As reported here, the European Commission published the EU-US Privacy Shield documentation on February 29, 2016, 27 days after the announcement of the political agreement between the EU and the US. The documentation includes, among other documents, the Principles, which will apply to participating (self-certified) companies, commitments by the U.S. government (from the Department of Commerce, the Secretary of State John Kerry, the Federal Trade Commission (FTC), the Secretary of Transportation, the Director of National Intelligence and the U.S. Department of Justice (DOJ)), and the Draft Commission Adequacy Decision.
Enforcement and administration of the Privacy Shield program
The administration of the Privacy Shield (PS) on the U.S. side is the responsibility of the Department of Commerce, which will, among other things, monitor compliance with the Principles by participating companies (actual enforcement being the responsibility of the FTC) and maintain the list of participating companies (the “Privacy Shield List”). The Department will be able to conduct ex officio investigations of the companies concerned; appropriate resources have been made available for this purpose.
Enforcement, on the other hand, is the responsibility of the Federal Trade Commission (FTC), which has promised to give priority to complaints referred by EU member states, as it did under the Safe Harbor framework. Following a complaint or on its own motion, the FTC can make inquiries, open formal investigations and provide administrative assistance. The FTC can also pursue misrepresentations about Privacy Shield participation where the FTC or the Department of Commerce identifies such cases (a problem that arose repeatedly under the Safe Harbor framework; the FTC had dealt with 36 such cases).
Insofar as allegations of data privacy violations relate to the transportation sector (e.g. violations of airlines’ privacy statements), enforcement lies with the Department of Transportation. Its Aviation Enforcement Office has the authority to order corrective measures and impose penalties (but not to award damages, unless the company in question agrees to compensation payments as part of a settlement).
The Privacy Shield Principles
The core of the Privacy Shield consists of the Principles (and the Commission’s adequacy decision). The Principles (see below, Appendix) consist of an overview, the actual “Principles” and the “Supplemental Principles”. The Principles themselves are divided into provisions on transparency (Notice), an opt-out right for data subjects (Choice), provisions on the transfer of personal data to third parties (Accountability for Onward Transfer), provisions on data security (Security), rules on proportionality, purpose limitation and data quality (Data Integrity and Purpose Limitation), provisions on the right of access (Access) and provisions on legal protection (Recourse, Enforcement and Liability). A summary of their content can be found in the Draft Adequacy Decision.
The Supplemental Principles contain detailed provisions on sensitive data, media privileges, the (secondary) liability of infrastructure providers such as telecoms or ISPs, due diligence by listed companies, investment banks and lawyers, the role of the data protection authorities (DPAs), self-certification and the monitoring of certification, the right of access, employee data, onward transfer, legal protection, travel information, health data, public data, access by public authorities and other points. An annex then contains provisions on arbitration between participating companies and data subjects.
The Draft Adequacy Decision essentially contains a summary of the Privacy Shield and a finding that these rules result in adequate protection of personal data transferred to recipients in the U.S. under the Privacy Shield. The adequacy finding is to be reviewed periodically, as required by the ECJ.
The issue of espionage activities outside the U.S.
In connection with the mass surveillance specifically criticized by the ECJ in the Schrems ruling, the documents (namely the Letter from the Director of National Intelligence to the U.S. Department of Commerce and the U.S. International Trade Administration) refer to a directive issued by President Obama in January 2014 (Presidential Policy Directive no. 28 – Signals Intelligence Activities, PPD-28 (PDF)), which established principles for signals intelligence activities. These principles, which were concretized by directives of the individual intelligence agencies (the “U.S. Intelligence Community”), by no means prohibit mass surveillance (“bulk collection”); on the contrary, it is explicitly described as a necessary instrument for protecting national security. However, collection and the storage of the corresponding data are somewhat restricted, and the use of data obtained through bulk collection is limited to six purposes:
the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.
In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section.
The Director of National Intelligence also emphasizes that foreign intelligence collection is, as far as possible, targeted at specific cases or persons. It is overseen by the U.S. Department of Justice (DOJ) and the Office of the Director of National Intelligence (ODNI), among others. Certain foreign intelligence surveillance is also subject to approval by a special court, the U.S. Foreign Intelligence Surveillance Court (FISC).
The question of legal protection
The primary remedy for affected individuals is to file a complaint with the U.S. company concerned. Complaints are to be answered within 45 days. In addition, a free, independent alternative dispute resolution mechanism must be made available.
In the event of violations of the Privacy Shield rules, the FTC has enforcement options. As the FTC also points out, other U.S. laws likewise provide protection in the area of data privacy. For example, the prohibition on “unfair or deceptive acts or practices” applies when acts take place in the U.S. or are likely to have an effect in the U.S.
Legal protection for non-U.S. persons also exists under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Right to Financial Privacy Act and the Freedom of Information Act. In the area of foreign intelligence surveillance, FISA also allows persons outside the United States to bring claims against U.S. officials for unlawful surveillance activities, and wilful violations are actionable.
The role of the Ombudsman
The role of the Ombudsperson is explained in the Letter from the Secretary of State, John Kerry. The office is held by the “Senior Coordinator for International Information Technology Diplomacy” at the State Department, at present Catherine Novelli. The Ombudsperson handles complaints concerning the field of national security, with individuals being referred to the Ombudsperson only through a European body that has yet to be designated.
The Ombudsperson is responsible for investigating complaints and informing the referring European body either that the relevant U.S. law has been complied with or that any violations have been remedied. In the event of violations, complaints must also be forwarded to the competent U.S. authorities. The Ombudsperson may also refer complaints to the Privacy and Civil Liberties Oversight Board, an independent body with an advisory function. Apart from these communicative and coordinating functions, however, the Ombudsperson has no powers of its own.
The Commission’s adequacy decision is so far only a draft. At the end of March 2016, the Article 29 Working Party will discuss the Privacy Shield at an extraordinary meeting, and the member states will also express their views. After that, the Commission will take a final decision. In the meantime, the U.S. authorities will prepare for the implementation of the Privacy Shield on their side.
It can be assumed that Switzerland will seek to negotiate an analogous agreement with the USA as soon as possible. The acting FDPIC has indicated as much on Twitter.