Preliminary remarks to new data protection scheme

Source: S.H. (Sophie) in 't Veld, published on Wednesday, February 3 2016.
  • 1. 
    The ECJ ruling requires that the collection and storage of data should be limited to what is necessary and proportionate. The Commission seems to rely on the Presidential Policy Directive 28 issued in January 2014, in response to the worldwide outrage over the revelations of NSA mass surveillance by Edward Snowden. PPD28 offers some limitations and safeguards, but it is questionable if they can be considered adequate, and a PPD does not have the status of law.
  • 2. 
    The Commission will get "written assurances" from the Obama administration. The legal status of such assurances is unclear. It reminds us of the "undertakings" offered by the US in the context of the EU-US PNR agreement, which were not deemed adequate by the EU at the time.
  • 3. 
    There will be an annual joint review. However, the value of such a review depends largely on unlimited access to all relevant information. It is highly unlikely that reviewers will get access to information held by the NSA and other intelligence agencies. The experience with the TFTP and PNR agreements shows that such joint reviews are in practice fairly meaningless; in some cases Parliament was even denied access to the review reports.
  • 4. 
    Judicial redress offered by the Judicial Redress Act (yet to be adopted by US Congress) will be patchy and limited. Only EU citizens will have the right to judicial redress (all other persons in the EU are excluded); judicial redress will be granted by the US on condition that the country of origin of the complainant shares information with US agencies, and this may be revoked at any given time; and judicial redress will only be granted by agencies designated by the US.
  • 5. 
    An Ombudsman with a "real capacity to act" will be appointed to handle complaints. However, it is unclear what "capacity" to act means in the context of complaints against intelligence agencies. In addition, it is unlikely a citizen will be aware of his personal data being processed by any specific US agency or indeed of a violation of the criteria set by the ECJ. So this clause will be meaningless in practice. Moreover, an Ombudsman hardly counts as "independent oversight" over the use of personal data by intelligence services.
  • 6. 
    Individual complaints are to be resolved by companies and by the Federal Trade Commission. But complaints concerning violations of fundamental rights cannot be settled by companies or the FTC, as they have no competence in that area. According to the Commission, the national DPAs of the member states can play a role, but it is not clear what role that could be.
  • 7. 
    The commitments of the US will be made binding by letters with "signatures at the highest political level". As a letter does not have the status of law, it is not clear what "binding" really means in this context. Nor is it clear if a future administration, for example after the Presidential elections, will be bound equally by such letters.
  • 8. 
    The Commission states that it can undo the new Privacy Shield decision at any given moment. But if the Commission sees no objections at this stage, how likely is it that it will ever withdraw its decision in the future? The Commission for many years refused to withdraw the previous Safe Harbor ruling, ignoring the repeated and urgent requests from the European Parliament and the highly critical evaluation report.
  • 9. 
    The weaknesses and uncertainties around the new Privacy Shield arrangement create the risk that it too will be shredded by the ECJ. This is unfortunate, as one of the aims of the Privacy Shield is to create legal certainty for businesses.
  • 10. 
    The Commission is the guardian of the Treaties, and must be seen to uphold the law. Citizens have lost trust in the EU as an entity that will protect their rights and interests. If the Commission takes a decision that is unsound for all to see, and clearly taken under the pressure of the US and businesses, scepticism will only deepen further.
  • 11. 
    National DPAs have the competence to verify whether the processed data is protected according to EU legislation, and have the competence to challenge an adequacy decision before a national court. This court can then refer the question of validity to the EU Court of Justice. The national Data Protection Authorities, gathered in the Working Group 29, will issue an opinion. What will the European Commission do if the WP29's judgment of the new Privacy Shield is negative?