From its very beginning, rising from the ashes of the debunked Safe Harbor, Privacy Shield has been on shaky ground. However, fresh concern from the European Parliament and a referral to the European Court of Justice have put its future in more doubt than before.
On April 12, British MEP Claude Moraes, head of the European Parliament’s Civil Liberties Committee, presented a motion questioning the “adequacy of the protection” afforded by the EU-U.S. Privacy Shield.
In his text, Moraes said that “the U.S. authorities have failed to proactively fulfill their commitment to provide the [European] Commission with timely and comprehensive information about any developments that could be of relevance for the Privacy Shield, including the failure to notify the Commission of changes in the U.S. legal framework,” adding that “the reauthorization of Section 702 of the FISA (Foreign Intelligence Surveillance Act) for six more years calls into question the legality of the Privacy Shield.”
Moraes’ views on the transatlantic data flow agreement were supported by fellow politicians from the left, though not by the European People’s Party or the European Conservatives and Reformists.
However, his timing is excellent. The same day as Moraes presented his motion, the Irish High Court decided to refer a set of questions in the so-called Schrems II case to the European Court of Justice.
Essentially, Moraes is concerned as to whether the current Privacy Shield arrangement “provides the adequate level of protection required by EU data protection law and the EU Charter as interpreted by the European Court of Justice.” The Irish High Court’s five-page referral in effect asks the exact same question.
The Privacy Shield deal was struck between the EU and the U.S. as a result of the first Schrems case, when the ECJ struck down Safe Harbor on the grounds that it did not give Europeans sufficient protection from U.S. surveillance.
After successfully demolishing Safe Harbor, Max Schrems’ second case went after the other main legal instrument for transatlantic data transfers, so-called standard contractual clauses. However, the referral from the High Court seems to go beyond SCCs, calling into question the entire Privacy Shield arrangement. The ECJ has asked whether European data protection authorities should suspend data flows if the company moving the data outside the EU is subject to “surveillance laws.”
As well as referring to the Schrems case, Moraes points out in his motion that both the European Data Protection Supervisor and the Article 29 Working Party (made up of all Europe’s national data protection authorities) have repeatedly found fault with the agreement.
The Article 29 WP had said if outstanding issues with Privacy Shield were not resolved by May 25, it could refer the matter to the courts. With the Irish High Court referral, that may no longer be necessary, as it now seems pretty much guaranteed the ECJ will rule on the whole Privacy Shield framework.
It is very difficult to imagine judges finding that Privacy Shield offers sufficient data protection under EU law, since the major reasons for striking down Safe Harbor have not been sufficiently addressed.
“Given the case law, the question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-U.S. data transfers. What is remarkable, is that the High Court also included questions on the Privacy Shield, which has the potential for a full review of all EU-US data transfer instruments in this case,” agreed Schrems in a statement.
Moraes, who stops just short of asking the European Commission to suspend Privacy Shield outright, also wants DPAs to have the power to suspend or prohibit data transfers under the Privacy Shield, where appropriate.
“In view of the recent revelations of misuse of personal data by companies certified under the Privacy Shield such as Facebook and Cambridge Analytica,” Moraes wants the U.S. authorities to do more to enforce Privacy Shield and if needed, “to remove such companies from the Privacy Shield list.”
Facebook has until April 30 to lodge an application to block the Irish court’s referral. If it fails to do so, a ruling from the ECJ is likely to take around 18 months.
Even in its first annual review on the functioning of Privacy Shield, the Commission itself made 10 recommendations to the U.S. authorities in order to address issues of concern.
Many of these are still cause for concern in Moraes’ motion, including:
- The delay in appointing a permanent Ombudsperson is not contributing to mutual trust, and his/her powers vis-à-vis the intelligence community will need to be better clarified, as will the level of effective remedy of his/her decisions.
- That three of the five seats of the FTC remain vacant is deplorable. Moraes calls on the U.S. government to appoint the remaining Commissioners as soon as possible, as the FTC is the agency that enforces U.S. organizations’ compliance with the Privacy Shield principles.
- The lack of sufficient oversight and supervision after self-certification risks leading to enforcement gaps; better rules on oversight by independent public authorities should be established if this approach is maintained (including ‘sweep,’ onsite verifications, etc.).
- In order to ensure transparency and avoid false certification claims, the DoC should not tolerate U.S. companies making public representations about their Privacy Shield certification before it has finalized the certification process and has included them on the Privacy Shield list.