The European Commission issued a draft adequacy decision to EU member states as a first step toward ensuring that transatlantic data flows continue unabated. The move follows the EU court ruling that struck down the earlier Safe Harbor framework after finding that the U.S. was not adequately protecting the privacy of EU citizens’ personal data.
The court case stemmed in part from classified documents leaked by former National Security Agency contractor Edward Snowden.
“The Commission has carefully analyzed U.S. law and practice,” the EC said in its draft, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organizations in the United States.”
The EC findings specifically note that the Privacy Shield rests on self-certification: U.S. companies commit to abiding by EU privacy requirements whenever they handle the personal data of European citizens. Self-certifying organizations have to commit to a set of privacy principles, which include notice, security, data integrity and accountability.
Along with the draft adequacy decision, the EU’s Justice Commissioner also released the full text of the Privacy Shield arrangement negotiated earlier this year between the U.S. government and the European Commission.
Now that the EC has presented the Privacy Shield and its adequacy proposal to the EU as a whole, several additional steps remain, any of which could derail the whole thing. First comes an opinion from the member states’ data protection authorities and the European Data Protection Supervisor. Any of the authorities in the member states can object to the Privacy Shield proposal and request changes.
The national data protection authorities deliver that opinion collectively through what the EU calls the Article 29 Working Party. Next comes approval from the Article 31 Committee, which is made up of representatives of each EU member state. The European Parliament can also weigh in, and the adequacy decision can be amended or withdrawn at any time.
Meanwhile, the U.S. must commit to protecting European data, including protection from indiscriminate or mass surveillance. The U.S. must also provide redress procedures, including an ombudsperson to handle complaints about access by U.S. intelligence agencies. Fortunately, those redress procedures are in the works and will probably be in place before the EU finishes its approval process.
The Privacy Shield, and the EU process for agreeing that the U.S. provides adequate protection for the personal data of Europeans, is a major issue for U.S. companies that move data between the two continents. The lack of an agreement in force, combined with the actions of some U.S. agencies, has caused deep distrust of the U.S. government and its motives among Europeans and their governments.
European Commission Finds Privacy Shield Adequate to Protect EU Data
While the recently negotiated Privacy Shield is a major step, the EU insisted on an annual joint review of actual practices, especially actions by the U.S. government. The Privacy Shield arrangement includes sanctions if the commitments aren’t upheld, up to and including suspension of the framework and a complete block on data flows under it.
As you might imagine, a number of U.S. companies, from services such as Facebook to hardware manufacturers such as Apple, depend heavily on being able to process the protected data of EU citizens. This is one reason why Apple CEO Tim Cook is fighting the government’s demands that it unlock a terrorist’s iPhone.
Unfortunately, this whole agreement can be undone by the actions of U.S. government officials more interested in their own convenience than in the rule of law. An obvious example is the continuing effort by the U.S. Department of Justice to force Microsoft to open the email account of a suspected drug dealer, said to be an EU citizen, whose data sits on a server located in Ireland. While the Microsoft case hasn’t been mentioned by EC members, it’s exactly the sort of thing that European officials are concerned about.
The reason Europeans are worried is that in the Microsoft email case, there already exist laws and procedures for exactly this situation, negotiated in a mutual legal assistance treaty that the Senate ratified. That treaty is the law of the land in the U.S., yet the DoJ has felt no need to abide by it, in the name of expediency. Hence the demand for an annual assessment to ensure that the U.S. isn’t violating its own laws and its agreement with Europe.
Documents leaked by Snowden showed that the NSA was routinely collecting data passing between the U.S. and Europe. To some extent the NSA has a rationale for its actions, since the agency’s mission is foreign intelligence: collecting on people outside the U.S. and on people who are not U.S. citizens.
What bothered the EU wasn’t the fact that the NSA was spying. After all, the Europeans have their own intelligence agencies, some of which target the U.S. What bothered them was the wholesale nature of the spying. The fact that all traffic, including personal emails and routine financial transactions, was swept into the NSA’s computers was naturally unsettling to the EU.
Unfortunately, even though the U.S. has agreed to protect the data of Europeans, there’s no guarantee that it will actually happen. The track record of U.S. agencies, notably the DoJ, is marked more by the violation than the observance of established rules. If I were an EU data protection official, I’d be worried, too.