Irony Alert: US Could Block Personal Data Transfers To Ireland, European Home Of Digital Giants, Because GDPR Is Not Being Enforced Properly

from the biter-bit dept

Last year, the EU's top court threw out the Privacy Shield framework for transferring personal data between the EU and US. The court decided that the NSA's surveillance practices meant that the personal data of EU citizens was not protected to the degree required by the GDPR when it was sent to the US. This was the second time that such an agreement had been struck down: before, there was Safe Harbor, which failed for similar reasons. The absence of a simple procedure for sending EU personal data to the US is bad news for companies that need to do this on a regular basis. No wonder, then, that the US and EU are trying to come up with a new legal framework to allow it, as this CNBC story notes:

Officials from the EU and U.S. are "intensifying negotiations" on a new pact for transatlantic data transfers, trying to solve the messy issue of personal information that is transferred between the two regions.

Even if they manage to come up with one, there's no guarantee that it won't be shot down yet again by the courts, unless the underlying issues of NSA surveillance are addressed in some way -- no easy task. Meanwhile, there's been a fascinating development on the US side, reported here by The Irish Times:

The US Senate is to debate a proposal to limit foreign countries' access to US citizens' personal data and to introduce a licence requirement for foreign companies that trade in this information.

The draft "Protecting Americans' Data From Foreign Surveillance Act", presented on Thursday by Democratic Senator Ron Wyden of Oregon, is aimed primarily at curbing the sale and theft of data by "shady data brokers" to "hostile" foreign governments such as China.

The law may be aimed primarily at China, but its reach is wide, and it could hit an unlikely target. As the Irish Council for Civil Liberties (ICCL) explains, the new Bill (pdf) aims to stop the personal data of US citizens being transferred to locations with inadequate data protection -- just as the EU's GDPR does. But according to the ICCL, one country that may fall into this category of dodgy data handling is Ireland:

ICCL understands from those who wrote the draft Bill that Ireland's failure to enforce the GDPR is of particular concern. The Bill intentionally uses language from the GDPR, and targets this enforcement failure. The draft Bill makes clear that merely enacting strong data protection law such as the GDPR is not enough. That law must be enforced.

Most digital giants have their European headquarters in Ireland. Under the GDPR, it is Ireland's Data Protection Commission (DPC) that must investigate and ultimately fine these companies for their GDPR infringements anywhere in the EU. The DPC has opened many data privacy inquiries (pdf), but has so far failed to impose serious fines. Without strict enforcement by the Irish authorities, there is a growing feeling that the GDPR could be fatally undermined. Hence the risk that the US might not allow personal data to be transferred to Ireland, if the new "Protecting Americans' Data From Foreign Surveillance Act" becomes law. Given the long-standing concerns over the protection of personal data flows from the EU to the US, that would be a rather ironic turn of events.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: data brokers, data transfers, gdpr, ireland, privacy, privacy shield, ron wyden, surveillance, us

As Expected, US Surveillance Of Social Media Leads To EU Court Of Justice Rejecting EU/US Privacy Shield

from the now-what? dept

This one sounds boring, but stick with it because it's important. Because the US and the EU have vastly different privacy regulation regimes, there has always been some conflict over how (mainly) US internet companies handle data from the EU. For years, this was "settled" by a weird and mostly useless "EU-US data protection safe harbor" agreement, in which US companies would have to get "certified" that they kept EU-originated data protected at an "equivalent" level to how it would be protected in the EU when transferring it across the Atlantic to US-based data centers. It was a bit of a nuisance as a company (we went through the process ourselves), but in 2015 the entire safe harbor agreement was invalidated by the EU Court of Justice because of the NSA's ongoing snooping on data from those internet companies, as revealed by Ed Snowden.

The EU and US freaked out, and had a frantic negotiation to come up with a new "safe harbor" agreement with the catchier name of "Privacy Shield," but as we pointed out when it was announced, the problem wasn't the text of the agreement, but rather the NSA's surveillance practices with regards to internet data. Here's what I wrote four years ago:

The real issue here is mass surveillance overall. The only real way to fix this issue is to stop mass surveillance and go back to saying that intelligence agencies and law enforcement need to go back to doing targeted surveillance using warrants and true oversight. But, instead, the EU and the US keep trying to paper over this by coming up with a new agreement.

Since then, the Privacy Shield was challenged and the challenge took its sweet time to go through the courts -- again brought by Max Schrems, whose lawsuit had sunk the original safe harbor as well. And, now, finally, four years later exactly what we expected to happen has happened. The CJEU has invalidated the Privacy Shield agreement, by basically saying "hey, the US surveillance regime remains the same, and that was the problem all along." You can read the full decision if you want to get deep into the details.

But the short summary is that while the Privacy Shield framework offered a few ways for EU residents to seek redress from some forms of surveillance, the CJEU says that's not nearly enough:

While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited … and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show “standing” …, which restricts access to ordinary courts …

As you may recall, Executive Order 12333 is the tool under which the US does most of its foreign surveillance totally outside of the oversight of Congress. This has always been a massive problem, and here the CJEU is basically saying "if the US doesn't do wholesale surveillance reform, there's going to be a serious problem with transferring data from the EU to the US."

Now, there is some argument here that EU surveillance is just as bad, and it's perhaps more than a little silly that the CJEU basically ignores that as if it's not important.

Either way, the key point to all of this is that if US companies want to be able to transfer data over from the EU to the US long term (there are ways they can do it for now), the US government needs to vastly reform its surveillance practices. Well, assuming there was a competent government that actually cared about these things. I'm a bit worried that the current administration will just ignore this or use it to attack the EU, which would be somewhat disastrous for US internet companies.

I've seen some people saying that this is a ruling against the internet companies and their data collection practices, but that's not really accurate. The problem is not so much that -- it's how the NSA spies on people with that data (with or without cooperation of the companies). This really should lead to the US internet industry pressuring the US government to stop mass surveillance -- just like we said four years ago.

Filed Under: data protection, eu, gdpr, mass surveillance, max schrems, nsa, privacy shield, surveillance
Companies: facebook, noyb

Top EU Court's Adviser Says Personal Data Can Be Transferred Using 'Standard Contractual Clauses' -- But Also Suggests That Privacy Shield Should Be Ruled Invalid

from the sting-in-the-tail dept

As is usual for cases being considered by the EU's highest court, the Court of Justice of the European Union (CJEU), before the main ruling a senior legal adviser offers a preliminary opinion. Although the view by the Advocate General is not binding on the court, it often gives a good idea of how things will go. That makes some of the issues raised in a new opinion by Advocate General Saugmandsgaard Øe (pdf) concerning the EU's GDPR privacy regulation particularly interesting. The case is yet another one triggered by a complaint from the privacy activist Max Schrems as a result of Snowden's revelations. The background is summed up well by the press release on the Advocate General's opinion (pdf):

The data of Facebook users residing in the EU, such as Mr Schrems, are transferred, in full or in part, from Facebook Ireland, the Irish subsidiary of Facebook Inc., to servers located in the United States, where they are processed. In 2013, Mr Schrems lodged a complaint with the Irish authority responsible for monitoring the application of the provisions relating to the protection of personal data ('the supervisory authority'), taking the view that, in the light of the revelations made by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency or 'NSA'), the law and practices of the United States do not offer sufficient protection against surveillance, by the public authorities, of the data transferred to that country. The supervisory authority rejected the complaint, on the ground, inter alia, that in a decision of 26 July 2000 the Commission had considered that, under the 'safe harbour' scheme, the United States ensured an adequate level of protection of the personal data transferred.

As Techdirt reported, the "safe harbor" framework was thrown out by the CJEU in 2015, because it failed to offer enough protection for EU data. It was swiftly replaced by the Privacy Shield framework -- a slightly tweaked version of the safe harbor scheme. Both made transfers of EU personal data to the US legal by certifying that US data protection standards are "adequate".

But there is another way to make such transfers legally. Instead of relying on a general framework, individual companies can use standard contractual clauses (SCC), which are simply a promise that EU personal data will be protected in the US (or elsewhere) according to EU standards. The key issue considered by the Advocate General in advance of the CJEU ruling is whether the use of SCCs for the transfer of personal data to non-EU countries is valid. On that point, the court adviser has now said that in his view SCCs can be used as an alternative to things like the Privacy Shield framework. The main reason is that SCCs can be cancelled at any time -- for example, if evidence emerges that EU personal data is not sufficiently protected under foreign laws. The Advocate General goes further, saying:

there is an obligation -- placed on the data controllers [in a company, for example] and, where the latter fail to act, on the supervisory authorities [of each EU nation] -- to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.

So the good news for companies is that SCCs are a perfectly legitimate way of transferring EU personal data to the US. The bad news is that the data protection authorities in the EU must check whether the personal data is really protected according to EU norms, and if not, to block the flows immediately. In his press release on the opinion (pdf), Schrems says this is a huge step for the enforcement of the GDPR if it is followed by the CJEU: "At the moment, many data protection authorities simply look the other way when they receive reports of infringements or simply do not deal with complaints." In particular, Schrems says the Irish Data Protection Commissioner (DPC) would have to suspend the data flows between Facebook Ireland and Facebook Inc. because the DPC has already agreed EU data is not sufficiently protected by the latter. More generally, Schrems thinks this will lead to "More privacy for EU consumers, massive issues for certain US business":

If the Court follows today's opinion to have a "targeted approach" [on a case-by-case basis], there would be no impact on most EU data transfers. EU data protection authorities may however stop transfers to US companies that fall under FISA 702 ("electronic communication service providers"). This includes companies like Facebook, Google, Microsoft, Amazon Web Services or Yahoo.

Although it's subsidiary to the main issue of whether SCCs are valid, the Advocate General concludes with something of a legal bombshell. As the press release puts it:

According to the Advocate General, the resolution of the dispute in the main proceedings does not require the Court to rule on the validity of the 'privacy shield' decision, since that dispute concerns only the validity of Decision 2010/87 [regarding SCCs]. Nevertheless, the Advocate General sets out, in the alternative, the reasons that lead him to question the validity of the 'privacy shield' decision in the light of the right to respect for private life and the right to an effective remedy.

The Advocate General is saying that the EU's top court doesn't have to consider whether today's Privacy Shield offers enough protection of EU personal data sent to the US, but if it chooses to do so, he thinks it ought to rule that it's invalid. If the CJEU agrees, and throws out Privacy Shield as it threw out the safe harbor framework, that would have a major impact on today's digital world. We'll find out some time next year whether the judges are happy to do that.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cjeu, eu, personal data, privacy, privacy shield

EU Tells US: Ban Strong Encryption, And Privacy Shield Data Sharing Agreement Could Be At Risk

from the question-of-adequacy dept

As a recent post underlines, law enforcement agencies around the world are still trying to argue that things are "going dark", and that strong encryption is bad and should be made illegal. Techdirt and many others have pointed out what an extremely stupid idea this would be. Here's a further reason why the US shouldn't ban strong encryption: it might lead to the EU making data transfers across the Atlantic much harder. The possibility has emerged thanks to some formal questions to the European Commission (pdf) submitted by a Member of the European Parliament, Moritz Körner. They include the following:

According to the news website Politico, the US government is considering a ban on encryption.

1. Would the Commission consider a similar ban in the EU to be useful?

2. Would a ban on encryption in the USA render data transfers to the US illegal in light of the requirement of the EU GDPR for built-in data protection?

The answers from the European Commission have now been published (pdf). The first response is as follows:

Encryption is one of the means of protecting confidentiality as well as privacy and is widely recognised as an essential tool for security and trust in open networks. No ban on encryption is being considered.

That's good, but:

At the same time, the use of encryption should be without prejudice to the powers of competent authorities to protect important public interests in accordance with the procedures, conditions and safeguards set forth by law. In particular, access to communications data by national authorities may be justified in individual cases by the objective of preventing or investigating criminal offences, as long as such measures are necessary, proportionate and respect due process rights.

The boilerplate caveat doesn't say how the EU aims to provide lawful access to communications data when strong encryption is employed, and so doesn't really illuminate EU policy here. By contrast, the response to the second question about the impact a US ban on strong encryption might have does provide new information:

Should the U.S. enact new legislation in this area, the Commission will carefully assess its impact on the adequacy finding for the EU-U.S. Privacy Shield, a framework which the Commission has found to provide a level of data protection that is essentially equivalent to the level of the protection in EU, thus allowing for the transfer of personal data from the EU to participating companies in the U.S. without any further restrictions.

Privacy Shield governs the flow of EU citizens' personal data to the US -- something of vital importance to US Internet companies, and many others. Because of the GDPR's requirements, that flow can only take place if the European Commission issues an "adequacy decision" -- essentially confirming that a country outside the EU offers a sufficient level of data protection. Without adequacy, US companies would be forced to take additional, more onerous measures to guarantee that EU personal data was protected to the level required by the GDPR.

The European Commission's reply indicates that adequacy could be at risk if the US were to ban strong encryption. That's surprising, because the Commission has generally tried to ignore criticisms -- from the European Parliament, for example -- about the level of data protection in the US. This may just be a little saber-rattling on the Commission's part. But it's a useful hint that a US ban would not just be bad for the Internet, but could also turn out to be bad for the US.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: encryption, eu, privacy, privacy shield, us

Facebook Fails To Block EU Court Case That Could Rule Against Most Transatlantic Data Flows

from the privacy-shield-not-looking-so-doughty dept

Last August, we wrote about the latest development in an important case moving through the EU's legal system. At risk is the huge volume of data that flows from the EU to the US, currently authorized by the Privacy Shield scheme. The original complaint was brought by that indefatigable defender of privacy, Max Schrems. Given the importance of the outcome, the Irish High Court referred the case to the EU's top court, the Court of Justice of the European Union (CJEU). It posed eleven quite searching questions that it asked the CJEU judges to rule on.

Schrems's specific complaint concerns Facebook, which took the unusual step of appealing against the High Court's decision. The received wisdom was that this was not an option, but the Irish Supreme Court disagreed, and said it would consider the appeal. Facebook alleged that the questions sent by the High Court to the CJEU contained factual errors that were serious enough to require the request to be thrown out. The Irish Supreme Court has now handed down its judgment (pdf) -- against the appeal. Ireland's Chief Justice explains why:

having analysed each of the remaining heads of appeal, I am satisfied that in each category it is more appropriate to characterise the criticisms which Facebook seeks to make of the judgment of the High Court as being directed towards the proper characterisation of underlying facts rather than towards those facts themselves. In those circumstances, I would not propose making any order overturning any aspect of the High Court judgment. If there had been an actual finding of fact as such, rather than a characterisation of facts, which I considered was not sustainable on the evidence before the High Court in accordance with Irish procedural law, I would have been happy to propose an order overturning that fact. However, it does not seem to me that any such matter has been established on this appeal.

In his press release on the decision (pdf), Schrems writes:

Facebook likely again invested millions to stop this case from progressing. It is good to see that the Supreme Court has not followed Facebook's arguments that were in total denial of all existing findings so far. We are now looking forward to the hearing at the Court of Justice in Luxembourg next month.

That hearing is something Facebook really wanted to stop. Afterwards, the CJEU will rule whether the Privacy Shield framework should suffer the same fate as its predecessor, Safe Harbor. If it is ruled invalid, it will be a big headache not just for Facebook, but for the many US companies that depend upon Privacy Shield to make the transfer of personal data about EU citizens legal under the region's strict data protection laws.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: cjeu, eu, ireland, max schrems, privacy, privacy shield
Companies: facebook

Facebook Granted 'Unprecedented' Leave To Appeal Over Referral Of Privacy Shield Case To Top EU Court

from the never-a-dull-moment dept

Back in April, we wrote about the latest development in the long, long saga of Max Schrem's legal challenge to Facebook's data transfers from the EU to the US. The Irish High Court referred the case to the EU's top court, asking the Court of Justice of the European Union (CJEU) to rule on eleven issues that the judge raised. Facebook tried to appeal against the Irish High Court's decision, but the received wisdom was that it was not an option for CJEU referrals of this kind. But as the Irish Times reports, to everyone's surprise, it seems the received wisdom was wrong:

The [Irish] Supreme Court has agreed to hear an unprecedented appeal by Facebook over a High Court judge's decision to refer to the European Court of Justice (CJEU) key issues concerning the validity of EU-US data transfer channels.

The Irish Chief Justice rejected arguments by the Irish Data Protection Commissioner and Schrems that Facebook could not seek to have the Supreme Court reverse certain disputed findings of fact by the High Court. The judge said that it was "at least arguable" Facebook could persuade the Supreme Court that some or all of the facts under challenge should be reversed. On that basis, the appeal could go ahead. Among the facts that would be considered were the following key points:

The chief justice said Facebook was essentially seeking that the Supreme Court "correct" the alleged errors, including the High Court findings of "mass indiscriminate" processing, that surveillance is legal unless forbidden, on the doctrine of legal standing in US law and in the consideration of other issues including safeguards.

Facebook also argues the High Court erred in finding the laws and practices of the US did not provide EU citizens with an effective remedy, as required under the Charter of Fundamental Rights of the EU, for breach of data privacy rights.

Those are crucial issues not just for Facebook, but also for the validity of the entire Privacy Shield framework, which is currently under pressure in the EU. It's not clear whether the Irish Supreme Court is really prepared to overrule the High Court judge, and to what extent the CJEU will take note anyway. One thing that is certain is that a complex and important case just took yet another surprising twist.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cjeu, eu, eu court of justice, ireland, max schrems, privacy shield
Companies: facebook

EU And Japan Agree To Free Data Flows, Just As Tottering Privacy Shield Framework Threatens Transatlantic Transfers

from the cooperation-not-confrontation dept

The EU's strong data protection laws affect not only how personal data is handled within the European Union, but also where it can flow to. Under the GDPR, just as was the case with the preceding EU data protection directive, the personal data of EU citizens can only be sent to countries whose privacy laws meet the standard of "essential equivalence". That is, there may be differences in detail, but the overall effect has to be similar to the GDPR, something established as part of what is called an "adequacy decision". Just such an adequacy ruling by the European Commission has been agreed in favor of Japan:

This mutual adequacy arrangement will create the world's largest area of safe transfers of data based on a high level of protection for personal data. Europeans will benefit from strong protection of their personal data in line with EU privacy standards when their data is transferred to Japan. This arrangement will also complement the EU-Japan Economic Partnership Agreement, European companies will benefit from uninhibited flow of data with this key commercial partner, as well as from privileged access to the 127 million Japanese consumers. With this agreement, the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand. Under the GDPR, an adequacy decision is the most straightforward way to ensure secure and stable data flows.

Before the European Commission formally adopts the latest adequacy decision, Japan has agreed to tighten up certain aspects of its data protection laws by implementing the following:

A set of rules providing individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another third country, the exercise of individual rights to access and rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.

A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.

It is precisely these areas that are proving so problematic for the data flow agreement between the EU and the US, known as the Privacy Shield framework. As Techdirt has reported, the European Commission is under increasing pressure to suspend Privacy Shield unless the US implements it fully -- something it has failed to do so far, despite repeated EU requests. Granting adequacy to Japan is an effective way to flag up that other major economies don't have any problems with the GDPR, and that the EU can turn its attention elsewhere if the US refuses to comply with the terms of the Privacy Shield agreement.

The new data deal with Japan still has several hurdles to overcome before it goes into effect. For example, the European Data Protection Board, the EU body in charge of applying the GDPR, must give its view on the adequacy ruling, as must the civil liberties committee of the European Parliament -- the one that has just called for Privacy Shield to be halted. Nonetheless, the European Commission will be keen to adopt the adequacy decision, not least to show that countries are still willing to reduce trade barriers, rather than to impose them, as the US is currently doing.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data flows, eu, japan, privacy, privacy shield, surveillance, us

European Parliament Turns Up The Pressure On US-EU Privacy Shield Data Transfer Deal A Little More

from the how-much-longer-can-it-last? dept

Many stories on Techdirt seem to grind on forever, with new twists and turns constantly appearing, including unexpected developments -- or small, incremental changes. The transatlantic data transfer saga has seen a bit of both. Back in 2015, the EU's top court ruled that the existing legal framework for moving data across the Atlantic, Safe Harbor, was "invalid". That sounds mild, but it isn't. Safe Harbor was necessary in order for data transfers across the Atlantic to comply with EU data protection laws. A declaration that it was "invalid" meant that it could no longer be used to provide legal cover for huge numbers of commercial data flows that keep the Internet and e-commerce ticking over. The solution was to come up with a replacement, Privacy Shield, that supposedly addressed the shortcomings cited by the EU court.

The problem is that a growing number of influential voices don't believe that Privacy Shield does, in fact, solve the problems of the Safe Harbor deal. For example, in March last year, two leading civil liberties groups -- the American Civil Liberties Union and Human Rights Watch -- sent a joint letter to the EU's Commissioner for Justice, Consumers and Gender Equality, and other leading members of the European Commission and Parliament, urging the EU to re-examine the Privacy Shield agreement. In December, an obscure but influential advisory group of EU data protection officials asked the US to fix problems of Privacy Shield or expect the EU's top court to be asked to rule on its validity. In April of this year, the Irish High Court made just such a referral as a result of a complaint by the Austrian privacy expert Max Schrems. Since he was instrumental in getting Safe Harbor struck down, that's not something to be taken lightly.

Lastly, one of the European Parliament's powerful committees, which helps determine policy related to civil liberties, added its voice to the discussion. It called on the European Commission to suspend the Privacy Shield agreement unless the US fixed the problems that the committee discerned in its current implementation. At that point, it was just a committee making the call. However, in a recent plenary session, the European Parliament itself voted to back the idea, and by a healthy margin:

MEPs call on the EU Commission to suspend the EU-US Privacy Shield as it fails to provide enough data protection for EU citizens.

The data exchange deal should be suspended unless the US complies with EU data protection rules by 1 September 2018, say MEPs in a resolution passed on Thursday by 303 votes to 223, with 29 abstentions. MEPs add that the deal should remain suspended until the US authorities comply with its terms in full.

It's important to note that this vote is largely symbolic: if the US refuses to improve the data protection of EU citizens, there's nothing to force the European Commission to comply with the demand of the European Parliament. That said, the call by arguably the most democratic part of the EU -- MEPs are directly elected by European citizens -- piles more pressure on the European Commission, which is appointed by EU governments, not elected. If nothing else, this latest move adds to the general impression that Privacy Shield is not likely to survive in its present form much longer.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data protection, data transfer, eu, eu parliament, privacy shield, safe harbors, us

EU Politicians Tell European Commission To Suspend Privacy Shield Data Transfer Framework

from the US-must-try-harder dept

A couple of months ago, we wrote about an important case at the Court of Justice of the European Union (CJEU), the region's highest court. The final judgment is expected to rule on whether the Privacy Shield framework for transferring EU personal data to the US is legal under EU data protection law. Many expect the CJEU to throw out Privacy Shield, which does little to address the earlier criticisms of the preceding US-EU agreement: the Safe Harbor framework, struck down by the same court in 2015. However, that's not the only problem that Privacy Shield is facing. One of the European Parliament's powerful committees, which helps determine policy related to civil liberties, has just issued a call to the European Commission to suspend the Privacy Shield agreement unless the US tries harder:

The data exchange deal should be suspended unless the US complies with it by 1 September 2018, say MEPs, adding that the deal should remain suspended until the US authorities comply with its terms in full.

There are a couple of reasons why the European Parliament's committee has taken this unusual step. One is the recent furore surrounding Cambridge Analytica's use of personal data collected by Facebook, which the EU politicians incorrectly call a "data breach". However, as they correctly point out, both companies were certified under Privacy Shield, which doesn't seem to have prevented the data from being misused:

Following the Facebook-Cambridge Analytica data breach, Civil Liberties MEPs emphasize the need for better monitoring of the agreement, given that both companies are certified under the Privacy Shield.

MEPs call on the US authorities to act upon such revelations without delay and if needed, to remove companies that have misused personal data from the Privacy Shield list. EU authorities should also investigate such cases and if appropriate, suspend or ban data transfers under the Privacy Shield, they add.

The other concern is the recently-passed Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants the US and foreign police access to personal data across borders. This undermines the effectiveness of the privacy protections of the data transfer scheme, since it would allow the personal data of EU citizens to be accessed more easily. The head of the civil liberties committee, Claude Moraes, is quoted as saying:

While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.

The mention of the new GDPR there is significant, since it raises the bar for the Privacy Shield framework's compliance with EU data protection laws. A greater stringency makes it more likely that the European Commission will suspend the deal, and that the CJEU will strike it down permanently at some point.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cjeu, data, eu, eu commission, eu parliament, privacy, privacy shield, safe harbor, surveillance, us
Companies: facebook

Bad News For 'Privacy Shield': As Expected, EU's Top Court Will Examine Legality Of Sending Personal Data To US

from the knock-on-effects-could-be-rather-serious dept

Last October, Techdirt wrote about an important decision by the Irish High Court in a case concerning data transfers from the EU to the US. The original complaint was brought by Max Schrems in the wake of revelations by Edward Snowden back in 2013 that the NSA had routine access to user information held by companies like Facebook. As the post explained, the judge found that there were important legal issues that could only be answered by the EU's highest court, the Court of Justice of the European Union (CJEU). The High Court said that it intended to refer various questions to the CJEU, but has done so only now, as Schrems explains in an update on the case (pdf). He points out that the eleven questions sent to the CJEU (found at the end of the document embedded below) go further than considering general questions of law:

While I was of the view that the Irish Data Protection Authority could have decided over this case itself, but I welcome that the issue will hopefully be dealt with once and forever by the Court of Justice. What is remarkable, is that the High Court also included questions on the 'Privacy Shield', which has the potential for a full review of all EU-US data transfer instruments in this case.

That more or less guarantees that the CJEU will rule definitively on whether the Privacy Shield framework for transferring EU personal data to the US is legal under EU data protection law. And as Mike noted in his October post, it is hard to see the CJEU approving Privacy Shield, which does little to address the court's earlier criticisms of the preceding US-EU agreement, the Safe Harbor framework, which the same court struck down in 2015. That would be a serious problem for companies like Facebook and Google whose data is routinely accessed by the NSA. As Schrems suggests:

In the long run the only reasonable solution is to cut back on mass surveillance laws. If there is no such political solution between the EU and the US, Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation.

In theory, a ruling that Facebook has broken EU privacy laws by allowing the NSA to access the personal data of EU citizens would not necessarily be an issue for other companies not involved in these surveillance programs. However, there is a cloud on the horizon even for them. As Schrems explains, data transfers from the EU to the US typically use contract law in the form of "Standard Contractual Clauses" (SCCs) to lay down the legal framework. Schrems says he is fine with that approach, because the Irish Data Protection Commissioner (DPC) can use an "emergency clause", built in to SCCs, to halt dodgy data sharing in cases like Facebook. However:

The Irish Data Protection Commissioner took the view that there is a larger, systematic issue concerning SCCs. The DPC took the view, that as the validity of the SCCs is at stake the case should therefore be referred to the CJEU.

The danger with this decision to ask the CJEU to examine the validity of SCCs is that if it rules against them, it would affect every company using them, whether or not they were involved in NSA surveillance. Schrems has a theory as to why the DPC has taken this risky route:

I am of the view the Standard Contractual Clauses are perfectly valid, as they would allow the DPC to do its job and suspend individual problematic data flows, such as Facebook's. It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated across the board, when a targeted solution is available. The only explanation that I have is that that they want to shift the responsibility back to Luxembourg [where the CJEU sits] instead of deciding themselves.

Given the massive knock-on effects that the ruling could have on digital flows across the Atlantic, including political consequences, the desire for the Irish DPC to give that responsibility to someone else is plausible. The CJEU is unlikely to feel intimidated in the same way, which means that US companies must now worry about the prospect of SCCs being struck down along with Privacy Shield.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cjeu, data protection, eu, ireland, irish data protection authority, max shrems, privacy shield, surveillance
Companies: facebook