Tweet This
The European Commission announced today via Commissioner Vera Jourová the time frame and remaining conditions for reaching agreement on Privacy Shield, the framework "agreement" to replace the invalid Safe Harbor EU-U.S. data transfers agreement.
Exterior views of the European Commission http://ec.europa.eu/avservices/ Feb. 8, 2016
Jourová, Commissioner in charge of Safe Harbor replacement negotiations, announced that a new EU-U.S. privacy/data transfers pact, Privacy Shield, would be reached during the second half of this month. She further stated that the “ EU-U.S. Privacy Shield is part of wider effort to restore trust in transatlantic data flows. Adoption of Judicial Redress Act is now key. ”
We're now finalising texts and will unveil the #Privacy Shield 2nd half of February @Ansip_EU
— Věra Jourová (@VeraJourova) February 8, 2016
Implicit in the announcement is the major precondition that the new privacy agreement needs to be passed by the European Commission in the form of a decision; for that to happen the EC will be relying on the opinion of the advice of the group of national data protection authorities, Working Party 29 (WP29). WP29 has announced it will issue its opinion by the end of March.
What WP29 will determine is whether Privacy Shield will hold up if tested in the European Court of Justice (CJEU)—the ultimate authority on enforceability of the new pact. Just as the U.S. Supreme Court can strike down U.S. laws it deems to be unconstitutional, the CJEU can do the same with EU laws—a power it exercised previously in invalidating Privacy Shield’s predecessor, Safe Harbor, in the case of Schrems.
US mass surveillance still problematic
Key to the CJEU’s Schrems decision was the finding that the “national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with U.S national security, public interest and law enforcement requirements.”
CJEU further indicated that, under EU law, "legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made,” adding that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.”
Assurances have reportedly been given by the U.S. to the EU regarding adequate restrictions on surveillance. In Jourová's initial announcement of Privacy Shield, she stated, "[i]n the context of the negotiations for this agreement, the U.S. has assured that it does not conduct mass or indiscriminate surveillance of Europeans," adding that the parties had established an annual joint review in order to monitor implementation of the agreement.
Schrems decision
These prouncements were in response to Schrems’s complaint being based on the finding that the U.S. did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged by the public authorities, referring “ in this regard to the revelations made by Edward Snowden concerning the activities of the United States intelligence services, in particular those of the National Security Agency (‘the NSA’).”
The CJEU referred in particular to the Schrems complaint’s allegation that “the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.”
Judicial Redress Act
As previously reported, it is clear the EC at least as of this past January 31 was not happy with pending US legislation, the Judicial Redress Act, that would conditionally extend jurisdiction in US courts to EU citizens for complaints that arise under breaches of EU citizen’s rights by US authorities.
A critical last-minute amendment was made to that law to provide that, in order to qualify as a covered country, a foreign country must "permit commercial data transfers with the United States and may not impede the national security interests of the United States.”
It was reported that this legislation has been passed to the Senate floor from passage by the Senate Judiciary Committee. It has been further reported that the Senate could consider the legislation this week and if there are no objections, send it back to the House.
FOIA to release Privacy Shield earlier
The announcement of Jourová this morning regarding timing is consistent with the statement of EC spokesperson Christian Wigand over the weekend, who wrote in response to inquiry regarding the FOIA request filed by the Electronic Privacy Information Center, that:
The College has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft "adequacy decision" in the coming weeks, which could then be adopted by the College according to the foreseen procedure. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman. The two sides have agreed on the political level on Tuesday, everything has to be formalised now. The texts will then be made public in a couple of weeks.
As to the current status of what is being referred to as the Privacy Shield "agreement," Wigand state, "the Privacy Shield is neither secret nor legally an "agreement".
Currently data transfers from the EU-U.S. are technically illegal, but thus far the Data Protection Authorities have been indicating they would not yet begin to bring proceedings. Time of abeyance is at the discretion of each individual authority.
