Data Privacy

EU-U.S. Privacy Shield maintains legal limbo for transatlantic data transfers

Text and photography by Christian Ernhede

Fol­low­ing the rul­ing of the Eu­ro­pean Court of Jus­tice (ECJ) in Oc­to­ber 2015 in­val­i­dat­ing the Safe Har­bor agree­ment which al­lowed for the trans­fer of per­sonal data to the United States, the ne­go­ti­a­tions be­tween the Eu­ro­pean Com­mis­sion and the U.S. De­part­ment of Com­merce on a new “safer Safe Har­bor” as promised by Com­mis­sioner Věra Jourová in Oc­to­ber have been in­tense. The dead­line for reach­ing an agree­ment was set for 31 Jan­u­ary 2016 with a ple­nary meet­ing of the Ar­ti­cle 29 Work­ing Party of na­tional data pro­tec­tion au­thor­i­ties sched­uled for 2 Feb­ru­ary. While hav­ing missed the dead­line, the Com­mis­sion an­nounced a new deal mar­keted as the “EU-U.S. Pri­vacy Shield” on the same day as the Ar­ti­cle 29 Work­ing Party met.

Through­out the ne­go­ti­a­tions, the United States has main­tained their po­si­tion that it al­ready of­fers an ad­e­quate level of pri­vacy pro­tec­tion. Com­mis­sioner An­drus An­sip in­di­rectly con­firmed that he is of the same opin­ion at the press con­fer­ence in­tro­duc­ing the EU-U.S. Pri­vacy Shield by ref­er­enc­ing the progress made by the United States fol­low­ing Pres­i­dent Oba­ma's speech on mass sur­veil­lance in 2014. Con­tra­dic­to­rily, the ECJ rul­ing is clear in its dis­missal of the pri­vacy pro­tec­tion of­fered in the United States. Pe­ter Swire, pri­vacy ex­pert at the Geor­gia In­sti­tute of Tech­nol­ogy and for­mer ad­viser to the Clin­ton and Obama ad­min­is­tra­tions, how­ever be­lieves that a fun­da­men­tal er­ror in the ECJ rul­ing is that it did not take into ac­count as­pects of U.S. pri­vacy pro­tec­tion that are ab­sent in the EU. While there may be some logic to that in­ter­pre­ta­tion, Max Schrems, the pri­vacy ac­tivist who brought the case to the ECJ dis­misses the crit­i­cism. “I think many of the pro­tec­tions in the United States are great but they are not avail­able to me [as a Eu­ro­pean]”.

Max Schrems

Max Schrems, the Aus­trian pri­vacy ac­tivist who brought the case against Face­book.

A key as­pect that the new frame­work thus aims to ad­dress is the lack of ac­cess to jus­tice for Eu­ro­peans in the United States. The pro­posed mea­sures varies de­pend­ing on whether it con­cerns com­pa­nies mis­han­dling data, use by law en­force­ment agen­cies, or for na­tional se­cu­rity pur­poses. Most con­tro­ver­sial in the con­text is likely to be is­sues con­cern­ing U.S. na­tional se­cu­rity where pri­vacy pro­tec­tion will be en­sured by an om­budsper­son. Ac­cord­ing to the Com­mis­sion, the om­budsper­son will be in­de­pen­dent from the in­tel­li­gence ser­vices and will re­port di­rectly to the Sec­re­tary of State. Ad­di­tion­ally, the om­budsper­son will work in the con­text of ex­ist­ing U.S. over­sight mech­a­nisms such as the In­spec­tor-Gen­er­als, and the Pri­vacy and Civil Lib­er­ties Over­sight Board. Mr. Swire claims that se­crecy is one of the fun­da­men­tal strengths of pri­vacy pro­tec­tion in the United States. “We have peo­ple with top se­cu­rity clear­ance that eval­u­ate le­gal com­pli­ance”, and he points out that this does not hap­pen in the EU. In this con­text the om­budsper­son is a wel­comed ad­di­tion but ques­tions re­main on the level of in­sight that the new om­budsper­son will have, and to what ex­tent any po­ten­tial in­fringe­ments will be shared with Eu­ro­pean coun­ter­parts given that the Com­mis­sion it­self is not privy to dis­cus­sions con­cern­ing na­tional se­cu­rity.

Like­wise, the Ju­di­cial Re­dress Act would give Eu­ro­peans the pos­si­bil­ity to bring civil ac­tions un­der the U.S. Pri­vacy Act against U.S. law en­force­ment agen­cies. The Ju­di­cial Re­dress Act is in doubt how­ever with an amend­ment in­tro­duced at the last mo­ment be­fore the vote in the Sen­ate Ju­di­ciary Com­mit­tee adding the ex­emp­tion that “to qual­ify as a cov­ered coun­try, a for­eign coun­try must per­mit com­mer­cial data trans­fers with the United States and may not im­pede the na­tional se­cu­rity in­ter­ests of the United States.” In ad­di­tion to de­lay­ing the bill by send­ing it back to the House of Rep­re­sen­ta­tives, the added ex­emp­tion can also serve as a limit on EU na­tional data pro­tec­tion au­thor­i­ties to in­ter­fere on is­sues con­cern­ing U.S. na­tional se­cu­rity or lose the rights af­forded by the Re­dress Act.

Justin An­tonip­il­lai, Deputy Gen­eral Coun­sel at the U.S. De­part­ment of Com­merce and a mem­ber of the U.S. ne­go­ti­at­ing team says that while “we have great re­spect for the thought put into the case by the Eu­ro­pean Court of Jus­tice, in 15 years there is no record of com­pa­nies not meet­ing pri­vacy oblig­a­tions. What is the prob­lem?” To the U.S. ne­go­tia­tors, it is not about the Snow­den rev­e­la­tions, but about “fo­cus­ing on the [con­firmed] facts” as pointed out by Mr. An­tonip­il­lai. The U.S. trump card in the ne­go­ti­a­tion process was thus ar­guably their cat­e­gor­i­cal re­fusal to recog­nise any pri­vacy in­fringe­ments re­vealed by Snow­den. The ECJ how­ever made it clear that the Snow­den rev­e­la­tions were an im­por­tant con­sid­er­a­tion in its con­clu­sion. Robert Litt, Gen­eral Coun­sel at the Of­fice of the Di­rec­tor of Na­tional In­tel­li­gence and an­other mem­ber of the U.S. ne­go­ti­at­ing team clar­i­fies the po­si­tion of the United States on in­dis­crim­i­nate sur­veil­lance of every in­ter­net user. “We're not in­ter­ested, we could­n't do it even if we wanted to, and we have bet­ter things to do.” In re­sponse to the Snow­den al­le­ga­tions, he added cat­e­gor­i­cally that “the sug­ges­tion that the NSA is sweep­ing up every­thing is false. End of dis­cus­sion.”

Mass sur­veil­lance is thus an­other as­pect that is clouded by ob­scu­rity. Ac­cord­ing to Mr. Swire, U.S. se­cu­rity per­sonel have no di­rect ac­cess to in­di­vid­ual data but only to the re­sults pre­sented by al­go­rithms that fil­ter out ir­rel­e­vant in­for­ma­tion. The num­ber of peo­ple ul­ti­mately af­fected by U.S. snoop­ing af­ter fil­ter­ing is thus “not mass sur­veil­lance and in­dis­crim­i­nate” ac­cord­ing to Mr. Swire. Mr. Schrems how­ever points out that it boils down to ter­mi­no­log­i­cal dif­fer­ences. “We are talk­ing about mass sur­veil­lance but have dif­fer­ent un­der­stand­ings. In Eu­rope, tap­ping into the ca­ble is mass sur­veil­lance.” When ques­tioned for this ar­ti­cle, the Com­mis­sion failed to clar­ify whether the promised writ­ten as­sur­ances that the United States “do not carry on in­dis­crim­i­nate mass sur­veil­lance of Eu­ro­peans” in­cluded a clear de­f­i­n­i­tion of mass sur­veil­lance. A lack of such a de­f­i­n­i­tion is not sur­pris­ing given the ur­gency of the deal, but it is a wor­ry­ing in­di­ca­tion that the EU-U.S. Pri­vacy Shield is but an­other bu­reau­cratic house of cards built on a mis­taken un­der­stand­ing of fun­da­men­tal terms.

Mr. Litt would be one of the best-placed peo­ple for clar­i­fy­ing any mis­un­der­stand­ings but he was re­luc­tant to of­fer more con­crete in­for­ma­tion on how U.S. sur­veil­lance work, and added that it is not ap­pro­pri­ate to dis­cuss se­cu­rity ser­vice meth­ods with the Com­mis­sion due to the fact that it is not tak­ing part in the na­tional se­cu­rity de­bate. That the ne­go­ti­at­ing teams where fac­ing dif­fi­cul­ties in reach­ing a deal un­der those cir­cum­stances is un­sur­pris­ing, but it is re­mark­able that the Com­mis­sion now says that the United States of­fers ad­e­quate pri­vacy pro­tec­tion given that they are not privy to dis­cus­sions con­cern­ing sur­veil­lance.

Ac­cord­ing to Mr. Schrems how­ever, the chal­lenges to reach­ing a wa­ter­tight deal go deeper still. “The com­mis­sion is bound by the court rul­ing and the De­part­ment of Com­merce by na­tional se­cu­rity and none have the au­thor­ity to make a deal”. If the con­se­quences of a re­stric­tion to data trans­fers be­tween the United States and Eu­rope and a balka­ni­sa­tion of the in­ter­net is not daunt­ing enough, Mr. Swire thinks that the im­pli­ca­tions might be fur­ther reach­ing still. “There would be a re­newed de­bate about a trade agree­ment if there is a com­plete ban on trans­fers of data to the United States”. But Mr. Schrems is cat­e­gor­i­cal in his con­dem­na­tion of the busi­ness prac­tices of the large in­ter­net com­pa­nies based in the United States. “They are used to not fol­low EU law.” Un­for­tu­nately, the le­gal limbo is likely to re­main un­til an­other court case on the new EU-U.S. Pri­vacy Shield reaches the ECJ.