datenrecht.ch

EU-US Privacy Shield: a first overview

Documentation

As reported here, the European Commission published the EU-US Privacy Shield documentation on February 29, 2016, 27 days after the announcement of the political agreement between the EU and the US. The documentation includes, among other documents, in particular the Principles, which will apply to the participating companies (formatted document), commitments by the U.S. government (of the Department of Commerce, of the Secretary of State John Kerry, of the Federal Trade Commission (FTC), of the Secretary of Transportation, of the Director of National Intelligence and of the US Department of Justice (DOJ)) and the Draft Commission Adequacy Decision.

Enforcement and administration of the Privacy Shield program

The administration of the Privacy Shield (PS) on the U.S. side is the responsibility of the Department of Commerce, which will, among other things, monitor compliance with the Principles by the participating companies (with actual enforcement being the responsibility of the FTC) and maintain the list of participating companies (the “Privacy Shield List”). The Department will be able to conduct ex officio investigations of the companies concerned. Appropriate resources have been made available for this purpose.

Enforcement, on the other hand, is the responsibility of the Federal Trade Commission (FTC), which has promised to give priority to complaints from EU member states, as it did under the Safe Harbor framework. In the case of a complaint or on its own motion, the FTC can make inquiries, open formal investigations and provide administrative assistance. The FTC can also pursue misrepresentations about a Privacy Shield violation if the FTC or the Department of Commerce finds such violations (a problem that arose more often under the Safe Harbor framework; the FTC had dealt with 36 such cases).

Insofar as allegations of data privacy violations relate to the transportation sector (e.g., violations of data privacy statements by airlines), enforcement lies with the Department of Transportation. Its Aviation Enforcement Office has the authority to order precautionary measures and impose penalties (but not to award damages unless the company in question accepts compensation payments as part of a settlement).

The Privacy Shield Principles

The core of the Privacy Shield consists of the Principles (and the Commission’s adequacy decision). The Principles (see below, Appendix) consist of an overview, the actual “Principles” and the “Supplemental Principles”. The Principles themselves are divided into provisions on transparency (Notice), an opt-out right for data subjects (Choice), provisions on the transfer of personal data (Onward Transfer), provisions on data security (Security), rules on proportionality, purpose limitation and data quality (Data Integrity and Purpose Limitation), provisions on the right of access (Access) and provisions on legal protection (Recourse, Enforcement and Liability). A summary of the content can be found in the Draft Adequacy Decision.

The Supplemental Principles contain detailed provisions on sensitive (particularly sensitive) data, media privileges, liability of infrastructure providers such as telecoms or ISPs, data processing by listed companies, investment banks and lawyers, the role of data protection authorities (DPAs), self-certification and monitoring of certification, the right of access, employee data, onward transfer, legal protection, travel information, health data, public data, access by authorities and other points. An annex then contains provisions on arbitration between public authorities and data subjects.

The draft Adequacy Finding essentially contains a summary of the Privacy Shield and a finding that these rules result in adequate protection of personal data transferred to recipients in the U.S. under the Privacy Shield. The Adequacy Finding is to be reviewed periodically, as required by the ECJ.

The issue of espionage activities outside the U.S.

In connection with the mass surveillance specifically criticized by the ECJ in the Schrems ruling, the documents (namely the Letter from the Director of National Intelligence to the U.S. Department of Commerce and the U.S. International Trade Administration) refer to a directive issued by President Obama in January 2014 (Presidential Policy Directive no. 28 – Signals Intelligence Activities, PPD-28 (PDF)), which established principles for wiretapping activities. These principles, which were concretized by directives from the intelligence agencies (the “U.S. Intelligence Community”), by no means prohibit mass surveillance (“bulk collection”) – on the contrary, it is even explicitly described as a necessary instrument for protecting national security. However, surveillance and the storage of the corresponding data are slightly restricted, and the use of data obtained through bulk surveillance is limited to six purposes:

the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section.

The Director of National Intelligence also emphasizes that foreign intelligence surveillance is limited to individual cases or persons. It is monitored by the U.S. Department of Justice (DOJ) and the Office of the Director of National Intelligence (ODNI), among others. Foreign surveillance is also subject to the jurisdiction of a special court, the US Foreign Intelligence Surveillance Court, which must approve it.

The question of legal protection

The primary remedy for affected individuals is to file a complaint with the U.S. company involved. Complaints should be answered within 45 days. In addition, a free alternative dispute resolution service should be established.

In the event of violations of the Privacy Shield rules, the FTC has enforcement options. As the FTC also points out, other U.S. laws also provide protections in the area of data privacy. For example, the prohibition on “unfair or deceptive acts or practices” applies when acts are likely to have an effect in the U.S. or when they take place in the U.S. The FTC has enforcement options for violations of the Privacy Shield here as well.

Legal protection for non-U.S. persons also exists under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Right to Financial Privacy Act, and the Freedom of Information Act. In the area of foreign surveillance, persons outside the United States are also free to bring claims against members of U.S. agencies for unlawful surveillance activities in FISA court, and willful violations are actionable.

The role of the Ombudsman

The Letter from the Secretary of State, John Kerry, explains the role of the ombudsperson. The office is held by the “Senior Coordinator for International Information Technology Diplomacy” in the U.S. Department of State (the foreign ministry), at present Catherine Novelli. The Ombudsperson investigates complaints concerning the field of national security, with individuals being referred to the Ombudsperson only through a – yet to be designated – European body.

The Ombudsperson is responsible for investigating complaints and informing the transmitting European body that the relevant U.S. law has been complied with or that violations have been corrected. In the event of violations, complaints must also be forwarded to the relevant U.S. authorities. The Ombudsperson may also refer complaints to the Privacy and Civil Liberties Oversight Board, an independent body with an advisory function. Apart from these communicative and coordinating functions, however, the ombudsperson has no competences.

Next steps

The Commission’s adequacy decision is only a draft. At the end of March 2016, the Article 29 Working Party will discuss the Privacy Shield at an extraordinary meeting. The member states will also express their views. After that, the Commission will make a final decision. In the meantime, the U.S. authorities on their side will prepare for the implementation of the Privacy Shield.

It can be assumed that Switzerland wants to negotiate an analogous agreement with the USA as soon as possible. The interim FDPIC has expressed himself to this effect on Twitter.

Privacy Shield Principles:
