Blog Post

How good a shield is Privacy Shield?

Privacy Shield was put in place in 2016 to ensure that transfers of personal data from the EU to the US would be in compliance with European Union privacy law, and thus permissible. The institutional framework of Privacy Shield was weak, and depended on the good will of the US administration. Recent actions by the new administration, including the famous executive order forbidding residents from 7 predominantly Muslim countries to enter the US, may have (presumably unintended) effects on Privacy Shield. To preserve the validity of Privacy Shield in European Courts, strong EU-US cooperation and potentially additional agreements may become necessary.

By: Date: February 7, 2017 Topic: Innovation & Competition Policy

The transfer of personal data among developed nations is of vital commercial importance.

Under the EU Data Protection Directive, transfers of personal data to a third country are permissible only if the third country in question ensures an adequate level of data protection. The European Commission certified the United States to be compliant in its Safe Harbour decision of 2000, thus permitting data transfers.

The decision of the European Court of Justice (ECJ) in the Schrems case in 2015 invalidated the Safe Harbour framework that had been in effect since 2000. The Privacy Shield measures that were subsequently taken to re-enable data transfers were institutionally weak, and poorly understood by European policymakers. Their successful implementation depended on the good will of the US administration. With a new administration in place in Washington, the Privacy Shield agreement is now under threat.

Background

The Schrems decision was primarily the result of ECJ concerns that the privacy rights of Europeans could not properly be protected in the face of the widespread surveillance conducted in the US under the George W. Bush administration and subsequently under the Obama administration. The EU and the US successfully negotiated a new framework, Privacy Shield, in 2016 to ensure the uninterrupted flow of data, subject to suitable protections of personal privacy.

Privacy Shield has been broadly welcomed on both sides of the Atlantic; however, there are questions about its viability and effectiveness, not only in the future, but also in the present.

Key concerns include:

  • Privacy Shield merely described then-current US presidential guidance. As regards the concerns raised in the Schrems case, no commitments were made going forward. Neither the Commission nor the Parliament appears to have noticed this.
  • Key portions of Privacy Shield are letters from one US department (for instance, the Office of the Director of National Intelligence (ODNI)) to another (the Department of Commerce). Again, these letters merely describe existing US practice – they make no commitments going forward. US courts will not interpret these letters as binding commitments to a foreign government on the future conduct of the United States. See also Gary Clyde Hufbauer and Euijin Jung (2016), The US-EU Privacy Shield Pact: A Work in Progress, PB 16-12, page 3, which independently arrives at similar conclusions: “The letters from the Director of National Intelligence (Annex VI) and the Assistant Attorney General for the Criminal Division of the Department of Justice (Annex VII) are addressed to second-tier officials in the Department of Commerce, not to the European Commission. Accordingly, their standing as executive agreements appears slight or nonexistent. For the most part these letters simply recite existing legislation and procedures.”
  • With minor exceptions, Privacy Shield was created under the executive authority of one US president, which means that it can be amended or revoked under the authority of another president (which to some extent has already been the case).

We begin by distinguishing among different aspects of privacy protection, and then consider each of these aspects in turn.

Distinct aspects of privacy are often conflated

In discussing the protection of consumer privacy, three different aspects are often conflated:

  • Protection of consumer privacy in the face of the interests of commercial firms.
  • Protection of privacy in the face of the interest of government law enforcement.
  • Protection of privacy in the face of government surveillance in the interest of national security.

Law enforcement authorities are under pressure to adhere to national legislative frameworks, since the results of any surveillance may need to be disclosed to a judge. If surveillance was improperly conducted, a judge might refuse to accept the evidence.

National security authorities are not subject to equivalent pressure. Unless a whistle-blower such as Snowden emerges, the results of their surveillance will never become public. Intelligence services are not subject to significant external pressure to adhere to applicable law; consequently, the degree to which internal governance is effective is crucial.

The Schrems verdict was based on concerns over government surveillance in the interest of national security. Privacy Shield deals primarily with commercial privacy, and thus is largely irrelevant to the concerns raised in Schrems.

Protection of consumer privacy from abuse by firms

As regards measures taken by US firms to protect the consumer privacy of Europeans, the Privacy Shield programme creates a self-certification scheme managed by the US Department of Commerce. A US firm can choose to self-certify compliance with obligations that roughly correspond to European privacy obligations. Failure to comply with the commitments that a firm has made could make it subject to sanctions for unfair or deceptive practices by the Federal Trade Commission (FTC) or, where relevant, by the Department of Commerce or Department of Transportation.

These provisions have broad support from US business, and are likely to remain in place.

Protection of consumer privacy from abuse by the US government

Privacy Shield does surprisingly little to address the European concerns over US mass surveillance that were raised in the Schrems decision, the very problem it was ostensibly created to solve.

In announcing the Adequacy Decision that represented acceptance of the US government’s undertakings comprising Privacy Shield, the Commission proudly trumpeted numerous claims that turn out, on closer examination, to be either misleading or outright false:

Clear safeguards and transparency obligations on U.S. government access

The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area.

Did the US in fact provide such assurances? Are the assurances effective? Are redress mechanisms meaningful and enforceable?

Few assurances were provided as regards intelligence surveillance

The package of documents encompassing Privacy Shield includes two letters to the US Department of Commerce signed by senior officials of the Office of the Director of National Intelligence (ODNI) and one letter to the US Department of Commerce signed by a senior official of the Department of Justice, Criminal Division.

The letter from the Department of Justice notes that law enforcement and regulatory activities in the United States must conform to US law, and that judicial appeal is possible. This is well and good, but the concerns raised in Schrems relate primarily to data gathering for national security purposes, not to data gathering for law enforcement purposes.

The first letter from the ODNI seeks to explain “principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality or location”, relying on US Presidential Policy Directive 28 (PPD-28) of 17 January 2014.

PPD-28 is not law, but it has the force of law. The letter, however, appears to have merely been reporting on current arrangements, not creating new ones. US courts are unlikely to view a letter from one US agency to another under these circumstances as conferring new rights on Europeans that were not already manifest in US law or Executive Orders.

In its Adequacy Decision, the Commission states that PPD-28 “has binding force for U.S. intelligence authorities and remains effective upon change in the U.S. Administration.” It is true that PPD-28 remains in effect until it is no longer in effect, but a new President can revoke or amend PPD-28 with a stroke of the pen.

Little real possibility for Europeans to seek redress

Much has been made of the US Judicial Redress Act of 2016, which was intended to enable EU nationals to file suit in US courts “under the Privacy Act of 1974 against certain U.S. government agencies for purposes of accessing, amending, or redressing unlawful disclosures of records transferred from a foreign country to the United States”.

The Judicial Redress Act enables suit under only one specific Section of the Privacy Act of 1974 – U.S.C. title 5, section 552a(g)(1) – and only under quite narrow circumstances; moreover, law enforcement and national intelligence would tend to be excluded from the scope of the relevant provisions (see for instance U.S.C. title 5, section 552a(j)). The Judicial Redress Act is thus, once again, largely irrelevant to the surveillance concerns raised in Schrems.

Meaningful redress would have to be implemented under the CALEA or FISA acts (for law enforcement or foreign intelligence, respectively). The previously cited letters from the ODNI claim that this is already possible. Be this as it may, it should be remembered that under the vagaries of US law, these provisions are barely usable by US persons. First, the US government under both the George W. Bush and the Obama administrations has raised numerous roadblocks to suits using an evidentiary privilege known as the state secrets privilege.

Second, it can be difficult to establish that one is an aggrieved party – in the case of national intelligence, the agencies go to great lengths to ensure that the parties do not know that they are subject to surveillance. This can lead to truly bizarre consequences. In the decision of Al-Haramain Islamic Foundation v. Barack H. Obama (690 F.3d 1089 (2012)), for instance, the court recounts that Al-Haramain Islamic Foundation and its lawyers “claimed that they were subject to warrantless electronic surveillance in 2004 in violation of the Foreign Intelligence Surveillance Act” (507 F.3d at 1193). At the core of the allegations stood “a classified ‘Top Secret’ document (the ‘Sealed Document’) that the government inadvertently gave to [the Al-Haramain organization] in 2004 during a proceeding to freeze the organization’s assets.” The court continues: “We held that the suit itself was not precluded by the state secrets privilege, although the privilege protected the Sealed Document. … Without the Sealed Document, the Al-Haramain organization could not establish that it suffered injury-in-fact and therefore did not have standing to bring suit.”

A recent blog by law firm Hunton & Williams rightly notes that the Judicial Redress Act remains in effect despite the new Executive Order. It goes on to argue, wrongly in our view for the reasons noted above, that as a result of the Judicial Redress Act remaining in force, “absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework.”

Finally, the US government is apt to change the playing board if it does not like the way that the game is going, as it did when it provided retroactive immunity (with the FISA Amendments Act of 2008) to telecommunications providers that might, under colour of law, have violated the previous FISA legislation.

Even if redress were fully effective, which it is clearly not in this case, redress as regards surveillance measures should be understood to be at best a limited tool for spot checking compliance. Redress cannot be a substitute for a system of surveillance that is measured and proportionate in the first place.

On a more positive note, Privacy Shield does provide for an Ombudsperson within the US Department of State (the US foreign ministry) who can address complaints over suspected violations of the privacy of Europeans. As the European Commission has explained, “The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson will ensure that complaints are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied. In carrying out its duties, and following up on the complaints received, the Ombudsperson will work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are the ones responsible to oversee the various U.S. intelligence agencies.”

Among the letters provided by the US government is a statement by Secretary of State John Kerry in which he names a specific Undersecretary of State as a point of contact for foreign governments that wish to raise concerns about signals intelligence activities. This is a promising mechanism, but its effectiveness will clearly depend on (1) adequate resourcing for the office of the Ombudsperson, (2) independence from the intelligence community, and (3) good faith on the part of the US President, inasmuch as both the office of the Ombudsperson and the intelligence community report to the President. Even this promising step stops short of creating a formal entity with responsibilities that are committed to remain in place beyond the tenure of the Obama administration.

The Commission overstates this in its Adequacy Decision (op. cit.), at paragraph 65: “By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community.” Article 21 of the so-called “Umbrella Agreement” commits the US to provide for oversight through more than one agency, but is exceedingly vague.

Few commitments made going forward

As already noted, when it comes to surveillance for national security, the US undertakings in Privacy Shield appear only to document current practices (any of which could be changed at the stroke of a pen). There are very few commitments as regards future practice. For that matter, as the Article 29 Working Party (which oversees European privacy arrangements) has noted, they document current policy but do not necessarily document current practice.

On a more positive note, the Department of Commerce (Undersecretary for International Trade) made a cautiously worded commitment to make “reasonable efforts” to inform the Commission of relevant “material developments in the law”. How useful this commitment is in practice is unclear, however, since (1) presidential Executive Orders and Presidential Policy Directives (PPDs) have the force of law, but whether they are law is debatable, and (2) since PPDs relate to national security, many of them are classified, non-public documents.

Little certainty that Privacy Shield will be maintained or enforced

Under the United States constitution, international agreements can constitute either treaties (which must be ratified by the US Senate) or executive agreements. The latter are generally executed under one of several legal bases, such as the overall executive authority of the President, and are not ratified by the Senate.

In US law, it is not entirely clear whether treaties that have been ratified by the Senate can be altered or revoked by the President without the consent of the Congress; however, it is fairly clear that an agreement entered into under the executive authority of one President could be altered or revoked under the executive authority of another.

Source: Congressional Research Service (CRS), Can the President Withdraw from the Paris Agreement?, 5 December 2016. See also the State Department’s procedures on negotiation and conclusion of treaties and other international agreements.

Privacy Shield was not subjected to ratification. There are letters on file from the US Department of Commerce, Federal Trade Commission, Office of the Director of National Intelligence, Federal Bureau of Investigation, and Department of Transportation, but there is no law (with the exception of the Judicial Redress Act of 2016, which however has limited scope) or ratified treaty that puts Privacy Shield in place.

There is thus no legal, statutory guarantee that Privacy Shield will continue to function as it has.

Trump’s Executive Order “Enhancing Public Safety in the Interior of the United States”

Trump’s Executive Order of 25 January 2017 barring entry to residents from seven primarily Muslim countries has raised numerous concerns around the world. An easily overlooked aspect is that it risks fundamentally undermining Privacy Shield.

Article 14 of the Executive Order is clearly at odds with the positions taken in PPD-28, and thus with Privacy Shield. It reads: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

It is impossible to square this with PPD-28, which says: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.”

It is unlikely that the Trump administration consciously sought to undermine Privacy Shield. It is clear, however, that Privacy Shield could easily suffer “collateral damage” from actions like this.

Risks and concerns going forward

All things considered, even though Privacy Shield was built on shaky foundations, it might have functioned well enough with commitment and good will on both sides of the Atlantic.

Businesses clearly support the substantial portions of Privacy Shield that were put in place to protect consumers against misuse of their data by private firms, and want Privacy Shield to remain in place.

As regards the use of personal data by the US government, especially for purposes of national security, however, the picture is much murkier. In the Schrems case the ECJ nevertheless made it clear that privacy is a right of Europeans, and cannot be ignored.

If Privacy Shield were to be overturned – for instance, due to suits filed by European privacy activists – there would be unfortunate consequences. The EU-US data transfers that Privacy Shield enables are commercially important, especially to multi-national firms. Policymakers would need to react promptly and effectively. Whether the necessary political will to respond is present today is uncertain.


Republishing and referencing

Bruegel considers itself a public good and takes no institutional standpoint. Anyone is free to republish and/or quote this post without prior consent. Please provide a full reference, clearly stating Bruegel and the relevant author as the source, and include a prominent hyperlink to the original post.
