On May 26, less than two months after the Article 29 Working Party's rebuke of the Privacy Shield, the EU Parliament voted 501 to 119 for a resolution calling for negotiations on the agreement to continue. See “EU Privacy Pushback Prompts Lawyers to Look For Plan B,” in the May 2016 issue of e-Commerce Law & Strategy. Its criticisms of the text echoed those of the Working Party, namely the Privacy Shield's insufficiency in dealing with U.S. mass surveillance, in protecting EU individuals' data rights and protections, and in effectively enforcing its regulations.
But the chorus of criticism did not stop there. A few days later, on May 30, the EU's European Data Protection Supervisor (EDPS) Giovanni Buttarelli, a member of the Article 29 Working Party, published an opinion that both highlighted the areas of contention and laid out specific recommendations on how to move forward.
In a statement posted on the EU EDPS website, Buttarelli noted that while the Privacy Shield draft is undoubtedly an improvement on Safe Harbor, this is not the benchmark to which any new agreement should be held. An adequacy decision, he explained, “is to be based on the current EU legal framework,” which includes the current Data Protection Directive, several treaties, and “EU Charter of Fundamental Rights of the European Union, as interpreted by the CJEU.”
He added that the agreement should be forward-looking to consider “new elements of the [General Data Protection Regulation] which are not present in the Directive, such as the principles of privacy by design, privacy by default, or data portability,” and warned that “if the draft decision is adopted and subsequently invalidated by the CJEU, any new adequacy arrangement would have to be negotiated under the GDPR.”
Mass Surveillance
Though mass surveillance in the U.S. has been limited due to legislation and Presidential Policy Directive 28, Buttarelli said that “the scale of signals intelligence and the volume of data transferred from the EU subject to potential collection once transferred and notably when in transit, is likely to be still high and thus open to question. … Although these practices may also relate to intelligence in other countries, and while we welcome the transparency of the U.S. authorities on this new reality, the current draft decision may be interpreted as legitimizing this routine.”
He specifically singled out how the “Privacy Shield principles can be limited to the extent necessary to meet national security, law enforcement or any public interest requirement,” as well as if they conflict with a statute, regulation or case law. To remedy this, he advised that “purposes for which exceptions are allowed and the requirement of a legal basis should be more precise.”
Yet tackling the domestic surveillance program's inherent incompatibility with EU data wishes is no easy task. Donald Aplin, a privacy and security expert at Bloomberg Law, predicted: “It's probably much more likely that there will be a political solution between the EU and the U.S. over the next couple of years to come up with another data transfer mechanism that everybody can live with, and not have any direct impact on the surveillance activities of the NSA and other government entities in the U.S. The meaningful pressure on the surveillance practices in the U.S. is going to come from the U.S. … I think that's where the change is, [Congress] or the U.S. courts, not because the EU wants us to.”
Data Privacy
With the GDPR set to modernize individual data rights across the continent in two years, the EDPS recommended modifying the existing text to “more clearly prohibit keeping personal data in a form which permits identification of data subjects for longer than necessary,” as well as adding “the requirement that personal information be 'adequate and not excessive' or limited to the information that is necessary for the purposes for which they are collected and/or further processed.”
In addition, he advised creating safeguards for EU citizens who were subject to legal effects or decisions stemming from the automatic processing of their personal data, and clarifying the concept of “purpose” in the agreement, which defines how an organization can use personal data. This would protect against situations such as personal data initially processed for “medical or pharmaceutical research or for human resources purposes” being used for marketing purposes.
The EDPS opinion also squarely takes aim at the lack of individual data protection under U.S. law, as the Privacy Shield “does not fully assess the possibilities for individuals to exercise their rights of access, rectification or erasure concerning data collected or accessed by public authorities for purposes other than national security.”
Buttarelli does note that the recently passed Judicial Redress Act of 2015 extends to EU citizens the protection afforded under the Privacy Act of 1974, which lets U.S. citizens challenge domestic companies' disclosure of their private data to the U.S. government. But he pointed out that this only applies to “'records' transferred from public or private entities of the covered countries (i.e., the EU) directly to U.S. public authorities,” and excludes “personal data transferred between private entities under the Privacy Shield and subsequently requested or accessed by U.S. authorities.”
But this personal data right, like many others, Aplin noted, is not even afforded to U.S. citizens: “The Judicial Redress Act … it's very narrow, it just deals with the Privacy Act, and the Privacy Act isn't some great grant of privacy rights to people in the U.S. that they are now giving to people in the EU. It only deals with potential government misuse of collected data. It went straight to the question of the NSA or other government collection of data; if you believed it was somehow misused by the government, then you can have the right to go to court. This is all this does.”
He added that the EDPS opinion touches on bigger issues “that are way beyond concerns over government collection and storage and usage of data, or access of data that is sent over by corporations. I don't know what else you could do in terms of the Redress Act, in terms of dealing with these broader issues the EDPS brings up: the consumer privacy issues, corporate use of data. … I think we are down to the basic thing, which is the EU wants the world to do what they do, and the U.S. is not going to do that,” Aplin said.
Enforcement
Concerns over intelligence processing and gathering were also behind the EDPS' recommendations to further develop the role of the ombudsperson, “so that she is able to act independently not only from the intelligence community, but also from any other authority. In practical terms, the possibility of reporting directly to Congress could be one option in this regard.”
Buttarelli also reiterated the Article 29 Working Party's apprehension over the effectiveness of the ombudsperson, calling on the European Commission to seek “specific commitments that the requests for information and cooperation from the ombudsperson, as well as her decisions and recommendations, will be effectively respected and implemented by all competent agencies and bodies.”
Given the complexity of U.S. statutes, rules and case law, and the different bodies tasked with overseeing data compliance within the U.S., the EDPS also encouraged the European Commission to “explore the feasibility of involving EU representatives” in such oversight mechanisms.
A similar structure, Buttarelli said, is already in place under “the EU-U.S. agreement on the processing and transfer of financial messaging data,” where there is supervision of further processing of financial data by an EU judge, and where “EU DPAs are also currently involved in the oversight of the way U.S. requests are handled.”
The potential increased role of European officials in the U.S., however, has garnered some skepticism on the other side of the Atlantic.
“I don't think the U.S. is going to open the doors wide. … What company is going to say sure we will sign up for this program, and as a part of that we agree that people from the EU data protection authorities can come over here and look at our stuff? And frankly, the EU DPAs don't have the resources to be doing this. There is a reason you have a self-regulatory program in place,” Aplin said.
Ricci Dipshan is the Deputy Editor of this newsletter's ALM sibling, Legaltech News.