April 7, 2016
Guest blog post by Spiro Dhapi, Technology Legal and Policy expert, Member Alternate, European Economic and Social Committee (EESC).
Last February the European Commission introduced a new transatlantic data transfer scheme, the EU-US Privacy Shield, to replace “Safe Harbour” in an effort to satisfy all the involved parties: the EU judicial authorities, the EU public and technology companies in Europe and the US.
The new proposal came after a rather unexpected Decision from the European Court of Justice (ECJ), which dealt a blow to the very foundation of the Safe Harbour, ruling that the transatlantic data transfer scheme violated the fundamental rights of the EU citizens and the founding Treaties of the EU.
According to the ECJ, the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive (Directive 95/46/EC). Under these rules the Data Protection Authority needs to fully examine if adequate protection is offered to the EU citizens from such transfer of personal data from Europe to the EU.
The Court touched upon the very core of the Snowden revelations noting that the scheme is applicable solely to the United States companies who have adhered to the agreement, while the US public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the US prevail over the Safe Harbour scheme, so that US companies are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such national security requirements. The Court said that access to personal data on a generalized basis without differentiation, limitation or exceptions violates the fundamental rights of the EU citizens.
Another important element of the Court's decision is that the citizens should have access to a procedure which guarantees review of any decisions with regard to their data. The Court said that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
In the aftermath of the decision the European Commission has presented a proposal which is an attempt to address all the concerns mentioned by the Court. The new scheme provides for greater supervision of the involved companies and protection mechanisms including sanctions and eliminations of companies that violate the rules.
There is also a political commitment from the US Administration to establish an Ombudsman, independent from national security agencies, that will follow-up on complaints and enquiries by individuals and inform them whether the relevant laws have been complied with. At the same time the US Government commits that access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data.
Addressing the issue of the availability of legal remedies, the new proposal includes a free-of-charge Alternative Dispute Resolution, a 45-day deadline to resolve the issues, greater cooperation between national Data Protection Authorities and the Federal Trade Commission and an annual monitoring and review mechanism of the scheme.
The proposal from the Commission has been received with mixed responses by stakeholders and the public while there appear to be compromises achieved from both the US and EU representatives. However, it remains to be seen if these answers will be deemed adequate from a future, rather certain, challenge of the scheme before the ECJ, an outcome which will be hugely affected by the eventual form that these new proposals will take in their implementation.
And it is the enforcement on the ground that will eventually give shape to the new scheme and define its legality. Political intentions thus far have been questioned from both sides of the Atlantic.
MEPs and activists have already pointed towards the ambiguity of the language, which they say is solely based on political intentions. Further, they point out that under the new rules, an EU citizen would have to seek justice within a non-EU jurisdiction, the United States, by filing a complaint with the US Department of Commerce and the US Federal Trade Commission. Businesses have also expressed concerns with fines from a potential finding of violation reaching 4% of a company’s annual global revenue.
The discussion is also becoming part of the agenda around security and terrorism, especially after the Brussels attacks. Many suggest that there is a need for increased monitoring of the data flow, which they claim could prevent such attacks from even happening. With Europe at the moment in shock, such arguments appear to find ground in part of the public opinion and more pressure will be placed on the more liberal parties at the European Parliament.
It is evident that more work needs to be done towards providing satisfactory solutions to all the involved parties, and essentially passing the bar set by the ECJ. Experience from previous decisions of the ECJ dictates that the European Commission needs to ensure that a protection mechanism offers sufficient legal remedies to citizens, one for instance that respects the principle of proximity. The next period until the new Agreement is finalized, likely towards the beginning of the summer, will certainly involve even more political debates among the interested parties and intensified efforts from the Commission to close the loophole left after the Court’s decision.