The EU-U.S. Privacy Shield two years on

Giovanni Buttarelli

Where I come from, we have a pleasing little idiom: conoscere i propri polli – literally, to know one’s own chickens.  It means to have an intimate appreciation of a character or a familiar situation. We in Europe certainly need to get better acquainted with our own way of safeguarding public security, as the ongoing debate on international commercial data flows illustrates.


Symbiotic relationship between lawful surveillance and data protection

After the Snowden revelations, now almost five years ago, the European Union came encouragingly closer to recognising and reflecting on its own record on surveillance. EU leaders in the European Council in October 2013 acknowledged citizens’ deep concerns and the need for respect and trust in the work of and cooperation between secret services. In June 2014 they noted that it was crucial to ensure the protection and promotion of fundamental rights, including data protection, whilst addressing security concerns, also in relations with third countries, and to adopt a strong EU General Data Protection framework by 2015. Thus in the same sentence the European Council explicitly recognised that the construction of a solid framework for data protection must include not only data protection rules but also a new equilibrium in security cooperation with strategic partners. This was a clear acknowledgment that surveillance is intrinsically part of a discussion on data protection, something that requires an organic basis for third country agreements.

The EU has of course made excellent progress in updating its data protection rules, bringing them up to speed with a digitised society and a post-Lisbon Treaty legal order in the Union. The implementation of the other side of the promise remains unclear, however. We understand this is a delicate matter, but four years on we still do not know where we stand. The sustainable new deal on the limits of monitoring individuals for security purposes remains incomplete.

Let us be honest. Every sovereign country needs well-functioning intelligence services. This need presupposes invasive techniques and interferences with privacy for the purpose of an important public interest. This need inevitably reflects the size, complexity and relative power of the state in question. Problems arise when strategic partners, like the EU and the United States, expect reassurances that their respective practices, like the use of personal data, will be mutually compatible.


On the competence of the EU

The EU is bound by the case law of the European Court of Human Rights, which requires domestic law to be sufficiently precise to indicate to citizens in what circumstances and on what terms the public authorities are empowered to interfere with privacy.  This information must be foreseeable as to its effects, that is, it must be formulated with sufficient precision to enable any individual — if need be with appropriate advice — to regulate his conduct.  (See the judgments in Rotaru v. Romania paragraphs 50, 52 and 55 and also Amann v. Switzerland from paragraph 50, milestones of jurisprudence that have formed the basis for more recent case law). The implication is that a surveillance measure is more likely to be legitimate if it is transparent. Without such transparency, any bilateral accord is weak.

The EU does not have the legal competence to discuss matters pertaining to the activities of domestic secret services. But, as we have said in previous EDPS Opinions, the EU is entitled to consider the approaches adopted by third countries insofar as they have consequences for citizens in the EU. Indeed, the EU is also entitled to deliberate on the approaches of one of its own Member States where they may be in conflict with the Union’s fundamental values, such as the rule of law.

Why, therefore, does the EU address itself to questions of security and the surveillance activities of a third country such as the United States in the context of data protection? Because the very same data protection framework which states that personal data may not be transferred to a third country unless certain safeguards apply (GDPR Article 44) also exempts (GDPR Article 2(2)(d)) data processing by competent authorities in the Member States for purposes of law enforcement and preventing threats to public security.

We know that the Court of Justice of the EU applies an exacting standard in assessing whether laws and international agreements respect the data protection principles of necessity and proportionality. The Court’s Schrems judgment of October 2015 on Safe Harbour is entirely consistent with its ruling in Digital Rights Ireland (2014) and with Tele2/Watson (December 2016). The Court’s Opinion 1/15 last year on the draft EU-Canada PNR agreement reiterates the central importance of the structural and functional independence of supervisory authorities concerned with data processing for security and law enforcement purposes.

In a recent paper on Surveillance for public security purposes, the Assistant EDPS Wojciech Wiewiórowski reviewed the stream of case law from the CJEU as well as the European Court of Human Rights, which set conditions for these activities to be regarded as an acceptable interference with the fundamental right to privacy.

Very recently, we have seen national jurisdictions backing the CJEU in imposing more stringent conditions on domestic surveillance programmes, as with the England and Wales Court of Appeal ruling in a case against the UK Data Retention and Investigatory Powers Act (DRIPA), a predecessor to the Investigatory Powers Act, passed in 2016.


Privacy Shield

Under EU law and its interpretation by the courts, where a third country requires access to personal data concerning people in the EU it must provide clarity as to the purposes for accessing the data and ensure real safeguards for the individuals affected.

The EU does not interfere and does not purport to interfere in the surveillance activities conducted by the United States or any other third country insofar as they are directed at their own citizens. But if the secret services of a third country want to access data concerning people in the EU that was collected for commercial purposes, then clarity and specific safeguards are essential.

In September 2017, an EU delegation composed of representatives of the Commission and several European data protection authorities (including a representative of the EDPS) attended, in Washington, the first joint review of the implementation of the agreement, taking into consideration both commercial and law enforcement aspects.

The Privacy Shield framework for data transfers certainly brings certain substantive and procedural improvements compared with its predecessor, particularly as regards standards for transfers of commercial data.

Moreover, we do not seek any further clarification of US policy on surveillance. The previous Safe Harbour agreement was premised on the assumption that access to commercially-held data for national security was an exception. By contrast, the annexes to the Privacy Shield agreement which discuss the bulk collection of signals intelligence by the US Intelligence Community are an unprecedented and unparalleled exercise in transparency, because they indicate that such access is not an exception but routine. This deserves recognition. It is essential to legitimise the Privacy Shield. Clearly a great deal of data is transferred for commercial purposes, hence the need for accuracy in this regard.

But more tangible measures are awaited on the side of controls and safeguards, in particular regarding the operational effectiveness of the Ombudsman, the PCLOB and the Federal Trade Commission. The renewal of section 702 of the US Foreign Intelligence Surveillance Act (FISA) earlier this year has of course sparked passionate discussions on the breadth and depth of intrusion by the state into people’s private lives. But the renewal, regardless of its alleged merits or risks, does not represent - and was probably never meant to represent - the sort of assurance which is needed to secure the longer term viability of the Privacy Shield.

Safeguards envisaged by the Privacy Shield have therefore to be activated, otherwise the accord has little value, and may be no more sustainable than the moribund Safe Harbour.  

The findings of the joint review were reported by the Article 29 Working Party in November last year. The Working Party is calling for these issues to be addressed with changes to the agreement necessary if it is to withstand legal challenges before the courts, including the European Court of Justice.


The path to a more sustainable solution

Mass surveillance encompasses not only the random searches of data collected which, according to the November 2013 report on the Ad hoc EU-US working group, do not take place under Section 702; surveillance also means the collection of massive amounts of private communications data in the first place. (The underlying issues with regard to the Privacy Shield are well explained by Prof. Gert Vermeulen in this paper, which was updated in 2017.)  

Yet we continue to lack precise information about mass surveillance in practice. The Privacy Shield cannot be viewed as a legitimation of routine access by the authorities of any state, in the EU or elsewhere, to the personal data of EU individuals. We need a more comprehensive map of the legal bases used for data processing for law enforcement and intelligence purposes so that independent supervisory authorities can make a proper assessment.

The EU a while ago acknowledged the problem. That is the first, difficult step. The next step, still harder, is to find and implement a lasting solution before the Shield eventually cracks.

People in the EU are right to demand a high level of protection for their fundamental rights, whoever is responsible for processing their data. The strong opposition to the proposed Intelligence and Security Services Act in the Netherlands last week, and the concerns expressed by the European Parliament about Section 702, further demonstrate unease in the EU at these trends. They should not be expected to wait until the next joint review of the Privacy Shield, or indeed the next revelation of disproportionate spying activity.

The wider lesson of the Privacy Shield applies to the EU’s own chickens as much as to anyone else.