Privacy Shield Said Unlikely To Withstand Scrutiny From European Union High Court
Privacy Shield probably won't withstand scrutiny by Europe's highest court if and when the draft trans-Atlantic data protection agreement is challenged after the European Commission adopts it, said two legal experts during an FCBA panel Monday. A third panelist, Andrea Glorioso, counselor for the digital economy with the EU delegation to the U.S., spoke off the record during the discussion, he told us after the event.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Chris Calabrese, Center for Democracy and Technology vice president-policy, said Privacy Shield has some good elements. He cited an improved complaint process for EU citizens on data handling by the U.S. government, the establishment of an ombudsperson in the State Department (see 1603110057) to oversee the process, the requirement of some Policy Directive-28 (PPD-28) policies (see 1602020040), and more direct engagement by the FTC.
But Calabrese said the framework likely won't withstand a European Court of Justice (ECJ) challenge because it doesn't meet the standards of the Schrems decision (see 1510060001). He cited the notion of essential equivalence, in which a non-EU country must have an adequate level of data protection under the Data Protection Directive and the EU Charter of Fundamental Rights. He said there's "some confusion" and "mistaken perception" that the U.S. must be essentially equivalent to the existing practices on the EU side. While CDT is concerned by some surveillance practices or proposals by EU members such as France and the U.K., Calabrese said the court will judge the framework not on existing practices but on the EU directive and charter.
Calabrese said the Foreign Intelligence Surveillance Act Amendments (FISA) Act Section 702, which permits surveillance of non-U.S. persons, needs to be amended for the agreement to pass muster. He cited NSA's upstream surveillance program (see 1503100036) collecting virtually all Internet communications flowing out of the U.S. "So they’ve kind of differentiated in a way that I don’t think the European court would between acquisition and collection," he said. "Acquisition being, 'Oh, we have it but we don’t really collect it until we search it, until we use a search term.' I don't think the European court is going to find that distinction reasonable.” He also said the U.S. government's collection of foreign intelligence information is "incredibly broad" and can include an "extraordinary" amount of information, meaning it wouldn't meet the European court's privacy law standard for limitations on the purpose of collection.
Other reasons why it may not pass ECJ muster include the U.S. insufficiently outlining protections and inadequate redress of abuses, said Calabrese. He also said the FISA court approves only the oversight mechanisms and processes, and intelligence agencies don't actually need court approval for a search of an individual.
Butzel Long attorney Ira Hoffman said he didn't think the agreement would withstand ECJ scrutiny based on "the different nature of values associated with privacy" between the U.S. and Europe, the different institutional structures and some of the legally nonbinding documents as part of Privacy Shield. He called the letter from General Counsel Robert Litt of the Office of the Director of National Intelligence about its oversight mechanisms for data collection and internal review "a very good legal brief" but it's nonbinding even if in good faith. "If push came to shove, judges will [ask] how is this binding?" said Hoffman. "There are a number of statements in [Privacy Shield] that ... the [European] commission is counting on the good faith of U.S. government agencies making their representations that they will in fact do that." But he said he doesn't think it would address the ECJ concerns.
Hoffman criticized the establishment of the ombudsperson position, saying the role exists in several federal agencies but has "never carried any weight" and doesn't have binding authority. Hoffman also wondered why the Commerce Department was the lead negotiator since its main mission is to promote commerce, not privacy. He said DOJ probably would have better represented the U.S. government's position since it puts together the case law and the administration's position in interpreting the 1974 Privacy Act. While the FTC has invoked Section 5 of the FTC Act to protect privacy, Hoffman said it's a "bit of a stretch" that it protects privacy except maybe in the recently decided Wyndham Worldwide case (see 1512090023).