
Storm clouds gather for US-EU Privacy Shield data deal

The European Parliament justice committee launches unprecedented criticism of Privacy Shield, while the Irish Court mulls future of binding corporate contracts

The Civil Liberties, Justice and Home Affairs Committee of the European Parliament, led by its chair, London MEP Claude Moraes, launched a savage attack on the Privacy Shield agreement between the EU and US, which governs the transfer of data between the two blocs.

The European Parliament passed the highly critical motion for a resolution on Privacy Shield. Four of its 40 paragraphs open with the following words: “deplores”, “is alarmed”, “notes with great concern” and “expresses great concern”.

The European Parliament resolution, put forward on 29 March 2017, questions the assurances about protection of EU data in the US, given by Robert Litt, second general counsel of the Office of the Director of National Intelligence, acting under the authority of recently retired US director of national intelligence James Clapper.

In paragraph 26, the European Parliament “deplores” two things. The first is that neither the Privacy Shield agreement nor the letters from the US, issued under the auspices of its chief spymaster, James Clapper, address the issues raised in the European Court judgement, which were rights of effective redress and safety from processing by US public authorities.

The court struck down Privacy Shield’s predecessor Safe Harbour, primarily because the US was conducting “mass and indiscriminate surveillance” on the European data, as recorded in the Irish Court ruling following the case brought by Austrian lawyer Max Schrems against the Irish Data Protection Commissioner.

It was doing so in a situation where there was no legal redress for Europeans in local courts, a fundamental right in the European Charter of Fundamental Rights. Article 47, formally stated in the resolution, provides a fair trial and an effective remedy for EU citizens by a tribunal set up under the laws of the EU.

The Privacy Shield agreement transfers that right to the United States, to US courts and to an Ombudsman to be provided by the US State Department.


The most critical paragraph in the European Parliament’s resolution – and the one that points towards a direct collision with the US – is paragraph 21, which cites the committee’s alarm that the US had engaged in mass surveillance of Europeans through one particular communications service provider on behalf of the National Security Agency and the FBI, even as the presidential directive attempting to assure Europeans it wouldn’t happen was being negotiated.

The Parliament’s resolution requests that the EU Commission seeks full clarification from the US authorities and makes those clarifications available to the European Parliament.

It goes on to say it sees the actions of the US as a reason to “strongly doubt” the assurances brought by the spy chief James Clapper through his legal counsel Robert Litt, who, unusually, is named in the resolution.

Critically, the resolution also points out that the presidential directive PPD-28, in which the assurances are embodied, has no congressional backing and could be changed and revoked by an incoming president. Indeed, President Trump already has done so: a point noted in paragraph 25 of the resolution.

The resolution – while several times mentioning the October 2015 judgement of the European Court of Justice which struck down Safe Harbour, Privacy Shield’s predecessor – carefully skirts around the heart of that judgment, which was Prism, the US National Security Agency’s mass surveillance programme.

Within three days of NSA whistleblower Edward Snowden’s revelations about Prism on 5 June 2013, then president Barack Obama had gone on the record to defend Prism as legal. If President Obama was unwilling to halt a surveillance programme that the European Court has questioned, it seems highly unlikely President Trump will do anything other than maintain his predecessor’s position.

Removing protection from non-US citizens

Indeed, the Presidential Executive Order of 25 January 2017, referred to in paragraph 25 of the resolution, indicated Trump’s position as wishing to remove all protection from non-US citizens.

The motion was carried by a majority of the parliament – 306 for, with 240 against and 40 abstentions. The dissent was by the more right-wing parties in the assembly. Whether this will lead to an effective review of Privacy Shield due in September remains to be seen.

Nowhere does the resolution mention that the entire European structure of institutional data protection failed to either detect Prism when it was imposed or deal with it afterwards.

The European Court judgement was the result of a single individual’s recourse to the courts. This was Max Schrems, who brought the case at his own expense and relied on the evidence of a single US whistleblower in Edward Snowden.

In effect, the resolution highlights the obstacles the European Commission will need to overcome to make data sharing with the US compliant with European law. It begs the question of the lawfulness of US interception, as judged by the European Court of Justice more than 18 months ago, which neither the commission nor the regulators have taken any concrete steps to resolve, even now. The Moraes motion is silent on this.

Dublin dissents

While those events were unfolding in Brussels, yet another threat to data relations between the US and the EU was being mulled over by Dublin Commercial Court judge Caroline Costello.

She is looking at a challenge to Standard Contractual Clauses, made by the Irish data commissioner Helen Dixon.

When the European Court struck down Safe Harbour in October 2015, it effectively made all transfers of European data to the US unlawful from the date of the judgement.

To get around this, the EU Commission and the 28 EU data regulators allowed the transfer of data using what were called Standard Contractual Clauses, which had preceded and been in use prior to the demise of Safe Harbour. At the same time, the court ordered Dixon to investigate the complaint of Maximilian Schrems, dating from June 2013.

In his complaint, Schrems had criticised Standard Contractual Clauses, but the bulk of his complaint was about Prism.

Standard contractual clauses

Like the European Parliament, the data commissioner has delicately sidestepped Prism, and instead voiced her reservations about Standard Contractual Clauses. Dixon has asked judge Costello to refer her reservations about Standard Contractual Clauses to the European Court.

Costello is now considering that request, having reserved her judgement following 20 days of expensive litigation in the Commercial Court that ended on 20 March.

One of her dilemmas is that the US, which appeared in the recent litigation as a friend of the court, wants to be a litigant in chief at the European Court if the matter goes there. Judge Costello has indicated she is willing to grant this request. But the European Court may not accept it, especially with the European Parliament so critical of the data transfer issue.

Why US mass surveillance is unlawful in Europe

In his findings of fact on 18 June, judge Gerard Hogan of the Irish High Court used the critical words, “mass and indiscriminate surveillance”.

As a matter of law, the then UK investigatory commissioner Anthony May QC had already advised Parliament on 8 April 2014 in his annual report that mass and indiscriminate interception without a warrant is unlawful.

Mass and indiscriminate surveillance involves the interception of emails and the mass theft of personal data.

Judge Hogan’s findings of fact became binding in the UK when the European Court, having examined his findings and judgement, endorsed it and struck down the existing Safe Harbour arrangement for the transfer of data between the EU and US.
