On 29th February, 2016, the European Commission published details of the legal text which will be the building blocks for the EU-US Privacy Shield. The NSA’s bulk collection of the data EU users’ data has been a contentious issue since the Snowden revelations. The new agreement will replace the Safe Harbour agreement which had been struck down by the Court of Justice of the European Union in the Schrems judgment, where the Court rendered the existing provisions as inadequate and incapable of protecting data.

The European Commission today issued a Communication summarizing the actions taken to replace the data protection standards. The Commission announced a number of steps to restore trust in the flow of transatlantic data.  It finalised the reform of EU Data protection rules, which apply to all companies providing services on the EU market negotiated the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes, and built a promising framework for commercial data exchange- the EU-U.S. Privacy Shield.

A preliminary dissection of the collective text indicates a commitment to build a stronger framework towards protecting transatlantic data. The European Commission in its draft adequacy decision published yesterday, provides for the establishment of an enhanced regime, stating that the EU-US Privacy Shield will continue to be based on a system of self-certification where U.S. organisations will commit to the EU-U.S. Privacy Shield Framework Principles.  Article 4 of the Draft Decision provides that:

“The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.”

Intricacies of the Agreement

Under the new agreement, American companies will have to register to be on the Privacy Shield List and self-certify that they meet the requirements set out. This process will be carried out each year with periodic reviews. The Privacy Shield includes the crucial principles of: consent of the user the choice of the user to opt out of divulging personal information; the security of the transmitted information, the purpose limitation principle to ensure that the information is not used for any other purpose but the one the user had consented to.

Aside from these guidelines, the draft decision lists out accountability and transparency provisions for the companies engaging in data transfers and carves out a redressal mechanism for aggrieved users. The FAQs accompanying the Privacy Shield framework, provides that the complaints have to be resolved by the companies within 45 days.

The framework also provides for an alternate dispute resolution process: “A free of charge alternative dispute resolution [ADR] solution will be available. EU citizens can also go to their national data protection authorities, who will work with the US department of commerce, and Federal Trade Commission to ensure that unresolved complaints by EU citizens are investigated and resolved.”  Roping in the recently passed U.S. Judicial Redress Act, the FAQ notes that the Privacy Shield will provide EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes. The Judicial Redressal Act however encompasses the last minute amendment which caters to US security interests as an exception to the safe harbour guarantee.

The Article 29 Working Party, in its statement issued recently, outlined on a four-part guideline whenever personal data is transferred from the EU to the United States, to other third countries, as well as to other EU Member States. The statement recommends the following:

“1. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;

1. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
2. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
3. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.”

The new agreement factors in all the recommendations mentioned above. The 3rd recommendation mentions the need for an independent oversight mechanism. This mechanism also resurfaces as an essential criteria in the communication from the Commission to the European parliament and the Council as well as in the draft adequacy decision, both of which were released yesterday. The new agreement creates an “Ombudsperson” to deal with complaints from the EU citizens on how their data has been used by the NSA, however, the autonomy of the oversight authority is debatable.

The draft also provides for suspension of adequacy decision “if the Commission concludes that there are clear indications that effective compliance with the Privacy Principles in the United States might no longer be ensured, or that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection. Alternatively, the Commission may propose to amend this decision, for instance by limiting the scope of the adequacy finding only to data transfers subject to additional conditions.”

Conclusion

The protection of data has been treated as a paramount right in the EU unlike in the US set-up where pro-privacy norms are a rare delight. The Schrems judgment did stir up the status quo and the negotiation process has resulted in the revised agreement. However, The NSA has found its way into the new agreement, visibly so in the exception appended to bulk collection of data. The draft decision envisages six contingencies in the event of which US would be permitted to collect signals intelligence in bulk. These exceptions include detecting and countering certain activities of foreign powers; counter-terrorism; counter-proliferation; cyber-security; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. The New York Times had recently reported that the bulk collection of data by the NSA will be shared with other U.S. agencies including the FBI and the CIA without removing the identifying information. This marks the meeting point of data processing for commercial purposes and for the purpose of surveillance. In light of the recent FBI-Apple duel, such collision should be viewed cautiously.