Strasbourg, 02/02/2016 (Agence Europe) - On Tuesday 2 February, the European Commission announced that an agreement had been reached with the US on a new framework (“the EU-US Privacy Shield”) This will organise a “commercial” transfer of Europeans' personal data to the US, whose first Safe Harbor version goes back to 2000. This was invalidated in October 2015 by the European Court of Justice (Schrems ruling) (see EUROPE 11404).
This new mechanism was concluded during the day at the end of the most recent negotiations, particularly those between European Commissioner for Justice Vera Jourova and her US counterpart, Penny Pritzker, the Secretary of State for Trade. It respects the three-month deadline that the national data protection authorities set out for the two parties in November, failing which reprisal measures would be taken. These will be officially announced on Wednesday, after a meeting with the Commission.
The agreement will be put into practice by way of the Commission drafting a new appropriation decision in the next few weeks, which will replace the 2000 decision. It will also immediately put an end to the legal insecurity in which thousands of small businesses found themselves. They had to fall back on alternative data transfer instruments and could not depend on the same legal inventiveness as that used by giants such as Facebook and Google in meeting the demands of this court ruling. DIGITALEUROPE therefore gave a warm and swift welcome to this announcement.
The agreement, however, has another major objective, that of providing new guarantees to European citizens that have to face US mass surveillance programs, whilst attempting to prevent the decision ending up at the European Court of Justice again. In this respect, a preliminary discussion between Jourova and the civil liberties committee of the European Parliament on Monday 1 February demonstrated that the Commission did not entirely succeed in obtaining what it wanted.
The commissioner acknowledged that the negotiations had been “difficult” and “we have worked day and night over the past three months”. Her counterpart for the Digital Economy, Andrus Ansip, said that this new “shield” was a response to the commitment made at the beginning of the Commission mandate, which promised that European data transferred to the US would be done within a “safe framework”. The two leaders believe that this new mechanism is “solid” and contains the necessary safeguards to European citizens. It will have binding legal value because it has been signed by the director of US national intelligence.
On Monday, Commissioner Vera Jourova had already given MEPs the main brushstrokes to the draft agreement. She added: “We have been working flat out to obtain the necessary commitments that respect the legal requirements” stemming from the Schrems ruling.
The commissioner therefore highlighted the progress made in four areas: the limits and safeguards created on the public authorities' access to data transferred within the Safe Harbor initiative; - independent controls and individual appeals; - handling and resolving submitted complaints and the need for binding commitments from the US.
On the first point, the public authorities' access to data must be “limited and strictly necessary”, Jourova explained. This US initiative has developed since the revelations made by Edward Snowden and “we have received precise written guarantees that this access for the public authorities to personal data transferred from Europe is limited to what is necessary and proportionate”. The commissioner stated that “these assurances should confirm that there is no mass indiscriminate surveillance and that US safeguards for Americans can apply to non-Americans”. She also pointed out that a joint annual assessment would be carried out in respect of these commitments.
The commissioner did not, however, rule out the fact that the public authorities' access to this data, which must remain “targeted”, could, in theory, be slightly more broad than expected, for crucial reasons pertaining to the general interest, for example, or public security. According to Max Schrems, the Austrian student who prompted the ruling on 6 October, broader access would contravene the guidelines laid down by the Court, he said on Twitter.
On the second point, Jourova indicated that the opportunities for European appeals remained restricted to examples involving national intelligence operations, but that the EU had been working to obtain the appointment of an independent ombudsman from their US counterparts. In response to complaints from Europeans, this body would have access to the information from the US national security organisation. According to the Commission, this Ombudsman (Ombudswoman) would have real powers.
With regard to resolving complaints against companies for violation of private life, the Commissioner stated: “we are working on a mechanism to guarantee that each individual complaint is resolved in one way or another: ideally, as demonstrated by experience, the complaint would be resolved by the company itself”. She added that if this is not the case, “the citizen concerned can use an alternative resolution mechanism, which would be free. Citizens can also approach their respective national data protection authority in charge of submitting complaints to the US Trade Department”. The EU would also like a “last minute” mechanism that would help guarantee that each complaint is treated and resolved by way of a binding decision.
MEPs still unsatisfied. MEPs did not hide their disappointment on Monday evening, the day before the agreement was due to be concluded. Although the representative from the EPP Group, Axel Voss from Germany, said that the project went in the right direction, Birgit Sippel (S&D, Germany) had concerns regarding the independence of the future Ombudsman, the definition of the so-called necessary surveillance, as well as a recent amendment to the Judicial Redress Act by a US Senate committee, which puts a few barriers in the way of Europeans' right to appeal on US soil. Sophie in t'Veld (ALDE, Netherlands) asked about the legal value of an agreement based on an exchange of letters, as well as the role by the Ombudsman. The Liberal MEP said: “Will it take action at the NSA (Ed: National Security Agency)? That would be a surprise”. She also said that the US had not been sincere or frank and said that she had not felt reassured. “We have to be able to trust you”, the MEP told the commissioner. Cornelia Ernst, (GUE/NGL, Germany), said that this draft agreement appears “very, very lame”. “What is this exchange of letters? We need to be reassured that there are real safeguards”, she said. Jan Philipp Albrecht (Greens/EFA, Germany), said it was very difficult to get an idea without there being a detailed text and that there were still too many grey areas, such as the issue of proportionality regarding data collection, appeals and the status of the Ombudsman.
On Tuesday, Jourova and Ansip highlighted the fact that they had received very precise guarantees on the modes of access to this data. The Ombudsman should be located “at a very high level of the US hierarchy” and should be “independent at an operational level and able to interrogate the appropriate services in concrete cases”.
Jourova also said that she was confident that with regard to the future US government that emerges after the November elections, there would be “continuity” and the terms of the agreement will not be jeopardised. (Original version in French by Solenn Paulic)