Blog Post

How good a shield is Privacy Shield?

Privacy Shield was put in place in 2016 to ensure that transfers of personal data from the EU to the US would be in compliance with European Union privacy law, and thus permissible. The institutional framework of Privacy Shield was weak, and depended on the good will of the US administration. Recent actions by the new administration, including the famous executive order forbidding residents from 7 predominantly Muslim countries to enter the US, may have (presumably unintended) effects on Privacy Shield. To preserve the validity of Privacy Shield in European Courts, strong EU-US cooperation and potentially additional agreements may become necessary.

By: Date: February 7, 2017 Topic: Innovation & Competition Policy

The transfer of personal data among developed nations is of vital commercial importance.

Under the EU Data Protection Directive, transfers of personal data to a third country are permissible only if the third country in question ensures an adequate level of data protection. The European Commission certified the United States to be compliant in its Safe Harbour decision of 2000, thus permitting data transfers.

The decision of the European Court of Justice (ECJ) in the Schrems case in 2015 invalidated the Safe Harbour framework that had been in effect since 2000. The Privacy Shield measures that were subsequently taken to re-enable data transfers were institutionally weak, and poorly understood by European policymakers. Their successful implementation depended on the good will of the US administration. With a new administration in place in Washington, the Privacy Shield agreement is now under threat.

Background

The Schrems decision was primarily the result of ECJ concerns that the privacy rights of Europeans could not properly be protected in the face of the widespread surveillance conducted in the US under the George W. Bush administration and subsequently under the Obama administration. The EU and the US successfully negotiated a new framework, Privacy Shield, in 2016 to ensure the uninterrupted flow of data, subject to suitable protections of personal privacy.

Privacy Shield has been broadly welcomed on both sides of the Atlantic; however, there are questions about its viability and effectiveness, not only in the future, but also in the present.

Key concerns include:

  • Privacy Shield merely described then-current US presidential guidance. As regards the concerns raised in the Schrems case, no commitments were made going forward. Neither the Commission nor the Parliament appears to have noticed this.
  • Key portions of Privacy Shield are letters from one US department (for instance, the Office of the Director of National Intelligence (ODNI)) to another (the Department of Commerce). Again, these letters merely describe existing US practice – they make no commitments going forward. US courts will not interpret these letters as binding commitments to a foreign government on the future conduct of the United States. See also Gary Clyde Hufbauer and Euijin Jung (2016), The US-EU Privacy Shield Pact: A Work in Progress, PB 16-12, page 3, which independently arrives at similar conclusions: “The letters from the Director of National Intelligence (Annex VI) and the Assistant Attorney General for the Criminal Division of the Department of Justice (Annex VII) are addressed to second-tier officials in the Department of Commerce, not to the European Commission. Accordingly, their standing as executive agreements appears slight or nonexistent. For the most part these letters simply recite existing legislation and procedures.”
  • With minor exceptions, Privacy Shield was created under the executive authority of one US president, which means that it can be amended or revoked under the authority of another president (which to some extent has already been the case).

We begin by distinguishing among different aspects of privacy protection, and then consider each of these aspects in turn.

Distinct aspects of privacy are often conflated

In discussing the protection of consumer privacy, three different aspects are often conflated:

  • Protection of consumer privacy in the face of the interests of commercial firms.
  • Protection of privacy in the face of the interest of government law enforcement.
  • Protection of privacy in the face of government surveillance in the interest of national security.

Law enforcement authorities are under pressure to adhere to national legislative frameworks, since the results of any surveillance may need to be disclosed to a judge. If surveillance was improperly conducted, a judge might refuse to accept the evidence.

National security authorities are not subject to equivalent pressure. Unless a whistle-blower such as Snowden emerges, the results of their surveillance will never become public. Intelligence services are not subject to significant external pressure to adhere to applicable law; consequently, the degree to which internal governance is effective is crucial.

The Schrems verdict was based on concerns over government surveillance in the interest of national security. Privacy Shield deals primarily with commercial privacy, and thus is largely irrelevant to the concerns raised in Schrems.

Protection of consumer privacy from abuse by firms

Relative to measures taken by US firms to protect the consumer privacy of Europeans, the Privacy Shield programme creates a self-certification managed by the US Department of Commerce. A US firm can choose to self-certify compliance with obligations that roughly correspond to European privacy obligations. Failure to comply with the commitments that a firm has made could make it subject to sanctions for unfair or deceptive practices by the Federal Trade Commission (FTC) or, where relevant, by the Department of Commerce or Department of Transportation.

These provisions have broad support from US business, and are likely to remain in place.

Protection of consumer privacy from abuse by the US government

Privacy Shield does surprisingly little to address the European concerns over US mass surveillance that were raised in the Schrems decision, the problem it was ostensibly created to solve.

In announcing the Adequacy Decision that represented acceptance of the US government’s undertakings comprising Privacy Shield, the Commission proudly trumpeted numerous claims that turn out, on closer examination, to be either misleading or outright false:

Clear safeguards and transparency obligations on U.S. government access

The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area.

Did the US in fact provide such assurances? Are the assurances effective? Are redress mechanisms meaningful and enforceable?

Few assurances were provided as regards intelligence surveillance

The package of documents encompassing Privacy Shield includes two letters to the US Department of Commerce signed by senior officials of the Office of the Director of National Intelligence (ODNI) and one letter to the US Department of Commerce signed by a senior official of the Department of Justice, Criminal Division.

The letter from the Department of Justice notes that law enforcement and regulatory activities in the United States must conform to US law, and that judicial appeal is possible. This is well and good, but the concerns raised in Schrems relate primarily to data gathering for national security purposes, not to data gathering for law enforcement purposes.

The first letter from the ODNI seeks to explain “principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality or location”, relying on US Presidential Policy Directive 28 (PPD-28) of 17 January 2014.

PPD-28 is not law, but it has the force of law. The letter, however, appears to have merely been reporting on current arrangements, not creating new ones. US courts are unlikely to view a letter from one US agency to another under these circumstances as conferring new rights on Europeans that were not already manifest in US law or Executive Orders.

In its Adequacy Decision, the Commission states that PPD-28 “has binding force for U.S. intelligence authorities and remains effective upon change in the U.S. Administration.” It is true that PPD-28 remains in effect until it is no longer in effect, but a new President can revoke or amend PPD-28 with a stroke of the pen.

Little real possibility for Europeans to seek redress

Much has been made of the US Judicial Redress Act of 2016, which was intended to enable EU nationals to file suit in US courts “under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States”.

The Judicial Redress Act enables suit under only one specific Section of the Privacy Act of 1974 – U.S.C. title 5, section 552a(g)(1) – and only under quite narrow circumstances; moreover, law enforcement and national intelligence would tend to be excluded from the scope of the relevant provisions (see for instance U.S.C. title 5, section 552a(j)). The Judicial Redress Act is thus, once again, largely irrelevant to the surveillance concerns raised in Schrems.

Meaningful redress would have to be implemented under the CALEA or FISA acts (for law enforcement or foreign intelligence, respectively). The previously cited letters from the ODNI claim that this is already possible. Be this as it may, it should be remembered that under the vagaries of US law, these provisions are barely usable by US persons. First, the US government under both the George W. Bush and the Obama administrations has raised numerous roadblocks to suits using an evidentiary privilege known as the state secrets privilege.

Second, it can be difficult to establish that one is an aggrieved party – in the case of national intelligence, the agencies go to great lengths to ensure that the parties do not know that they are subject to surveillance. This can lead to truly bizarre consequences. In the decision of Al-Haramain Islamic Foundation v. Barack H. Obama (690 F.3d 1089 (2012)), for instance, the court notes that Al-Haramain Islamic Foundation and its lawyers “claimed that they were subject to warrantless electronic surveillance in 2004 in violation of the Foreign Intelligence Surveillance Act.” 507 F.3d at 1193. At the core of the allegations stood “a classified ‘Top Secret’ document (the ‘Sealed Document’) that the government inadvertently gave to [the Al-Haramain organization] in 2004 during a proceeding to freeze the organization’s assets.” We held that the suit itself was not precluded by the state secrets privilege, although the privilege protected the Sealed Document. … Without the Sealed Document, the Al-Haramain organization could not establish that it suffered injury-in-fact and therefore did not have standing to bring suit.”

A recent blog by law firm Hunton & Williams rightly notes that the Judicial Redress Act remains in effect despite the new Executive Order. It goes on to argue, wrongly in our view for the reasons noted above, that as a result of the Judicial Redress Act remaining in force, “absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework.”

Finally, the US government is apt to change the playing board if they do not like the way that the game is going, as they did when they provided retroactive immunity (with the FISA Amendments Act of 2008) to telecommunications providers that might have violated under colour of law the previous FISA legislation.

Even if redress were fully effective, which it is clearly not in this case, redress as regards surveillance measures should be understood to be at best a limited tool for spot checking compliance. Redress cannot be a substitute for a system of surveillance that is measured and proportionate in the first place.

On a more positive note, Privacy Shield does provide for an Ombudsperson within the US Department of State (their foreign ministry) who can address complaints over suspected violations of the privacy of Europeans. As the European Commission has explained, “The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson will ensure that complaints are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied. In carrying out its duties, and following up on the complaints received, the Ombudsperson will work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are the ones responsible to oversee the various U.S. intelligence agencies.”

Among the letters provided by the US government is a statement by Secretary of State John Kerry in which he names a specific Undersecretary of State as a point of contact for foreign governments that wish to raise concerns about signal intelligence activities. This is a promising mechanism, but its effectiveness will clearly depend on (1) adequate resourcing for the office of the Ombudsperson, (2) independence from the intelligence community, and (3) good faith on the part of the US President, inasmuch as both the office of the Ombudsperson and the intelligence community report to the President. Even this promising step stops short of creating a formal entity with responsibilities that are committed to remain in place beyond the tenure of the Obama administration.

The Commission overstates this in its Adequacy Decision (op. cit.), at paragraph 65: “By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community.” Article 21 of the so-called “Umbrella Agreement” commits the US to provide for oversight through more than one agency, but is exceedingly vague.

Few commitments made going forward

As already noted, when it comes to surveillance for national security, the US undertakings in Privacy Shield appear only to document current practices (any of which could be changed at the stroke of a pen). There are very few commitments as regards future practice. For that matter, as the Article 29 Working Party (which oversees European privacy arrangements) has noted, they document current policy but do not necessarily document current practice.

On a more positive note, the Department of Commerce (Undersecretary for International Trade) made a cautiously worded commitment to make “reasonable efforts” to inform the Commission of relevant “material developments in the law”. How useful this commitment is in practice is unclear, however, since (1) presidential Executive Orders and Presidential Policy Directives (PPDs) have the force of law, but whether they are law is debatable, and (2) since PPDs relate to national security, many of them are classified, non‑public documents.

Little certainty that Privacy Shield will be maintained or enforced

Source: Congressional Research Service (CRS), Can the President Withdraw from the Paris Agreement?, 5 December 2016. See also the State Department’s procedures on negotiation and conclusion of treaties and other international agreements.

Under the United States constitution, international agreements can constitute either treaties (which must be ratified by the US Senate) or executive agreements. The agreements are generally executed under one of several legal bases, such as the overall executive authority of the President. These agreements are not ratified by the Senate.

In US law, it is not entirely clear whether treaties that have been ratified by the Senate can be altered or revoked by the President without the consent of the Congress; however, it is fairly clear that an agreement entered into under the executive authority of one President could be altered or revoked under the executive authority of another.

Privacy Shield was not subjected to ratification. There are letters on file from the US Department of Commerce, Federal Trade Commission, Office of the Director of National Intelligence, Federal Bureau of Investigation, and Department of Transportation, but there is no law (with the exception of the Judicial Redress Act of 2016, which however has limited scope) or ratified treaty that puts Privacy Shield in place.

There is thus no legal, statutory guarantee that Privacy Shield will continue to function as it has.

Trump’s Executive Order “Enhancing Public Safety in the Interior of the United States”

Trump’s Executive Order of 25 January 2017 barring entry to residents from seven primarily Muslim countries has raised numerous concerns around the world. An easily overlooked aspect is that it risks fundamentally undermining Privacy Shield.

Article 14 of the Executive Order is clearly at odds with the positions taken in PPD-28, and thus with Privacy Shield. “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

It is impossible to square this with PPD-28, which says: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.”

It is unlikely that the Trump administration consciously sought to undermine Privacy Shield. It is clear, however, that Privacy Shield could easily suffer “collateral damage” from actions like this.

Risks and concerns going forward

All things considered, even though Privacy Shield was built on shaky foundations, it might have functioned well enough with commitment and good will on both sides of the Atlantic.

Businesses clearly support the substantial portions of Privacy Shield that were put in place to protect consumers against misuse of their data by private firms, and want Privacy Shield to remain in place.

As regards the use of personal data by the US government, especially for purposes of national security, however, the picture is much murkier. In the Schrems case, the ECJ made it clear that privacy is a right of Europeans, and cannot be ignored.

If Privacy Shield were to be overturned – for instance, due to suits filed by European privacy activists – there would be unfortunate consequences. The EU-US data transfers that Privacy Shield enables are commercially important, especially to multi-national firms. Policymakers would need to react promptly and effectively. Whether the necessary political will to respond is present today is uncertain.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.
