EXECUTIVE SUMMARY

Introduction

On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US “Privacy Shield” agreement, concerned that US government surveillance powers are not limited as required by EU law, and that EU persons do not have effective means of redress. The judgment upheld the validity of standard contractual clauses to allow data transfers under the General Data Protection Regulation (GDPR), but requires data controllers to assess the level of data protection in the recipient’s country and to adopt “supplementary measures” if needed. In this context the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) requested this study on reforms to the legal framework for the exchange of personal and other data between the EU and the USA to ensure EU law requirements are satisfied and EU citizens’ rights are respected.

European data protection standards

In the EU, data protection is a fundamental right, enshrined in primary law. While activities of Member State authorities for national security purposes are outside EU competence, national constitutions and the European Convention on Human Rights apply. Moreover, the exemption does not apply to the imposition of legal obligations on private sector organisations, or to non-EU countries. Under the GDPR, personal data can only be freely transferred to countries held by the European Commission to provide “adequate”/“essentially equivalent” protection. Otherwise, “appropriate safeguards” must be adopted by the EU data exporter. A third country’s laws can only be said to provide such protection if they meet the standards set out in the European Data Protection Board (EDPB) Adequacy Referential. And in relation to access to personal data by a third country’s intelligence agencies, its laws can only be said to provide this protection if they meet the standards set out in the EDPB’s European Essential Guarantees for surveillance. Both documents fully reflect the CJEU’s case law.

US privacy and surveillance laws

A US Congressional Research Service review found a “patchwork” of federal data protection laws which “primarily regulate certain industries and subcategories of data.” The rather limited protections accorded to “US persons” by the Fourth Amendment are largely non-existent in relation to non-US individuals outside the USA, while “privacy torts” are too limited to even compare to EU data protection concepts. The Federal Trade Commission (FTC) Act gives powers to the FTC to act against “unfair or deceptive acts or practices” by most commercial entities. Companies are bound by their data privacy and security promises, and certain privacy practices are held to be unfair. However, these broad principles cannot be relied on to read all of the many detailed requirements of EU data protection law into US law – in particular, a private right of action. Several broad federal privacy bills have been introduced to Congress since 2019, and the House of Representatives Energy and Commerce Committee staff have produced a “bipartisan discussion draft.” While such legislation would offer very significant improvements in protection of personal data, as currently drafted, none of them achieve “essential equivalence” to the GDPR. Consumer privacy bills have been passed or introduced in dozens of the individual states. California’s Privacy Rights Act (CPRA) (which will enter fully into force in 2023) is closest to the GDPR, but still falls short of “essential equivalence” in scope and exceptions. Nor is it likely any other US state will adopt a law going beyond the CPRA.

The Foreign Intelligence Surveillance Act (FISA) regulates US national security and foreign intelligence-related electronic surveillance. Outside the US, electronic surveillance activities of the US intelligence community targeting non-US persons are generally governed by Executive Order 12333. Presidential Policy Directive 28 (PPD-28) contains limits on the use of signals intelligence collected in “bulk” by the intelligence community. The CJEU invalidated the Privacy Shield adequacy decision because FISA s.702 and E.O. 12333, even as limited by PPD-28, are too permissive to meet the GDPR’s standards of necessity and proportionality and do not provide EU data subjects with effective judicial redress.

Analysis and recommendations

Our analysis shows that no US federal or state privacy law is likely to provide “essentially equivalent” protection compared to the EU GDPR in the foreseeable future. Indeed, there are serious and in practice insurmountable US constitutional and institutional as well as practical/political obstacles to the adoption of such laws.

The EU–US Safe Harbour and Privacy Shield agreements were attempts to overcome these US legal/constitutional constraints, by setting out detailed rules to reflect EU data protection law, with US companies self-certifying their compliance – which gave the FTC the right to sanction them if they did not. However, the way in which this was done was clearly defective: self-certification related to sets of watered-down principles rather than to the actual ones in the EU instruments, set out in impenetrable collections of different documents, and subject to limited enforcement by the FTC, which lacked the powers to effectively enforce the arrangements.

For the FTC to become an effective supervisory authority on the lines of the EU authorities, the FTC Act would likely have to be expanded or a new statute passed. Additionally, new or expanded Memoranda of Understanding should be signed among multiple US agencies, creating shared, coordinating enforcement teams. The FTC Act would need to give the FTC the power to seek penalties for any violations of voluntarily accepted GDPR requirements; allow a broader range of entities to self-certify; allow the FTC to issue “trade regulation rules”; and instruct the FTC to formally cooperate with the EDPB.

It may not be possible to provide a right of action for individuals as broad as that envisaged in the GDPR. However, Congress could still significantly strengthen the right of action – and standing – of individuals, including non-US persons, who are significantly affected by privacy-related “unfair or deceptive acts or practices” committed by private entities.

If (i) the US and the EU were to take the legislative steps we outline relating to substance, enforcement and individuals’ rights of action and (ii) the US were to reform its surveillance laws and practices, then a new EU-US arrangement for self-certification by US entities could be achieved, under which the EU could issue a new positive adequacy decision on the USA, limited to personal data transferred from the EU to entities that had self-certified their voluntary compliance with the EU GDPR substantive standards. Without these reforms, EU data protection authorities will be required to consider suspending transfers of personal data to the US even following an adequacy decision by the European Commission.

We reach this conclusion somewhat reluctantly, given the strong views on self-certification of the European Parliament. However, we believe it is the only workable solution, given the issues cannot be resolved by new federal or state privacy laws. We should stress that we are not talking about a revival of the disastrous and untenable Safe Harbour/Privacy Shield arrangements, but about a fundamentally different, enhanced system of self-certification, with the self-certification itself relating to the entire GDPR and much stronger enforcement by the FTC. In our view, it would be a positive quid pro quo if the EU were to offer the USA (and the rest of the world) the introduction of a genuine “American-style” class action remedy in relation to any violations of the GDPR, which anyone affected by such a violation (whatever their nationality, status, or place of residence) could join.

Legal academics and civil society groups are clear that federal surveillance legislative reform will also be required to provide EU data subjects with “an effective remedy before…an independent and impartial tribunal”. Such complaints could be initially investigated by US intelligence agency Privacy and Civil Liberties Officers, with their findings referred to the agency Inspector General or the Privacy and Civil Liberties Oversight Board (PCLOB). The complainant would be given standing to obtain judicial review from the Foreign Intelligence Surveillance Court. Legislative reform will also be required to ensure the necessity and proportionality of US surveillance of data transferred under any adequacy finding. US civil society groups have recommended limiting bulk collection; narrowing the definition of foreign intelligence information and setting stronger standards to justify surveillance targets; reducing the default retention period for collected information from five years to three; and increasing transparency. US academics and civil society groups have also called for much stricter limits on US “secret law”. If the EU institutions are to be able to review the “essential equivalence” of a reformed US legal regime with GDPR protections, such authoritative legal interpretations or requirements affecting EU data subjects must be shared with them by the US authorities, along with any changes to the E.O. 12333 regime. Enough detail should be made public to be “adequately accessible”.

The EU institutions should stand up for the rule of law and demand both the Member States and third countries bring their intelligence practices and domestic law frameworks fully in line with international human rights law. A pragmatic starting point would be the development and ratification of a “minilateral” treaty covering intelligence activities of, in particular, the 30 EU/EEA states and the “Five Eyes” countries (USA, UK, Australia, Canada and New Zealand). This should include clear rules on the states concerned not surreptitiously spying on each other, with transparent arrangements for mutual assistance, subject to crucial rule of law and human rights safeguards and openness about practice. Our recommendations effectively come down to four (we discuss their prioritisation after summarising them):

Recommendation No. 1 (achieving general adequacy pace the issue of undue access):

The EU and the US should enter into discussions on the establishment of a much enhanced and strengthened self-certification scheme for US corporations. Criteria/rationale:

We somewhat reluctantly concluded that, since no US federal or state privacy law is likely to provide “essentially equivalent” protection compared to the EU GDPR in the foreseeable future (or ever), general adequacy can only be achieved under a new self-certification scheme enforced through the FTC.

However, any such new self-certification scheme would have to apply to all substantive requirements of the EU GDPR; the FTC would need to be given wider and stronger powers; and EU data subjects should be accorded rights of standing in relation to breaches of the scheme.

Recommendation No. 2 (addressing the issue of undue access to data by US intelligence agencies):

The US should be urged to reform its federal surveillance legislation as a matter of urgency. This should involve limiting bulk collection; narrowing the definition of foreign intelligence information and setting stronger standards to justify surveillance targets; reducing the default retention period for collected information from five years to three; increasing transparency about surveillance activities; and providing EU data subjects with “an effective remedy before…an independent and impartial tribunal” – which can be achieved by granting EU complainants standing to obtain judicial review from the Foreign Intelligence Surveillance Court. Criteria/rationale:

Given the strong and unambiguous stand taken by the CJEU in its Schrems II judgment, unless such reform is carried out, no new positive “adequacy” decision on the USA can be issued by the EU Commission. (If one were to be issued in defiance of the judgment, that would both seriously undermine the credibility of the Commission as a guardian of the Treaties and lead to yet another defeat – a “third strike” – in the Court. That should be beyond contemplation.)

Recommendation No. 3 (bringing surveillance generally under the rule of law):

The EU institutions and in particular the European Parliament should stand up for the rule of law and demand that both the Member States and third countries bring their intelligence practices and domestic law frameworks fully in line with international human rights law. They should urge, as a pragmatic starting point, the urgent development and ratification of a “minilateral” treaty covering intelligence activities of, in particular, the 30 EU/EEA states and the “Five Eyes” countries (USA, UK, Australia, Canada and New Zealand). As an interim measure, these 35 countries should agree not to spy on each other’s citizens (and their data) without the notification and agreement of the citizen’s home state. Criteria/rationale:

The intelligence agencies of the constitutional democracies have operated for too long outside of a clear and acknowledged framework of (international, and often even constitutional) law. As the European Court of Human Rights Grand Chamber judgment in the Big Brother Watch case makes clear, the ECHR (as interpreted and applied by that Court) is insufficient for this purpose. While, regrettably in our view, the activities of the EU Member States in relation to national security are outside the scope of EU law, the EU (working with the Council of Europe) can be a midwife to a new international agreement in this area. However, this would take some years. We therefore hope that an interim, less formal, “no spying on allies” agreement can be achieved in the meantime, within a relatively short timeframe.

Recommendation No. 4 (strengthening representative/class actions in the EU):

The EU should offer the USA (and the rest of the world) the introduction of a genuine US-style class action remedy in relation to any violations of the GDPR, which anyone who suffered material or non-material damage as a result of a violation (whatever their nationality, status, or place of residence) could join.

Criteria/rationale:

As the case of Max Schrems shows, EU data subjects’ rights and interests are often not effectively enforced, or the individuals concerned supported, by the EU Member States’ supervisory authorities, and court actions are costly and pose serious (financial) risks to them. In that regard, the EU can learn from the US (although the “Article III” jurisdictional issue imposes limits there too).

Overall, we concluded that if the above four recommendations were to be implemented, transfers of personal data from the EU to the USA could again be facilitated under the new self-certification scheme, with a new adequacy decision issued by the EU Commission that would not be invalidated by the Court. Until this is achieved, transfers of personal data from the EU to the USA must be based on “appropriate safeguards” including standard contractual clauses (SCCs) and Binding Corporate Rules (BCRs), or in due course approved codes of conduct or certifications issued by appropriate, accredited certification authorities – but in effectively all these cases, “supplementary measures” such as strong encryption will be required to protect transferred data against undue access by the US intelligence agencies. And no effective supplementary measures have yet been identified that could protect against such undue access if the data have to be accessible to the data importer in the USA in the clear. Some measures, such as audits, logs and reporting mechanisms could possibly be used in some such contexts (in particular, where the data are clearly not at all sensitive – in a broad sense – and unlikely to be of interest to the US intelligence agencies). But for sensitive data in the broad sense (sensitive data in the formal sense of the GDPR and other, more generally sensitive data such as communications data, financial data and travel data), these will generally not suffice. The issues therefore need to be addressed urgently. This brings us to the final matter: prioritisation.

Prioritisation:

We believe the issues are best addressed in this order:

1. The EU should identify stop-gap measures such as audits, logs and reporting mechanisms that can possibly be used to allow some transfers of non-sensitive data – but also identify categories of data (and/or of controllers and processors or contexts) in relation to which these will not suffice. The European Parliament should ask the EDPB to address these matters in yet further guidance on EU–US data transfers, drawing on the work of the Commission in relation to the Digital Services Act and the Digital Markets Act. We believe this can be done in a matter of a few months at most.

2. The European Parliament should urge the EU Member States and the “Five Eyes” to adopt as a matter of urgency an interim, somewhat informal, “no spying on allies” agreement, while at the same time;

3. The EU Member States and the “Five Eyes” should commence a formal process towards the adoption of a formal “minilateral” agreement. We believe that (if the political will is there) an interim agreement could be possible within a few months – but ratification of a full treaty (which would also have to have internal effect in the USA – which not all US international agreements do) would take several years.

4. In parallel with the above, the EU should urge the USA to start the reforms of its surveillance laws and of the FTC Act that have been suggested by expert academics and civil society groups in the USA and the EU. It would be important to have a working group established on this issue that can exchange views on what is necessary (and possible) and report on progress; this working group should include representatives of the European Parliament.

We believe that significant reforms could be achieved in US law this (executive order)/next (statutory) year (again, if the political will is there, and the EU forcefully urges this).

- o – O – o -