Safer Harbor?

This week heralded some very big news: the EU and US have apparently finalized a replacement for the Safe Harbor: the EU-US Privacy Shield. And just in time, as the moratorium on enforcement was slated to end, ahem, 3 days ago. Regardless, a new deal is good for stability, even if all of my pithy commentary had to be rewritten. Although you can’t blame me for planning ahead, as just a week ago the reported “sticking points” in the negotiation were the same two issues I highlighted from the Schrems decision invalidating the Safe Harbor back in October. The pieces have certainly come together pretty quickly, and while many EU privacy advocates see this as an EU capitulation, it looks poised to be the framework moving forward.

I’ll start with a quick overview of how I’m approaching this issue generally. My primary concern is whether the new Privacy Shield will withstand future legal challenges before the European Court of Justice, which invalidated the original Safe Harbor. In my analysis of Schrems, I highlighted two substantive issues (national security and standing) and one technical issue (the Safe Harbor didn’t expressly recognize US privacy law as adequate) that were the foundation for invalidating the Safe Harbor. This new agreement must resolve each to present a defensible position in the (likely) event that the Privacy Shield is challenged. The Privacy Shield solves the technical problem easily by fixing the technicality: it will expressly recognize the United States’ “adequacy.” As for the two substantive issues, I’ll be devoting the remainder of this post to their resolution.


I’ll start with EU-citizen standing, which is probably the simpler of the two. The important background here is that individuals cannot sue the US government without the government’s permission, and Congress hasn’t passed a law specifically allowing non-US citizens to sue via the Privacy Act (the most logical place to wage complaints arising from the Privacy Shield). So an EU citizen wishing to challenge, say, US surveillance practices isn’t allowed to sue in US federal district courts, and only an act of Congress can rectify this situation. The exact extent of the ECJ’s standing argument is somewhat unclear, but it clearly applied to the EU rights to access, rectify, and erase data stored by the US government; at a minimum, this would seem to require a right to sue under the Privacy Act. While the US identified seven other “pathways for EU citizens to address their concerns about compliance,” and the EU reiterated some of these pathways in its public comments, these proposed remedies as yet don’t amount to much more than a restatement of the remedies offered by the previous Safe Harbor, so it seems unlikely they alone would prove sufficient to survive future legal challenges in the ECJ.

However, as luck would have it, there is currently a bill pending before Congress that would solve this standing quandary. The Judicial Redress Act (JRA) has been touted as a quick fix for the standing issue, so much so that some early EU comments made it a requisite for any new Safe Harbor agreement. Unfortunately, this same bill has been pending since before the Schrems decision, so its chances for success are uncertain. While there has been recent movement, which may suggest the JRA is poised to be passed, I suspect there will still be problems arising from the practical differences between US and EU laws: EU citizens don’t just want standing; they want standing to enforce EU rights.

It is this latter point that makes me hesitant. The JRA essentially provides EU citizens with rights similar to those enjoyed by US citizens under the Privacy Act, but I’m not sure how meaningful these rights would prove when assessed by an EU court. For one, the scope of these rights is explicitly narrower for EU citizens, reaching only “designated agencies,” thereby creating the clear potential for future standing problems when an EU citizen wishes to challenge an “undesignated agency.” For another, the mechanisms for actually rectifying or deleting data are likely to be more onerous in the US than in the EU, as US law often requires a showing of injury, and the JRA limits some actions to “intentional or willful” violations. And perhaps more fundamentally, the JRA only applies to rights granted in the Privacy Act, which creates the potential for problems when an EU citizen wishes to sue on the basis of an EU right that the US doesn’t recognize, like the right to be forgotten. Even if the new Privacy Shield provides stronger guarantees for EU citizens, the JRA wouldn’t provide an avenue to enforce them, as it only applies to the Privacy Act. While this is probably intended to be resolved through administrative remedies, those details aren’t yet available.

Finally, I worry that the underlying problem with the standing issue is that the types of complaints EU citizens want to raise relate to US national security activities, an area where even US citizens often do not have standing. (Indeed this is often true even in the EU, where the data protection rules differ when dealing with matters of national security.) Viewed in isolation, the JRA may satisfy the ECJ, as it provides a procedure for EU citizens to raise privacy complaints; but from a practical perspective, this could easily amount to little more than a legal right to be told “no.” Which brings me to the second issue…

National Security

The majority of the Schrems decision can be viewed as a reaction to the Snowden disclosures, and reflects the strong distrust and dislike of US bulk collection programs in the EU. Given the potential complexity of this aspect of the debate, I think it’s helpful to fall back on the specific language used in Schrems. The ECJ targeted “generalized” surveillance by a government, particularly when it does so without any “objective criteria being specified as to the extent of the data’s use.” The comments from the European Commission on the upcoming agreement emphasized the “need for limitations and safeguards as regards access to data by public authorities,” and “independent oversight and individual redress in the area of national security.” The language in all of these areas is somewhat fuzzy, as the underlying subject matter relates to national security, something that is traditionally afforded a lot of national deference. The EU is looking to create some safeguards and guarantees, while still affording the US deference in this realm.

As such, analysis of this new agreement is difficult. Although the agreement arguably delineates separate substantive requirements and procedural requirements, in practice these issues tend to blend together, with the emphasis ultimately on the latter. While there are clear calls to stop “generalized” surveillance, arguably a substantive requirement, the European Commission has emphasized instead that the surveillance must be “strictly necessary,” “necessary and proportionate,” and not “indiscriminate,” which looks more procedural. Indeed the European Commission appears willing to accept some “mass surveillance,” provided targeted surveillance isn’t feasible, or if a “very dangerous trend” requires it. While many EU privacy advocates object to this as the “generalized” surveillance decried in Schrems, the ECJ did not go that far, for several reasons: (1) it specified data storage, which might allow for a “catch and release” type of bulk collection; (2) it emphasized the lack of “limitation, differentiation or exception” to the storage; (3) it pointed to the ambiguous limits on access by public officials; and (4) it pointed to the absence of restrictions on subsequent use. These are primarily procedural complaints, and it appears the new Privacy Shield incorporates them.

Which is not to say that the Privacy Shield doesn’t create impactful requirements: the US is agreeing to dual oversight, annual audits, (arguably) more stringent surveillance requirements, and potentially an avenue for redress for EU citizens in national security instances (apparently through an ombudsman). The implementation is all a bit muddy, but seems to be based in part on the USA Freedom Act, in part on Presidential Policy Directives (specifically PPD-28), and in part on administrative discretion. After all, the US has made several major changes to its surveillance law recently, potentially remedying many of the ECJ’s chief complaints, and the deal is premised on the signed agreement of several high-ranking administrative officials, like the Director of National Intelligence, who still hold a lot of power over how US surveillance is operated. If these changes and the new obligations in the Privacy Shield can satisfy the procedural requirements the ECJ articulated, this may prove sufficient to withstand future legal challenge. As I mentioned at the outset, the sensitive nature of national security traditionally is afforded different treatment, so the ECJ is unlikely to delve too deeply once its basic concerns are satisfied.

As a final thought on national security, a frequent point of contention is the apparent disparate treatment by the EU of the US as compared to the UK, both of which were revealed by the Snowden disclosures to engage in mass surveillance. The distinguishing feature is simple: the UK is a member-state of the EU, so the rules apply a bit differently. The EU as a body technically does not have jurisdiction over the national security activities of its member-states, and the DPD provides exceptions for member-state national security, so the EU doesn’t have a mechanism for recourse against the UK. While primarily a jurisdictional issue, the reaction of the US is nonetheless predictable: “so mass surveillance is OK so long as it is done by the EU?” While this colors the debate, I doubt it is of much practical importance by itself, as a single member-state’s practices are probably insufficient to mount a compelling argument. Coupled with the controversial new French surveillance law, recent revelations about German spying, and potentially less public information about other EU member-states, this may be a powerful negotiating factor for the US. But from a strict legal perspective, it probably is not important.

The Private Sector?

Rather ironically, for a deal primarily concerned with private sector data transfers, I’ve spent remarkably little time on what this means for them. This is mostly because the private sector requirements are the least controversial aspect of the Privacy Shield. There are stricter requirements for businesses, adopting some ECJ language on the issue, but these changes aren’t likely to be a foundation for challenging the Privacy Shield generally, and aren’t a huge departure from those in the Safe Harbor. Rather, the biggest concern for businesses right now is that the Safe Harbor moratorium is officially over, so the longer the Privacy Shield takes to be finalized, the longer they will be without a general legal basis for trans-Atlantic data transfers. While many of the larger businesses utilize alternate bases, those who don’t are now open to sanction by EU data protection authorities.

Wrapping up, the Privacy Shield definitely attempts to address the issues raised by the ECJ in Schrems, but it’s difficult to say whether it does so successfully. The standing issue may rely heavily on the passage of the Judicial Redress Act, and the national security issue is fundamentally difficult to assess. And even if those issues are resolved, Twitter is already abuzz with new criticisms from EU privacy advocates, raising other potential avenues for challenging the Privacy Shield. Coupled with the upcoming GDPR and a major US election, it’s sure to be a bumpy year for privacy law.

Shields up!