Privacy Shield and the General Data Protection Regulation: More Key Developments
Developments on the European data protection front continue at a fast pace. As the process of implementation of the now-final General Data Protection Regulation (GDPR) begins, the Article 29 Working Party (WP29) is announcing a workshop on implementation questions in Brussels in July. Meanwhile, uncertainty continues for trans-Atlantic data transfers as both the European Parliament and the European Data Protection Supervisor (EDPS) weigh in with views for negotiators on the EU-U.S. Privacy Shield, and the Irish Data Protection Commissioner (IDPC) announces the intention to initiate proceedings in the Irish High Court that may put before the Court of Justice of the European Union (CJEU) the validity of EU standard contractual clauses (or model contracts).
Significantly, none of the EU authorities commenting on — and criticizing — the Commission’s draft adequacy decision in support of the Privacy Shield has fully addressed the CJEU’s standard of essential equivalence between the EU and U.S. legal orders for privacy and data protection. The Parliament, WP29 and EDPS each focus only on the inadequacies they perceive in the U.S. system. They do not compare the U.S. to the actual legal order in the EU, which allows Member States a margin of discretion regarding surveillance and which includes the EU’s international trade law obligations under Article 216 of the Treaty on the Functioning of the European Union (TFEU). The actual EU legal order permits surveillance as set out in the case law of the European Court of Human Rights (ECtHR), which tests national systems (surveillance methods and safeguards) as a whole to assess whether there is sufficient protection against abuse. Without such a full comparison, “equivalence” cannot be meaningfully judged. Moreover, as demonstrated in Sidley’s Essentially Equivalent Report, the safeguards, oversight, redress and other checks and balances over national security surveillance practices in the U.S. fall within the margin of discretion permitted under ECtHR case law. Unless EU authorities take full account of the EU legal order, they will go beyond the legal standard prescribed by the CJEU and risk infringing the EU’s international trade law obligations.
The Irish development initiates a process regarding the principal alternative to Safe Harbor and the Privacy Shield that is likely to unfold over the next year or more. The WP29 consultation begins to address numerous questions of interpretation that need to be resolved over the next two years. Both warrant close attention.
Irish Review of Model Contracts
While the status of the Privacy Shield remains uncertain, many companies are making use of other international data transfer tools such as model contracts and binding corporate rules. The WP29 reaffirmed the validity of these mechanisms. Now the validity of model contracts looks set to be tested soon at the initiative of the IDPC. This development raises the question whether a similar challenge involving binding corporate rules could be next.
The IDPC has had before her a complaint by Max Schrems, the Austrian law student whose case led to the invalidation of Safe Harbor, that model contracts suffer from the same defects as Safe Harbor. In a statement, the IDPC acknowledged a question as to whether model contract clauses offer EU citizens the redress required under the EU Charter of Fundamental Rights against U.S. companies if their European data protection rights have been infringed. Accordingly, the IDPC announced a plan to apply to the Irish High Court for declaratory relief as to the validity of model contracts. Because model contracts derive from EU law, the Irish High Court in turn will have to consider whether it is competent to determine the issue or should refer the question to the CJEU.
Invalidation of model contracts could cause a huge shake-up of global data transfers because, following the invalidation of Safe Harbor, model contracts are the most popular international data transfer tool, and thousands of companies rely on them. While the IDPC’s initiative adds to the uncertainty surrounding the transfer of EU citizens’ data to the U.S. in the wake of the CJEU’s Schrems judgment last October, it could also spill over to transfers to many third countries other than the U.S.
EU Consultation on GDPR and Workshop on July 26
In addition to dealing with international data transfers, companies face the need to assess the impact of the GDPR, which entered into force on May 24, 2016 and will become directly applicable in the Member States on May 25, 2018. As the implementation deadline approaches, there are numerous questions of interpretation.
To assist in answering such questions, Article 70(1) of the GDPR calls for guidance on several issues from the new European Data Protection Board (EDPB) prior to implementation. This includes examining any question covering the application of the GDPR and issuing guidelines, recommendations and best practices to encourage its consistent application; issuing guidelines, recommendations and best practices for further specifying the criteria and conditions for decisions based on profiling; and issuing guidelines, recommendations and best practices for further specifying the criteria and conditions for personal data transfers.
The WP29 work plan issued on February 29 indicates the intention to address an action plan for transitioning into the new legal framework, starting with setting up procedures for the operation of the EDPB. Other questions addressed in the work plan are how to prepare the “one-stop shop” and consistency mechanism, issue guidance for controllers and processors, and establish communications around the EDPB and GDPR. We understand that the WP29 will soon announce two days of meetings in Brussels on July 26 and 27 on the issues framed in its work plan. The first day will be a workshop with stakeholder associations; the second day will involve discussions with the European Commission. Companies should consider how they may use the opportunity of the upcoming July workshops to present issues through relevant umbrella organizations.
Article 70(1) and the GDPR present numerous additional questions not yet addressed in the WP29 work plan. These include:
- Territorial Scope — What amounts to offering goods or services to data subjects in the EU, or monitoring their behavior, such that a non-EU company is subject to the GDPR?
- Consent — Can individuals contract out of their right to withdraw consent?
- Children — In what form should consent from a parent be given for a child under 16 years, or under a lower age (not below 13 years) where a Member State so provides?
- Right to Erasure — How should exemptions from the right to erasure, such as for reasons of public interest, be applied?
- Data Portability — How should the term “structured, commonly used format” be interpreted in the context of the right to data portability?
- Profiling — Every individual has a right not to be subject to a decision based solely on automated processing, including profiling, that produces “legal effects … or significantly affects him or her.” How should these terms be defined and applied?
We also understand the WP29 is eager for concrete input from stakeholders on implementation issues and is considering what form future consultations will take. Given the number and complexity of the issues involved in implementing the GDPR, we believe a continuing process of written notice and comment could be invaluable in informing decision-makers and guiding businesses on how to interpret and apply the GDPR. Companies should therefore consider what additional questions and concerns they wish to raise to shape the interpretation of the GDPR and the process over the next two years, and what more concrete and detailed issues of implementation they may want to present by way of written comments in July or afterward.
European Parliament Resolution on Privacy Shield
On May 26, the European Parliament approved a nonbinding resolution on the EU-U.S. Privacy Shield documentation. This resolution generally supported the proposals for Privacy Shield for advances such as the appointment of an ombudsperson in the U.S. Department of State, the prominent role given to EU data protection authorities to investigate claims relating to data protection and the introduction of a redress mechanism for individuals.
The European Parliament nevertheless identified some “deficiencies” in the current draft of the Privacy Shield, namely the current complexity of the redress system and the need to make this more “user-friendly”; the lack of independence of the proposed U.S. ombudsperson and the inadequacy of the powers to effectively carry out his or her duties; and the lack of clarity on the “written assurances” provided by the U.S. in relation to the proposed safeguards for bulk collection of EU citizens’ personal data for national security purposes.
Accordingly, the European Parliament has asked the European Commission to take the following steps to address these deficiencies: implement in full the recommendations of the WP29’s Opinion on the Privacy Shield draft adequacy decision; conduct periodic robust reviews of the adequacy decision, particularly in light of the recent adoption of the GDPR; and continue negotiations with the U.S. to combat the perceived current deficiencies under the Privacy Shield arrangement.
This resolution is nonbinding on the Commission. Nevertheless, the Parliament’s actions add weight to the April 13 WP29 Opinion on the Privacy Shield. Given the probability that it will have to defend the Privacy Shield framework before the CJEU, the Commission will likely wish to take these issues into account in its revised adequacy decision, which it will present to the Article 31 Committee at the beginning of June. Despite pointing out certain perceived deficiencies, the European Parliament stated that the Privacy Shield has achieved “substantial improvements” over Safe Harbor, which suggests that the Commission may not be far from a final adequacy decision.
EDPS Opinion on Privacy Shield
On May 30, the EDPS, Giovanni Buttarelli, issued his opinion on the Privacy Shield. He describes the Commission’s draft adequacy decision on the Privacy Shield as “a step in the right direction” but says it ultimately needs “robust improvements” to cover all the safeguards for EU individuals that he deems essential. According to the EDPS, significant improvements are needed, including the Commission obtaining additional reassurances from the U.S. on the necessity and proportionality of access to data by U.S. authorities. In relation to transfers for commercial purposes, the EDPS says the Commission should make its determination by looking to the future and to the requirements under the GDPR. While the opinion acknowledges that the assessment of whether a third country’s data protection regime is “essentially equivalent” to the EU’s under the CJEU standard “should be performed in global terms though respecting the essence” of the EU data protection framework, the EDPS (like the WP29 before him) appears to insist that every EU principle be recapitulated in the Privacy Shield documentation separately and in quite a granular way.
Perhaps the most concerning part of the EDPS opinion for international businesses of all kinds relates to possible “indirect” effects on model contracts and binding corporate rules as alternatives to the Privacy Shield for legitimizing transfers not only to the U.S. but also to other third countries. The EDPS opinion states:
“many of the elements considered in our Opinion are indirectly relevant for both the Privacy Shield and other transfer tools, such as the Binding Corporate Rules (hereafter: BCRs) and Standard Contractual Clauses (hereafter: SCCs). It also has a global relevance, as many third countries will be closely following it against the background of the adoption of the new EU data protection framework.”
Specifically, the EDPS finds that the Privacy Shield needs more specific language to address these issues:
- data retention (additional language to clarify data should not be kept for longer than necessary for the purpose for which the data were collected)
- automated processing (human intervention for automated decisions that produce legal effects or significantly affect an individual)
- purpose limitation (clarification of purpose limitation by using the term “(in)compatible purpose” in the Privacy Shield documents)
- limiting and clarifying the various exceptions in the Privacy Shield documents such as for journalistic material
- onward transfers, right to access and right to object (“should be improved”)
- right of redress and oversight (requiring further development, greater independence, enforcement by U.S. authorities and continuing involvement of EU data protection authorities, and streamlining to be less complicated and more effective).
The EDPS goes further than the WP29 in expressing concerns over the reservation in the Privacy Shield documents allowing the Office of the Director of National Intelligence (ODNI) to conduct bulk surveillance in certain circumstances. The WP29 acknowledged that EU jurisprudence has not ruled out untargeted surveillance and looked to the case law of the ECtHR for guidance. In contrast, the EDPS invokes the “constitutional traditions common to the Member States” but does not mention the ECtHR case law. Similarly, the EDPS Opinion mentions that surveillance practices “may also relate to intelligence in other countries,” but does not refer to the international trade obligations regarding equal treatment that have been cited in every Article 25(6) decision to date. Instead, the EDPS takes an assertive stance, urging the Commission to use the Privacy Shield as a signal not only to the U.S. but also to the Member States, “given the obligations incumbent on the EU under the Lisbon Treaty,” so as to prevent “legitimising this routine” of surveillance, which “should only take place as an exception.”
The assertiveness of the EDPS appears to be aimed not only at the Commission but also at the U.S. Congress and intelligence agencies. While the EDPS “welcomes the efforts towards increased transparency” in the information provided by the ODNI and acknowledges the guidance in President Obama’s Presidential Policy Directive 28 extending safeguards that apply to U.S. persons to persons outside the United States, he calls for further policy and legislative amendments in the U.S. to “help meet the adequacy requirements.” The EDPS also suggests involving EU representatives in U.S. intelligence oversight where U.S. national security agencies process personal data transferred from the EU. In addition, although the CJEU held that self-regulatory data transfer mechanisms are permissible so long as they are backed by supervision and redress adequate to ensure compliance, the EDPS expressed the view that, as a self-regulatory mechanism, the Privacy Shield should be only a short-term measure and should be replaced in the long term by more binding commitments.