Dr. Maria Tzanou (Lecturer in Law, Keele University)
On 6 October 2015, in its judgment in Schrems, the CJEU invalidated the Commission’s decision finding
that the US ensured an adequate level of protection for the transfer of
personal data under the Safe Harbour framework on the basis that US mass
electronic surveillance violated the essence of the fundamental right to
privacy guaranteed in Article 7 EUCFR and the right to effective judicial protection,
enshrined in Article 47 EUCFR (for an analysis of the judgment, see here).
On 2 February 2016, the Commission announced that a political agreement was reached on a new
framework for transatlantic data flows, the EU-US Privacy Shield, which will
replace the annulled Safe Harbour. On 29 February 2016, the Commission
published a draft
Privacy Shield adequacy decision
followed by seven
Annexes that contain the US government’s
written commitments on the enforcement of the arrangement. The Annexes include
the following assurances from the US: Annex I, a letter from the International
Trade Administration of the Department of Commerce, which administers the
programme, describing the commitments that it has made to ensure that the
Privacy Shield operates effectively; Annex II, the EU-US Privacy Shield
Framework Principles; Annex III, a letter from the US Department of State and
accompanying memorandum describing the State Department’s commitment to
establish a Privacy Shield Ombudsperson to handle inquiries regarding
US intelligence practices; Annex IV, a letter from the Federal Trade
Commission (FTC) describing its enforcement of the Privacy Shield; Annex V, a
letter from the Department of Transportation describing its enforcement of the
Privacy Shield; Annex VI, a letter prepared by the Office of the Director of
National Intelligence (ODNI) regarding safeguards and limitations applicable to
US national security authorities; and, Annex VII, a letter prepared by the US
Department of Justice regarding safeguards and limitations on US Government
access for law enforcement and public interest purposes.
Similar to its predecessor, Privacy Shield is based on a
system of self-certification by which US companies commit to a set of privacy
principles. However, unlike Safe Harbour, the draft Privacy Shield decision
includes a section on the ‘access and use of personal data transferred under
the EU-US Privacy Shield by US public authorities’ (para 75). In this, the
Commission concludes that ‘there are rules in place in the United States
designed to limit any interference for national security purposes with the
fundamental rights of the persons whose personal data are transferred from the
Union to the US to what is strictly necessary to achieve the legitimate
objective.’ This conclusion is based on the assurances provided by the Office
of the Director of National Intelligence (ODNI) (Annex VI), the US Department
of Justice (Annex VII) and the US Department of State (Annex III), which
describe the current limitations, oversight and opportunities for judicial
redress under the US surveillance programmes. In particular, the Commission employs
four main arguments arising from these letters to reach its adequacy
conclusion: Firstly, US surveillance prioritises targeted collection of
personal data, while bulk collection is limited to exceptional situations where
targeted collection is not possible for technical or operational reasons (this
captures the essence of the principles of necessity and proportionality,
according to the Commission). Secondly, US intelligence activities are subject
to ‘extensive oversight from within the executive branch’ and to some extent
from courts such as the Foreign Intelligence Surveillance Court (FISC).
Thirdly, three main avenues of redress are available under US law to EU data
subjects depending on the complaint they want to raise: interference under the Foreign
Intelligence Surveillance Act (FISA); unlawful, intentional access to personal
data by government officials; and access to information under the Freedom of
Information Act (FOIA). Fourthly, a new mechanism will be created under the
Privacy Shield, namely the Privacy Shield Ombudsperson, who will be a Senior
Coordinator (at the level of Under-Secretary) in the State Department, in order
to guarantee that individual complaints are investigated and that individuals
receive independent confirmation that US laws have been complied with or, in
case of a violation of such laws, that the non-compliance has been remedied.
The draft Privacy Shield framework may have been hailed as providing an ‘essentially equivalent’ level of
protection for personal data transferred from the EU to the US, but despite the
plethora of privacy-friendly words (‘Privacy Shield’, ‘robust obligations’,
‘clear limitations and safeguards’) one cannot be very optimistic that the new
regime will fully comply with the Court’s judgment in Schrems. A first problematic aspect with the US assurances is that
they merely describe the US surveillance legal framework and the relevant
safeguards that already exist. In fact, the only changes introduced in
the US following the Snowden revelations were the issuance of Presidential
Policy Directive 28 (PPD-28) in January 2014, which lays down a number of
principles on the use of signals intelligence data that apply to all persons
regardless of nationality, and the passing of the USA Freedom Act in June 2015,
which modified certain US surveillance programmes and put an end to the bulk
collection of Americans’ phone records by the NSA. Finally, in February 2016,
the US Congress passed the Judicial Redress Act, which was signed into law by
President Obama. Given that one can reasonably assume that the Court was aware
of the first two of these developments when handing down its judgment in Schrems
in October 2015, it seems that, with the exception of the Ombudsperson, Privacy
Shield does not change much in US surveillance law. In fact, the Commission has
based its draft adequacy analysis entirely on a detailed description of
this law, without any further commitment that it will be improved in any way in
order to comply with EU fundamental rights as interpreted by the CJEU.
While the assurance that US surveillance is mainly
targeted and does not take place in bulk is important, there is no reference to
whether US authorities access the content of communications, the generalised
access that the Court in Schrems found to compromise the essence of the right to
privacy. Furthermore, even if the US authorities engage only in
targeted surveillance, the CJEU held in Digital Rights Ireland that the mere
retention of private-sector data for the purpose of making them available to
national authorities interferes with Articles 7 and 8 EUCFR and may have a
chilling effect on subscribers’ use of communication platforms such as Facebook
or Google and, consequently, on their exercise of the freedom of expression
guaranteed by Article 11 EUCFR. Individuals faced with surveillance cannot know
when they are targeted; nevertheless, the possibility of being the object of
surveillance affects the way they behave. As far as Article 47 EUCFR and the
right to effective judicial protection are concerned, the Commission itself
notes in its draft adequacy decision that the avenues of redress available to
EU data subjects do not cover all the legal bases that US intelligence
authorities may use, and that individuals’ opportunities to challenge
surveillance under FISA are very limited due to strict standing requirements.
The creation of the Ombudsperson, with the important
function of ensuring individual redress and independent oversight, should be
welcomed as the main addition of the draft Privacy Shield. Individuals will be
able to access the Privacy Shield Ombudsperson without having to demonstrate
that their personal data has in fact been accessed by US intelligence
activities, and the Ombudsperson, who will carry out his or her functions
independently of instructions from the US Intelligence Community, will be able
to rely on the US oversight and review mechanisms. However, there are several
limitations to the function of the Privacy Shield Ombudsperson. First, the
procedure for accessing the Ombudsperson is not as straightforward as lodging a
complaint before a national Data Protection Authority (DPA). Individuals have
to submit their requests initially to the Member State bodies competent for
the oversight of national security services and, eventually, to a centralised EU
individual complaint handling body, which will channel them to the Privacy Shield
Ombudsperson if they are deemed ‘complete’. In terms of the outcome of the
Ombudsperson’s investigation, the Ombudsperson will provide a response to the
submitting EU individual complaint handling body (which will then communicate
with the individual) confirming (i) that the complaint has been properly
investigated, and (ii) that US law has been complied with or, in the event
of non-compliance, that such non-compliance has been remedied. However, the
Ombudsperson will neither confirm nor deny whether the individual has been the
target of surveillance, nor will the Ombudsperson confirm the specific remedy
that was applied. Finally, Annex III stipulates that the commitments in the
Ombudsperson’s Memorandum will not apply to general claims that the EU-US
Privacy Shield is inconsistent with EU data protection requirements. In the
light of the above, the Privacy Shield Ombudsperson does not seem to provide
the redress guarantees of a supervisory authority such as the DPAs, as the
Advocate General (AG) had called for in his Opinion in Schrems.
The draft Privacy Shield is problematic for another reason as
well: it puts together the regulatory framework for commercial transactions
with the regulation of law enforcement and intelligence access to private-sector
data. These are, however, different issues and they should be dealt with
separately. It is important to encourage and facilitate transborder trade, so
flexible mechanisms allowing undertakings to self-certify compliance with data
protection principles should continue to apply. But the challenges that online
surveillance poses to fundamental rights are too serious to be covered by the
same regime and by ‘assurances’ that essentially describe current US law. Two
solutions could possibly deal with this problem: either the US adheres to the
Council of Europe Convention No. 108 and abandons the distinction between US
and EU citizens regarding rights to redress, or a transatlantic privacy and data
protection framework that ensures a high level of protection of fundamental
rights and the transparency and accountability of transnational
counter-terrorism operations (the so-called ‘umbrella agreement’) is adopted.
Regrettably, the current form of the umbrella agreement is very problematic as
to its compatibility with EU data protection standards, or even with human
rights standards in general, and therefore does not seem to provide an
effective solution to the issue.
A recently leaked
document reveals that the Article 29
Working Party has difficulties in reaching an overall conclusion on the Commission’s
draft adequacy decision and supports the view that Privacy Shield does not
fully comply with the essential
guarantees for the transfer of personal
data from the EU to the US for intelligence activities.
Should the Commission nevertheless decide to proceed with
the current draft, it is quite possible that the CJEU will be called upon in the
future to judge the adequacy of Privacy Shield in a ‘Schrems 2’ line of cases.
Photo credit:
www.teachprivacy.com