On the basis of the 1995 Data Protection Directive, the European Commission, on 26 July 2000, adopted the “Safe Harbour decision” recognizing the « Safe Harbour Privacy Principles » issued by the Department of Commerce of the United States, as providing adequate protection for the purposes of personal data transfers from the EU.
As a result, the Safe Harbour system allowed for the transfer of personal information for commercial purposes from companies in the EU to companies in the U.S. that have signed up to the Principles.
The NSA revelations in 2013 raised large questions on surveillance and personal data protection. The Safe Harbour permitted limitations to data protection rules where necessary on grounds of national security. The question therefore arose whether the large-scale collection and processing of personal information under U.S. surveillance programmes was necessary and proportionate to meet the interests of national security.
Following the Snowden revelations, the Commission decided to review the Safe Harbour, and issued 13 recommendations for its improvement in November 2013.
On 6 October 2015, the Court of Justice declared in the Schrems case that Commission’s Safe Harbour Decision was invalid, on the ground that government surveillance in the U.S. threatens the privacy of EU citizens’ data and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the U.S.
The ruling indeed, confirmed the importance of data protection as a fundamental right in Europe, where a transatlantic gulf separate ideas about privacy, because in America it is considered as a consumer protection right.
Following the ruling, on 16 October Article 29 Working Party, the independent advisory body that brings together representatives of all DPAs, issued a statement regarding the first conclusions to be drawn from the judgment, announcing that: if by the end of January 2016, no appropriate solution will be found with the U.S. authorities, the DPAs (Data Protection Authorities) will then have to take all necessary and appropriate action, including coordinated enforcement one.
Therefore, directly after the judgment, Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality, was in contact with the U.S. Secretary of Commerce Penny Sue Pritzker and negotiations at technical level continued at an intense pace, until last 2 February, when, after a year of dialogue between the two institution, the European Commissioner announced that an agreement had been reached on a new framework: the “EU-U.S. Privacy Shield”.
Regarding the recent accord Commissioner Jourová said: « The new EU-U.S. Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies.[…] For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. […]Also for the first time, EU citizens will benefit from redress mechanisms in the area of national security access. In the context of the negotiations for this agreement, the U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans.[…] We have also agreed to monitor the functioning of this arrangement. The Commission and the Department of Commerce will do an annual joint review which will serve to substantiate the commitments made. »
Moreover the new arrangement will include three main elements.
- Strong obligations on companies handling Europeans’ personal data: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
- Clear safeguards and transparency obligations on U.S. government access:. Under the new arrangement the U.S. has excluded indiscriminate mass surveillance on the personal data transferred to the U.S., in addition, to monitor the functioning of the agreement, there will be an annual joint review, which will also include the issue of national security access. Commissioner Jourovà stated that for the first time United States would provide written assurances of their obligation in this area, notably from the office of the Director of National Intelligence in the White House: a further demonstration of the will to restore trust in the transatlantic relation
- Effective protection of EU citizens’ rights with several redress possibilities: any citizen who considers that their data has been misused will have several redress possibilities and a new Ombudsman will be created for complaints on possible access by national intelligence authorities.
On 3rd February, after the announcement of the previous day by the Commissioner Jourovà on the Privacy Shield, the European data protection agencies met up in Brussels as part of the Article 29 Group and gave themselves two months to assess the new agreement.
Isabelle Falque-Pierrotin, president of the Article 29 Working Party, told journalists that the group of privacy authorities asked the Commission to share the written text of the new agreement by the end of February.
“We can’t just accept words,” Falque-Pierrotin said. “It’s difficult to come to a conclusion when you’re facing political will, but no real document ” she added. “The legal format of the arrangement is still unclear for us”. She also had questions regarding the legal form that the agreement would have and indicated that they had heard about “the exchange of letters” mentioned. The analysis of the new Privacy shield system will be carried out as declared in the “Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment” according to four criteria that need to be respected by the U.S. intelligence service: processing should be based on clear, precise and accessible rules, necessity and proportionality with regard to legitimate objectives pursued need to be demonstrated, an independent oversight mechanism should exist and effective remedies should be available to the individual .
The Article 29 Group is expected to make known its final position on this new mechanism at the end of March during a plenary session, as indicated by the President of the group.
The agreement also raised a number of perplexities among the MEPs, as well as among Internet Right organizations, such as EDRI and bodies involved in defending the rights of companies affected by the mechanism.
Commissioner Jourovà took stock of the dossier on privacy shield in front of the LIBE committee in Strasbourg on 1st February when an agreement was not yet reached between the parties, which have anyway agreed upon the essential framework of the accord. Many MEPs raised concern on this, a vision that was essentially confirmed by The Article 29 Group, when an agreement was formally announced, one day later.
In particular several MEPs, such as Claude Moraes (Group of the Progressive Alliance of Socialists and Democrats in the European Parliament), Laura Ferrara (Europe of Freedom and Direct Democracy Group) Cornelia Ernst (Confederal Group of the European United Left – Nordic Green Left) and Sophia in ‘t Veld (Group of the Alliance of Liberals and Democrats for Europe) doubted the legal binding nature of an accord expressed through written letters.
Jan Philippe Albrecht (Group of the Greens/European Free Alliance) commented after the meeting: “The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the U.S. authorities on their interpretation of the legal situation regarding surveillance by U.S. secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens’ complaints. This is a sellout of the fundamental EU right to data protection.”
Birgit Sippel (Group of the Progressive Alliance of Socialists and Democrats in the European Parliament) had concerns regarding the independence of the future Ombudsman, as well as for a recent amendment to the Judicial Redress Act by U.S. Senate Committee which limits the possibility for citizens to bring matters before an American court if they come from countries which have signed agreements on data with the United States.
As regards for EDRI (European Digital Rights) the association of civil and human rights organizations from across Europe, the opinion about the agreement was highly critical. EDRI denounced the necessity of the commission to announce an accord on 2nd February even if the agreement reached was merely a political one. This because of the necessity to prevent regulators from starting enforcement actions against companies that were transferring data illegally to the United States.
The question is still open at this stage as to the ways and means by which the aims of the accord will be reached: how the political determination will be translated into a technical, legally binding agreement?
In the meantime the Commission has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft « adequacy decision » in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. The U.S., on their side, will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.
Elena Dal Monte
For further information:
- Image source: https://www.itic.org/safeharbor
- European Commission – Fact Sheet: http://www.emeeting.europarl.europa.eu/committees/agenda/201602/LIBE/LIBE(2016)0201_1/sitt-2039429
- EU watchdog Falque-Pierrotin: ‘We can’t just accept words’ on privacy shield: http://www.euractiv.com/sections/digital/eu-watchdog-falque-pierrotin-we-cant-just-accept-words-privacy-shield-321572
- Jourova defends unfinished Safe Harbour deal: http://www.euractiv.com/sections/digital/jourova-defends-unfinished-safe-harbour-deal-321487
- Commission replaces Safe Harbour with rebranded ‘privacy shield’: http://www.euractiv.com/sections/digital/commission-replaces-safe-harbour-rebranded-privacy-shield-321527
- The new transatlantic data “Privacy Shield”: http://www.economist.com/blogs/economist-explains/2016/02/economist-explains-2
- Statement Of The Article 29 Working Party On The Consequences Of The Schrems Judgment: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160203_statement_consequences_schrems_judgement_en.pdf
- What’s behind the shield? Unspinning the “privacy shield” spin: https://edri.org/
- European Commission – Press release: http://europa.eu/rapid/press-release_IP-16-216_en.htm