EU-US Privacy Shield [by Aude Gery, CEIS]

After the European Court of Justice’s 6 October 2015 judgment[1] invalidating Safe Harbor, companies, citizens and national data protection authorities waited for the European Union and the United States to reach a new agreement on the transfer of personal data. Invalidating Safe Harbor did not put an end to the transfer of personal data from the European Union to the United States inasmuch as companies making these transfers could base their actions on binding corporate rules (for sharing internal personal data with companies), standard contractual clauses or even, when authorised, one of the exceptions to the ban on cross-border flows referred to in Article 69 of the Information Technology and Civil Liberties (“Informatique et Libertés”) law. Although it was a victory for defenders of the right to privacy, this decision did not create any less legal insecurity for companies. To mitigate this situation, a few days after the Schrems judgement, the members of the Article 29 Working Party (national authorities in charge of personal data protection) were “urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights[2].” This transition period had a deadline, 31 January 2016, beyond which national personal data protection authorities were authorised to implement the actions required to ensure personal data protection. On 2 February 2016, the European Commission announced that it had reached an agreement with the United States: the EU-US Privacy Shield[3]. Does the wording of this agreement really ensure that personal data are protected at a suitable level when they are transferred outside of the European Union? To date, the agreement has not yet been published, which precludes any detailed analysis of its future provisions. However, a press release by the European Commission presents the future system’s main mechanisms.

This new agreement’s objective is twofold. On the one hand, it aims to “protect the fundamental rights of Europeans where their data is transferred to the United States,” and, on the other hand, it aims to “ensure legal security for businesses.” The agreement has three major categories of provisions: obligations for companies, obligations for US authorities, and provisions to ensure effective protection of citizens’ rights. Companies wishing to transfer personal data must not only publicise their intended action, which may then be opposed, but also abide by strict terms regarding data processing. Supervision of these intended actions will be ensured by the US Department of Commerce and the Federal Trade Commission, which will be entitled to impose sanctions up to exclusion from the new system should a company breach its obligations. In addition, for data related to human resources, companies shall comply with the decisions of European authorities in charge of personal data protection. Access by US authorities to data shall also be supervised. Indeed, the United States has pledged to ensure that “the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” The national security exception must also be used proportionately and “only to the extent necessary.” Annual supervision of the agreement’s implementation will be organised with the participation of US intelligence experts and European regulators. Finally, European Union citizens will have access to several means of redress when they believe that their data have been used abusively. The recommended procedure for settling disputes is negotiating directly with the company having transferred the data. Citizens will also be able to turn to national authorities in charge of personal data protection, which will ensure that the Federal Trade Commission processes the complaint. Lastly, an arbitration mechanism will be established should the previous means of redress fail. For legal proceedings related to access by US public authorities to data, an Ombudsman not affiliated with any national security service will be appointed.

In its 6 October 2015 judgement, the ECJ ruled that the principles and mechanisms of Safe Harbor did not ensure a suitable level of data protection. The Court highlighted, on the one hand, the indiscriminate nature of data collection by US authorities, and, on the other hand, the lack of a supervisory mechanism to assess the legality of interfering with the fundamental rights of people whose data had been transferred. Finally, it noted the lack of opportunities for citizens seeking justice to exercise means of redress. Safe Harbor, then, violated the right to privacy and the right to effective legal protection. The EU-US Privacy Shield seems to respond to the criticisms issued by the ECJ. Indeed, it mitigates the violation of the right to privacy by supervising US authorities’ access to data, imposing new obligations on companies and granting US supervisory authorities a power to sanction. It responds to the violation of the right to effective legal protection by multiplying European citizens’ potential means of redress. However, certain Safe Harbor provisions do not seem to have been called into question. The Privacy Shield system will remain a system of accession and self-regulation, and the US supervisory authority will always be the Federal Trade Commission. While the announcements seem to point towards greater protection of European citizens’ data, many grey areas remain. Isabelle Falque-Pierrotin did not fail to raise this during a press conference[4]. One of the major unknown factors of this agreement concerns the powers and means that will be available to Ombudsmen, even though they are central to effective supervision to prevent any mass surveillance. The agreement’s effectiveness also raises doubts inasmuch as the concept of national security has a very broad meaning. It is indeed difficult to imagine that European regulators have enough influence to limit mass surveillance of Europeans. As for the Federal Trade Commission’s powers to supervise and sanction, for the moment they remain too vague for their potential effectiveness to be assessed. In addition, it should be recalled that a statement by the Art. 29 WP dated 16 October 2015[5] highlighted four principles that should govern the future agreement on the transfer of personal data: processing based on clear, precise and accessible rules; necessary, proportionate access founded on legitimate objectives; an independent supervisory mechanism; and finally the existence of effective means of redress allowing everybody to defend their rights before an independent entity. This outline of a European standard will be central to the assessment of the future agreement that will be done by the Art. 29 WP. While waiting for this agreement to be adopted, companies will be able to continue to transfer personal data to the United States on the basis of binding corporate rules (BCRs), standard contractual clauses and other ad hoc clauses.

A user’s trust in a company must be founded on transparency, based on respect for laws, compliance with independent international standards and verification of the compliance of services by an independent third party. Therefore, it is imperative that the future agreement meet these requirements. The announcement of the EU-US Privacy Shield has already aroused indignation, distrust and fury. It is not hard to foresee bitter debates on its content and its ability to protect European citizens’ data. Max Schrems has already announced that he will dispute this agreement’s validity. The CNIL’s formal notice to Facebook of 8 February 2016, in which it accused the company of continued reliance on Safe Harbor and other failures to comply with the French Data Protection Act, demonstrates the need for a new legal framework for the transfer of data from the European Union to the United States. However, the legal security requirement cannot serve as an excuse for violating the fundamental right to privacy.

Références :  

[1] ECJ judgement of 6/10/2015, Case C-362/14, Maximillian Schrems v Data Protection Commissioner, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62014CJ0362&from=FR

[2] Statement of the Article 29 Working Party, Brussels, 16 October 2015: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

[3] European Commission, press release, 2 February 2016, http://europa.eu/rapid/press-release_IP-16-216_en.htm

[4] https://scic.ec.europa.eu/streaming/article-29-subgroup-implementation-of-the-privacy-directive

[5] Statement of the Article 29 Working Party, Brussels, 16 October 2015: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf