North Carolina Journal of International Law

"Connecting North Carolina to the World of International Law"

The Privacy Shield’s First Test

By: Leigh Edwards


On July 26, 2017, the European Union’s top court, the Court of Justice of the European Union (“CJEU”), issued what might seem like a fairly obscure ruling in a case challenging an agreement between the European Union (“EU”) and Canada on the transfer and processing of airline passenger data.[1]  However, the CJEU’s decision may have far-reaching consequences and impact similar agreements, including the EU-U.S. Privacy Shield agreement (“Privacy Shield”).[2]

 

The PRN Agreement:

 

On July 26, 2017, the CJEU held that the envisaged agreement between the EU and Canada on the transfer of Passenger Name Record data (“PRN Agreement”) interferes with the fundamental right to respect for private life and the right to the protection of personal data, and is therefore incompatible with EU law in its current form.[3]  In particular, it is incompatible with the Charter of Fundamental Rights of the EU and with provisions relating to the respect for private life and data protection.[4]

 

The PRN Agreement, signed in 2014, allows the systematic transfer of all air passengers’ data to Canadian authorities, and the retention and use of that data, for the purposes of combating terrorism and other serious transnational crimes.[5]  PRN data includes a complete travel itinerary, travel habits, relationships existing between two or more people, information on the passenger’s financial situation, and may even include other highly sensitive information about passengers.[6]  By way of an automated process, the PRN Agreement permits the transferred data to be used, retained for up to five years, and possibly transferred to other authorities and other countries.[7]

 

Shortly after the agreement was signed, the European Parliament (“Parliament”) asked the CJEU to rule on the matter.[8]  In its opinion, the CJEU confirmed that it accepts the necessity of processing large amounts of personal data to promote public security and protect against terrorism.[9]  However, the CJEU explained that the envisaged agreement could not be concluded in its current form because several provisions were not limited to what was “strictly necessary” to achieve that objective.[10]  Further, the draft pact did not provide enough protections for sensitive data, and gave individuals insufficient notice about additional data transfers beyond the initial recipient.[11]

 

Impact on the Privacy Shield:

 

The EU must now re-negotiate the PRN Agreement with Canada before it can be implemented.[12]  However, the PRN ruling is likely to have broader implications because it is the first time the court has discussed the general conditions under which the EU may allow cross-border data transfers through treaties.[13]  Therefore, although PRN data is just one kind of personal data, the CJEU’s latest ruling is likely to impact all personal data flows leaving the EU.[14]  More specifically, Sophie in’t Veld, a centrist Dutch European lawmaker, believed that the court’s opinion would have “far-reaching consequences” for the EU’s deals with the U.S. and other data sharing agreements.[15]

 

The CJEU’s ruling is a reminder that the global legal regime around data protection is still unresolved.[16]  That said, what does it mean for the future of the EU-U.S. Privacy Shield?  Technically speaking, the CJEU’s decision has no legal impact on the current transfer of PRN data.[17]  Therefore, at least in the short term, the ruling does not appear to be a sign that the EU will need to suspend or re-negotiate the Privacy Shield.  This is significant because the Privacy Shield is an important document for the digital economy.[18]  The agreement provides a framework for transatlantic exchanges of personal data that is transferred from the EU to U.S. companies that have self-certified their compliance with EU-approved privacy principles.[19]  To date, nearly 2,500 U.S. companies, including Google and Facebook Inc., have self-certified, while tens of thousands of EU companies rely on it to transfer data legally.[20]

 

Considering it is such an important document for the digital economy, the foundations of the mechanism are pretty unstable.[21]  This is part of the reason that the Privacy Shield agreement is subject to joint annual reviews.  In fact, on September 17, representatives of the European Commission (“Commission”) met with the U.S. Department of Commerce for the first joint annual review to assess whether the agreement was working as it should.[22]  EU Commissioner Vera Jourova has repeatedly emphasized the importance of the annual review given the concerns of European stakeholders and because the option “of suspending the Privacy Shield [would be] real” if the U.S. had committed “big systematic errors.”[23]  As a result of the annual reviews, there are still considerable legal hurdles clouding the future of the Privacy Shield.[24]  Therefore, many have wondered if the Commission would use the CJEU’s ruling as a tool to suspend or negotiate more robust privacy protections.[25]

 

The Privacy Shield’s First Annual Review – Will it Survive?

 

Despite behind-the-scenes dissatisfaction, both the Commission and the U.S. have consistently reiterated the importance of the Privacy Shield to transatlantic commerce.[26]  For example, Jourova has said that the “transfer of data underpins our huge trade relations and is bread and butter for many European and American companies.”[27]  Additionally, in a joint statement issued on September 20 at the conclusion of the first joint review, Jourova and U.S. Commerce Secretary Wilbur Ross stated their support for the framework.[28]  Further, Jourova said she “had a positive impression” and was “pleased that the new administration is committed to the Privacy Shield.”[29]  She went on to explain that the review allowed them to “identify some areas that can be improved in terms of practical validation.”[30]  Therefore, it is fair to say that the ruling had only a minimal impact on what the Commission considered during the first review.

 

Although the first joint annual review had positive results, it is clear the Privacy Shield has a long way to go.  Therefore, the CJEU’s ruling may have a long-term impact on the Privacy Shield.  If the Privacy Shield is sent to the CJEU, it seems likely that the PRN-focused standards would apply to the Privacy Shield.[31]  The real question, then, is whether the Privacy Shield will ever be evaluated by the CJEU.[32]  According to Jorg Jladkik, a European data protection lawyer at Jones Day, because the Privacy Shield was drafted to address questions raised by the court’s Safe Harbor ruling, it would be unlikely that challenges would be sent to the court.[33]  On the other hand, critics point to the fact that the pact is already facing legal challenges in both Ireland and France.[34]  Campaigners claim that the Privacy Shield does not in fact adequately protect the rights of European citizens in the U.S.[35]  Still, the presence of these legal challenges does not indicate that the agreement does not work because issues will always be present when dealing with sensitive data. However, it does suggest that the Privacy Shield has some weaknesses.

 

A Higher Level of Scrutiny?

 

Considering that the CJEU’s opinion has opened the way for potential Privacy Shield challenges, would the pact survive the PRN standard of scrutiny?  This is uncertain.[36]  However, it seems likely the CJEU’s ruling could put pressure on the EU and U.S. to tweak the agreement before it could reach the CJEU.[37]  What is the new standard?  The PRN ruling and U.S.-EU Safe Harbor ruling, which the Privacy Shield replaced, give insight into what standards the CJEU may use to analyze the Privacy Shield.[38]  In both instances, the CJEU focused on whether the agreement’s provisions were limited to what was “strictly necessary,” and on the overarching privacy principles of necessity, proportionality, and retention.[39]  Additionally, in the CJEU’s latest opinion, the court took a step-by-step approach to the PRN analysis.[40]  This appears to forecast how detailed the court will be in the future.[41]  Therefore, because the CJEU’s opinion includes more detailed requirements compared with the provisions set out in the Safe Harbor judgment, it seems likely that the July opinion would have some impact on the assessments of the Privacy Shield.

 

Further, several of the provisions the CJEU took issue with highlight the gaps and weak spots within the Privacy Shield agreement.[42]  For example, the CJEU was not completely convinced that the Canadian oversight office for the proposed PRN had “complete independence.”[43]  According to Justin Antonipillai, CEO of privacy and security company WireWheel.io, the Privacy Shield’s independent U.S. oversight authority provisions are likely to face similar skepticism because the European Parliament has already questioned whether it had complete independence.[44]  Additionally, the CJEU took issue with the PRN Agreement’s five-year data retention provision.[45]  Although the CJEU did not find that the period was beyond what was strictly necessary for the purpose of preventing terrorism, it said it should be subject to review by an independent supervisory authority.[46]  Antonipillai believed that the Privacy Shield might also fall short here.[47]

 

The flow of data across international borders is the currency of the 21st century.[48]  Accordingly, the continuing function of data transfer agreements is extremely important.  However, because the global legal regime around data protection is unstable, many agreements, like the Privacy Shield, are still at risk of being challenged.  The Commission plans to issue its Privacy Shield report next month.[49]  Therefore, companies should pay close attention to the conclusions that will be drawn by the European Commission after the joint review.

 

[1] See Glyn Moody, Transatlantic Data Flows Under Renewed Threat Following Top EU Court’s Ruling,  (July 31, 2017), https://www.privateinternetaccess.com/blog/2017/07/transatlantic-data-flows-renewed-threat-following-top-eu-courts-ruling/.

[2] See id.

[3] reported as CELEX No. 615CV0001

[4] Id.

[5] Highly-sensitive information about the air passengers includes “racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union memberships or a person’s health or sex life.” See Press Release, Court of Just. of the Eur. Union, Opinion 1/15 (July 26, 2017) (No 84/17).

[6] Id.

[7] Id.

[8] See Moody, supra note 1.

[9] See Philip Torbol et al., Court of Justice of the EU: the EU-Canada Agreement on the Transfer of Passenger Name Record May not Be Concluded in its Current Form, Lexology (Aug. 30, 2017), https://www.lexology.com/library/detail.aspx?g=7117e2a7-829e-4ce4-a143-37dda6b1fabe/.

[10] See id.

[11] George Lynch, EU Court Ruling May Signal Problems for Data Privacy Shield, 34 Int’l Trade Rep. (BNA), No. 33 (Aug. 17, 2017).

[12] See Moody, supra note 1.

[13] See Lynch, supra note 10.

[14] See id.

[15] Mike Corder, EU Court: EU-Canada Passenger Data Deal Breaches Privacy, U.S. News (July 26, 2017, 12:14 PM), https://www.usnews.com/news/business/articles/2017-07-26/eu-court-eu-canada-passenger-data-deal-breaches-privacy (noting the CJEU ruling could impact the U.S.’s passenger and banking data).

[16] See Politico Staff, Bridging the trans-Atlantic data divide: Privacy Shield and What’s Next, (Nov. 11, 2016, 9:10 PM), http://www.politico.com/story/2016/10/bridging-the-trans-atlantic-data-divide-privacy-shield-and-whats-next-229645.

[17] See Torbol et al., supra note 8.

[18] See Jimmy H. Koo, U.S. Assures EU Minister as Data-Transfer Privacy Review Begins (Corrected), 34 Int’l Trade Rep. (BNA), No. 37 (Sept. 21, 2017).

[19] Id.

[20] See Lynch, supra note 10.

[21] See id.

[22] See Koo, supra note 17.

[23] Id.

[24] See Politico Staff, supra note 15.

[25] See Lynch, supra note 10.

[26] Stephanie Bodini, If Trump Spoils Privacy Pact, We’ll Pull It, EU Official Warns, 34 Int’l Trade Rep. (BNA), No. 10 (Mar. 9, 2017).

[27] Id.

[28] Press Release, Eur. Comm’n, Joint Press Statement from Secretary Ross and Commissioner Jourova on the Privacy Shield Review (Sept. 21, 2017) (Statement/17/3342).

[29] Joyce E. Cutler, U.S.-EU Privacy Cooperation Positive, EU Official Reports, 16 Privacy & Security Law Rep. (BNA), No. 38 (Sept. 25, 2017).

[30] Id.

[31] See Lynch, supra note 10.

[32] Id.

[33] Id.

[34] See Julia Fioretti, EU-U.S. Data Pact Faces First Major Test of Credibility, Reuters, Sept. 16, 2017, 6:11 AM, http://www.reuters.com/article/us-eu-dataprotection-usa/eu-u-s-data-pact-faces-first-major-test-of-credibility-idUSKCN1BR09W.

[35] See id.

[36] See Lynch, supra note 10.

[37] See id.

[38] See id.

[39] See id.

[40] See id.

[41] See id.

[42] See id.

[43] Id.

[44] Id.

[45] Id.

[46] Id.

[47] Id.

[48] See Koo, supra note 17.

[49] Id.
