The first European rule on data protection was a directive adopted in 1995, at the dawn of the Internet and the digital market. Digital tools have since had a real impact on the rights of European citizens guaranteed by the European Treaties. With the General Data Protection Regulation (GDPR), the EU authorities drew up the first EU-wide measures focused on the protection of personal data, directly applicable in every member state so that the package takes effect uniformly. In parallel, complementary measures have been drawn up to support this overall regulation across the EU.
Alongside this European package, which ensures strong protection of personal data for European citizens, the EU authorities are negotiating an agreement with the United States on the transfer of European data to American companies. This agreement, the ‘Privacy Shield’, has been intensely debated because it does not provide the same level of data protection as EU law. Moreover, part of the EU authorities, the executive, accept this compromise despite the European Treaties and EU law.
These two legislative movements, both driven by and with the European institutions, address the same subject, personal data protection, while pulling in opposite directions.
An enforced digital strategy across the EU:
The main steps ahead are the application of the new rules in each EU member state, the development of tools to put them into practice, and the completion of the package with two further measures.
The first is Regulation 45/2001, which governs the processing of personal data by the European institutions themselves under an independent supervisor, the European Data Protection Supervisor (EDPS), and which must be aligned with the GDPR. The second is a reform of the e-Privacy Directive 2002/58/EC, the sector-specific directive that complements the 1995 framework for electronic communications; the European Commission announced its review in January, with the new text planned for 2017 as part of the Digital Single Market Strategy. This reform has become fundamental because the telecommunications market is evolving rapidly and the old rules are now obsolete with respect to new digital services.
The European authorities want these rules to apply at the same time as the GDPR, from May 2018, together with a separate directive specifically covering the processing of personal data by police and criminal justice authorities. In this field the EU institutions have been very careful about the balance between privacy and personal data protection on one side and security on the other since the Snowden revelations, and the Members of the European Parliament (MEPs) have asked for stricter rules.
The EDPS was set up in 2004 and has since then worked to « ensure that EU institutions and bodies respect people’s right to privacy when processing their personal data ». Giovanni Buttarelli, the European Data Protection Supervisor, said that the challenge today is to create tools and guidelines for the European legislator and the national authorities. This concept of ‘toolkits’ is the key to the digital reform: better equipping the European institutions in charge of preparing and supervising the new measures. Next year the Supervisor’s agenda will focus on the GDPR package, specifically on drawing up detailed recommendations to support and facilitate implementation across the member states. The Supervisor will provide advice until the May 2018 deadline: the time is short, but this support is necessary for the Digital Single Market and the digital economy. Alongside monitoring the implementation, he will continue to cooperate with the other European authorities and national governments to prepare the European Data Protection Board (EDPB), which will replace the Article 29 Working Party (WP29) and is a central element of the reform. New initiatives on data ethics and big data, and the consequences of these measures, are also being studied with respect to European law in the digital area. Privacy and personal data protection are fundamental rights protected by Articles 7 and 8 of the Charter of Fundamental Rights of the EU and Article 12 of the Universal Declaration of Human Rights.
The digital market demands rules and creates new duties for the EU. Thanks to the Supervisor, the EU authorities have a body able to monitor EU policy on data protection, advise on policies that affect e-privacy and cooperate with the other European stakeholders to ensure consistent data protection, by recommending resources, communication and evaluation for each digital policy.
The EU institutions have thus built an independent body in charge of the digital area and worked with it to create an EU-wide digital policy, the GDPR, which aims to increase personal data protection for European citizens. At the same time, however, the executive is also negotiating an agreement with the US on the transfer of these same data to American companies: the ‘Privacy Shield’, which is already less protective than the GDPR.
A lighter regulation with the partners: the divisive Privacy Shield:
American citizens do not have the same guarantees or the same digital rights as Europeans regarding the protection of personal data, so the deal involved a compromise between the two parties. The text of the Privacy Shield was agreed by the EU and US authorities at the beginning of February 2016, but negotiations continue because the EU authorities, and specifically the European Parliament, identified gaps, which the MEPs denounced in their non-legislative resolution of 26 May. Under the Privacy Shield, data about personal activities such as social media use or shopping can be sold to American companies and advertisers: everything you do online is recorded, and these data can be sold to help them work out how best to target potential customers. Under EU law, each European citizen should be able to choose who can use his or her information, who can make money from it and who knows what about him or her.
The current negotiations focus on safeguards for European personal data that comply with European law. This is precisely why Europeans and Americans need a new agreement: the Privacy Shield’s predecessor, the Safe Harbor, was invalidated by the Court of Justice of the European Union on 6 October 2015 because it did not ensure an adequate level of protection. The new agreement remains unclear, particularly in the part dedicated to privacy protection. It also contains several other gaps, identified by the MEPs in their resolution, that could see it invalidated just like the Safe Harbor: the Privacy Shield is basically « a Safe Harbor again ». The main issue remains the difference between the European and American standards of protection, and what corporations can do with these data. US law is more intrusive, with the Patriot Act, as the Snowden revelations showed in 2013.
The Privacy Shield has been amended « teeny tiny », but two fundamental elements remain sensitive. The first is US government surveillance. A new measure presented as a ‘big change’ creates an Ombudsperson to whom European citizens can address their requests. But the MEPs have reservations about the independence of this mechanism and, moreover, the EU is an area of Freedom, Security and Justice that is not compatible with US mass surveillance. The non-legislative resolution passed by the MEPs also found that the principles of necessity and proportionality, as set out by the WP29, are not respected, even with the new compromise on six-criteria safeguards (developed below). The members of the Working Party drew up guidelines applying these key concepts to the protection of personal data and private life, which are not absolute rights. Three criteria frame these principles: an interference must be in accordance with the law, pursue one of the legitimate aims set out in Article 8(2) of the European Convention on Human Rights, and be necessary in a democratic society.
The second issue concerns the commercial sector and what the GAFA (Google, Apple, Facebook, Amazon) and other companies can do with European data. The new agreement introduces only « teeny tiny limitations » that do not meet the standard of European law, even though privacy has been a fundamental right since the Lisbon Treaty.
The Privacy Shield, an example of the Realpolitik of the European authorities:
Why did the European Commission agree to these measures and to the Privacy Shield despite the fundamental European Treaties? For at least two reasons.
For the European executive, a partial and incomplete deal is better than no deal at all. Since the Safe Harbor has been invalidated, a new data transfer agreement to regulate transatlantic data flows is urgently needed, hence the importance of implementing the Privacy Shield quickly: the European Commission wants to see it in force by this summer. This urgency is explained by the importance of the digital sector for the economy: digital markets boost economic growth, which is fundamental in a time of global crisis.
Furthermore, achieving the same level of protection in the EU and the US would require changes to American law, and of course the European Commission, and the EU, cannot put enough pressure on the American authorities to amend the Patriot Act. However, the GAFA and other Silicon Valley companies and start-ups are very sensitive to, and interested in, the European digital market. It is a business target for them, and the surveillance laws promoted by Washington are damaging their business. Together, these companies could have the power to pressure the American Congress and eventually obtain an amendment of the Patriot Act, even if the current terrorism risk reduces the odds.
A further reflection on the Privacy Shield is that, while it seems a first step towards filling the normative gap, it does not provide a durable solution. From this perspective the European Commission’s position is a form of Realpolitik, insofar as the Privacy Shield brings two main improvements over the Safe Harbor.
Firstly, redress before American courts is now possible for European citizens. This option remains partial, because European citizens can access American justice only if the data transmitted to the American authorities are made public, and the procedures are complicated and unclear as to the possible use of the data. Despite these vague measures, an obligation to inform European citizens in the event of data security breaches is now included. In the US, however, the concept of ‘state secret’ is central, and with the eavesdropping of the American agencies this last measure could be circumvented.
Above all, the Privacy Shield offers a compromise on mass surveillance by American agencies, based on six criteria: « transfers only to prevent, investigate, detect or prosecute criminal acts, including terrorism, in the framework of police and judicial cooperation ». The goal, according to the European Commission, is to block the retrospective use of European citizens’ data for another purpose, and the Commission expects these criteria to avoid problems with the unclear redress rules. These criteria complement another deal, the ‘Umbrella Agreement’, which offers a comprehensive high-level data protection framework for EU-US law enforcement cooperation and covers all personal data exchanged between EU and US authorities for that purpose. In the US, the Judicial Redress Act, signed into law in February 2016, implements the Umbrella Agreement by extending certain remedies of the US Privacy Act of 1974 to EU citizens; the change is coming, very slowly, but it is coming. However, for the framework to be ratified on the EU side the European Parliament has to give its consent, and a majority of MEPs is still reluctant, because the EU authorities signed the agreement with the American negotiators in Amsterdam on 2 June.
Towards a global digital regulation across the world?
The deadline for implementing the Privacy Shield is this summer. This hurry is explained by another central issue: terrorism and cooperation through digital data. The Umbrella Agreement appears to complement the Passenger Name Record (PNR) agreement, while the SWIFT / TFTP agreement focuses on bank transactions.
Furthermore, the Privacy Shield seems to be more about managing security risks than a genuine will to protect personal data and private life. With the GDPR, the European authorities have shown that personal data protection remains an important issue, which is partly undermined by the gaps of the Privacy Shield across the EU. The disagreements between the US and the EU show the real need for a global digital regulation across the international community.
Emmanuelle Gris
To find out more:
- Regulation 45/2001:
https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/86#regulation
- EDPS Glossary:
https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/Glossary/pid/84
- EDPS Annual Report 2015
- European Parliament resolution on the Privacy Shield (26 May 2016)
- Questions and Answers on the EU-US data protection « Umbrella Agreement »:
http://europa.eu/rapid/press-release_MEMO-15-5612_fr.htm
- Article 29 Working Party, Opinion 01/2014 on the application of necessity and proportionality concepts and data protection within the law enforcement sector, adopted on 27 February 2014