E.U.-U.S. Privacy Shield: Still Self-Certification, but Stronger Transparency Is a Real Improvement over the Safe Harbour Agreement

Fabio Di Resta – Attorney, LL.M., Founding partner at Di Resta Lawyers, Member of the Board of Directors at the Master Privacy at the “Roma Tre” University in Rome, Law Department

As is well known, on October 6, 2015, the European Court of Justice, in judgment C-362/14, declared invalid Commission Decision 520/2000/EC, which approved the scheme of personal data transfer under the old Safe Harbour framework. The judgment confirmed the approach the Commission had taken since November 2013 of reviewing the Safe Harbour arrangement to ensure a sufficient level of data protection as required by EU law.

In its preliminary ruling, the Court recognised that Data Protection Authorities have the power to evaluate and monitor the level of protection given to data flows in the country of destination (the U.S.); in particular, this power consists of analysing all the relevant legal aspects in order to determine whether that protection is “essentially equivalent” to the European Directive 95/46/EC.

Under this data protection law approach, the Court found that current U.S. legislation does not meet the “essentially equivalent” test with respect to three fundamental rights: the right to the protection of personal data, the right to respect for private and family life and communications, and the right to an effective judicial remedy (Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU).

The impact of the judgment on the world digital economy has been enormous and sudden: it affected more than 4,500 American businesses operating under Safe Harbour, including Internet giants such as Apple, Google, Microsoft, Facebook and Yahoo. In particular, up to 2013 there were around 3,246 adherent companies; 51% of these transferred personal data from the E.U. to the U.S. for human resources purposes, and 60% were businesses with fewer than 250 employees.

On 2 February, after months of dispute on the subject, the U.S. and EU authorities finally announced the newly signed agreement that replaces the old Safe Harbour.

According to the European Commission’s official communication, the new agreement, called the E.U.-U.S. Privacy Shield, is based on three pillars:

  • enforcement of strong obligations on adherent companies handling Europeans’ personal data, together with implementing measures: although the self-certification system of the old Safe Harbour is maintained, the new agreement is reinforced with “robust obligations” on data processing, including the publication of these obligations, as well as guarantees for the protection of European citizens’ rights under the monitoring and supervision of the U.S. Department of Commerce. In line with the judgment of the Court of Justice, any company handling human resources data from Europe must comply with the decisions of the European DPAs;
  • clear safeguards and transparency obligations on U.S. government access by public authorities: the U.S. has given the E.U. assurances on access by public authorities and by the NSA; exceptions allowing access must be limited to what is necessary and proportionate, and indiscriminate mass surveillance of personal data transferred to the U.S. is to be ruled out. To monitor the functioning of the arrangement regularly, there will be an annual joint review by the European Commission and the U.S. Department of Commerce, which will also cover the issue of national security access and to which national intelligence experts from the U.S. and European Data Protection Authorities are invited;
  • effective protection of E.U. citizens’ rights with several redress possibilities: this is very much like the rights of European data subjects; in fact, any European citizen can complain about a company (including by way of the so-called subject access request); moreover, companies have deadlines to reply to complaints, and European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge, and a new Ombudsman will be created for complaints about possible access by national intelligence authorities.

Although a new deal has been announced, achieved with great difficulty, we should wait for the full text of the agreement to analyse its preconditions and actual measures; it is already clear, however, that this agreement is a compromise solution with little room for a rigorous application of European law standards.

More specifically, the draft “adequacy decision” has still to be drawn up by the European Commission, with the involvement of the WP29; this will happen within the next weeks, after which we will see whether the specific transparency requirements, safeguards and available redress mechanisms are sufficient to protect Europeans’ fundamental rights.

It appears clear that one requirement comes first in order of priority: transparency is a critical element of this agreement, since without effective transparency no protection is possible. When the European Commission speaks of a “strong obligation”, this should be understood, first of all, as the obligation of companies adhering to the Privacy Shield to publish adequate privacy policies, which should include the privacy conditions of “any contracts adherent companies concluded with subcontractors, e.g. cloud computing services”. Situations in which there were onward transfers from Safe Harbour self-certified companies to third parties acting as “agents” required notification to the Department of Commerce of the privacy safeguards adopted in order to minimise risks, according to the European Commission’s statements (COM 847 final, 27.11.2013, page 18).

According to the European Commission, the above-mentioned situation was one of the major weaknesses of the Safe Harbour Agreement. The Commission also stressed that privacy policies should indicate clearly when exceptions for national security, public interest and law enforcement requirements are applied.

This position is fully consistent with the recent statement of the Article 29 Working Party (WP29), which said on 3 February that: “Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred”.

The WP29 requires that the Privacy Shield guarantee that individuals are “reasonably informed”; exactly in line with the European Commission’s approach since November 2013, publication of an extensive privacy policy with specific reference to exceptions is the precondition for any possible protection of fundamental rights.

The U.S. Department of Commerce has also recently published a briefing in which it stressed the importance of transparency obligations and stated in more detail that the agreement brings “new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection”.

In general terms, on the one hand, the “essentially equivalent” test should not be understood as a direct application of European legislation to the U.S., but rather as a set of common legal requirements to guarantee European fundamental rights.

On the other hand, compared with the Safe Harbour Agreement, the solution adopted is a further step towards the alignment of the European and American legal systems on data protection, and, last but not least, it is the response that provides legal certainty to the numerous enterprises operating in the world digital economy.

In conclusion, this political agreement will give effective protection to European citizens to the extent that they are informed in a timely and adequate manner by the companies, which will be obliged to reply promptly to requests for access to their personal data. Fulfilling this robust obligation may not be as easy as it appears, also taking into account the involvement of the European DPAs, whose decisions will be binding on the companies.