Monday, 19 September 2016

Privacy Shield – history, key links

This blog contains a chronology and key official links regarding the EU-US Privacy Shield, which replaced the EU-US Safe Harbor scheme, as a resource for ease of historical reference. As I’m UK-based, this inevitably has a UK slant, so any suggestions of further links would be welcome. (I aim to record official links only, not links to news stories, unless they provide useful information not available officially.)

Snowden’s revelations of mass surveillance by US and other countries’ intelligence or security authorities kickstarted Safe Harbor’s demise and its replacement by the Privacy Shield. With a few exceptions, the chronology below starts with the Schrems ruling by the Court of Justice of the European Union (CJEU) on 6 October 2015, where the CJEU invalidated the EU-US Safe Harbour framework.

I hope to cover the changes between the draft, intermediate and final versions of the Privacy Shield documents more fully in a future blog.

Key current links

US:

Commission:

  • Privacy Shield webpage
  • See also the 12 July 2016 entry (in red) in the Chronology below, for Commission and US links on the finalised Privacy Shield framework.

WP29 guidance on the finalised Shield documents will be linked to here when it is available.

Pinsent Masons note on the final Privacy Shield (full disclosure – I was involved in this); also Out-Law articles

Chronology (reverse order)

For abbreviations, see the end.

31 Oct 2016

Re-certifications under Safe Harbor will no longer be accepted (see US Department of Commerce Safe Harbor webpage).

19 Sept 2016

Subscribers to Privacy Shield as at this date (see the list) include, among cloud providers, Amazon, Google, Microsoft, Salesforce and Workday, but not yet Dropbox, Facebook, IBM or Twitter.

2 Aug 2016

US:

1 Aug 2016

Privacy Shield Framework in force.

Commission:

US Department of Commerce note about commencement date (on old Safe Harbor webpage)

26 July 2016

WP29:

  • Press release – statement on the decision of the European Commission on the EU-U.S. Privacy Shield, noting:
    • the continuing lack of ‘specific rules on automated decisions and of a general right to object’
    • lack of clarity regarding how the Privacy Shield’s principles apply to processors
    • guarantees regarding the Ombudsperson were less strict than ‘expected’
    • lack of ‘concrete assurances’ that US authorities do not engage in mass indiscriminate data collection (despite ODNI’s commitment not to do so)
    • the first joint annual review of the Privacy Shield will be a ‘key moment’ for assessing its robustness and efficiency, and the review’s results regarding US authorities’ access to data transferred under the Privacy Shield ‘may also impact’ mechanisms such as SCCs and BCRs
      • Does this imply that most DPAs will hold off from taking action regarding SCCs or BCRs until the first annual review?

12 July 2016

Privacy Shield adequacy decision adopted by Commission.

Commission:

US Department of Commerce:

Other:

  • Criticism by Max Schrems and MEP Jan-Philipp Albrecht, Irish Times

8 July 2016

Art. 31 Committee meeting approving Privacy Shield.

Commission:

Art. 31 Committee:

1 July 2016

WP29:

30 May 2016

European Data Protection Supervisor (EDPS):

26 May 2016

European Parliament:

25 May 2016

Ireland:

  • Irish Data Protection Commissioner announces it is to refer the validity of SCCs to the CJEU
    • Note: the model clauses Decisions suffer from the same flaw regarding DPA powers as the Safe Harbor Decision, see Schrems summary below, and the Commission has not corrected that defect despite its November 2015 Communication (see below), so the SCCs Decisions could well be invalidated on that basis alone, regardless of US surveillance issues

13 April 2016

WP29 issued its opinion on draft Privacy Shield documents and a document on essential guarantees regarding state surveillance.

WP29:

  • Press release - statement on the opinion on the EU-US Privacy Shield
  • Opinion 01/2016 on the EU–U.S. Privacy Shield draft adequacy decision (WP238):
    • ‘Significant improvements’ over Safe Harbour, but 3 key concerns…
      • no obligation to delete personal data that had served its purpose
      • no full exclusion of massive and indiscriminate data collection; and
      • the sufficiency of the proposed Ombudsperson’s powers and independence.
    • Also:
      • key EU data protection law principles were not reflected in the draft Shield documents (notably purpose limitation, data retention/deletion and automated decision-making)
      • ‘onward transfers’ were ‘insufficiently framed’, especially their scope, purpose limitation and ‘guarantees’ applying to transfers to agents
      • the proposed new recourse mechanisms seemed difficult for individuals to use and needed further clarification; and
      • the draft decision contained only limited information regarding the complex issue of access to Privacy Shield data by US law enforcement authorities.
    • The Privacy Shield will need review after the GDPR becomes applicable in 2018.
  • Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees) (WP237) - 4 essential guarantees regarding intelligence activities, based on Schrems and other relevant EU and European Court of Human Rights case law:
    1. Clear, precise, accessible rules for processing, enabling individuals to have reasonable foreknowledge of what might happen to their personal data
    2. Demonstrating necessity and proportionality regarding the legitimate objectives pursued (generally national security)
    3. An independent, effective oversight mechanism; and
    4. Effective remedies for individuals before an independent body.

18 Mar 2016

European Parliament:


29 Feb 2016

Draft Privacy Shield documents released.

EU:

WP29:

US:

11 Feb 2016

ICO:

3 Feb 2016

WP29:

2 Feb 2016

Political agreement between EU and US on new Privacy Shield.

Commission:

US:


6 Nov 2015

Commission Communication on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final

  • Model clauses (SCCs) and BCRs still usable for transfers to US; also derogations
  • The Commission is ‘shortly’ preparing a decision, to be adopted pursuant to the applicable comitology procedure, replacing the provision limiting DPAs’ powers (one of the bases on which the Schrems court invalidated the Safe Harbour Decision) in all existing adequacy decisions (pgs. 14-15)
    • No such decision has been issued as at 19 September 2016

27 Oct 2015

ICO:

  • The US Safe Harbor – breached but perhaps not destroyed!
    • There is still a measure of protection for personal data transferred under the scheme – the privacy principles that members sign up to are still positive, for instance. But the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under the 8th data protection principle is no longer there
    • Don’t panic, take stock, make your own mind up (self-assessment of adequacy)
    • We’re certainly not rushing to use our enforcement powers
    • We’ll consider complaints from affected individuals, whatever transfer mechanism you’re relying on, but we’ll be sticking to our published enforcement criteria

26 October 2015

Germany:

  • Rhineland-Pfalz’s DPA asked 122 large organizations how they were implementing their US transfers; 53% answered satisfactorily, with the DPA remarking, without mentioning SCCs, that their privacy-protective positions regarding ‘no-cloud policies’ or preference of EU providers had paid off

21 October 2015

Germany:

  • DSK Position Paper - Special meeting of the Conference of Data Protection Commissioners (DSK) (German DPAs) in Frankfurt
    • Transfers to the US based ‘exclusively’ on Safe Harbor are ‘inadmissible’
    • The admissibility of transfers to the US based on model clauses (standard contractual clauses) or binding corporate rules (BCR), is also questionable
    • For the time being, [German] data protection authorities will not issue any new permission for data transfers to the US based on binding corporate rules (BCR) or data export contracts.
      • Presumably “data export contracts” are ad hoc contracts not model clauses, which strictly under the DPD should not require authorisation
  • Numerous individual German DPA positions – not linked to here

16 Oct 2015

WP29:

  • Statement on implementing Schrems
    • transfers to the US relying on Safe Harbour are invalid
    • ‘massive and indiscriminate surveillance’ was a ‘key element’ of the CJEU’s analysis
    • urgent ‘legal and technical’ solutions needed to enable transfers to ‘the territory’ of the US ‘that respect fundamental rights’
    • SCCs and BCRs still usable (although DPAs could still investigate complaints)
    • if, by the end of January 2016, no appropriate solution was found with the US, and depending on its assessment of transfer tools, EU DPAs were ‘committed to take all necessary and appropriate actions, which may include coordinated enforcement actions’.

6 Oct 2015

C-362/14 Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, CJEU

  • Commission’s 2000 Safe Harbour Decision was invalid:
    • Art. 1 was invalid – it did not comply with Art. 25(6) DPD or the Charter as it did not find, duly stating reasons, that the US in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. No need to consider content of Safe Harbour principles.
    • Art. 3 was invalid – it constrained national DPAs’ powers ‘under restrictive conditions establishing a high threshold for intervention’, which the Commission had no legislative competence to do because DPAs must have ‘complete independence’ to review data subject claims under Art. 28 DPD and the Charter
    • As Art. 1 and Art. 3 were inseparable from the rest of the Decision, the entire Decision was invalid
  • No Commission adequacy decision may prevent national DPAs from examining individuals’ claims regarding the inadequate protection of their personal data transferred to a third country; but neither national courts nor DPAs can declare Commission decisions invalid, only the CJEU can do so
  • When considering the ‘adequacy’ of protection in a third country for the purposes of a Commission Art.25(6) decision, the test is whether the country’s legal regime provides ‘essentially equivalent’ protection
  • Although strictly the court’s decision rested on the Safe Harbor Decision being invalid for the reasons stated above, it also outlined requirements for EU legislation interfering with the Charter’s fundamental rights to private life and data protection to be valid (drawn on by WP29 in its April 2016 opinion)
  • Note: all other Commission adequacy decisions, eg on SCCs or ‘whitelisting’ certain countries for transfers, contain the same wording as the invalidated Art. 3 of the Safe Harbour Decision - so they are all also at risk of invalidation for that reason alone

US:

10 April 2014

WP29:

2013

US:

Commission:

News breaks in June 2013 regarding NSA contractor Edward Snowden’s revelations, notably, from the Guardian:

(for a detailed timeline of stories see https://wiki.openrightsgroup.org/wiki/Guardian_and_Snowden_revelations_2013)

Abbreviations

Art. 31 Committee – a Committee of EU Member State representatives, under Art.31 DPD, that votes on Commission adequacy (or inadequacy) decisions proposed under Art. 25(6) or 25(4) DPD, and certain other decisions under the DPD (flowchart of Art. 31 Committee voting and decisions)
Charter – EU Charter of Fundamental Rights
CJEU – Court of Justice of the European Union
Commission – European Commission
DPA – EU national data protection authority
DPD – EU Data Protection Directive 95/46/EC
FTC – US Federal Trade Commission
ICO – UK Information Commissioner
Member State – EU Member State (see diagram on the differences between the EU, EEA, EFTA etc)
Model clauses – see SCCs
SCCs – standard contractual clauses, aka ‘model clauses’, for enabling transfers of personal data outside the EEA, under various Commission Decisions
WP29 – Article 29 Working Party, comprising EU data protection regulators, with an advisory function under Art.29 DPD.