By Michael Baker
The EU Charter of Fundamental Rights (“Charter”) provides Europeans the fundamental right to respect for private and family life; the protection of personal data; the right to have a fair trial; and the right to a legal remedy. These rights are the primary focus in the discussion on how personal data is transferred commercially across the Atlantic. The European Union (“EU”) and the United States (“U.S.”) have worked together for two years to develop a system where companies can transfer personal data from within the EU to servers in the United States. The flow of data between the EU and U.S. is critical for the economic success and political stability of these two Governments.
The current framework to transfer private data of EU citizens to the U.S. is called the EU-U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield agreement ensures European citizens’ data is protected when their information is transferred to the United States via businesses, people or entities. European and U.S. companies who wish to join the Privacy Shield as members need to certify that their organization adheres to the Principles set by the Department of Commerce. These companies are therefore obligated to comply with the laws and Principles, or the Federal Trade Commission will enforce the policy.
The Privacy Shield program is already in litigation in European Courts. On September 16, 2016, the Privacy Shield faced its first challenge by Digital Rights Ireland (“DRI”) against the European Commission in Europe’s General Court. The claim is based on an action for an annulment of the European Commission’s “adequacy decision” that seeks to strike down the Privacy Shield program because U.S. privacy law is not adequate for the stricter standards of EU law. A total of ten pleas are listed against the Commission’s decision, covering issues ranging from violations of the Charter to implications of mass surveillance by the United States.
The issue first raised by DRI asks whether the United States provides an adequate level of protection for outbound data transfers to third parties or third-party countries after the data reaches the United States. The current law, in Article 25(6) of the Data Protection Directive, does not require the laws of the third country to be identical to EU law for data transfer purposes. Nevertheless, the laws of the third country must be “essentially equivalent” to ensure a level of protection of fundamental rights and freedoms. The European Commission argues the principles established by the U.S. Department of Commerce are essentially equivalent to the ones implemented in Directive 95/46/EC and therefore are adequate for data transfer. If the third party is a Privacy Shield member, then transfers of EU personal data are in compliance and there should be no issue with the scope and use of that personal data.
However, a significant problem arises when the data is sent onward to a country or corporation not in compliance with EU law. For compliance, a contract needs to be made between the third party and the Privacy Shield member. The contract must be approved by the Data Protection Agent, who clarifies whether onward transfers to third parties are allowed.
A working party of members from Data Protection Agencies throughout Europe, called the Article 29 Working Party, helped to formulate the new transatlantic data framework between the U.S. and EU. One of the issues raised by the Article 29 Working Party concerned the onward transfer of data out of the U.S. after the legal transfer into the United States. The notice and choice requirements are lost if the third country does not have adequate laws for the protection of, or consent over, EU citizens’ data. The Article 29 Working Party stated in its opinion that a mandatory requirement for Privacy Shield members should be to check the third country’s laws before the transfers occur, because currently that preliminary check is not required. Without prior approval, there is no way to tell what information is being transferred onward to third parties and for what purposes that data will be used.
Today, there is a weakness in the Privacy Shield regarding onward transfers to third parties after the initial commercial transfer of personal data to the United States. In the joint yearly review of the Privacy Shield this September, the EU may conclude the level of protection is no longer essentially equivalent for onward transfers. The EU may then direct the U.S. to take appropriate measures to address its concerns in a reasonable time. Ideally, the review will take place before the final judgment in this case, so as to avoid the embarrassment of another invalidation of a data privacy mechanism by an EU court.
Note: The views expressed above are solely those of the author(s) and do not reflect any official position taken by the Information Security and Privacy Law Student Group, the Washington College of Law, or American University at large.