Could California have its own Privacy Shield arrangement separate from the rest of the U.S.? That was the most exciting question that emerged from a discussion about the data-transfer agreement’s third annual review at the European Parliament Thursday.
Members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs discussed in depth the European Commission’s report, issued Oct. 21, with representatives of the European Commission and European Data Protection Board.
Referring to the California Consumer Privacy Act, which took effect Jan. 1, Bruno Gencarelli, the commission’s head of International Data Flows and Protection Unit, said many of those who worked on the EU General Data Protection Regulation and Law Enforcement Directive “would not even have imagined a few years ago that there would be serious discussion in Congress about a federal privacy legislation or that California would have strong privacy rules that have just entered into application.
“We have to keep in mind that the Privacy Shield does not function in a vacuum but is part of a broader context of the evolving privacy landscape in the U.S.,” he said.
Pirate Party MEP Patrick Breyer took the idea further in his question. “The idea and the proposed solution that data protection authorities should individually stop flows of data that are affected by (Privacy Shield) shortcomings is unrealistic because all flows of data are affected by the same shortcomings. Therefore, I hope very much that the court will again invalidate the Privacy Shield regime,” he said.
“In that regard, if the court does invalidate Privacy Shield, and if a U.S. state such as California decided to apply for an adequacy decision, would the commission consider such an application? Is it possible for a single state to make such an application?” Breyer asked, noting that most relevant technology companies are located in California's Silicon Valley.
The response from the commission was, in principle, easy: yes. “The GDPR provides expressly for the possibility to recognize as adequate a territory at sub-federal level, because when we developed the GDPR, we actually anticipated that in some federal systems, certain parts of that system, certain entities, certain states, are competent to decide. So the Californian process is ongoing, as we know, but in principle, the answer is yes, of course.”
GDPR Article 45(1) states, “A transfer of personal data may take place where the commission has decided that the third country [or] a territory within that third country ensures an adequate level of protection,” and 45(3) states, "The implementing act shall specify its territorial application.”
Whether the Californian law would be adequate, whether it would have comparable independent oversight, whether data could technically be retained within California or even whether the state has the constitutional power to ask for such an agreement were not within the scope of Thursday’s hearing.
Gencarelli was keen to emphasize the success of the framework, highlighting the day-to-day implementation of Privacy Shield; in particular, the $5 billion penalty imposed on Facebook and a $575 million penalty imposed on Equifax by the U.S. Federal Trade Commission, as well as “enforcement action against Cambridge Analytica requiring, for instance, the deletion of all the data that had been unlawfully collected.”
However, he added that while “the Federal Trade Commission has clearly stepped up its enforcement action, it should also find ways to share meaningful information on ongoing investigations with the commission and the EU. Enforcement on both sides of the Atlantic would benefit from a better exchange of information between enforcers as they often look at similar cases and practice and can learn from each other.”
German MEP Birgit Sippel, who is also the rapporteur on the controversial ePrivacy Regulation, wanted to know how the commission planned to get the missing information.
“In the report, you state that the FTC has taken enforcement action related to the Privacy Shield in seven cases. But you also criticized that information given to you was a little bit too limited. So my question would be, what is it that you know about the state of play in these cases and possible penalties? And what will you do to get the missing information from the U.S. side?”
Gencarelli explained that the commission had plenty of information on closed cases but what is missing is information on ongoing cases. “As in Europe, the quickest investigations are on the more mundane and routine issues, the administrative or the easy ones, the low-hanging fruit. The more complex and more substantive investigations, of course, are the ones that matter both here and in the U.S. We are waiting for a big decision on Facebook and others of that kind. Enforcers on both sides of the Atlantic are basically investigating on the same practices at the same time, and there would be great benefit in the exchange of information on those ongoing cases,” he said.
The other big area of discussion was, of course, the "Schrems II" litigation pending before the Court of Justice of the European Union, which is relevant for Privacy Shield. “The opinion of the advocate general was issued last month and contains a number of considerations on Privacy Shield,” Gencarelli said. “We'll have to wait, of course, for the judgment of the court to understand what is the exact impact of the case on a number of instruments, including Privacy Shield. Needless to say, if the court would require changes to Privacy Shield the changes, they need to be introduced.”
Sippel asked how the commission can believe that Privacy Shield is legal if there are doubts coming from the CJEU.
Clare Daly, Irish MEP, also wanted to know “how prepared the commission is in the event, maybe not a probability, but the strong possibility of a strike down on that of the Privacy Shield in 'Schrems II.'”
Continuing the exchange of views, Dutch MEP Sophie in’t Veld commented that while Sippel was very diplomatic and unusually mild in her intervention, she herself was more strident.
“Are talking about the same program? Mr. Gencarelli said it was a success. Privacy Shield is inadequate as a safeguard is badly implemented, hardly enforced and weakly scrutinized. This is not the way we can protect our citizens. This doesn't even take the European Union seriously. We make laws. We sit here passing laws. Then, we negotiate with the U.S. and give it all away. We only very timidly ask them if they would be so kind to, at least a little bit, live up to what we have agreed,” she said.
“Why does it have to take three years to appoint an ombudsman who has insufficient powers and also is a chum of President (Donald) Trump? Do we take ourselves seriously; can we go back to our voters and explain this? Well, I can not. Maybe instead of Privacy Shield, we should rename it figleaf!” in’t Veld continued.
She added that the situation made it almost impossible for her to trust the European Commission when it comes to other agreements currently being negotiated, particularly on the eEvidence proposal. “Don’t come back here next year with the same report. It doesn’t work, it’s inadequate, and it isn’t enforced,” she said.
Representing the European Data Protection Board, François Pellegrini from the French data protection authority, the CNIL, highlighted the ongoing concerns over the U.S. national security provisions on access to data. “Because of the limited information that we have access to, it is currently not possible for us to completely exclude that massive and indiscriminate access takes place in the context of the upstream program,” he said.
“Some reports were not available to the Privacy Shield review team because of their classification level. These reports are especially important since the functioning of this piece of legislation could never be discussed during the previous joint reviews.” He added that the review team would be ready to examine additional documents under security clearance, such as took place in relation to the Passenger Name Record and Terrorist Finance Tracking Program agreements.
In terms of testing the ombudsperson mechanism, Pellegrini said the EDPB has not yet received admissible complaints. “We aren’t exactly advertising for them, but we are expecting some,” he said, adding, “it’s a real black box that has not been tested.”
Breyer also said the commission should not turn a blind eye to the national security concerns: “The problem is not just the violation of privacy, but also the ensuing human rights violations in the use of that data.”
However, Ralf Sauer, deputy head of international data flows and protection at the European Commission, defended the U.S. position on bulk collection. “The Foreign Intelligence Surveillance Act explicitly excludes bulk collection — that's sometimes forgotten,” he said. Even for Section 702 of FISA, the provision that usually raises concerns and is the basis for the so-called Prism program requires targeted collection. And what that means is you can only collect on the basis of so-called selectors. The selector is a communication facility, for example, or an email address and not general terms, like "bomb" or "terrorism."
Sauer further made a distinction between "bulk collection" and "mass surveillance" of content claiming it was “not correct to say that bulk collection is generally prohibited” in the EU.
Daly was skeptical. “We should be assured that the (U.S. national security) agencies are now using selectors, so we should believe that the information now is targeted and it's not bulk collection? But there's no detail at all to back up that assertion. There’s actually no detail about the technical basis of the exact methods that are being used to access data, how the selectors are submitted, how the data is accessed, how it’s stored or what the granular oversight is,” she said. “Where you're dealing with is organizations that have been found to be lying and legislation that has found to be inadequate, we need exhaustive scrutiny, not what you've given us here,” concluded Daly.
In’t Veld went further. “There may always be differences in political and even legal appreciation of the situation, but I have listened to your colleague’s more than passionate defense of the American system and the thought that the protection of European citizens’ rights and the defense of European laws is in your hands scares the (expletive) out of me,” she said. Breyer too said he was “ashamed and appalled to hear EU Commission officials defending U.S. mass surveillance practices.”
Photo by Sara Kurfeß on Unsplash