Behind the Privacy Shield

Feature Article

EU and US regulators have agreed on new data transfer laws, with the aim of easing the tensions between the two continents

The deal came at the 25th hour, right at the start of February, but it came nevertheless. In it, US regulators and the EU Commission agreed upon a new framework for transatlantic data flows, after the prior framework, known as the Safe Harbour Agreement, was struck down by the European Court of Justice (ECJ) last October.

The Safe Harbour Agreement was struck down by the ECJ on the grounds that the data of European citizens, including instant messages, emails and all kinds of internet traffic, were not being sufficiently protected from state surveillance (in this case by the NSA) in the US. This decision by the court was very much a reaction to the Snowden revelations from a few years ago. It gave US regulators the task of finalising a new framework with their European counterparts.

The new framework, called the US-EU Privacy Shield, is meant to satisfy the concerns raised by the court in its October ruling. The framework clarifies a number of rules and measures which are meant to do a better job of complying with Europe’s data protection laws. The updated rules include stricter and stronger obligations for companies dealing with data flows to and from Europe, committing them to protecting the individual rights of European citizens. The US Department of Commerce will oversee these processes, ensuring that companies publish their commitments, which makes those commitments enforceable in US courts through the country’s Federal Trade Commission; companies will also have to comply with DPAs (data protection agencies).

Additionally, the US has guaranteed the EU that law enforcement agencies wishing to obtain data transferred from Europe will be subject to intense scrutiny and oversight, and may face limitations in certain circumstances. The US has also said it will rule out any mass surveillance of the data under the new framework; such surveillance was one of the major flaws that led to the prior framework being invalidated.

Moreover, European citizens will have available to them a range of redress options if they believe that their data has been misused, and companies will have to meet deadlines when responding to such claims. A new Ombudsperson will be established to handle complaints involving unauthorised snooping by national intelligence agencies.

Despite these new rules, some are still not impressed. Notably, Marc Schrems, the Australian academic responsible for bringing the issue to the ECJ in the first place, has been critical. After the initial announcement of the Privacy Shield, he claimed that it fails to address the fundamental issues. Others in Europe agree with this remark, but, by contrast, those in the US believe that the new rules are adequate. In an interview with The New York Times, Penny Pritzker, the US commerce secretary who led the negotiations with Europe, said that the US “looked very carefully at all of the provisions to make sure that the new framework fully met the standards set by the European Court of Justice,” and claimed that the Privacy Shield “provides a bridge between the two regions, acknowledging the effectiveness of both systems.”

The divide between Europe and the US runs deep, back to their respective roots. The US, scarred by terrorist attacks on its soil, continues its fight against terrorism and therefore accepts that security may prevail over privacy in some cases. On the other hand, traumatised by Nazism and the bloody uprising against the tyrannical authorities during the French Revolution, Europe has tended to safeguard individual rights and civil liberties, and therefore strongly opposes the surveillance programs of the NSA. However, if this new deal is able to hold, and to overcome the criticism it has faced so far, then perhaps it may prove that, despite their differences, the EU and the US can still work harmoniously to develop effective and balanced policy.

Shielding Surveillance

One of the more significant differences between the new legal framework and the original Safe Harbour agreement is the stronger set of obligations requiring companies to protect the rights of European citizens. Article 8 of the European Convention on Human Rights assures citizens that their right to privacy is to be respected. More specifically, the Article states: “Everyone has the right to respect for his private and family life, his home and correspondence.” It also states: “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary for a democratic society in the interests of national security, public safety or the economic well-being of the country.”

The Privacy Shield requires that third parties to member states (essentially countries outside the EU) comply with Article 8 of the Convention, which protects the individual right to privacy. What this means in practice is that companies which transfer data to or from the EU must ensure that the data is protected from surveillance or any unwanted snoopers. It also requires that companies abide by the rules and respect European citizens’ right to privacy under Article 8. This was a critical condition in the negotiations between US and EU regulators to finalise the Privacy Shield.

This forms part of the basis of the new transatlantic framework. Article 8 was cited frequently in the court case in which the ECJ invalidated the original legal framework. The court recognised that the data citizens generate through various consumer electronics and digital services, such as a smartphone or Facebook, can form a hub of information, some of which can be personal or sensitive. Thus, the court acknowledged that, given this reality, it is important that citizens have their data sufficiently protected by those handling it.

With that, the application of Article 8 to the modern digital age can be combined with the Data Protection Act of 1998 to make the right to privacy more applicable. The DPA is a broad piece of regulation that applies to the obtaining, holding, using or disclosing of personal data. Schedule 8 of the DPA lays out 8 principles that regulate how personal data should be handled. Among them, there is the requirement that “personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

The DPA applies to “data controllers”, which can range from individuals to big corporations. The Act defines a “data controller” as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” Anybody who falls under this broad definition must ensure that the processing of data for which they are responsible complies with the Act. However, the Act was only applicable to those residing within the EU, which would have made US companies, like Facebook, and government agencies, like the NSA, exempt from such rules and standards.

The Safe Harbour framework, formed in 2000, went further to ensure that third parties (states outside the EU) also complied with Europe’s data protection standards. The former framework established that if an organisation wanted to transfer information beyond EU borders, it had to comply with the standards set by the Safe Harbour. A contract had to be signed to ensure that there was an adequate level of privacy protection, a level determined by the details of the framework.

It was in this condition of the former framework that the ECJ, in its latest ruling, identified a significant loophole. The court found that the US had failed to comply with the right to privacy set out in the data protection directive. The rules had become nugatory because a State could access data, without what the court deemed sufficient oversight, on a “casual or general basis”, thereby undermining the privacy of European citizens. The court found this to be evident in the transfer of data from Facebook-owned data centres in Ireland to centres located in the US, where it could be subject to surveillance by the NSA.

The new Privacy Shield aims to plug these leaks. The new legal framework requires written assurances that any access to personal data by public authorities will be subject to strict oversight and limitations. In addition, US authorities have agreed to comply with new rules which prohibit mass surveillance. However, bulk collection is permitted under certain circumstances, such as when combating terrorism or other criminal activity. This may still cause controversy, as privacy advocates may argue that bulk collection and mass surveillance are ineffective in tracking down or stopping malicious actors and their intentions.

Atlantic Gridlock

One difficulty EU and US regulators have faced when negotiating this new deal is the distinct difference in how the laws are structured in Europe and the US. In particular, the US has no single overarching digital privacy law, unlike the EU, which has the data protection directive directly addressing such issues. Instead, a range of court cases have provided differing interpretations of privacy, and no landmark decision has been able to clarify its place in the context of the digital age.

For example, last year a federal court judge in California dismissed a lawsuit worth $15 million accusing Facebook of secretly tracking the internet activities of its users using embedded cookies. The social media giant was able to track all of the websites visited by a user with the cookies even after the user had logged off. The court dismissed the plaintiffs’ claim on the basis that they had failed to show sufficient injury. In other words, they were unable to demonstrate how an invasion of their privacy led to them suffering any identifiable damage. They were unable to link the value of their data to the harm or loss which would have occurred had that data been compromised or misused. Though the specifics of privacy-related issues differ from case to case, the overall consensus is that none of the cases so far have been able to identify how invasions of privacy equate to some kind of loss. Thus, the US does not, as of now, recognise invasions of digital privacy as an act of negligence, because the appropriate remedies for such acts have not been determined.

However, the Privacy Shield provides European citizens with several redress opportunities if they believe that their personal data has been misused. One of these is the ability for European citizens to raise their concerns through an independent Ombudsman who will handle and resolve the filed complaints. The US Department of Commerce, as well as the Federal Trade Commission, will also work with EU regulators to resolve the issues and complaints brought forward. In addition, President Obama signed the US Judicial Redress Act, which will “give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes.”

Despite this, the process for redress has been criticised by some. Marc Rotenberg of Georgetown University Law Centre in Washington DC says that even though the process for redress under the original Safe Harbour was difficult (the US Federal Trade Commission received only four complaints in fifteen years), the new Privacy Shield does not do much to make it any easier. He claims that, despite it costing nothing to file a complaint, the amount of compensation which can be obtained would be meagre.

But the Judicial Redress Act is supposed to be a mechanism to provide those remedies. The Act specifically enables European citizens to obtain compensation or seek remedies for any improper handling of data in a criminal or terrorist investigation.

Finding Consensus Amid Controversy

The Privacy Shield is still yet to be finalised. Until then it may still be subject to changes and amendments recommended by observers, DPAs, privacy advocates and others. Even in these early stages, it has faced criticism. But it is imperative that an arrangement can be settled upon, for the sake of both sides. The digital economies of both the US and the EU rely heavily on a deal being reached; billions of dollars, which those digital economies generate, are at stake. If a deal can be reached and established as law, it will be proof that, despite the scars and traumas that have shaped both continents, the US and Europe can come together and find a middle ground that both are happy to work with. Otherwise, the differences on privacy, national security and other related issues will prevail, leaving an awkward relationship. Mrs Pritzker believes that businesses, governments and individuals can rely on the Privacy Shield. Let’s hope that this will be the case.