EU bodies have called on the Commission to renegotiate the proposed replacement for Safe Harbor.

We recently reported on the criticism of the European Commission’s Privacy Shield proposals by the EU’s Article 29 Working Party.  There has now been further criticism from both the European Data Protection Supervisor (EDPS) and Members of the European Parliament (MEPs).

Schrems and the invalidation of Safe Harbor

As reported previously, the US-EU Safe Harbor regime was based on a decision by the European Commission in July 2000 that the “Safe Harbor Privacy Principles” implemented in the US afforded an adequate level of protection to EU data subjects with regards to the processing of personal data.  The effect of the decision was to allow the transfer of EU personal data to the US without relying on the data subject’s unambiguous agreement, binding corporate rules or model clauses.

The Schrems proceedings before the Court of Justice of the European Union (CJEU) had originated with a complaint brought by an Austrian privacy campaigner regarding Facebook Ireland’s transfer of data to the US, in light of the Snowden revelations in 2013.  In the decision of October 2015, the CJEU  held that Article 25(6) of the Data Protection Directive (95/46/EC), upon which the Commission’s Safe Harbor decision was based, required the level of protection in the respective non-EU country to be “essentially equivalent” to that guaranteed by law within the European Union.

US legislation allowing for the storage of all personal data and permitting public authorities access on a generalised basis to the content of electronic communications fell short of that requirement.  The Safe Harbor decision of the Commission was therefore invalidated.

Privacy Shield and Article 29 Working Party criticisms

In February 2016, following negotiations with the US, the Commission put forward a draft adequacy decision to replace Safe Harbor, including greater protections.  The “Privacy Shield” proposal included redress for data subjects, annual self-certification by the US companies involved, written assurances from the US government on access and a new US ombudsman.

On 13 April 2016 the EU’s Article 29 Working Party raised a number of concerns about the Privacy Shield proposal and requested that a number of points be clarified, as we detailed here.

European Parliament resolution

In a resolution of 26 May 2016, the European Parliament passed a resolution welcoming the substantial improvements on the invalidated Safe Harbor decision, but noting substantial deficiencies in the proposed new “Privacy Shield” regime, particularly:

• US authorities’ access to data transferred under the Privacy Shield;
• the potential for collection of bulk data that does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights;
• the proposed new US ombudsman being neither sufficiently independent or powerful; and
• the need for the redress mechanism to be more “user-friendly and effective”.

The resolution calls on the Commission to, amongst other things, fully implement the Article 29 Working Party’s recommendations and to continue the dialogue with the US Administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies.

See the resolution here and the press release here.

European Data Protection Supervisor’s Opinion

Four days later, the European Data Protection Supervisor, Giovanni Buttarelli, published an Opinion similarly welcoming the improvements on the Safe Harbor regime but stating that it falls short of the requirement of essential equivalence described by the CJEU in the Schrems decision:

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

The EDPS reiterated a number of the criticisms made by the Article 29 Working Party and made three main recommendations:

• Integrating all main data protection principles, to include substantive details in respect of data retention and automated processing and clarifying the purpose limitation principle.  Exceptions should be better-specified and provisions regarding onward transfers, right of access and right to object should be improved.
• Limiting derogations, including more precise purposes for which exceptions based on national security, law enforcement or legal requirements are allowed.
• Improving redress and oversight mechanisms, including developing the role of the Ombudsperson to ensure independence and the implementation of their decisions.  The EU Commission is encouraged to propose the involvement EU representatives in assessing the oversight system and in notification that certain categories of personal data are to be processed by US authorities.

Amongst other recommendations, the EDPS also suggested that the Privacy Shield should incorporate new measures such as privacy by design and default and data portability, which will become relevant in May 2018 with the implementation of the General Data Protection Regulation.

See the EDPS’s Opinion here and press release here.

WAB Comment

Max Schrems, the Austrian privacy campaigner who started the challenge that resulted in Safe Harbor being invalidated, said the Privacy Shield was, “basically Safe Harbor once again”.  Each of the three EU bodies that have commented on the proposal acknowledge that it represents an improvement, but not enough of one.

The European Union’s data protection regime is highly developed, strongly emphasises the rights of data subjects and imposes controls on governmental and commercial activities. It may be difficult to negotiate “essentially equivalent” protections from the US government in order to make the Privacy Shield proposals work.  Fortunately, as we have previously noted, there remain alternatives to Safe Harbor or its replacement where European personal data is to be transferred to the US.