Out-Law Analysis | 14 Apr 2016 | 1:53 pm | 4 min. read
The European Commission earlier this year published a draft 'adequacy decision' which outlined its view that data transfers to the US made under the EU-US Privacy Shield would correspond to EU data protection law requirements. However, businesses would be ill-advised to rely on Privacy Shield compliance as demonstrating their compliance with the EU rules unless the Commission can address the "strong concerns" raised by the Article 29 Working Party and strengthen the privacy protections under the framework.
At the moment there would be no certainty that data transfers made in accordance with the Privacy Shield as currently formulated would be held as compliant with EU data protection laws if scrutinised by data protection authorities or the courts.
Privacy campaigners could use the Working Party's criticisms to support a legal challenge to the plan.
Yet, even if it wants to, the Commission could find it difficult to resolve the particular concerns the Working Party has expressed, in particular about the scope of US authorities' surveillance activities. Changes to the Privacy Shield would need to be negotiated with the US government.
In its newly issued opinion the Working Party stated (58-page / 612KB PDF) that "massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society". It said, though, that US officials have not ruled out "massive and indiscriminate collection of personal data originating from the EU" in the representations made under the Privacy Shield.
Important reference points in the debate on the legitimacy of powers being exercised in the interests of national security in the context of EU data protection law requirements are expected to be set by the Court of Justice of the EU (CJEU) later this year.
The Working Party said that it anticipates that judgments in cases being handled by the CJEU this year could help define the circumstances in which mass and indiscriminate collection and subsequent use of personal data for the purpose of combating crime would be legitimate. One of those cases concerns the validity of the UK's Data Retention and Investigatory Powers Act (DRIPA), it said.
There is a long-standing tension between EU data protection laws and fundamental rights to privacy and US laws that give authorities the power to access data for national security reasons.
In essence, EU law requires a justifiable interference with the right to privacy and protection of personal data, but the Working Party has expressed the view that there are insufficient parameters on US authorities' data access powers and that their collection and use of data therefore goes beyond what is proportionate. In a world of heightened terrorism risk it is hard to see the US government being willing to compromise on the powers of data access of its security and intelligence agencies.
The Working Party is only an advisory body and the Commission is not bound by its opinion, but if the Commission is unable to obtain further restrictions and controls on US authorities' mass surveillance of EU citizens' data then there is a risk that privacy campaigners could use the Working Party's opinion against the Commission in a legal challenge aimed at invalidating the Privacy Shield.
It could also be argued that any failings in respect of restrictions on US authorities' collection and use of data undermine the validity of other mechanisms businesses rely on for facilitating data transfers from the EU to the US.
At her press conference on Wednesday, the chair of the Working Party, Isabelle Falque-Pierrotin, said that businesses can continue to use existing data transfer mechanisms, such as model contract clauses or binding corporate rules (BCRs), to underpin data transfers to the US for now. However, she hinted at how the final decision of the Commission on the Privacy Shield, which is expected in mid-June, could influence the Working Party's views on model clauses and BCRs.
If the Working Party takes a hard line on model clauses and BCRs and its concerns about the Privacy Shield are not addressed then it could effectively serve to cut off data transfers, and therefore much business, between Europe and the US. Businesses could come under pressure from national data protection authorities and privacy campaigners in respect of any EU-US data transfers they carry on with in those circumstances. Data protection authorities in Germany have already signalled a willingness to clamp down on non-compliant US data transfers.
From a commercial perspective, further restrictions on EU-US data transfers would have a profound impact. Real consideration would need to be given to localised data storage options within the EU. This could reduce the choice and push up the prices of data storage and processing services, such as in a cloud computing context.
US technology companies could be affected if the European market, for example for cloud services, shrinks.
Last year, after the CJEU ruled that the Privacy Shield's predecessor 'safe harbor' framework was invalid, Microsoft announced that Deutsche Telekom, through T-Systems, would act as a "data trustee" for it to allow the technology giant to offer cloud computing services in Germany without the company itself having access to the data of its customers. This might be a sign of things to come where industry addresses legal uncertainty through technological solutions driven by their desire to retain European customers.
Some businesses might view the commercial benefits of enabling EU-US data transfers as outweighing the legal risk of those arrangements being deemed non-compliant at the moment. However, the introduction of a stiffer sanctions regime under the new General Data Protection Regulation – where fines could be levied up to 4% of companies' annual global turnover – should cause companies to think again.
Kathryn Wynn and Niels Tacke are data protection experts at Pinsent Masons, the law firm behind Out-Law.com.