Data Protection Committee refuses to endorse EU-US Privacy Shield

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

The Article 29 Working Party is a committee comprising data protection commissioners from the member states of the European Union. Its role is advisory. It has no power as such, though the European Commission is obliged to report publicly on how it has implemented an opinion of the Article 29 Working Party, or why it has not. The Article 29 Working Party has advised on a whole raft of things in recent years, not always to universal applause. In recent days it has examined the proposed arrangements which the European and US governments intend to adopt to overcome the problems with the old ‘Safe Harbor’ arrangements highlighted in the Schrems case. Its response has not been positive.

The principal criticisms in the Schrems case were that the US government appeared to be able to examine personal data imported from the EU without any limitation or much accountability. To be sure, there were some limitation processes, but as far as the Court of Justice of the European Union could see these were broad and discretionary. Likewise, although there was an oversight process (of sorts), it was not robust and gave the data subject no right to object. The problem in a nutshell was that when it came to EU personal data the US Government could look at what it wanted to, when it wanted to, how it wanted to, and it owed no explanations. This was, on any view, a breach of the principle of privacy enshrined in Article 8 of the European Convention on Human Rights. Nobody was objecting to the state’s wish (some would say “right”) to snoop, but the rights which the US government had given itself lacked focus or oversight and, more importantly, the data subject had little or no say in the matter.

The EU-US Privacy Shield was an attempt to overcome these criticisms. Complaint bodies were erected to which EU citizens could complain; causes of action for privacy breach and modifications of the intelligence gathering legislation were hastily enacted in the US legislative assemblies; and Presidential decrees were made stating that, in future, snooping would be much more limited. Continuous self-certification schemes for industry were also created, though it is not clear how that dealt with the problems identified in Schrems, since the problem was one of Government and not of industry. However, the one thing which did not change was section 1802 of the US code, the provision which gave so much power to the US intelligence agencies to snoop in the first place. The Article 29 Working Party noticed and said so. In their view the proposed Privacy Shield was no more than window dressing and was not a solution to the Schrems problem.

At present we are living in a sort of hiatus. Technically, EU law states that no transfers may be made to a country which does not provide reciprocal privacy protection. Schrems tells us that the US is, on the basis of its current legal framework, one of those countries. The Article 29 Working Party tells us that the remedial steps taken by the US will not do. Thus anybody exporting personal data to the US is at risk. True enough, some regulators have told us that no action will be taken against potential infringers whilst the situation is being resolved, but that is clearly going to take longer than first anticipated, and other regulators have already stated that there are to be no more transfers from the EU to the US.

One piece of advice which does appear to have emerged is that a “safe harbor” of sorts can be created, within an intra-company structure, by using a system of corporate rules which establishes a confidentiality and privacy regime, or by entering into contracts with US data importers which commit them to respecting the privacy of data subjects. We have been told that, for the moment, provided those means are used for exporting data to the US, that will be regarded as adequate. However, users of this sort of system are still at risk, since neither of those mechanisms deals with the problem of US Government snooping. The only answer seems to be encryption, and to a level which cannot be broken by the US intelligence agencies. That is probably a tall order, since the sophistication of intelligence service code-breaking is in all probability many years ahead of where we believe it to be, and in any event such encryption would seriously compromise any intelligence gathering, even if conducted in an acceptable way.