Legally and politically important
(a) Not cleared from scrutiny (b) Cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee, Justice Committee, Business Innovation and Skills Committee, Science and Technology Committee and the Joint Committee on Human Rights
(a) Commission Implementing Decision pursuant to Directive 95/46/EC on the adequacy of the protection provided by the EU-US Privacy Shield; (b) Commission Communication on Transatlantic Data Flows: Restoring Trust through Strong Safeguards
(a) Article 25(6) of Directive 95/46/EC;—; (b) —
Culture, Media and Sport
(a) (37695), —; (b) (37550), 6651/16, COM(16) 117
7.1The EU-US Privacy Shield agreement, politically agreed in February, will be implemented by this Commission Implementing Decision (EU secondary legislation). This will authorise the data of EU citizens to be transferred to US companies for commercial purposes where US companies comply with certain privacy principles. It will replace the “Safe Harbor” Decision which was invalidated by the Court of Justice (CJEU) in the case of Schrems for failing to comply with EU fundamental rights to privacy and data protection.
7.2Initially, the UK Government was reluctant to deposit the document. It has also been sparing in its comments on compliance of document (a) with fundamental rights protecting EU citizens and their data or on the relevant views of EU data protection bodies. In our last Report we challenged this attitude, highlighted some inaccuracies and inconsistencies in the Government’s approach and raised the question of a recent change to a US federal procedural rule which might facilitate bulk mass processing of data by US authorities. We also pressed the Government to report on further developments in the process for approving the document, including the opinion of the Article 31 committee of national experts.
7.3Separately, at the behest of this Committee, the Clerk to our Committee also wrote to the Permanent Secretary of the Department for Culture, Media and Sport (DCMS) to ask that certain shortcomings in the Government’s scrutiny be addressed in relation to both this document and the proposed Council Decisions relating to the Umbrella Agreement (an agreement providing a legal framework for the transfer of EU citizens’ data to the US for the purposes of law enforcement).
7.4In the meantime, the European Data Protection Supervisor (EDPS) published an opinion on the Privacy Shield agreement. It considered that in terms of ensuring rights to privacy and protection of personal data, Privacy Shield may be a “step in the right direction” but as “currently formulated, it does not adequately include all appropriate safeguards” to protect those rights, including judicial redress. More details of the opinion and the recommendations of the EDPS are set out in the “Background” section of this chapter.
7.5The Under-Secretary of State at the Department for Culture Media and Sport (Baroness Neville-Rolfe) now responds in a letter of 4 July to the questions we raised in our last Report, telling us that a vote on document (a) in the Article 31 Committee of national experts could take place on 8 July: it is now a matter of public knowledge that a vote of approval was carried that day (see further, “Background”). The response also refers to a separate letter of 30 June from the Permanent Secretary of DCMS (Sue Owen) on the scrutiny handling concerns raised.
7.6We thank the Minister for her letter of 4 July 2016 in which she addresses the questions set out in our last Report.
7.7However, we remain unconvinced that the Minister continues to provide sufficient comment on fundamental rights compliance of document (a). We note that, yet again, she fails to mention the publication of an opinion by the European Data Protection Supervisor. On 30 May the EDPS demanded further “significant” improvements to Privacy Shield to provide adequate protection to EU citizens’ right to privacy and data protection. Can she tell us whether the concerns expressed in that opinion have been adequately addressed by the text which went to the Article 31 Committee meeting on 8 July? We note, as on previous occasions, that it is an essential procedural requirement for the adoption of document (b) that the EDPS has been consulted.
7.8Although we now clear the Communication from scrutiny (document (b)), before we consider clearing document (a) we ask the Minister to confirm:
a) the formal outcome of the Article 31 meeting on 8 July; and
b)whether the Government will seek to enter into a similar bilateral agreement with the US when it exits the EU.
7.9We draw the documents and this chapter to the attention of the Culture, Media and Sport Committee, Justice Committee, Business Innovation and Skills Committee, Science and Technology Committee and the Joint Committee on Human Rights.
(a) Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and the Council on the adequacy of the protection provided by the EU-US Privacy Shield: (37695), —; (b) Commission Communication on Transatlantic Data Flows: Restoring Trust through Strong Safeguards: (37550), , COM(16) 117.
7.10On 30 May the EDPS delivered its opinion on Privacy Shield and document (a). It included the following main recommendations:
7.11Additional recommendations are also made and can be found at pages 9–12 of the Opinion, but they appear to consist mainly of more detailed specification of the main recommendations.
7.12In this Press Release, the Commission explains that Member States representatives in the Article 31 Committee approved the final version of the EU-US Privacy Shield. Vice-President Ansip and Commissioner Jourová say of the new text that:
“The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”
7.13The Parliamentary Secretary of State at the Department for Culture, Media and Sport says that she is writing to respond to our Report of 25 May and to put us on notice of a “key vote which is likely to take place later this week in the Article 31 Committee”.
7.14First, she apologises for shortcomings in her department’s scrutiny handling of both this document and those EU documents relating to the Umbrella Agreement, as set out in a letter from the department’s Permanent Secretary of 30 June.
7.15She then focuses on the need, from the point of view of UK businesses, individuals and companies, especially in the light of the Referendum outcome, for the “rapid resolution” of Privacy Shield.
7.16She tells us that:
7.17The Minister adds:
“The UK has no part in the negotiations between the European Commission and the US authorities. It is my expectation however that the agreed revised text will deliver a legally robust adequacy decision which meets the requirements of the Schrems ruling. In turn this will provide clarity to the businesses which transfer data from the EU to the US, and reassure citizens that their rights will be upheld under the new agreement.”
7.18The Minister then addresses the question we asked in our last Report on whether the 7 Annexes to the Privacy Shield are political rather than legally enforceable. She says that the Annexes consist of letters from various officials in the US who expound upon the different elements of the draft agreement, namely:
7.19She comments that:
“For these reasons, I do not believe that the Annexes are solely political in nature. In the same way that Recitals elaborate Articles in a Regulation, these Annexes describe the context against which the Privacy Shield will be implemented. They also serve to demonstrate to the Commission that the US take the commitments provided seriously.”
7.20As we requested, the Minister responds to our question about change to Rule 41 in the US on 28 April. She says that:
7.21But she comments:
“It would not be appropriate for me to comment on pending legislation in other countries, but there are guarantees laid down in the Privacy Shield with regards to respecting EU citizens’ data and providing judicial redress through the Privacy Shield Panel and the Ombudsperson.”
7.22On the question of compliance of the proposal and Privacy Shield with fundamental rights, the Minister comments:
“All of our discussions with the Commission and the US have recognised the need to strike the balance between commercial interests and fundamental rights. I expect to take this position when the final text of the Privacy Shield is issued. I am also mindful that the Privacy Shield does go significantly further in protecting the rights of EU data subjects than the old Safe Harbor agreement (which had remained extant for 15 years).”
7.23Referring to the expected delivery of the Advocate General’s Opinion on the UK’s Data Retention and Investigatory Powers Act, she notes that the CJEU heard the preliminary reference on 12 April and judgment is expected later in the year. She provides no further comment as she says this concerns a policy area for which DCMS is not responsible.
7.24The Minister then explains the possible future progress of document (a):
“In terms of next steps, there has been further Article 31 meetings, where the revised final text of the draft agreement was discussed amongst Member States. It is likely that a vote on the agreement will be held on the 8th of July. However, there is a possibility that a vote may not take place, and that the Chair of the Article 31 Committee, in accordance with Article 4(3) of the Standard Rules of Procedure, decides that a positive opinion has been obtained on the agreement by consensus. Once the Privacy Shield is agreed, either with or without a Member State vote, it will then need to be adopted by all Commissioners.”
(a) and (b): Third Report, HC 71-ii (2016–17),(25 May 2016); (b) Twenty-ninth Report HC 342-xxvii (2015–16), (20 April 2016).
14 Case : Maximillian Schrems v Data Protection Commissioner, 6 October 2015.
15 on the EU-US Privacy Shield.
16 of 8 July 2016.
17 See footnote 3.
18 In the conclusions to our Report of 25 May, we said:
“we note the approval on 28 April by the US Supreme Court to a change to federal procedural Rule 41.43 This occurred subsequent to the issue of the Article 29 WP’s Opinion on 13 April. We understand that this rule change will give federal judges the authority to issue more sweeping search warrants for searching and collecting information from computers anywhere outside their jurisdiction. The changes, which will take effect on 1 December 2016 unless rejected by Congress, could enable the US Government to obtain a single warrant to access and search thousands or millions of computers at once. This mass processing of data was a critical issue in both the Schrems and Digital Rights Ireland cases. We therefore ask the Minister to comment on this development and its impact on document (a).
18 July 2016