(with contributions from Aida Mahmutović)
The fight over personal data transfers between the European Union (EU) and the USA is not over. Earlier this month, a second legal challenge directed at the Privacy Shield framework was raised.
After being formally adopted on 12 July, 2016 by the European Commission, the EU-US Privacy Shield was first challenged in September. Digital Rights Ireland, an Irish privacy advocacy group, filed for the annulment of the Commission’s Adequacy Decision in front of the Luxembourg-based General Court.
Privacy advocacy group La Quadrature du Net, the non-profit Internet service provider French Data Network, and its industry federation, the Fédération FDN, have now challenged the adoption of the Privacy Shield, following in the steps of Digital Rights Ireland. According to Euractiv, the French groups consider the restrictions on US surveillance activities, in particular on the bulk collection of data and the purposes for which it can be used, to be inadequate. The objectors also argue that the fact that the US ombudsman relies on so-called ‘independent’ instruments is not sufficient to make it an independent judicial entity, and that it is therefore not an effective mechanism for dealing with complaints. Details of the case are not yet officially available.
The Article 29 Working Party has, however, indicated that the EU data protection authorities would not challenge the validity of the Privacy Shield for at least a year.
This is far from being the first time that La Quadrature du Net has publicly criticised the Privacy Shield, referring to the framework as ‘protection full of holes!’:
‘The Privacy Shield project was prepared and imposed in a rush by the European Commission and the US Department of Commerce, and does not offer sufficient guarantees for protecting the privacy of European citizens. The project ignores the CJEU judgment that invalidated Safe Harbor concerning the massive surveillance exerted through the data collection of users. It is essential that European governments and National Data Protection Authorities reject this agreement, and that they work together to draft a set of rules that actually protects fundamental rights. The necessity to establish a legal framework for companies whose economic model is based on exploiting personal data must not become an excuse to set up a sordid bazaar that sells the private life of tens of millions of European Internet users.’
Under EU law, companies or individuals may challenge EU acts before the EU courts if they can prove direct or individual concern with the act. Proceedings can be instituted within two months of the act coming into force (Articles 256 and 263 of the Treaty on the Functioning of the European Union). They would otherwise have to go through national courts, a process which takes longer. Both challenges face a strong risk of being declared inadmissible if the court finds that the associations are not directly concerned.
Christian Wigand, a spokesman for the European Commission, which negotiated the Privacy Shield with Washington, said it was aware of the new complaint: ‘We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations.’
According to Reuters, the US Department of Commerce did not respond to questions about the second challenge.
Principles and certification under the Privacy Shield framework
The EU-US Privacy Shield framework provides businesses storing Europeans’ data on US servers - from browsing history and hotel bookings to any other personal data - an easier way to do so without breaching data transfer rules. It also provides legal clarity for businesses relying on transatlantic data transfers.
The framework succeeds the International Safe Harbor Privacy Principles, which were overturned by the European Court of Justice in October 2015.
The Privacy Shield is based on several principles, including obligations on the companies handling the data, safeguards and transparency obligations on US government access. Read more: EU-US Privacy Shield’s seven principles
The framework provides various alternative dispute resolution mechanisms for any citizen who considers that his/her data has been misused under the Privacy Shield framework. In the best case, the complaint is to be resolved internally by the company itself or by the Alternative Dispute Resolution (ADR) solution, free of charge. Another possibility is the involvement of national Data Protection Authorities who would work with the Federal Trade Commission, an independent agency of the US government, to ensure that complaints by EU citizens are investigated and resolved. As a last resort, an arbitration mechanism remains.
Concerning redress, the Privacy Shield framework provides that an Ombudsperson, independent from the US intelligence services, will adjudicate complaints from EU citizens about their data being abused and about the transfer of EU citizens’ data to other companies. The role of the Ombudsperson has been strongly questioned, as EU regulators have warned that, if the Ombudsperson does not have real independence from the intelligence agencies, it cannot give EU citizens an effective complaint route and so cannot fulfil their rights. The European Commission has published a ‘Guide to the U.S.-EU Privacy Shield’ explaining to EU citizens how to file complaints against U.S. companies that handle their data but fail to comply with the Privacy Shield rules.
From a practical perspective, companies from the United States have been able to sign up to the Privacy Shield framework since August 1, 2016. Microsoft became the first global cloud service provider to obtain the Privacy Shield certification.
The list of companies that have signed up to the Privacy Shield framework already contains over 500 entries, including Google, Facebook and Microsoft. Applications from over 1,000 further companies are being processed by the US Department of Commerce.
Stronger efforts to protect consumers
In parallel, the legal framework concerning the storage of private communications and documents was revisited in the USA, amidst a plethora of concerns raised by the technical and privacy communities. The U.S. House of Representatives unanimously passed the Email Privacy Act (H.R. 699) in April, amending the Electronic Communications Privacy Act (ECPA), which allows law enforcement with a subpoena to seek data from a service provider and read emails more than 180 days old. The Email Privacy Act requires the government to obtain a probable cause warrant from a judge before asking companies to hand over stored private communications and documents. The bill is seen as a win for user privacy.
In the EU, the last few years have seen concerted efforts to increase the level of protection for consumers, and to strengthen controls on exports of certain dual-use goods and technologies. After more than four years of negotiations, the EU’s General Data Protection Regulation (GDPR) was passed earlier this year, replacing a 1995 directive. The new regulation aims to protect consumers and to give individuals more control over their personal data, including the ‘right to be forgotten’ and a long list of users’ rights. Its main stipulations give users more control over their data, require notification of data use, and allow for data portability.
In September, the European Commission issued a proposal for a regulation that aims to strengthen controls on exports of certain dual-use goods and technologies - those that ‘may be misused for human rights violations, terrorist acts or the development of weapons of mass destruction’. According to the Commission, one of the main elements of the proposal is the addition of a ‘human security’ dimension to export controls, to prevent human rights violations associated with certain cyber-surveillance technologies. The proposal aims, among other things, to ensure that EU authorities can stop exports in cases where surveillance technology, such as monitoring centres and data retention systems, could be used for human rights violations, repression or armed conflict. The export of encryption technologies also falls within the scope of this proposal.
An overview of the different regulations implemented over the past months shows that privacy and data protection are increasingly being tackled by the legislative powers. The Privacy Shield has been an important part of the discussions between the EU and the USA, and it will be very interesting to follow the concrete application of the framework in the upcoming months, in particular with regard to the controversial role of the Ombudsperson.
It also appears that the EU has made important efforts to increase the level of protection of consumers and to strengthen controls on exports of certain dual-use goods and technologies, which confirms the EU’s commitment to protecting its citizens from any misuse of their personal data.
For now, we await developments in the two challenges that the Privacy Shield framework faces within this short period of time.