European Data Protection Supervisor issues opinion on Privacy Shield

12th July 2016

European Data Protection Supervisor issues opinion on Privacy Shield

This article was first published on Lexis®PSL IP & IT on 8 June 2016. Click for a free trial of Lexis®PSL.

IP & IT analysis: Giovanni Buttarelli, the European Data Protection Supervisor (EDPS) published his non-binding opinion on the Privacy Shield on 30 May 2016. The Regulatory Team at Walker Morris considers the opinion and assess its implications.

Original news

EDPS issues opinion on draft Privacy Shield, LNB News 01/01/0001 1618

The draft Privacy Shield does not adequately include all appropriate safeguards to protect the EU rights of privacy and data protection, according to an opinion issued by the EDPS. The opinion contains a number of specific recommendations on the Privacy Shield.

What has the EDPS said about the Privacy Shield?

The EDPS acknowledges that the Privacy Shield “may be a step in the right direction” towards resolving the issues with Safe Harbor and he welcomes the improvements that have been made. However, the EDPS is very clear that the Privacy Shield in its current form does not provide adequate protection and that if it is challenged before the Court of Justice of the European Union (the CJEU), it is likely to be held to be invalid, just like Safe Harbor.

He also does not believe that the Privacy Shield provides a long-term solution for transatlantic transfers of EU personal data as:

• it does not deal with the changes to be brought in by the General Data Protection Regulation (the GDPR) and
• the concept of self-regulation by private organisations as well as representation and commitments by public officials are not sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world.

How does this compare to the Article 29 Working Party’s opinion?

Unsurprisingly, as the EDPS is a member of the Article 29 Working Party (the Working Party) which published its opinion on 13 April 2016 (see Preparing for Privacy Shield – what’s next?), he identifies many of the same issues with the proposed framework, such as the concerns over mass and indiscriminate surveillance by the US authorities.

However, the EDPS is far more damning in his criticism with his declaration that the “Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court“.

In addition, where the Working Party urged the Commission to identify appropriate solutions to provide clarifications of the concerns it raised, the EDPS has issued direct advice in the form of “principled and pragmatic” recommendations.

What are the EDPS’ key concerns?

Again, unsurprisingly, the EDPS’ biggest concern is access by the US authorities to personal data transferred from the EU; particularly as the current drafting of the Privacy Shield appears to allow the US authorities to use the exceptions to the Privacy Principles to carry out mass and indiscriminate surveillance in certain circumstances “without any limitation on the purpose of such access“.

The EDPS believes that, whereas Safe Harbor “formally treated access for national security as an exception“, the way in which the Privacy Shield deals with such access “indicates that the exception has become the rule” and “legitimises routine access to transferred data by US authorities“.

His other key concern is that the Privacy Shield has been drafted on the basis of the existing legal framework and fails to consider the changes that will apply under the GDPR from 25 May 2018, such as privacy by design, privacy by default and data portability. As a result, organisations will have to change their compliance model yet again “less than one year after the full implementation…of the Privacy Shield“.

What other issues does the EDPS raise?

The EDPS highlights that the Privacy Shield needs to provide protection which is “essentially equivalent” to that provided by the EU legislation but it does not adequately deal with all of the basic principles, particularly data retention and automated processing. The provisions relating to onward transfers, the right to access and the right to object also need improvement.

The EDPS echoes the Working Party’s concerns that the newly created Ombudsperson mechanism is not sufficiently independent and that the redress mechanisms provided for individuals are overly complex.

The EDPS also does not believe that the self-regulation model is appropriate and he recommends that the US authorities systematically and effectively monitor compliance with the Privacy Principles.

What recommendations does the EDPS make?

The EDPS makes 3 main recommendations:

• the Privacy Shield must fully address all of the basic principles set out by the current EU legislation and in particular the provisions dealing with data retention, automated processing, onward transfers, the right to access and the right to object should be developed accordingly
• clear and precise rules limiting the access by US authorities to EU personal data are required
• the role of the Ombudsperson needs to be developed to ensure that it is independent and has sufficient authority to enforce its decisions and recommendations, and ensuring that compliance by US organisations who register for the Privacy Shield is effectively supervised.

The EDPS also makes a number of additional recommendations including the need to make improvements to the mechanics of the annual joint review of the Privacy Shield, such as incorporating the findings of the EU data protection authorities in the report generated by the review, as well as ensuring that the Privacy Shield is compatible with and reflects the requirements of, the GDPR.

In light of the significant pressure on the Commission to end the current legal uncertainty regarding transatlantic transfers of EU personal data, perhaps the most welcome, if unexpected, of the EDPS’ recommendations is the one to legislators urging them to “take their time in finding an adequate, long-term solution“.

What does the EDPS’ opinion mean for the Privacy Shield?

Although the EDPS’ opinion is non-binding on the Commission, it adds significant weight to the calls on the Commission to redraft and improve the Privacy Shield.

It will be taken into account by the Article 31 Committee when it considers the Privacy Shield again at its next meeting, together with the Working Party’s opinion and the non-binding resolution of the members of the European Parliament which was passed on 26 May 2016 and which states that the Commission should continue to negotiate with the US to remedy “deficiencies” in the Privacy Shield framework.

What’s next for the Privacy Shield?

In order for the Commission to adopt the draft adequacy decision in respect of the Privacy Shield, it first requires the Article 31 Committee (made up representatives of the EU member states) to vote in favour of the Privacy Shield by a qualified majority (16 member states representing at least 65% of the EU population). Once it has been approved by the Article 31 Committee, the Commission is bound to adopt the Privacy Shield.

The next meeting of the Article 31 Committee is scheduled for 6 June 2016.

What happens if the Article 31 Committee doesn’t approve the Privacy Shield?

If a qualified majority votes against the Privacy Shield, the Commission can appeal against the outcome to the appeal committee. If the appeal committee votes against the Privacy Shield, the Commission must abide by the appeal committee’s decision.

If there is no qualified majority for or against the Privacy Shield, the Commission can choose either to adopt the Privacy Shield in its current form or it can submit a revised draft taking into account the views expressed by the Article 31 Committee.

Is the Article 31 Committee likely to approve the Privacy Shield?

The Article 31 Committee has met 3 times to discuss the Privacy Shield and so far it has not reached an opinion.

Commissioner Vera Jourova has confirmed that the Commission is working on addressing the Working Party’s criticisms of the Privacy Shield including holding further discussions with the US and the amendments will be submitted to the Article 31 Committee. However, she went on to note that:

“I cannot say that…Privacy Shield is perfect…I must say very openly that we are not fully satisfied, but we are satisfied in the sense that we achieved the maximum which was possible“.

This, together with a quote attributed to Stefan Selig, US Undersecretary of Commerce for International Trade that US officials are “very cautious about not upsetting what was a delicate balance that was achieved when we negotiated the original text“, suggests that further concessions from the US on key issues such as access by US authorities are unlikely to be forthcoming.

We will have to wait and see whether the amendments which are currently being made to the draft Privacy Shield documents will be sufficient for the Article 31 Committee to vote in favour of the adequacy decision.

What other recent developments are likely to affect the adoption of the Privacy Shield?

The US Supreme Court’s recent changes to the Rule 41 of the Federal Rules of Criminal Procedure are likely to increase concerns about US government access. The change which allows US judges to issue warrants outside of their districts, actually grants expansive powers to law enforcement agencies to hack and access information on computers where the device location information has been concealed through technological means. In practice this means that judges can issue warrants in respect of any computer user in the world who is “using technology to protect their location privacy or is unwittingly part of a botnet” (Rainey Reitman of Electronic Frontier Foundation).  This is seen by many as a significant change, as federal judges have been reluctant to issue search warrants on computers outside their jurisdiction.

The US Department of Justice has also recently published a document which showed that the US Foreign Surveillance Intelligence Court had approved 1,457 requests from the FBI and NSA to intercept email and phone communications and that no request made by either agency had been rejected.

Both of these recent developments are unlikely to reassure the Privacy Shield sceptics such as Max Schrems who has described the Privacy Shield as “lipstick on a pig“.

Is there likely to be a legal challenge to the Privacy Shield?

The UK’s Information Commissioner, Christopher Graham, has intimated that if the Commission does adopt the Privacy Shield without resolving the issues which the Working Party has highlighted, it will almost certainly face a legal challenge before the CJEU:

“[T]he Article 29 Working Party…posed some very reasonable questions about the documentation surrounding the Privacy Shield…[a]nd I think those questions need answers…if the Article 29 Working Party can ask those questions then so can the Court of Justice“.

And according to the EDPS, if there is a challenge, it is likely to be successful, which will effectively turn the clock back to 6 October 2015 when the CJEU ruled Safe Harbor invalid. (C-362/14: Schrems v Data Protection Commissioner [2015] All ER (D) 34 (Oct)).

The EDPS’ argument is that it would be more damaging for organisations, particularly SMEs, to implement a new regime which is subsequently invalidated than for the current uncertainty to continue for the foreseeable future while a more robust, longer-term solution is negotiated.

The German data protection authorities have also reportedly published a resolution calling for an independent right of action for EU data protection authorities to challenge adequacy decisions of the EU Commission in front of national courts.

Are the Model Contract Clauses and Binding Corporate Rules still valid?

The Working Party has confirmed that, for the time being at least, Model Contract Clauses and Binding Corporate Rules remain valid and businesses can rely on these for the purposes of transatlantic data transfers, although it also indicated that both mechanisms would be reviewed once the Privacy Shield has been finalised.

However, on 25 May 2016, the Irish data protection authority announced, that as part of its ongoing review of the complaint made by Max Schrems against Facebook Ireland, it intends to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Model Contract Clauses.

On the basis that the Model Contract Clauses offer little (if any) additional protection against mass surveillance by the US authorities, it is likely that these will also be ruled as invalid by the CJEU.

What should businesses be doing now?

For the time being at least, the advice remains that UK organisations should review what data they are transferring, where it is being transferred to and what arrangements have been put in place to ensure that it is adequately protected, without making any ‘knee jerk’ changes to those arrangements.

US businesses should also identify what data they receive or collect from the UK and other EU countries and the basis on which they are receiving or collecting that data.

Going forwards, US businesses should have a clear policy governing how they will acquire, safeguard, store, disclose and manage personal data.

Whatever transfer mechanism is eventually adopted, US organisations will need to demonstrate that they comply with the Privacy Principles as a minimum. By reviewing their existing policies, processes and procedures now and addressing any identified gaps between the Privacy Principles and their existing practices, they can get a head start on making sure they are compliant with the new regime.

Organisations on both sides of the Atlantic will need to keep up to date with the developments on the Privacy Shield to ensure that they are ready to implement any necessary changes as soon as the mechanism is finalised.

Interviewed by Alex Heshmaty.