Category: EU-U.S. Privacy Shield

Hearing on the legal challenge of SCC and US-EU Privacy Shield before CJEU

17. July 2019

On Tuesday last week, the European Court of Justice (CJEU) held the hearing on case 311/18, commonly known as “Schrems II”, following a complaint to the Irish Data Protection Commission (DPC) by Maximilian Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. The case deals with two consecutive questions. The initial question refers to whether U.S. law, the Foreign Intelligence Service Act (FISA), that consists a legal ground for national security agencies to access the personal data of citizens of the European Union (EU) violates EU data protection laws. If confirmed, this would raise the second question namely whether current legal data transfer mechanisms could be invalid (we already reported on the backgrounds).

If both, the US-EU Privacy Shield and the EU Standard Contractual Clauses (SCCs) as currently primeraly used transfer mechanisms, were ruled invalid, businesses would probably have to deal with a complex and diffucult scenario. As Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum said, the hearing would have had a particularly higher impact than the first Schrems/EU-US Safe Harbor case, because this time it could affect not only data transfers from the EU to the U.S., but from the EU to all countries around the world where international data transfers are based on the SCCs.

This is what also Facebook lawyer, Paul Gallagher, argued. He told the CJEU that if SCCs were hold invalid, “the effect on trade would be immense.” He added that not all U.S. companies would be covered by FISA – that would allow them to provide the law enforcement agencies with EU personal data. In particular, Facebook could not be hold responsible for unduly handing personal data over to national security agencies, as there was no evidence of that.

Eileen Barrington, lawyer of the US government assured, of course, by referring to a “hypothetical scenario” in which the US would tap data streams from a cable in the Atlantic, it was not about “undirected” mass surveillance. But about “targeted” collection of data – a lesson that would have been learned from the Snowden revelations according to which the US wanted to regain the trust of Europeans. Only suspicious material would be filtered out using particular selectors. She also had a message for the European feeling of security: “It has been proven that there is an essential benefit to the signal intelligence of the USA – for the security of American as well as EU citizens”.

The crucial factor for the outcome of the proceedings is likely to be how valid the CJEU considers the availability of legal remedies to EU data subjects. Throughout the hearing, there were serious doubts about this. The monitoring of non-US citizens data is essentially based on a presidential directive and an executive order, i.e. government orders and not on formal laws. However, EU citizens will be none the wiser, as particularly, referring to many critisists’ conlusion, they do not know whether they will be actually surveilled or not. It remains the issue regarding the independence of the ombudsperson which the US has committed itself to establish in the Privacy Shield Agreement. Of course, he or she may be independent in terms of the intelligence agencies, but most likely not of the government.

However, Henrik Saugmandsgaard Øe, the Advocate General responsible for the case, intends to present his proposal, which is not binding on the Judges, on December 12th. The court’s decision is then expected in early 2020. Referring to CJEU judge and judge-rapporteur in the case, Thomas von Danwitz, the digital services and networking would be considerably compromised, anyways, if the CJEU would declare the current content of the SCC ineffective.

 

 

EU-US Privacy Shield and SCCs facing legal challenge before the EU High Courts

3. July 2019

Privacy Shield, established between the European Union (EU) and the United States of America (US) as a replacement of the fallen Safe Harbor agreement, has been under scrutiny from the moment it entered into effect. Based on the original claims by Max Schrems in regards to Safe Harbor (C-362/14), the EU-US data transfer agreement has been challenged in two cases, one of which will be heard by the Court of Justice of the European Union (CJEU) in early July.

In this case, as in 2015, Mr. Schrems bases his claims elementally on the same principles. The contention is the unrestricted access of US agencies to European’s personal data. Succeeding hearings in 2017, the Irish High Court found and raised 11 questions in regards to the adequacy of the level of protection to the CJEU. The hearing before the CJEU is scheduled for July 9th. The second case, originally planned to be heard on July 1st and 2nd, has been brought to the General Court of the European Union by the French digital rights group La Quadrature du Net in conjunction with the French Data Net and Fédération FDN. Their concerns revolve around the inadequacy of the level of protection given by the Privacy Shield and its mechanisms.
This hearing, however, has been cancelled by the General Court of the EU only days prior to its date, which was announced by La Quadrature du Net through tweet.

Despite the criticism of the agreement, the European Commission has noted improvements to the level of security of the Privacy Shield in their second review of the agreement dating from December 2018. The US Senate confirmed Keith Krach as Under Secretary for Economic Growth, Energy and Environment, with his duties to include being the permanent ombudsman in regards to the Privacy Shield and the EU data protection, on June 20th 2019.

As it is, both cases are apt to worry companies that rely on being certified by the Privacy Shield or the use of SCCs. With the uncertainty that comes with these questions, DPOs will be looking for new ways to ensure the data flow between Europe and the US. The European Commission stated that it wants to make it easier for companies in the future to comply with data transfers under the GDPR. It plans to update the SCCs to the requirements of the GDPR, providing a contractual mechanism for international transfers. Nonetheless, it is unclear when those updates are happening, and they may be subject to legal challenge based on the future Schrems ruling.

FTC takes action against companies claiming to participate in EU-U.S. Privacy Shield and other international privacy agreements

24. June 2019

The Federal Trade Commission (FTC) announced that it had taken action against several companies that pretended to be compliant with the EU-U.S. Privacy Shield and other international privacy agreements.

According to the FTC, SecureTest, Inc., a background screening company, has falsely claimed on its website to have participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. These framework agreements allow companies to transfer consumer data from member states of the European Union and Switzerland to the United States in accordance with EU or Swiss law.

In September 2017, the company applied to the U.S. Department of Commerce for Privacy Shield certification. However, it did not take the necessary steps to be certified as compliant with the framework agreements.

Following the FTC’s complaint, the FTC and SecureTest, Inc. have proposed a settlement agreement. This proposal includes a prohibition for SecureTest to misrepresent its participation in any privacy or security program sponsored by any government or self-regulatory or standardization organization. The proposed agreement will be published in the Federal Register and subject to public comment for 30 days. Afterwards the FTC will make a determination regarding whether to make the proposed consent order final.

The FTC has also sent warning letters to 13 companies that falsely claimed to participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. The FTC asked companies to remove from their websites, privacy policies or other public documents any statements claiming to participate in a safe harbor agreement. If the companies fail to take action within 30 days, the FTC warned that it would take appropriate legal action.

The FTC also sent warning letters with the same request to two companies that falsely claimed in their privacy policies that they were participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR system is an initiative to improve the protection of consumer data moving between APEC member countries through a voluntary but enforceable code of conduct implemented by participating companies. To become a certified participant, a designated third party, known as an APEC-approved Accountability Agent, must verify and confirm that the company meets the requirements of the CBPR program.

WP29 releases opinion on joint review of Privacy Shield

11. December 2017

The Working Party 29 (WP29),  an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement  (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).

In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.

Though acknowledging progress, the WP29 still finds unresolved issues on both sides.

It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.

The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.

Another important issue to be tackled is the handling of Human Resource (HR)  data and the rules governing automated-decision making and profiling.

Also, the process of self-certification for companies requires improvement.

In terms of access by public authorities, the WP 29 concludes that the US government has made effort to become more transparent.

However, some of the main concerns still are to be resolved by May 25th, 2018.

The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.

Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.

In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

One year Privacy Shield

7. November 2017

The EU-US Privacy Shield is intended to protect the data of EU citizens from the US scouting device. Critics, however, have serious doubts as to whether this is currently the case. The transatlantic data package has been in operation for over a year and has now undergone a first review. The Privacy Shield is the successor to the Safe Harbor Agreement, which was repealed in a sensational ruling by the European Court of Justice.

The purpose of the Privacy Shield is to achieve a similar level of data protection in the US as in the EU, so that the data of the EU citizens in the US are just as protected as here on land. In particular, it should be achieved:

the data should be safe from excessive mass surveillance by US authorities (eg the NSA),
an ombudsperson established in the State Department that EU citizens can contact directly,
no indefinite storage of personal data of EU citizens by companies.

2400 companies have been certified for the Privacy Shield since its introduction. These include industry giants like Amazon, Tesla, Facebook and Google. Therefore, the importance of the Privacy Shield as a data protection regulation can not be denied. In addition to the certification remain as a legal basis only standard contractual clauses.

The first review shows, however, that the Privacy Shield is still controversial and the central demands, such as the Ombudsman, have not yet been implemented by the US government. In addition, US President Trump has already shortly after taking office, the privacy of non-Americans by way of a decree.

Nevertheless, responsible EU Justice Commissioner Vera Journová is not dissatisfied with the first year. While it is warned that the Ombudsperson should be appointed as soon as possible, she is confident that the US is now taking the concerns of Europeans seriously.

However, critics continue to complain that too little is done to enforce existing claims and that the Privacy Shield does not meet the requirements set out in the Safe Harbor ruling.

European Union’s justice commissioner Jourová threatens to suspend Privacy Shield

6. March 2017

Vera Jourová, the European Union’s justice commissioner, is willing to suspend Privacy Shield in case the Trump administration budges from the result of the negotiation between the Obama administration and the European Union.

The Privacy Shield pact was meant to replace the Safe Harbor decision of the European Commission that was overturned in October 2015 by the European Court of Justice (ECJ). The pact’s purpose is to enable the transfer of EU citizens’ personal data to the US while ensuring the protection of those data.

Concerns about the effectiveness of the Privacy Shield came up as President Trump passed an executive order in January 2017 saying “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Although the US Department of Justice already affirmed the US’s commitment to the Privacy Shield, Jourová stays sceptical and wants to keep an eye on the US government’s stance. In case EU citizens’ personal data are not safe in the US Jourová will not hesitate to suspend the pact.

US court: Google must give foreign e-mails to FBI

9. February 2017

Lately, Google has lost a court case (in Philadelphia) on e-mail data storage on foreign server, so that, according to the judgement, from now on the data should be sent to the US FBI security service.

The Court diverges from the existing case-law since, in a recent case, Microsoft has successfully denied the publication of data stored on servers in the European Union, and referred to the legal requirements in the EU.
As a reason for Google’s publishing obligation, the judge argued that Google is constantly copying data between its data centers, so that it should be only needed a further transfer of the data requested by the FBI to the US, in order for the FBI to access it. Although this could be a violation of the rights of the user, this violation would take place in the USA and because of that again covered by the law. According to the court, the data transfer therefore does not represent any access to foreign data anyway.

Following the proclamation of the judgment, Google has already commented on the procedure and announced to appeal against the decision, and continue to oppose to all official demands that go too far. Google has also explained that data is distributed on the servers around the world for technical reasons and in some cases it is not at all clear where the data is being stored. The verdict shows that each year Google receives from the US investigators somewhat 25,000 information requests.

Trump’s Executive Order Impact on the Privacy Shield

8. February 2017

Background

The Court of Justice of the European Union has invalidated the U.S.-EU Safe Harbor framework (October 2015), which was replaced by the Privacy Shield on 12 July 2016.

Enhancing Public Safety in the Interior of the United States” (Executive Order) was issued by the US President Donald Trump on 25th January 2017. This act’s main aim was the immigration laws enforcement in the U.S.

In its Section 14 we may read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The so-called “Umbrella Agreement” (signed on 2nd December 2016) between the U.S. and EU, ensured the personal data transfers for law enforcement purposes. This agreement applies also to the pre-existing agreements between the U.S. and EU along with the various Mutual Legal Assistance Treaties (“MLATs”), Passenger Name Records Agreement, and Safe Harbor framework.

Part 19 of the Umbrella Agreement enables every European citizen to seek judicial review in case of an unlawfully disclosure individual’s personal data or denial of the right to access or amend the personal data in agency’s possession.

Before the Umbrella Agreement, there was no such legal possibility, although the Privacy Act of 1974 extended those rights to permanent residents of the U.S. and its citizens. EU would only agree with the Umbrella Agreement once U.S. extends protections to the European citizens under the Privacy Act, so that the U.S. is expected to comply with the Umbrellas Agreement Art. 19.

Moreover, in February 2016 the Judicial Redress Act was passed as the U.S. and EU got along with each other, which extended protections of the Privacy Act (disclosure, access, amendment) to citizens of “covered countries’’ (as named in the Judicial Redress Act).

On 17th of January 2017 Loretta Lynch (new former U.S. Attorney General) designated “covered jurisdictions’’ (as named in the Judicial Redress act) to include in the Judicial Redress Act all the EU Members apart from Denmark and the UK, which has become effective on 1st February.

The Attorneys General designation however, is not subject to administrative or judicial review (within the Judicial Redress Act).

Conclusion

Donald Trump’s Executive Order is believed not to affect the Judicial Redress Act (which is applicable law in the context of data transfers for law enforcement purposes) in terms of the Privacy Act rights to the European citizens extension, so as to say that the Executive Order should not impact Privacy Shield Framework’s legal viability.

Unresolved is still an aspect of “covered countries’’ designation, as the Judicial Redress Act includes a “covered countries’’ designations removal process, which is still subject of a dispute.

Article 29 Working Party released Guidelines on Data Protection Officers, Data Portability & One-Stop Shop

19. December 2016

The European Article 29 Working Party just published Guidelines after their December plenary meeting.

These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.

When do you have to appoint a DPO?

Article 37 (1) of the GDPR states that a DPO has to be appointed

a) where the processing is carried out by a public authority or body

b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale

or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.

How does the Article 29 Working Party define these requirements?

“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.

Therefore, companies have to ask themselves whether the processing of personal data is a inextricably part for archiving their goals.

 

“Large scale” refers to the number of data subjects and not the company’s size.

The Working Party 29 defines the following identification aspects for a “large scale”:

  • The number of data subjects affected.
  • The volume of data and/or the range of different data items being processed.
  • The duration, or permanence, of the data processing activity.
  • The geographical extent of the processing activity.

However, the Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.

 

The viability of the EU-U.S. Privacy Shield under Trump is questioned

8. December 2016

What happened?

As Bloomberg Law Privacy & Data Security just reported, officials of the European Union stated that they will watch carefully for any signs of U.S. President-elect Donald Trump turning around the EU-U.S. Privacy Shield agreement.

Vera Jourova, EU Justice Commissioner, can be quoted that the European Union would “closely monitor the respect of protection standards and the correct implementation” of the EU-U.S. Privacy Shield “under the new U.S. leadership”.

Why are the concerns raised?

The questions are asked is due to the fact that under the EU-U.S. Privacy Shield data transfers are based on respect for European privacy rights in case European personal data is transferred to the USA for commercial purposes. However, as Trump made comments that can be interpreted so that such privacy rights might be disregarded, during the U.S. presidential campaig, concerns are raised.

Adina-Ioana Valean, Member of the European Parliament, gave a speech at the European Data Protection and Privacy Conference in Brussels and explained that “a lot of things were said” during the U.S. presidential campaign. Therefore, she concluded that “we should sit and wait for the next move and then we can judge”.

 

 

Pages: 1 2 3 Next
1 2 3