The European Commission on the Privacy Shield: All Bark and No Bite?

By: Kimberly A. Houser[*] and W. Gregory Voss[**]

Introduction

Much has been written about the difference in the privacy laws of the European Union and the United States and ideologies behind the two regimes.[1]  One risk of the increasing divergence in views on privacy is the potential halting of data transfers from the European Union to the United States by the European Commission (EC).  As data is a significant driver of the world economy,[2] special care must be taken both to ensure that data is able to cross borders easily, and individuals’ rights to data protection are respected.

The General Data Protection Regulation (GDPR)[3] prohibits the transfer of personal data outside of the European Economic Area (EEA) to countries without “adequate” privacy protections.  As the United States is considered to have insufficient protections, the EC requires that an approved mechanism, such as the Privacy Shield—its agreement with the United States that permits U.S. companies to self-certify that they will meet certain minimum privacy protections[4]—be used for such transfers.  Alternative mechanisms include standard contractual clauses (SCCs).[5]  Suspension of any one approved mechanism may call into question the legitimacy of the others.

Although the Privacy Shield survived its first EC review in 2017, many called for the EC to suspend the Privacy Shield at its second review[6] due to a number of factors: the continuation of the Schrems case; the failure of the U.S. government to enact the recommendations made in the 2017 Privacy Shield review; and recent U.S. government actions demonstrating disregard for data privacy protection.  The EC chose to back down instead of proceeding to a clash.[7]  In a report issued on December 19, 2018 (2018 Report), the EC indicated that the Privacy Shield had passed its second review, subject to the United States appointing a permanent Privacy Shield Ombudsperson by February 28, 2019.  Before analyzing the 2018 Report, it is important to understand why the U.S.’s commitment to the Privacy Shield mechanism seems tenuous, at best.

I. Maximillian Schrems and the Safe Harbor

The initial complaint in the Schrems case related to Facebook’s transfer of Maximillian Schrems’ personal data from Ireland to the U.S. as permitted under the predecessor to the Privacy Shield, the Safe Harbor Framework.[8]  It permitted U.S. companies to self-certify that they provided certain privacy protections.[9]  Following the 2013 Edward Snowden revelations,[10] Schrems brought an action against Facebook (Schrems I) with the Irish Data Protection Commissioner alleging that Facebook could not provide the minimum privacy protections required by the Safe Harbor due to the U.S. government’s surveillance activities.

As a result, in 2015, the ECJ invalidated the use of the Safe Harbor Framework.[11]  This case established that certification into the Safe Harbor by U.S. companies did not exclude examination and challenge by EU member state data protection authorities.[12]  Companies, including Facebook, immediately turned to SCCs as a way to continue the transfer of personal data.  Ultimately and hurriedly, the U.S. Department of Commerce and the EC replaced the Safe Harbor with the Privacy Shield in July 2016,[13] allowing data transfers to the U.S. to continue after the Schrems I decision.[14]

Following the invalidation of the Safe Harbor, Schrems reformulated his lawsuit (Schrems II) to object to Facebook’s use of SCCs to transfer personal data to the U.S. for reasons similar to those of Schrems I.  In April 2018, the Irish High Court transferred the case to the ECJ[15] for consideration of eleven questions.[16]  The underlying substantive issue is whether the U.S. government’s surveillance program violates the right to data protection under the European Charter of Fundamental Human Rights.  If so, not only does Facebook’s use of SCCs not meet the “adequacy” requirement, but the Privacy Shield could be declared invalid if the ECJ determines that continued U.S. intelligence agency surveillance exists and violates the promised privacy protections.

In May 2018, Facebook appealed the referral to the ECJ, which the Irish High Court immediately denied.  Facebook then appealed to the Irish Supreme Court indicating the High Court had failed to take the GDPR into consideration.  Facebook also argued against the factual determination of the existence of “mass surveillance” by the United States and refuted the assertion that EU citizens did not have a tribunal at which to seek remedies.[17]  In a surprising turn of events, the Irish Supreme Court granted Facebook’s request for an appeal on July 31, 2018.[18]  The case is expected to be concluded prior to the hearing by the ECJ on the 11 questions.

II. 2017 Privacy Shield Review

On October 10, 2017, the European Commission released its first annual review of the Privacy Shield.[19]  Although the report (2017 Report) concluded that adequate protections were in place, it made a number of recommendations to the U.S. government, including:

  • More proactive and regular monitoring of companies’ compliance . . . .
  • More awareness-raising for EU individuals about how to exercise their rights . . . .
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint a permanent Privacy Shield Ombudsperson and fill the empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB).[20]

Prior to the deadline for Privacy Shield review, the FTC had only brought a handful of enforcement actions against companies falsely claiming to have applied for Privacy Shield certification,[21] and no actions were initiated by the FTC against a company for failing to comply with the Privacy Shield.[22]  In addition, FISA was renewed for another term without substantive changes.[23]  Finally, President Trump neglected to nominate any members to the PCLOB until March 2018, and the three nominees were not approved by the Senate until 7 days prior to the second review.[24]

These deficiencies have been noted by both the EC Commissioner of Justice Věra Jourová and the European Parliament.[25]  In June 2018, the European Parliament passed a resolution to suspend the Privacy Shield if the U.S. failed to meet its obligations under it by September 1, 2018.  The resolution’s recitals include references to the Schrems case, Cambridge Analytica, and the U.S. government “access to data,” as well as reiterating deficiencies cited in the 2017 Report.[26]  The resolution, which specifically references a GDPR provision allowing withdrawal of an adequacy determination, seems to place part of the blame for Cambridge Analytica on the U.S. government for its failure to enforce the Privacy Shield.[27]

III. Recent U.S. Government Actions Demonstrating a Lack of Commitment to Data Privacy Protection

Recent actions by the U.S. government have also called into question the U.S.’s commitment to the Privacy Shield.  The Cloud Act of 2018 amended the Stored Communications Act to allow federal law enforcement agencies to compel U.S. tech companies storing data overseas to provide requested data per subpoena or warrant.[28]  Subpoenas only require a showing that the information sought is “relevant” to a crime being investigated, rather than the probable cause standard of a warrant.[29]  The Justice Department justifies the use of subpoenas on the ground that non-U.S. persons abroad do not benefit from Bill of Rights protections.  This contrasts with European privacy law, which is intended to protect the data of those located in the EEA, regardless of nationality.  The U.S. government was aware of its obligations under the Privacy Shield and the coming applicability date of the GDPR when the Cloud Act was adopted.[30]

In January 2018, Section 702 of the Foreign Intelligence Surveillance Act (FISA) was reauthorized for six additional years, allowing the U.S. government to obtain the communications of foreigners outside of the United States without a warrant,[31] based in part on their reduced constitutional protections.[32]  The EC had previously recommended that the Obama-era protections contained in the PPD-28 be encoded into Section 702 when it came up for renewal[33] (PPD-28 is a Presidential Directive designed to provide oversight into U.S. intelligence data collection overseas.[34]).  No such changes were made.

IV. 2018 Privacy Shield Review

Despite the EU Parliament’s call to suspend the Privacy Shield, and the failure of the U.S. to comply with all of the recommendations in the 2017 Report, the Privacy Shield has passed its second review.  The following are the 2018 Report’s findings relative to the main items in the 2017 Report.

  1. More proactive and regular monitoring of companies’ compliance – the 2018 Report states that the Department of Commerce has “strengthened the certification process and introduced new oversight procedures” and has indicated it will conduct “random spot checks.”[35] Although the Department of Commerce represented that it had referred over 50 cases to the FTC, as of October 18, 2018, only 4 companies were listed on the FTC’s website as having entered into settlement agreements for falsely claiming Privacy Shield participation.[36]
  2. More awareness-raising for EU individuals about how to exercise their rights – the 2018 Report indicates that the DoC has added a “factsheet” to its website informing European and Swiss individuals about the Privacy Shield and updated its answers to frequently asked questions.[37] Apart from European DPAs adding complaint forms to their own websites, there appears to be no other outreach by the U.S. to make Europeans aware of their rights under the Privacy Shield.
  3. Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA) – although the 2018 Report acknowledges that the reauthorization of FISA did not incorporate PPD-28, and thus failed to satisfy one of the items in the 2017 Report, “neither did it restrict any of the safeguards contained in the Act which were in place when the Privacy Shield was adopted.”[38] In other words, the EC concluded that the U.S. did not make the situation worse.
  4. To appoint a permanent Privacy Shield Ombudsperson and fill the empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB) – Approximately one week before the Second Review, the Senate confirmed three appointees to the PCLOB which constitutes a quorum (but two open positions remain unfilled).[39] Although the Report acknowledges that a Privacy Shield Ombudsperson has not been appointed, it indicates that the “process is well underway.”[40] Nonetheless, if the U.S. does not meet the February 28, 2019 deadline for the permanent Privacy Shield Ombudsperson’s appointment and inform the EC about the nominated individual, the EC “will then consider taking appropriate measures,” under the GDPR,[41] which could involve suspension or repeal of the Privacy Shield.

V. Conclusion

In spite of Brussels’ warning to the U.S. administration that it must comply with demands made under the Privacy Shield or “risk throwing the deal into jeopardy,”[42] it appears that the EC’s position was all bark and no bite.  Despite a few actions taken by the U.S. in the months leading up to the October Review, the failure to appoint a Privacy Shield Ombudsperson or make any progress on the Cambridge Analytica investigation did nothing to forestall the 2018 Report’s conclusion that the U.S. has “continued to ensure an adequate level of protection for personal data.”  It is very clear that the U.S. government has not, in fact, implemented all the recommended actions from the 2017 Privacy Shield review and has taken action that indicates a disregard for the protection of EU citizens’ data privacy.  Furthermore, various examples of the lack of adequate data protection by self-certified companies, such as the Cambridge Analytica affair, have shown that Privacy Shield protections are not effective.  For these reasons alone, the Privacy Shield should have failed its second review.  It is likely that the EC’s decision had less to do with protecting EU citizens’ privacy rights and more to do with the key economic role that data plays in the United States – European Union trade relationship.  Now, the EC must send its report to the European Parliament, the Council and the European Data Protection Board.[43]  However, this decision is not necessarily the final word, even if the United States appoints a Privacy Shield Ombudsperson on time.  The outcome of the Schrems II case will most certainly impact the viability of the Privacy Shield, perhaps showing that, rather than the EC, it is the ECJ that is the true guarantor of Europeans’ fundamental right to data protection in the context of cross-border data flows.


[*] Kimberly A. Houser is an Assistant Professor of Business Law at Oklahoma State University.  Houser serves as Co-Chair of the Technology Section of the Academy of Legal Studies in Business (U.S.) and is the author of The Legal Guide to Social Media, one of the first books exploring the risks of posting and hosting online.  She recently spoke at SXSW in Austin, Texas; TNW in Amsterdam; and Sage Ocean in London on the legal and societal issues resulting from advances in emerging technologies.  Houser received her Juris Doctor from the University of Illinois College of Law and her B.B.A. in International Business from the University of Texas.  She can be reached at k.houser@okstate.edu.

[**] W. Gregory Voss is Associate Professor of Business Law at Toulouse Business School (TBS).  Voss is an Associate Member of IRDEIC – Research Institute in European, International and Comparative Law, a Jean Monnet Centre of Excellence, Toulouse 1 Capitole University, and a member of the Board of Directors of the French Academy of Legal Studies in Business (AFD&M).  Voss obtained a Juris Doctor from the University of Michigan Law School, a D.E.S.S. in Law and Information Systems from Toulouse 1 Capitole University and a B.S.F.S. from Georgetown University’s School of Foreign Service.  He teaches on TBS’s Toulouse, Barcelona and London campuses and may be reached at g.voss@tbs-education.fr.

[1] See, e.g., Kimberly Houser & W. Gregory Voss, GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy?, 25 Rich. J. L. & Tech. no. 1 (2018), https://jolt.richmond.edu/gdpr-the-end-of-google-and-facebook-or-a-new-paradigm-in-data-privacy/ (discussing the differences in U.S. and EU privacy law and what U.S. companies will need to do under GDPR).

[2] See, e.g., Ajay S. Banga, A Global Economy Powered by Data, World Econ. F. (Jan. 27, 2016), https://www.weforum.org/agenda/2016/01/a-global-economy-powered-by-data/ (discussing the economic impact of data mining).

[3] Regulation 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (May 4, 2016) [hereinafter GDPR].

[4] Transatlantic Data Flows: Restoring Trust Through Strong Safeguards, COM (2016) 117 final (Feb. 29, 2016). For the text of the Privacy Shield, see Dept. of Commerce, Privacy Shield Framework, https://www.privacyshield.gov/EU-US-Framework.

[5] GDPR art. 46(2)(c)-(d).

[6] This review took place in October 2018, and the report was issued on December 19, 2018.

[7] It did, however, give the U.S. a deadline of February 28, 2019, to appoint a permanent Privacy Shield ombudsperson to handle complaints by EU citizens.

[8] In 2000, the EC determined that the Safe Harbor Framework met the adequacy requirement for data transfers. Commission Decision 2000/520 of 26 July 2000 Pursuant to Directive 95/46 of the European Parliament, 2000 O.J. (L 215).

[9] See Martin A. Weiss & Kristin Archick, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield, Cong. Research Serv. (2016) (describing the self-certification procedures).

[10] Ewen Macaskill & Gabriel Dance, NSA Files: Decoded, The Guardian, (Nov. 1, 2013), https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1.

[11] Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r, 2015 EUR-Lex CELEX 62014CJ0362, (Oct. 6, 2015).

[12] See Lee Matheson, Understanding ‘Schrems 2.0’, iapp (Oct. 3, 2017), https://iapp.org/news/a/understanding-schrems-2-0/ (discussing the implications of the Schrems case).

[13] EU-US Privacy Shield, Eur. Comm’n, available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en#eu-us-privacy-shield.

[14] Commission Implementing Decision (EU) 2016/1250 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, C (2016) 4176 final (July 12, 2016), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG.

[15] The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P., Oct. 3, 2017, http://www.europe-v-facebook.org/sh2/HCJ.pdf.

[16] The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P., Apr. 12, 2018, http://www.europe-v-facebook.org/sh2/ref.pdf.

[17] The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, supra note 14.

[18] The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, Ir.S.C. 2018/68, Jul. 31, 2018, http://www.supremecourt.ie/Judgments.nsf/1b0757edc371032e802572ea0061450e/885e85764e300172802582db0046b6aa?OpenDocument.

[19] First Annual Review of the EU-U.S. Privacy Shield, Eur. Comm’n (Oct. 18, 2017), http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.

[20] Press Release, EU-U.S. Privacy Shield: First Review Shows It Works but Implementation Can Be Improved, Eur. Comm’n (Oct. 18, 2017), http://europa.eu/rapid/press-release_IP-17-3966_en.htm.

[21] Press Release, FTC, Three Companies Agree to Settle FTC Charges They Falsely Claimed Participation in EU-US Privacy Shield Framework (Sept. 8, 2017), https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed. More actions have been taken since then. See Press Release, FTC, FTC Reaches Settlements with Four Companies That Falsely Claimed Participation in the EU-U.S. Privacy Shield (Sept. 27, 2018), https://www.ftc.gov/news-events/press-releases/2018/09/ftc-reaches-settlements-four-companies-falsely-claimed.

[22] U.S. Implementation, Oversight And Enforcement Of The Eu-U.S. And Swiss-U.S. Privacy Shield Frameworks (Jan. 2017–May 2018), https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t0000000QS04.

[23] See infra Section IV.

[24] The White House, President Donald J. Trump Announces Key Additions to his Administration (Mar. 13, 2018), https://www.whitehouse.gov/presidential-actions/president-donald-j-trump-announces-key-additions-administration-33; PN929 — Adam I. Klein — Privacy and Civil Liberties Oversight Board, 115th Congress (Oct. 11, 2018), https://www.congress.gov/nomination/115th-congress/929. Note that the Board requires 5 members, not 3.

[25] Mehreen Kahn, EU warns US over enforcement of Obama-era privacy deal, Financial Times, https://www.ft.com/content/f5c4795e-91b0-11e8-b639-7680cedcc421.

[26] European Parliament Resolution (2018/2645(RSP)), http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P8-TA-2018-0315&language=EN&ring=B8-2018-0305.

[27] Id. at ¶ 12.

[28] Orin S. Kerr, Summer 2018 Case Supplement to Computer Crime Law 33 (4th ed. 2018), https://ssrn.com/abstract=3221599.

[29] Greg Nojeim, Cloud Act Implementation Issues, LAWFARE (July 10, 2018, 8:00 AM), https://www.lawfareblog.com/cloud-act-implementation-issues.

[30] Hayley Evans & Shannon Togawa Mercer, Privacy Shield on Shaky Ground: What’s Up With EU-U.S. Data Privacy Regulations, LAWFARE (Sept. 2, 2018, 2:31 PM), https://www.lawfareblog.com/privacy-shield-shaky-ground-whats-eu-us-data-privacy-regulations.

[31] Ted Barrett & Ashley Killough, Senate Passes FISA Section 702 Reauthorization, CNN Politics, (Jan. 18, 2018), https://www.cnn.com/2018/01/18/politics/fisa-reauthorization-senate-vote/index.html.

[32] Jessica Schneider, What is Section 702 of FISA, Anyway?, CNN (Jan. 12, 2018 0249 GMT (1049 HKT)), https://www.cnn.com/2018/01/11/politics/trump-fisa-section-702-surveillance-data/index.html.

[33] Hayley Evans & Shannon Togawa Mercer, supra note 51.

[34] The White House, Presidential Policy Directive — Signals Intelligence Activities POLICY DIRECTIVE/PPD-28, (Jan. 17, 2014), https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.

[35] Report from the Commission to the European Parliament and the Council on the Second Annual Review of the Functioning of the EU-U.S. Privacy Shield, Eur. Comm’n (Dec. 18, 2018) [hereinafter 2018 Report] at 2.

[36] Press Release, FTC, FTC Reaches Settlements with Four Companies That Falsely Claimed Participation in the EU-U.S. Privacy Shield, (Sept. 27, 2018) https://www.ftc.gov/news-events/press-releases/2018/09/ftc-reaches-settlements-four-companies-falsely-claimed.

[37] Commission Staff Working Document Accompanying the Document Report from the Commission to the European Parliament and the Council on the Second Annual Review of the Functioning of the EU-U.S. Privacy Shield, Eur. Comm’n (Dec. 18, 2018) [hereinafter 2018 Working Document] at 22.

[38] Id. at 27.

[39] Jedidiah Bracy, Senate confirms PCLOB members ahead of Privacy Shield second-annual review, iapp (Oct. 12, 2018) https://iapp.org/news/a/senate-confirms-three-pclob-members-ahead-of-privacy-shield-second-annual-review/.

[40] 2018 Report at 4.

[41] Id. at 5-6.

[42] Mehreen Khan, EU warns US over enforcement of Obama-era privacy deal, FT (July 30, 2018 03:01Z), https://www.ft.com/content/f5c4795e-91b0-11e8-b639-7680cedcc421.

[43] Press Release, EU-U.S. Privacy Shield: Second review shows improvements but a permanent Ombudsperson should be nominated by 28 February 2019, Eur. Comm’n (Dec. 19, 2018), http://europa.eu/rapid/press-release_IP-18-6818_en.htm.