by the 28 European national regulators (in truth just one under the principle of mutual recognition) were established, when « standard contractual clauses » prepared by the European Commission were in place or when the transfer met the requirements set out in Article 69 of the French law of 6 January 1978 concerning information technology, data files and civil liberties[2].

The European Commission’s decision was cancelled by the CJEU’s judgement in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, of 6 October 2015.

More than 4,000 American companies established in Europe were concerned by the judgement and directly affected by its consequences. While the judgement was welcomed by Internet rights defenders, it caused concern in economic environments, especially SMEs. Indeed, SMEs lack sufficiently developed legal departments to establish standard contractual clauses or binding corporate rules, or to obtain authorisations from the French CNIL (Art. 69 of the French law of 6 January 1978) providing for the transfer of data outside of the « safe harbor. »

On 26 October, Věra Jourová, the European Commissioner for Justice, announced a « Safe Harbor 2.0. » This demonstrated that the urgency of the matter was being taken into account. The European Commission, ordered to present a new agreement by 31 January 2016, accelerated negotiations (already under way) to arrive at a text that could be deemed satisfactory, especially by the WP29. Thus on 29 February 2016 it presented its draft « decision on the adequacy of the protection provided, » as well as the texts (Privacy Shield Principles) to constitute the « EU-US privacy shield. »

The Privacy Shield may be outlined as follows:

1. Companies shall be subject to certain obligations coupled with surveillance mechanisms allowing them to be sanctioned or excluded. The new rules also include stricter requirements for transfers to other partners by companies adhering to the measures.
2. Access by American authorities shall be closely supervised and transparent: the American government, through the voice of the American Director of National Intelligence, has given the European Union certain guarantees in writing. All access by authorities to data for purposes of national security shall be subject to certain well-defined limitations, requirements and mechanisms. This will prevent widespread access to personal data. A mediation mechanism, independent of departments of national security, shall be established.
3. The protection of EU citizens shall be better ensured by a non-judicial alternative dispute resolution mechanism, which shall be accessible free of charge. The companies affected must respond to complaints within 45 days. EU citizens shall also be able to turn to their national authority in charge of data protection, which shall collaborate with the Federal Trade Commission to find a solution. An arbitration mechanism shall be available as a last resort.
4. A joint annual review shall be performed by the European Commission and the US Department of Commerce. This shall bring together experts working within the American and European data protection authorities. The European Commission shall organise an annual meeting with NGOs and stakeholders in the field of respect for privacy to debate more general trends in American legislation on privacy and their repercussions for European citizens. It shall send a public annual report to the European Parliament and to the Council.

After Barack Obama enacted the Judicial Redress Act[3] on 24 February, the European Commission started the process of signing the framework agreement. The College of European Commissioners must adopt the measures, after consulting with a committee consisting of representatives from Member States and after obtaining the opinion of the European authorities in charge of personal data protection (WP29). Meanwhile, the United States must implement the new framework and the mechanisms of control and mediation. On 13 April 2016, the WP29 indicated, through the voice of its president Isabelle Falque-Pierrotin, that the text is a step forward that can still be improved.

The decision on the conclusion of the agreement was adopted by the Council on 12 July 2016 after it was approved by the European Parliament. It will enter into force as soon as the Member States are notified of it.

On 25 July 2016, the WP29 met and maintained its position. The points raised by critics include the lack of guarantees that US departments will cease to conduct mass surveillance of European data, doubts as to the mediator’s impartiality and the difficulties that complainants may encounter. All European citizens may, in effect, turn to the American justice system, but, as the WP29 emphasised, this mechanism could prove to be too complex, especially when they do not speak English.

The agreement must be reviewed each year. When taking part in re-evaluating it, the WP29 « will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-US Privacy Shield are workable and effective. »

In any case, it should be noted that the isolated procedure by a 27-year-old man who ventured into the breach created by the Snowden revelations has called into question an entire system to which 29 Member States belong. This is yet another demonstration of the extraordinarily asymmetric power that individuals possess in the digital space.

[1] Agreement signed on 28 June 2010 between the European Union and the United States allowing the United States to access European banking data stored in the Society for Worldwide Interbank Financial Telecommunication network.

[2] The transfer is expressly agreed to by the person concerned or meets certain requirements listed in Article 69 (protection of a person’s life or a public interest, exercise or defence of a specific right in legal proceedings, etc.).

[3] This law allows Europeans to bring civil actions against the United States should the rules concerning their personal data be violated.