Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee; Justice Committee; Business, Innovation and Skills Committee; Science and Technology Committee and the Joint Committee on Human Rights
(a) Commission Implementing Decision pursuant to Directive 95/46 EC of the European Parliament and the Council on the adequacy of the protection provided by the EU-US Privacy Shield; (b) Commission Communication on Transatlantic Data Flows: Restoring Trust through Strong Safeguards
(a)Article 25(6) of Directive 95/46/EC;—; (b) —
Culture, Media and Sport
(a) (37695), — + ADDs 1–7, —;
3.1The Government has deposited this Commission Implementing Decision (document (a)) with an Explanatory Memorandum specifically as requested in our Report of 30 April Despite the fact that the document takes the form of proposed EU secondary legislation, to be agreed through the comitology process, we consider it significant as it aims to implement the proposed EU-US Privacy Shield Agreement, recently negotiated by the Commission (not the Member States) and the US authorities. This Agreement provides a framework for the transfer of the personal data of EU citizens to the US for commercial purposes and will be important for the conduct of transatlantic trade and commerce. It consists of a series of data protection principles in relation which US companies self-certify their adherence.
3.2However, as a new adequacy decision, document (a) must also comply with the CJEU’s judgment in Schrems which invalidated Privacy Shield’s predecessor, Safe Harbor. The CJEU found that Safe Harbor failed to provide adequate protection for the fundamental rights of EU citizens to private and family life, protection of personal data and to an effective judicial remedy in the US for misuse of data. A more detailed account of Privacy Shield, document (a) and the process for the latter’s adoption are set out at paragraphs 3.15–3.18.
3.3In our Report chapter of 20 April on the Commission’s Communication on Transatlantic Data Flows, document (b), we made clear our expectation that in ongoing scrutiny the Government would comment on the compliance of Privacy Shield and document (a) with fundamental rights, taking account of the concerns in the opinion of the Article 29 Working Party of 13 April on Privacy Shield. The separate opinion of the European Data Protection Supervisor (EDPS), whose consultation is mandatory in the process for adopting document (a), has yet to be issued. We asked the Minister to confirm both opinions would inform Government policy, particularly regarding bulk transfer and processing of data.
3.4The Government now responds to that Report in its letter of 3 May and also provides us with an Explanatory Memorandum on document (a).
3.5We thank the Minister for her letter of 3 May and for her Explanatory Memorandum (EM) on document (a). We are glad that she saw fit to deposit document (a) in Parliament and provide an Explanatory Memorandum. We wonder why the Government hesitated in so doing and comment as follows:
a)The document could hardly be more important. It aims to implement a political agreement negotiated between the authorities of two world powers. The negotiations were prompted initially by the Snowden allegations regarding mass surveillance of personal data, including that of EU citizens. The new agreement must replace a predecessor adequacy decision (Safe Harbor) which was invalidated by the CJEU for breaching the fundamental rights of EU citizens relating to privacy and protection of personal data. New federal legislation has been made in the United States aimed at improving legal redress for EU citizens;
b)The Minister seems to downplay any UK influence on the adoption of document (a). However, the UK has a national expert representative on the Article 31 Committee which has a pivotal role in the comitology process. Indeed, in our experience on many legislative dossiers, the UK’s position has been to push for the Commission to be given implementing rather than delegated powers to legislate, precisely because it considers that the UK can exert more influence via the national expert on the relevant comitology committee.
3.6Given the Commission’s powers to implement legislation in this policy area, it is all the more important that the independent opinions of data protection expert bodies (the EDPS and the Article 29 Working Party) are considered. We are disappointed by the Minister’s dismissive attitude in her letter of 3 May to our suggestion that the Government take them into account, though we welcome the limited comment on opinion of the Article 29 Working Party in her EM. We ask her to note that:
a)Neither of these bodies are simply “respected commentators” as the Minister asserts. Both are bodies which have mandatory roles in the field of EU data protection law and law-making:
i)The EDPS is an independent supervisory authority, set up by Regulation 45/2001 which ensures that the EU institutions and bodies meet their obligations with regard to data protection as laid down in that Regulation. Its importance is reflected in the fact that the Commission has formally consulted it in proposing the Commission Implementing decision, as legally required by Article 28(2) of the Regulation. Indeed, any failure to consult the EDPB would be a legal ground for the instrument’s annulment.
ii)The Article 29 WP takes its name from the respective Article in the current Data Protection Directive (95/46/EC) and is required by Article 30(1)(b) of the Directive to give the Commission an opinion on the level of protection in the Community and in their countries, amongst other matters.
b)It is also irrelevant that the opinions of these bodies are not, in themselves, legally binding as the Minister mentions. Their significance lies in the fact that they will clearly have an impact on the EU instruments adopted in relation to this agreement, which will itself be legally binding. The same argument applies to the Article 31 Committee.
3.7On the nature of the procedure by which the current document will be implemented, we consider that the Minister’s EM on document (a) incorrectly states that the Article 31 Committee, as part of the comitology process, will vote by simple majority. The Article 31 Committee is now governed by the examination procedure requiring qualified majority voting (QMV) and not the old management procedure. The difference is material because obtaining a QMV is harder than a simple majority—in other words, it will be harder for the Commission to obtain the positive decision its needs from that Committee to adopt the measure.
3.8The Minister also implies that the European Parliament (EP) has no role to play in relation to the process for approving the document. However, the “examination” comitology procedure allows the EP (or Council), when the basic act is adopted by the ordinary legislative procedure, to cause the Commission to review the draft act for exceeding the implementing powers, including whether it should be amended or withdrawn. In light of the views already expressed by some leading MEPS on this policy area, such a development might not be unthinkable. Does this process apply in this case?
3.9Reviewing the current document and its annexes, it seems to us that many of the assurances given in letters from the various US authorities are political in nature alone, not legally enforceable. The Minister’s EM does not address this, but we ask her to do so when she next writes.
3.10Continuing this question of level and robustness of protection provided to EU citizens under Privacy Shield, we note the approval on 28 April by the US Supreme Court to a change to federal procedural Rule 41. This occurred subsequent to the issue of the Article 29 WP’s Opinion on 13 April. We understand that this rule change will give federal judges the authority to issue more sweeping search warrants for searching and collecting information from computers anywhere outside their jurisdiction. The changes, which will take effect on 1 December 2016 unless rejected by Congress, could enable the US Government to obtain a single warrant to access and search thousands or millions of computers at once. This mass processing of data was a critical issue in both the Schrems and Digital Rights Ireland cases. We therefore ask the Minister to comment on this development and its impact on document (a).
3.11Finally, we are not convinced by the Minister’s argument in both her letter and her EM that she is prevented from providing a full Government view of the fundamental rights’ implications of the Commission’s implementing decision by the preliminary ruling proceedings relating to DRIPA. We comment as follows, in the expectation that the Minister will provide a fuller fundamental rights analysis when she next writes:
i)From a Parliamentary viewpoint, the “sub judice” rule does not apply to proceedings before the CJEU or, in any court, “when a Ministerial decision is in question”;
ii)The Government’s view can be provided in general manner, without specific reference to submissions in those proceedings and without breaching any rules of confidentiality of the CJEU; and
iii)In any event, we will look to the expected delivery of the Advocate General’s Opinion on 19 July in the preliminary ruling proceedings, for indications of the views of the UK and any other intervening Member States.
3.12Pending a response from the Minister on the information we have requested above, we retain both documents under scrutiny and we also look forward to the Minister’s updates on:
a) further amendments or clarifications to the current document, made to address the concerns of the Article 29 WP; and
b)developments in the comitology process, including if and when the current document is adopted.
3.13We also draw document (a) and this chapter to the attention of the following Departmental Select Committees:
(a) Commission Implementing Decision pursuant to Directive 95/46 EC of the European Parliament and the Council on the adequacy of the protection provided by the EU-US Privacy Shield: (37695), — + ADDs 1–7, —; (b) Commission Communication on Transatlantic Data Flows: Restoring Trust through Strong Safeguards: (37550), , COM(16) 117.
3.14We provide our own description of the content of document (a) and the process for its approval.
3.15On 29 February the Commission published document (a) together with seven Annexes. These contain the US government’s written commitments on the enforcement of the arrangement, including:
3.16Like Safe Harbor, Privacy Shield is based on a system of self-certification by US companies. However, as a key difference paragraph 75 of document (a) provides a section on the “access and use of personal data transferred under the EU-US Privacy Shield by US public authorities”. The Commission states that “there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the US under the EU-US Privacy Shield to what is strictly necessary to achieve the legitimate objective”.
3.17This conclusion is based on the assurances at Annexes III, VI, VII which describe the mechanisms for oversight and judicial redress under the US surveillance programmes. The Commission makes four arguments based on these assurances to reach its adequacy conclusion:
i)US surveillance prioritises targeted collection of personal data, while bulk collection is limited to exceptional situations;
ii)US intelligence activities are subject to extensive oversight by the US executive and courts such as the Foreign Intelligence Surveillance Court;
iii)Mechanisms for redress under US law for EU data subjects depends on the complaint they want to raise: interference under the Foreign Intelligence Surveillance Act (FISA); unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act; and
iv)Privacy Shield will introduce a new complaint mechanism, an Ombudsperson who will be an equivalent to an Under-Secretary in the State Department to deal with allegations of misuse or abuse of data in breach of the principles.
3.18As a Commission implementing decision, document (a) will be adopted pursuant to the “examination” comitology procedure. This involves:
3.19Whilst there is no vote in Council for Member States to formally adopt the agreement, it may be open to the Council or EP at any time to inform the Commission that they consider it has exceeded its implementing powers. If so it has to review the act and decide whether to maintain, amend or withdraw it.
3.20The Parliamentary Under-Secretary of State and Minister for Intellectual Property at the Department for Culture, Media and Sport (Baroness Neville-Rolfe) responds to our Report chapter of 20 April in this letter.
3.21In summary, the Minister:
3.22She also points out that she hopes the Government’s difficulties in commenting on the fundamental rights aspects of Privacy Shield will be viewed in the context of her earlier helpfulness to us in providing “regular and fulsome updates” on developments in this area, including the data protection reform package and her continued willingness to “update the Committee as fully as possible on important issues in the data protection area”.
3.23The Minister gives her view of the policy implications of document (a) (and the Privacy Shield) in her Explanatory Memorandum of 12 May 2016. Having set out the background to Privacy Shield, including the reasons for the invalidation of Safe Harbor by the CJEU, the Minster says:
“The scope of the Privacy Shield is the same as that of Safe Harbor, and companies must still “self-certify” themselves for compliance with agreement. The US Department of Commerce has undertaken to make public, and regularly update, the list of organisations that have self-certified to the agreement (the “Privacy Shield List”). It will also make public a list of companies that have been removed from the List, as well as the reasons for the removal.”
3.24The Minister then identifies aspects of Privacy Shield which, in her view, distinguish it from Safe Harbor:
“(a) Stronger obligations on companies and more robust enforcement mechanisms - including oversight mechanisms to ensure that companies abide by the rules, sanctions if they do not comply, and tightened conditions for any onward transfers of data from a Privacy Shield certified company to a non-certified company. Also, under the Choice Principle, data subjects can object if their personal data is disclosed to a third party or used for a “materially different” purpose, and there are special rules for opting out of data transfers for direct marketing purposes.
“(b) Several new redress mechanisms - including complaint resolution by the company or recourse to the relevant EU Data Protection Authority (which therefore continue to play an important role in EU-US data transfers), the possibility of Alternative Dispute Resolution and, as a last resort, arbitration through the new Privacy Shield Panel. This Panel will be composed of at least 20 arbitrators designated by both the Department of Commerce and the Commission.
“(c) Annual joint review mechanism - conducted by the European Commission and the US Department of Commerce, to monitor the functioning of the Privacy Shield and US commitments in relation to access to data for law enforcement and national security purposes.
“(d) Clearer safeguards and transparency obligations - with written assurance from the US government that any access of public authorities to personal data will be subject to clear limitations, safeguards and oversight mechanisms. Significantly, new redress is possible through the Privacy Shield Ombudsperson, who will be independent from the intelligence community. The draft Privacy Shield states that US intelligence agencies may only seek personal data (transferred through the Privacy Shield) if their request complies with the Foreign Intelligence Surveillance Act (FISA) or is made by the Federal Bureau of Investigation based on a National Security Letter (NSL).”
3.25The Minister then considers the question of the “adequacy” and equivalence of protection afforded to EU citizens and their data, compared with EU standards of protection set out in the current Data Protection Directive (95/46/EC). Noting that the document considers that the Privacy Principles issues by the US Department of Commerce do “essentially” ensure such equivalence, she observes that:
“The Commission has indicated that the draft agreement should guarantee a high level of protection of the fundamental rights of EU individuals, due to the above features. They have also stated that any interference of the fundamental rights of EU citizens by US public authorities for national security, law enforcement or other public interest purposes will be ‘limited to what is strictly necessary to achieve the legitimate objective in question’.”
3.26She then comments on the role and some of the views of the Article 29 Working Party issues in their “non-binding Opinion”;
“In relation to the commercial aspects of the agreement, they said that they regarded the principle of purpose limitation (i.e. only using data for the purposes for which it was initially collected) as unclear, as it left open the possibility of data being reused for wider purposes. Moreover, the clauses relating to onward transfers of data from a Privacy-Shield-certified company to a non-Privacy-Shield-certified company did not appear satisfactory to the Working Party.
“The Article 29 Working Party also had concerns with the national security aspects of the agreement, particularly that bulk collection and mass surveillance of data can still take place, and that the Ombudsperson (a role set up specifically for dealing with national security complaints from EU citizens) may not be sufficiently independent.
“However, the Working Party’s Opinion did clearly and forthrightly acknowledge that the Privacy Shield goes significantly further in protecting EU citizens’ data than the Safe Harbor agreement (which had remained extant for 15 years). Furthermore, the Chair of the Working Party recognised that the transfer of data between the EU and the US is needed to tackle terrorism and said that the question of balance between personal privacy and the fight against terror is not one that the Working Party could address but was for policy makers.”
3.27The Minister explains that the Commission’s response to the Article 29 WP’s Opinion has been to engage in more discussions with its US counterparts, in order to make additional amendments and clarifications to the draft text. She says that the Government will review these if and when they are made available, and it “keenly awaits the final Privacy Shield agreement”.
3.28Next, the Minister explains why she feels the Government is unable to comment on whether Privacy Shield complies with EU fundamental rights:
“You will be aware that questions pertaining to the UK’s Data Retention and Investigatory Powers Act 2014 (henceforth DRIPA) are currently under consideration by the Court of Justice of the EU, via the preliminary reference procedure. As legal proceedings relating to DRIPA are ongoing, it would be inappropriate to comment on the UK’s view in respect of fundamental rights and the Privacy Shield at this time. The Shield is, in effect, an assessment of adequacy for the Commission to carry out (since it holds exclusive competence in this area) following negotiations and agreement with the US authorities on the necessary protections.”
3.29But she does give an overall Government view of the Privacy Shield agreement, when she says:
“Finalising the Privacy Shield is in the UK’s interests, because it will be a means for British businesses to continue to transfer data to the US. Equally, we would support an adequacy agreement that also protects the civil liberties and fundamental rights of individual data subjects.”
3.30On the question of timing, the Minister says:
“The Commission still hope to finalise the adequacy decision in June but that will depend on the US. They hope to have a revised text available for the Article 31 committee meeting on 19 May but it is unlikely that it will be a final text on which a formal decision can be made.
After the Article 31 Committee has voted on the Privacy Shield (most probably in June), subject to the conclusion of discussions between the EU and US authorities, the agreement will have to be adopted by the College of Commissioners.”
3.31(a) None, (b) Twenty-ninth Report HC 342-xxvii (2015–16), (20 April 2016).
30 Comitology under the Lisbon Treaty means the making of implementing acts pursuant to Article 291 TFEU by the Commission subject to the oversight of Committees made up of national expert representatives of Member States. There are two types of Comitology procedure: advisory and examination. This Implementing act is subject to the more stringent examination procedure.
31 Other mechanisms for the transfer of data to the US continue include explicit consent of the data subject, binding corporate rules.
32 An adequacy decision is a decision adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC, which establishes that a third country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments it has entered into. The effect of such a decision is that personal data can flow from the 27 EU Member States and the three European Economic Area member countries (Norway, Liechtenstein and Iceland) to that third country, without any further safeguards.
33 Case : Maximillian Schrems v Data Protection Commissioner.
34 Article 7 of the Charter of the Fundamental Rights.
35 Article 8 of the Charter of Fundamental Rights.
36 Article 47 of the Charter.
37 Twenty-ninth Report HC 342-xxvii (2015–16), (20 April 2016).
38 The Working Party is composed of national data protection authorities, including the UK’s Information Commissioner’s Office, together with the EDPS. For the Opinion see: .
39 On 10 February Congress passed the Judicial Redress Act 2016. The Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The right to sue is limited to only those citizens of countries that (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests.
40 See the Committee’s Rules of Procedure:
41 Jan Albrecht, the EP’s rapporteur on the proposed EU general data protection regulation has criticised the Privacy Shield as no more than a “reheating of Safe Harbor”, saying that provides no legally-binding improvements for EU citizens and it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless ombudsman, who would assess citizens’ complaints. ALDE group First Vice-President Sophie in’t Veld has been even more critical, arguing that, “it is highly implausible that an ombudsman will have sufficient powers to oversee US intelligence services”. She is worried that given this year’s US Presidential election, many of the assurances which are based on political commitments could be undermined.
42 See the list of Annexes at para 14 of this chapter.
44 This refers to the Data Retention and Investigatory Powers Act 2014. See the Court of Appeal’s in the case of Secretary of State for the Home Department v (1) David Davis (2) Tom Watson (3) Peter Brice (4) Geoffrey Lewis. We set out the questions for preliminary reference in Case here. The hearing of this case, joined with Case C-203/15 Tele2 Sverige, began in the CjEU on 12 April 2016. We understand that AG’s Opinion is expected on 19 July.
1 June 2016