Privacy Shield: Data Protection Commissioners break out a six-pack
Get comfortable, you're not going to be using it to transfer data any time soon
Hawktalk In this blog, I make a few comments about “Safe Harbor 2” (or the “Privacy Shield” to use the flash marketing term for the recently announced agreement). In summary, there is no published evidence that the Privacy Shield actually provides an adequate level of protection: so contrary to all those optimistic news reports, can you please “hold your horses” if you are anticipating transfers to the USA under Privacy Shield.
Also, be aware also that some serious contingency planning might be needed if Europe’s Data Protection Commissioners judge that the Privacy Shield does not provide an adequate level of protection.
The importance of Schrems
The first thing to understand is that the European Commission, which is trying to finalise a replacement deal for Safe Harbor, is not in the driving seat; neither are the USA negotiators.
This is because the most important part of the Court of Justice of the European Union (CJEU) in Schrems was not that Safe Harbor agreement was made void; it was that Data Protection Authorities can assess whether any “transfer” to a territory outside the European Economic Area (EEA) provides an adequate level of protection.
In its judgment, the CJEU said that the Data Protection Authority’s ability to independently assess adequacy applied universally. It said the existence of an international agreement such as Safe Harbor that claimed adequacy:
“….does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
Note the implication of this. If a Data Protection Authority found that the level of protection was inadequate, then it could act to protect the interests of data subjects (e.g. by banning transfers to that territory) despite any political agreement asserting adequacy.
As will be seen, this independence generalises to any transfer to any non-EEA country for any purpose and any agreement (e.g. transfers subject to BCRs or European Commission Standard Contract Terms).
This issue appears to have escaped notice by the USA negotiators who almost appear to consider Privacy Shield to be a done deal. Secretary of Commerce, Penny Pritzker, for instance delivered the following statement on the completion of the EU- U.S. Privacy Shield:
“This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.
Beyond being essential to transatlantic commerce, the EU-U.S Privacy Shield also underscores the strength of the U.S.-EU relationship. It demonstrates our commitment to working together as leaders in the global economy, promoting our shared values, and bridging our differences where they exist”.
“Shields down!”: back to Earth with a bump
Anyway, back to reality and the Article 29 Working Party of Data Protection Authorities (WP29) – a powerful advisory board with representatives from the European Commission and data-protection authorities.
In the party's press statement on Privacy Shield, it is clear that the WP29 has not accepted any fait accompli.
Its press release says that WP29 need “four essential guarantees” before the USA is deemed as offering an adequate level of protection. These guarantees, which relate to access by the national security agencies in the USA, to personal data transferred to the USA, are:
“A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks; (CP comment: can we have an effective independent oversight mechanism in the UK as well please?).
D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body. The WP29 stresses that these four guarantees should be respected whenever personal data are transferred from the EU to the United States and to other third countries, as well as by EU Member States.” (My emphasis to show WP29 considers Schrems is NOT limited to transfers to the USA).
The WP29 press statement then states it needs to see the detail of the agreement (e.g. WP29 “will examine whether the (Privacy Shield) provisions respect the powers of Data Protection Authorities as laid down in Article 28 of Directive 95/46/EC”). Roughly translated into English, this means that “WP29 wants to be satisfied that there is a valid mechanism to sort out any data protection issue before it approves the Privacy Shield as adequate”.
Accordingly, “the WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February”. This can be translated as: “WP29 does not trust the politicians to get the detail right; WP29 gives you four weeks to provide the details”.
In the meantime “EU Data Protection Authorities will therefore deal with related cases and complaints on a case-by-case basis” (Translation: a Data Protection Authority “reserves the right to enforce its national data protection legislation where transfers do not use the alternatives to Safe Harbor”).
There is also a sting in the WP29 tail arising from another aspect of the Schrems decision (see references). In summary, in Schrems, the CJEU criticised the absence of any “due process” when the USA’s national security agencies gained access to personal data in Safe Harbor.
This criticism applies to any transfer of personal data to the USA, a fact that has been picked up by the WP29. Its press statement states that once the WP29 has assessed Privacy Shield documents “the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S”.(my emphasis).
This emphasised comment explains the headline about WP29’s new muscle on display. Prior to Schrems, WP29 documentations were largely left unread except by the cognoscenti; however, post Schrems (and the morphing of WP29 into a European Data Protection Board of the Regulation), such documentation is a must read.
It can be seen that the implied threat to transfers is very clear; if Privacy Shield documents do not pass muster in relation to adequacy, then other arrangements for transfers to the USA (Contract Clauses, BCRs) could be in trouble.
Of course, there is a long way to go before any decision like this is made; WP29 showing that it has muscle is not the same as WP29 using that muscle.
However, it explains why I said at the beginning of this blog, that some contingency thinking (if needed) might not go amiss.
CJEU Case C‑362/14: Maximillian Schrems v Data Protection Commissioner; 6 October 2015
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Bootnote Since the publication of this story, the European Data Protection Supervisor has issued an opinion stating his concern over the current wording, which his office says opens the possibility of having bulk transfers of sensitive data between the US and an EU member state.