(Update: The European Commission has formally adopted its implementing decision on 12th July 2016. The related documents and an FAQ with the Commission's spin are available here.)
The so-called "Privacy Shield" arrangement between the EU and the US is supposed to provide a legal basis for the transfer of personal data from the European Union to the United States. It has been subject to heavy debates. Here is background information, a list of frequently asked questions and the answers to them.
Background and Timeline
The first iteration of the “Privacy Shield” arrangement was adopted by the European Commission on 29th February 2016. It consisted of a draft implementing decision and a series of annexes, including the “Privacy Shield” principles jointly negotiated with the US Department of Commerce and a series of letters from different branches of the US administration.
It followed the revelations by Edward Snowden in June 2013 on large-scale mass surveillance by US intelligence services, and a judgement of the European Court of Justice in October 2015 (Schrems case), which invalidated the “Safe Harbor” arrangement that had been used as a legal basis for the transfer of personal data from the EU to the US since 2000. The Court especially pointed to the mass collection of communication content, which touched upon the essence of the fundamental right to privacy.
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) held a hearing on 17th March 2016 to assess the “Privacy Shield” arrangement, and adopted a resolution on 26th May 2016, asking the Commission to continue negotiations with the US. The Greens/EFA motion for resolution, which had been authored by Jan Philipp Albrecht, called for a sunset period of two years, but did not find a majority.
The Article 29 Data Protection Working Party - the body of all EU data protection authorities - issued an opinion on 13th April 2016. The European Data Protection Supervisor issued an opinion on 30th May 2016.
The new version of the “Privacy Shield” arrangement was officially transmitted to the European Parliament by the European Commission on 28th June 2016, after the Member States had already received it and the Chair of the EP’s Committee on Civil Liberties, Justice and Home Affairs had complained to justice commissioner Vera Jourova about this. So far, it has not been officially published.
The Article 31 Committee of the EU’s Member States approved the draft implementing decision - i.e. the new “Privacy Shield” adequacy finding - on 8th July 2016.
Frequently Asked Questions to Jan Philipp Albrecht
What do you think about this new version? Is there any improvement?
There are a few improvements, the most obvious being on the purpose limitation and the duration of data retention by private companies. But even here, the EU standard that data can only be stored as long as this is "necessary" is watered down to "relevant". Of course, any data can be relevant for the company, but that does not mean it meets the necessity test.
Do you think this new version should be approved?
No. At the very least, it should get a sunset clause and expire in two years, when the new EU data protection rules have to be applied. The negotiations should in the meantime continue with the next US administration, which also should amend its laws in the next two years. I know this is difficult given the current situation on Capitol Hill in Washington, but we can't give US companies such privileged access to the EU data transfers market if they don't follow our standards.
Do you think there is a chance that it will be approved?
After it has been approved by the Member States on 8th July, it looks like the Commission is going to approve it this week – ignoring all the reservations voiced by the European Parliament, the data protection authorities, and several experts. This is very unfortunate especially in the post-Brexit situation and will not lead to more confidence of our citizens in the EU Commission and the EU as a whole. It will also leave companies in legal limbo, because it is clear that it will end up in front of the European Court of Justice again.
What do you think about the way the European Commission asks Member States to review this new version in only a few days?
This rush right before the summer break is unnecessary and raises a lot of eyebrows. It's not just the Member States. The European Parliament should have had an opportunity to express its assessments before adoption, but our next plenary session is only in September.
Who is supposed to be protected by the Privacy Shield? The text is referring to “EU data subjects” and “EU individuals”. Are these European citizens, or anyone in Europe?
The latest version of Privacy Shield now clarifies that everybody in the EU is covered, not just EU citizens, as required by the EU Charter of Fundamental Rights. But that basically means the non-EU citizens in Europe have the same weak protection as EU citizens.
According to the opinion of the data protection authorities (DPAs) in the Article 29 Working Party in April, the previous text allowed a very broad use of Europeans’ personal data. Is there any change about that?
See the first question on improvements.
Companies like Google or Facebook only have to make a self-assessment of their own compliance to the Privacy Shield principles. What do you think about this self-certification approach?
This approach has been one of the problems of "Safe Harbor" since the year 2000. It has not improved with the "Privacy Shield".
Under the complaints procedure, an EU data subject can bring a data protection issue before its national data protection authority (DPA), but only if the company in question has allowed that. Does this mean that the European DPAs cannot investigate in all the cases?
The Privacy Shield Principles are at least unclear in this regard, as far as I read them. The chapter on the role of Data Protection Authorities (DPAs) in arbitration indeed sounds like mandatory cooperation with them is only required for human resources data. However, the chapter on dispute resolution and enforcement requires companies to respond expeditiously to complaints referred by DPAs through the Department of Commerce. This needs more clarity.
Similarly, the Privacy shield is referring to an "independent dispute resolution body" in the US or in Europe, designated by the company. Who can this be?
These dispute resolution bodies have already been used under the "Safe Harbor" arrangement. They are traditionally set up by self-regulatory organisations such as the Better Business Bureau or TRUSTe, which have a track record of being soft towards industry.
If, after complaints have been brought forward and a notification has been issued, a company still doesn’t comply with the “Privacy Shield” principles, the Department of Commerce or the Federal Trade Commission (FTC) can take over the case, right?
Yes. However, the FTC is not obliged to investigate and enforce all individual cases brought before it, but has to see if they are relevant for the functioning of a competitive market. This is not the same as a European DPA. The Department of Commerce in turn is not an independent oversight body as required for data protection enforcement by the EU treaties, but a branch of the US government.
Does this mean that European data protection authorities can’t enforce the “Privacy Shield Principles” in the United States? If an issue occurred between a European data subject and a US company, can the case only be reviewed and decided in the US?
That seems to be the case within the "Privacy Shield" arrangement. The Commission's adequacy decision however thankfully clarifies that under EU law, DPAs always have the competence and powers to suspend data transfers to a third country if they see a violation of EU law. This follows the judgement of the European Court of Justice in the Schrems case last October.
About the mass surveillance: In its opinion issued in April 2016, the Article 29 Working Party of EU data protection authorities stated that the bulk collection of communications data was not "acceptable". Have you seen any new guarantees in the new text?
All I have seen is a funny attempt to define "bulk collection" as not being "mass surveillance". The US government is still allowed to do bulk data collection in at least six cases, including gathering "foreign intelligence information", which can be information on anything from illicit arms trade to legitimate trade agreement protests.
The US is distinguishing between "bulk collection" and "massive and indiscriminate" surveillance of personal data and communications. How can bulk collection not be massive?
I am afraid you will have to ask the US administration to explain this. I think it's a very obvious attempt to define away the situation of ongoing mass surveillance outside of the United States. The US government tries to tell us that it is only surveillance if someone actually looks at the collected data. The EU courts however have repeatedly made clear that already the automated access to and collection of data and communications affects the fundamental rights to data protection and privacy.
In April, the European data protection authorities stated that the status of the new ombudsperson in the US Department of State was not good enough. Has anything changed about that?
The problem persists. The ombudsperson will be independent from the US intelligence community, but as an Under-Secretary of State, she ultimately reports to the US Secretary of State. This by no means satisfies the independence criteria for data protection authorities in the EU, as required by Article 16 of the Treaty on the Functioning of the European Union. The EU Court of Justice has made this crystal clear in several judgements.
The new version of the “Privacy Shield” has a subsection about “automated processing of personal data to take decisions affecting the individual”, also known as algorithmic treatment. Do you know why?
I am not sure, but I assume this was added because the new EU data protection rules entered into force in the meantime, and they contain such a provision. However, US law protects against algorithmic decision-making only in three specific cases (the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Housing Act). This is not comparable to EU rules. The Privacy Shield itself does not contain any specific rules prohibiting algorithmic treatment, and it is regrettable that instead of doing so, the EU Commission and the US administration only agreed to start a "dialogue".