The Article 29 Working Party has released new procedural documentation concerning complaints under the Privacy Shield scheme, comprising rules of procedure and a form for individuals to submit complaints. This comes against a backdrop of executive action in the US that has caused further concern about the future of the scheme.
Background and Summary
The EU-US Privacy Shield Agreement ("Privacy Shield"), approved by the European Commission (the "Commission") on July 12, 2016, provides a mechanism for transferring personal data from the European Union ("EU") to the US (see our previous alert). Privacy Shield was finalized nine months after the decision of the Court of Justice of the European Union ("CJEU") in Schrems, in which the CJEU invalidated the Commission's Safe Harbor Adequacy Decision. We previously reported on the legal challenges Privacy Shield has faced this past year and the steps organizations must take to certify.
Among other things, Privacy Shield offers the ability for individuals to submit complaints that their personal data is being misused. To facilitate this complaint process, the Article 29 Working Party ("WP29"), composed of representatives of the national data protection authorities ("DPAs"), the European Protection Supervisor, and the Commission, released two forms on February 21, one an internal set of procedural rules for DPAs to follow when receiving Privacy Shield complaints, and the other a form for individuals to use when submitting a complaint to a DPA.
The release of these forms comes against a backdrop of renewed uncertainty regarding Privacy Shield, prompted by President Trump's Executive Order for Enhancing Public Safety in the Interior of the United States, issued on January 25, 2017 (the "Order"). The Order requires, in part, that "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act of 1974 regarding personally identifiable information," and therefore raised questions about whether it undermines privacy protections negotiated under Privacy Shield. While ultimately it seems likely that the Order will not disrupt the legal viability of Privacy Shield, it has created general unease around EU-US data-sharing relationships going forward.
New Privacy Shield complaints documentation
At its plenary meeting on February 7 and 8, WP29 agreed to a set of procedural rules that outline how DPAs will process Privacy Shield complaints brought to them either by an individual or by a US company that has been accused of wrongdoing. The rules specify that a panel consisting of a lead DPA—generally the DPA that received the complaint—and two additional co-reviewer DPAs will be formed to "work together to reach consensus as to the advice which will be provided to the US company" regarding a resolution to the complaint. If the panel cannot reach a consensus, the WP29 chair will be asked to "mediate a solution." If a company fails to comply with the panel's advice within 25 days "and has offered no satisfactory explanation for the delay," the panel may refer the matter to the Federal Trade Commission, the US Department of Transportation, or another US federal or state enforcement body, or may ask the US Department of Commerce to remove the company from the list of Privacy Shield-compliant companies. As a general rule, the panel will seek to respond to complaints within 60 days of their receipt. The rules add, however, that "advice will be issued only after both sides in a dispute have had a reasonable opportunity to comment and to provide any evidence they wish."
Along with the new rules of procedure for handling complaints, WP29 also released a recommended form for individual complainants to use when submitting complaints to the DPAs. The form requests information regarding which companies are involved in processing the complainant's personal data, the reasons why the data has been transferred, the alleged violation, and what relief is being sought. The form also asks whether the complainant has already tried to resolve the case by contacting the company involved directly, which is the first recommended course of action.
The Order and Privacy Shield?
The announcement of the Order sparked initial concern that US government agencies would no longer be providing non-US citizens the same data privacy protections as those of US citizens. For example, on February 28, the American Civil Liberties Union (the "ACLU") and Human Rights Watch ("HRW") voiced their concerns in a joint letter to Věra Jourová, the European Commissioner for Justice, calling on the Commission to review whether the assurances that were relied on when Privacy Shield was negotiated are still valid (the "ACLU/HRW Letter").
Foundational to the negotiation of Privacy Shield were the Umbrella Agreement (the "UA") and the Judicial Redress Act of 2015 (the "JRA"), which grant privacy rights to Europeans. The UA permits any citizen of the EU the right to seek judicial review in the event a US law enforcement agency unlawfully discloses the individual's personal data or denies the individual the right to access or amend his or her personal data. The JRA extends limited protections under the Privacy Act of 1974 (the "PA") regarding access, amendment and disclosure to citizens of "covered countries," which currently includes all EU Member States. The US Attorney General has discretion to amend the list of JRA-covered countries, and one possible reading of the Order is that it prohibits the Attorney General, as a federal official, from taking discretionary actions that grant privacy rights under the PA.
However, there are strong arguments that the Order does not have a direct impact on Privacy Shield. Firstly, the Order, as drafted, applies to rights under the PA and not to Privacy Shield, and would not be read as prohibiting the Attorney General from taking such discretionary action. The new administration has also given no indication that it will pursue such action. Secondly, as a general matter, the JRA and UA are acts of Congress, which cannot be overridden by executive orders (such as the Order).
This view is supported by a letter sent last month by the US Department of Justice to the Commission stating that the privacy rights of EU citizens remained unaffected by the Order:
"Section 14 of the Executive Order does not affect the privacy rights extended by the Judicial Redress Act to Europeans. Nor does Section 14 affect the commitments the United States has made under the DPPA (Umbrella Agreement) or the Privacy Shield."
Privacy advocates remain concerned
Nevertheless, privacy organizations and regulators in the EU and the US worry that recent US executive action represents a changed approach to privacy protections for non-US citizens. "You don't need to gaze into a crystal ball to see that the air surrounding Privacy Shield is becoming thinner," said Johannes Caspar, the Hamburg privacy regulator.
The ACLU/HRW Letter urges the Commission to re-examine whether the assurances relied on in developing Privacy Shield and the UA remain valid in light of the Order and the failure of the new administration and the US Senate to fill the current vacancies on the Privacy and Civil Liberties Oversight Board, leaving it with only one of five members and therefore without a quorum to act. It also points out that the JRA does not apply to individuals living in the EU who are non-EU citizens, and that it does not provide the full range of PA protections that were provided as a matter of policy prior to the issuance of the Order.
On March 24, the European Parliament's Civil Liberties, Justice and Home Affairs Committee (the "Committee") voted to approve a resolution to voice "key deficiencies" of Privacy Shield at the first annual joint review by the European Commission and the US Department of Commerce, which is due to take place in September. Among other criticisms of Privacy Shield, the Committee expressed concern that "bulk surveillance" by US agencies still remains a possibility, including the collection and distribution of the personal data of non-US citizens without disclosure and potentially in violation of Privacy Shield. If such activities are not disclosed to the affected persons, this will undermine a primary goal of Privacy Shield—that is, providing a mechanism for legal redress (see discussions in our previous alert).
In late March, Věra Jourová traveled to Washington to discuss Privacy Shield with Federal Trade Commission Chairperson Maureen Ohlhausen, US Secretary of Commerce Wilbur Ross, and US Attorney General Jeff Sessions. Following these discussions, on March 31, Jourová delivered a speech which stressed the importance of placing limitations on government access to personal data for national security reasons and monitoring companies' compliance with Privacy Shield to ensure that individuals are able to exercise their rights under the framework. However, despite these concerns, Jourová reported that the meetings left her with a "very good feeling" about Privacy Shield.
Conclusion and next steps
The new procedural documents governing Privacy Shield complaints should provide transparency about the complaints process and help streamline the oversight procedures that are at the heart of the new regime. However, the relationship between the EU and the US regarding data privacy remains fragile. While the Order may not directly affect the legal viability of the Privacy Shield framework for data transfers, the atmosphere of uncertainty created by the Order may adversely affect Privacy Shield's first annual review and continues the uncertainty surrounding transatlantic data transfers that has persisted for several years.