Blog Post

How good a shield is Privacy Shield?

Privacy Shield was put in place in 2016 to ensure that transfers of personal data from the EU to the US would be in compliance with European Union privacy law, and thus permissible. The institutional framework of Privacy Shield was weak, and depended on the good will of the US administration. Recent actions by the new administration, including the famous executive order forbidding residents from 7 predominantly Muslim countries to enter the US, may have (presumably unintended) effects on Privacy Shield. To preserve the validity of Privacy Shield in European Courts, strong EU-US cooperation and potentially additional agreements may become necessary.

Date: February 7, 2017 Topic: Innovation & Competition Policy

The transfer of personal data among developed nations is of vital commercial importance.

Under the EU Data Protection Directive, transfers of personal data to a third country are permissible only if the third country in question ensures an adequate level of data protection. The European Commission certified the United States to be compliant in its Safe Harbour decision of 2000, thus permitting data transfers.

The decision of the European Court of Justice (ECJ) in the Schrems case in 2015 invalidated the Safe Harbour framework that had been in effect since 2000. The Privacy Shield measures that were subsequently taken to re-enable data transfers were institutionally weak, and poorly understood by European policymakers. Their successful implementation depended on the good will of the US administration. With a new administration in place in Washington, the Privacy Shield agreement is now under threat.

Background

The Schrems decision was primarily the result of ECJ concerns that the privacy rights of Europeans could not properly be protected in the face of the widespread surveillance conducted in the US under the George W. Bush administration and subsequently under the Obama administration. The EU and the US successfully negotiated a new framework, Privacy Shield, in 2016 to ensure the uninterrupted flow of data, subject to suitable protections of personal privacy.

Privacy Shield has been broadly welcomed on both sides of the Atlantic; however, there are questions about its viability and effectiveness, not only in the future, but also in the present.

Key concerns include:

  • Privacy Shield merely described then-current US presidential guidance. As regards the concerns raised in the Schrems case, no commitments were made going forward. Neither the Commission nor the Parliament appears to have noticed this.
  • Key portions of Privacy Shield are letters from one US department (for instance, the Office of the Director of National Intelligence (ODNI)) to another (the Department of Commerce). Again, these letters merely describe existing US practice – they make no commitments going forward. US courts will not interpret these letters as binding commitments to a foreign government on the future conduct of the United States. See also Gary Clyde Hufbauer and Euijin Jung (2016), The US-EU Privacy Shield Pact: A Work in Progress, PB 16-12, page 3, which independently arrives at similar conclusions. “The letters from the Director of National Intelligence (Annex VI) and the Assistant Attorney General for the Criminal Division of the Department of Justice (Annex VII) are addressed to second-tier officials in the Department of Commerce, not to the European Commission. Accordingly, their standing as executive agreements appears slight or nonexistent. For the most part these letters simply recite existing legislation and procedures.”
  • With minor exceptions, Privacy Shield was created under the executive authority of one US president, which means that it can be amended or revoked under the authority of another president (which to some extent has already been the case).

We begin by distinguishing among different aspects of privacy protection, and then consider each of these aspects in turn.

Distinct aspects of privacy are often conflated

In discussing the protection of consumer privacy, three different aspects are often conflated:

  • Protection of consumer privacy in the face of the interests of commercial firms.
  • Protection of privacy in the face of the interest of government law enforcement.
  • Protection of privacy in the face of government surveillance in the interest of national security.

Law enforcement authorities are under pressure to adhere to national legislative frameworks, since the results of any surveillance may need to be disclosed to a judge. If surveillance was improperly conducted, a judge might refuse to accept the evidence.

National security authorities are not subject to equivalent pressure. Unless a whistle-blower such as Snowden emerges, the results of their surveillance will never become public. Intelligence services are not subject to significant external pressure to adhere to applicable law; consequently, the degree to which internal governance is effective is crucial.

The Schrems verdict was based on concerns over government surveillance in the interest of national security. Privacy Shield deals primarily with commercial privacy, and thus is largely irrelevant to the concerns raised in Schrems.

Protection of consumer privacy from abuse by firms

Relative to measures taken by US firms to protect the consumer privacy of Europeans, the Privacy Shield programme creates a self-certification managed by the US Department of Commerce. A US firm can choose to self-certify compliance with obligations that roughly correspond to European privacy obligations. Failure to comply with the commitments that a firm has made could make it subject to sanctions for unfair or deceptive practices by the Federal Trade Commission (FTC) or, where relevant, by the Department of Commerce or Department of Transportation.

These provisions have broad support from US business, and are likely to remain in place.

Protection of consumer privacy from abuse by the US government

Privacy Shield does surprisingly little to address the European concerns over US mass surveillance that were raised in the Schrems decision, the problem it was ostensibly created to solve.

In announcing the Adequacy Decision that represented acceptance of the US government’s undertakings comprising Privacy Shield, the Commission proudly trumpeted numerous claims that turn out, on closer examination, to be either misleading or outright false:

Clear safeguards and transparency obligations on U.S. government access

The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area.

Did the US in fact provide such assurances? Are the assurances effective? Are redress mechanisms meaningful and enforceable?

Few assurances were provided as regards intelligence surveillance

The package of documents encompassing Privacy Shield includes two letters to the US Department of Commerce signed by senior officials of the Office of the Director of National Intelligence (ODNI) and one letter to the US Department of Commerce signed by a senior official of the Department of Justice, Criminal Division.

The letter from the Department of Justice notes that law enforcement and regulatory activities in the United States must conform to US law, and that judicial appeal is possible. This is well and good, but the concerns raised in Schrems relate primarily to data gathering for national security purposes, not to data gathering for law enforcement purposes.

The first letter from the ODNI seeks to explain “principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality of location”, relying on US Presidential Policy Directive 28 (PPD-28) of 17 January 2014.

PPD-28 is not law, but it has the force of law. The letter, however, appears to have merely been reporting on current arrangements, not creating new ones. US courts are unlikely to view a letter from one US agency to another under these circumstances as conferring new rights on Europeans that were not already manifest in US law or Executive Orders.

In its Adequacy Decision, the Commission states that PPD-28 “has binding force for U.S. intelligence authorities and remains effective upon change in the U.S. Administration.” It is true that PPD-28 remains in effect until it is no longer in effect, but a new President can revoke or amend PPD-28 with a stroke of the pen.

Little real possibility for Europeans to seek redress

Much has been made of the US Judicial Redress Act of 2016, which was intended to enable EU nationals to file suit in US courts “under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States”.

The Judicial Redress Act enables suit under only one specific Section of the Privacy Act of 1974 – U.S.C. title 5, section 552a(g)(1) – and only under quite narrow circumstances; moreover, law enforcement and national intelligence would tend to be excluded from the scope of the relevant provisions (see for instance U.S.C. title 5, section 552a(j)). The Judicial Redress Act is thus, once again, largely irrelevant to the surveillance concerns raised in Schrems.

Meaningful redress would have to be implemented under the CALEA or FISA acts (for law enforcement or foreign intelligence, respectively). The previously cited letters from the ODNI claim that this is already possible. Be this as it may, it should be remembered that under the vagaries of US law, these provisions are barely usable by US persons. First, the US government under both the George W. Bush and the Obama administrations has raised numerous roadblocks to suits using an evidentiary privilege known as the state secrets privilege.

Second, it can be difficult to establish that one is an aggrieved party – in the case of national intelligence, the agencies go to great lengths to ensure that the parties do not know that they are subject to surveillance. This can lead to truly bizarre consequences. In the decision of Al-Haramain Islamic Foundation v. Barack H. Obama (690 F.3d 1089 (2012)), for instance, the court notes that Al-Haramain Islamic Foundation and its lawyers “claimed that they were subject to warrantless electronic surveillance in 2004 in violation of the Foreign Intelligence Surveillance Act.” 507 F.3d at 1193. At the core of the allegations stood “a classified ‘Top Secret’ document (the ‘Sealed Document’) that the government inadvertently gave to [the Al-Haramain organization] in 2004 during a proceeding to freeze the organization’s assets.” “We held that the suit itself was not precluded by the state secrets privilege, although the privilege protected the Sealed Document. … Without the Sealed Document, the Al-Haramain organization could not establish that it suffered injury-in-fact and therefore did not have standing to bring suit.”

A recent blog by law firm Hunton & Williams rightly notes that the Judicial Redress Act remains in effect despite the new Executive Order. It goes on to argue, wrongly in our view for the reasons noted above, that as a result of the Judicial Redress Act remaining in force, “absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework.”

Finally, the US government is apt to change the playing board if they do not like the way that the game is going, as they did when they provided retroactive immunity (with the FISA Amendments Act of 2008) to telecommunications providers that might have violated under colour of law the previous FISA legislation.

Even if redress were fully effective, which it is clearly not in this case, redress as regards surveillance measures should be understood to be at best a limited tool for spot checking compliance. Redress cannot be a substitute for a system of surveillance that is measured and proportionate in the first place.

On a more positive note, Privacy Shield does provide for an Ombudsperson within the US Department of State (their foreign ministry) who can address complaints over suspected violations of the privacy of Europeans. As the European Commission has explained, “The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson will ensure that complaints are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied. In carrying out its duties, and following up on the complaints received, the Ombudsperson will work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are the ones responsible to oversee the various U.S. intelligence agencies.”

Among the letters provided by the US government is a statement by Secretary of State John Kerry in which he names a specific Undersecretary of State as a point of contact for foreign governments that wish to raise concerns about signal intelligence activities. This is a promising mechanism, but its effectiveness will clearly depend on (1) adequate resourcing for the office of the Ombudsperson, (2) independence from the intelligence community, and (3) good faith on the part of the US President, inasmuch as both the office of the Ombudsperson and the intelligence community report to the President. Even this promising step stops short of creating a formal entity with responsibilities that are committed to remain in place beyond the tenure of the Obama administration.

The Commission overstates this in its Adequacy Decision (op. cit.), at paragraph 65: “By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community.” Article 21 of the so-called “Umbrella Agreement” commits the US to provide for oversight through more than one agency, but is exceedingly vague.

Few commitments made going forward

As already noted, when it comes to surveillance for national security, the US undertakings in Privacy Shield appear only to document current practices (any of which could be changed at the stroke of a pen). There are very few commitments as regards future practice. For that matter, as the Article 29 Working Party (which oversees European privacy arrangements) has noted, they document current policy but do not necessarily document current practice.

On a more positive note, the Department of Commerce (Undersecretary for International Trade) made a cautiously worded commitment to make “reasonable efforts” to inform the Commission of relevant “material developments in the law”. How useful this commitment is in practice is unclear, however, since (1) presidential Executive Orders and Presidential Policy Directives (PPDs) have the force of law, but whether they are law is debatable, and (2) since PPDs relate to national security, many of them are classified, non-public documents.

Little certainty that Privacy Shield will be maintained or enforced

Source: Congressional Research Service (CRS), Can the President Withdraw from the Paris Agreement?, 5 December 2016. See also the State Department’s procedures on negotiation and conclusion of treaties and other international agreements.

Under the United States constitution, international agreements can constitute either treaties (which must be ratified by the US Senate) or executive agreements. The agreements are generally executed under one of several legal bases, such as the overall executive authority of the President. These agreements are not ratified by the Senate.

In US law, it is not entirely clear whether treaties that have been ratified by the Senate can be altered or revoked by the President, without the consent of the Congress; however it is fairly clear that an agreement entered into under the executive authority of one President could be altered or revoked under the executive authority of another.

Privacy Shield was not subjected to ratification. There are letters on file from the US Department of Commerce, Federal Trade Commission, Office of the Director of National Intelligence, Federal Bureau of Investigation, and Department of Transportation, but there is no law (with the exception of the Judicial Redress Act of 2016, which however has limited scope) or ratified treaty that puts Privacy Shield in place.

There is thus no legal, statutory guarantee that Privacy Shield will continue to function as it has.

Trump’s Executive Order “Enhancing Public Safety in the Interior of the United States”

Trump’s Executive Order of 25 January 2017 barring entry to residents from seven primarily Muslim countries has raised numerous concerns around the world. An easily overlooked aspect is that it risks fundamentally undermining Privacy Shield.

Article 14 of the Executive Order is clearly at odds with the positions taken in PPD-28, and thus with Privacy Shield. “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

It is impossible to square this with PPD-28, which says: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.”

It is unlikely that the Trump administration consciously sought to undermine Privacy Shield. It is clear, however, that Privacy Shield could easily suffer “collateral damage” from actions like this.

Risks and concerns going forward

All things considered, even though Privacy Shield was built on shaky foundations, it might have functioned well enough with commitment and good will on both sides of the Atlantic.

Businesses clearly support the substantial portions of Privacy Shield that were put in place to protect consumers against misuse of their data by private firms, and want Privacy Shield to remain in place.

As regards the use of personal data by the US government, especially for purposes of national security, however, the picture is much murkier. In the Schrems case, the ECJ made it clear that privacy is a right of Europeans, and cannot be ignored.

If Privacy Shield were to be overturned – for instance, due to suits filed by European privacy activists – there would be unfortunate consequences. The EU-US data transfers that Privacy Shield enables are commercially important, especially to multi-national firms. Policymakers would need to react promptly and effectively. Whether the necessary political will to respond is present today is uncertain.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.
