What's next for Privacy Shield?
Businesses have been able to rely on the data transfer mechanism 'Privacy Shield' since summer 2016. The instrument is designed to ensure an adequate level of data protection when personal data is transferred from Europe to the USA. European data protection authorities are now demanding that Privacy Shield be renegotiated, because they question whether the level of data protection in the USA is as stringent as that guaranteed in the European Union.
The starting point is the assumption that third countries whose level of data protection has not been recognised as adequate by the EU Commission do not provide a level of data protection compliant with European requirements. Transfers to such third countries fall within the scope of the German Federal Data Protection Act (FDPA; German 'BDSG'), Sections 4, 4b and 4c FDPA, provided the transfer takes place in the context of activities that fall wholly or partly within the scope of European Community law. The new German Federal Data Protection Act refers in Section 1 para. 5 FDPA to the application of the GDPR, which, in accordance with Art. 3 para. 2 and 3 GDPR, also applies where personal data of data subjects in the Union are processed by a controller not established in the European Union.
The USA is currently not considered a so-called 'safe' third country, which is why instruments such as Privacy Shield were created to ensure adequate data protection when data is transferred there. A transfer is then permitted on the basis of the guaranteed level of data protection; without such a basis, the transfer would be impermissible.
The Safe Harbor agreement
The predecessor of the EU-US Privacy Shield was Safe Harbor, an agreement between the USA and the EU. US businesses that submitted themselves to the principles of the agreement were included in the US Department of Commerce's list of businesses with adequate data protection, which was taken to assure compliance with the EU standard for a period of one year, after which the self-certification had to be renewed. However, since the European Court of Justice's Schrems judgment of 6 October 2015, the agreement is no longer valid. Max Schrems had lodged a complaint against Facebook Ireland with the Irish Data Protection Commissioner, arguing that the transfer of his data from Europe to the USA and the subsequent surveillance measures by the US government violated EU law. The case made its way to the European Court of Justice by way of a preliminary reference from the Irish High Court, and the ECJ ultimately declared the Safe Harbor decision invalid. The ECJ reasoned that compliance with European data protection standards cannot be guaranteed in the USA.
The most important points of criticism:
- The Safe Harbor agreement applied only to US businesses, not to US government agencies.
- Requirements of national security, public interest and the enforcement of US law took precedence over the agreement. US businesses were therefore not obliged to apply the agreement where it conflicted with these requirements.
- There was no way to limit interferences by US agencies with the fundamental rights of data subjects.
- There was no judicial redress for EU citizens against the measures of US agencies.
The 'EU-US Privacy Shield'
In order to close the gap left by the invalidation of Safe Harbor, a new data transfer mechanism was created, the 'EU-US Privacy Shield'. It obliges participating businesses to remain compliant with data protection standards and, in contrast to Safe Harbor, also limits the access that US agencies have to the data of EU citizens. Further new features were legal protection for citizens via an ombudsperson and dispute resolution bodies, as well as an annual joint review of Privacy Shield.
The review of Privacy Shield
In line with this, the European Commission and the US Government carried out the first annual review of the functioning of the EU-US Privacy Shield in mid-September 2017. While the Commission concluded that the data transfer mechanism is functioning well, the independent EU advisory body on data protection, the Article 29 Working Party, disagrees. The Article 29 Working Party does acknowledge improvements compared to Safe Harbor, as well as the efforts of the US authorities and the EU Commission to implement Privacy Shield. At the same time, it voices concerns as to whether the level of data protection ensured by Privacy Shield in the USA is equivalent to that in the EU.
The concerns relate first and foremost to whether EU citizens can actually obtain redress against governmental and/or commercial surveillance measures, which the ombudsperson mechanism is meant to ensure. During its review, information on the procedure by which the ombudsperson gains access to other members of the intelligence community, including oversight bodies, was withheld from the Article 29 Working Party. It was therefore unable to assess, let alone confirm, whether the ombudsperson has sufficient powers to access information and remedy breaches so as to fulfil a role comparable to that of a court or other independent body. This casts doubt on whether the ombudsperson qualifies as an 'effective remedy' within the meaning of Article 47 of the Charter of Fundamental Rights of the European Union.
Furthermore, the advisory body demands evidence or legally binding confirmation that data collection by US agencies is not indiscriminate, and that unlimited access to the personal data of EU citizens, for instance under the NSA programme UPSTREAM, cannot occur.
Because of these concerns, the Article 29 Working Party calls for renegotiations between the EU Commission and the US Government. As a first step, an action plan addressing the concerns would have to be drawn up by 25 May 2018 at the latest, the date from which the GDPR applies. Otherwise, the members of the Article 29 Working Party have announced that they will take appropriate action, such as bringing the Privacy Shield adequacy decision before national courts so that it can be referred to the European Court of Justice for review.
For now, though, the Article 29 Working Party's criticism has no effect on the validity of Privacy Shield. The instrument can still be relied upon as a legal basis for data transfers to the USA as long as no court has declared it invalid.
Privacy Shield is currently not the only data transfer mechanism whose validity is in question. In a second case, Schrems has challenged the EU Standard Contractual Clauses. Following a reference for a preliminary ruling by the Irish High Court, the ECJ is now examining whether the EU standard contractual clauses provide an adequate guarantee for the protection of personal data transferred to third countries. The requirements for legally compliant data exchange with third countries will therefore continue to develop, and we will of course keep you informed.