The Evolution of the Right to Privacy Between Europe and the United States

Introduction

Our present legal concept of privacy originated in the United States in the late nineteenth century, as an extension of the right to private property aimed at ensuring the protection of feelings and emotions against the growing intrusiveness of print media.[1] Subsequently, this right developed in other countries, extending its scope to include the protection of personal data against improper use by third parties.

Privacy has thus also become the individual’s right to control information relating to their personal sphere, to know at any time if someone is collecting information on their account, and, if so, to decide whether to allow such data collection.

The Internet – and especially the recent development of social networks – has revolutionised the concept of privacy, placing it in the context of a virtual world in which personal information has become public.[2] Personal data has, in fact, become the main currency of the so-called digital economy, in which users give their personal information in exchange for services that are free at the point of use.

At present, the dominant business model on the Internet is based precisely on the collection and exploitation (such as through increasingly targeted advertising) of blocks of personal information unprecedented in quantity, level of detail, and relevance to inhomogeneous groups of individuals.[3]

At the same time, the potential offered by the huge amount of personal data on the Internet has also become of interest to some national governments, which have begun to use them for control purposes. This phenomenon, as Edward Snowden’s revelations proved incontrovertibly in 2013,[4] is not limited to authoritarian regimes, but also involves Western democracies, especially the United States.

Whereas previously the attention of national and non-national legislators was mainly focused on the need to protect individuals against the undue exploitation of personal data by private organisations, it has become necessary to also take into consideration the surveillance programs adopted by nation states. Thus, the need to delicately balance the community’s interest of being correctly informed and individuals’ interests to see their privacy protected, is accompanied by the need to prevent national governments from using today’s technological tools to exercise mass control over the entire population.

The revelations regarding the global surveillance program adopted by the US after 11 September 2001 made EU institutions’ aware of the delicate issue relating to the risk that EU citizens’ personal data could be subject to indiscriminate use by the US government. This led the European Commission to initiate negotiations for the modification of the Safe Harbor Agreement. Since 2000 it has regulated the US companies’ transfer of  EU citizens’ personal data from Europe to the US.

This agreement was finally invalidated by the European Court of Justice on 6 October 2015 (case C-362/14, Maximillian Schrems v. Data Protection Commissioner). Subsequently, on February 2, 2016, the European Commission and the US government reached an agreement on a new regime for transatlantic exchanges of personal data for commercial purposes: the EU-US Privacy Shield. For the purpose of better understanding the characteristic features of Privacy Shield, we will retrace the process that led to its signing.

2. Two different approaches

European Regulation

Historically, the EU and the US have had profoundly different approaches to regulating the protection of personal data.[5] According to European legislation, the right to the protection of personal data is a fundamental right of the individual, in line with the provisions of art. 8 of the European Convention on Human Rights. Under this article every person has the right to freedom from interference in their private and family life, their home and their correspondence. Moreover, the Charter of Fundamental Rights of the European Union,[6] adopted in 2000 includes the right to the protection of personal data among the fundamental principles of EU law. It not only protects the general right to freedom from interference in one’s private life, but also the more specific right to the protection of personal data.

More specifically with regard to digitised data, as early as the 1990s, Community Directive 95/46/EC was concerned with implementing this principle, setting rules and criteria with which the collection and use of personal data should comply.[7] This directive protects European citizens’ personal data within EU borders and takes into due consideration the ease with which such data can be transferred outside those borders. Thus it provided (article 25, paragraph 6) that the transfer to a third country of personal data that is subject to processing or intended to be processed can only take place if the third country guarantees an adequate level of protection.

In essence, while stating that the transfer of data outside the EU territory is not generally prohibited, the directive places a condition on the legitimacy of this transfer; namely, the third country to which the data are transferred must guarantee a level of protection, substantially coinciding with that offered by the acquis communautaire.

The American Way

On the other hand, US legislation on the protection of personal data undoubtedly presents a more fragmented regulatory framework. At the constitutional level, privacy – and indirectly also personal data – finds protection under the Fourth Amendment to the Constitution,[8] which prohibits unreasonable searches and seizures.[9] The protection offered by the Fourth Amendment suffers, however, from numerous limitations, which strongly affect its extension. Firstly, the guarantees contained therein operate exclusively in favour of American citizens. Furthermore, the scope of protection of the constitutional provision is further limited by the application of the principle of the so-called third party doctrine, under which individuals cannot have a legitimate expectation of privacy regarding the information they have voluntarily transferred to third parties.[10] Consequently, once the subject has consented to the use of his personal data by, for example, the telephone service provider, the latter is free to transfer it to third parties, even without the original subject’s knowledge.

Furthermore, the right to privacy is protected by federal, sectoral, and fragmentary legislation, composed of a series of laws – the US Privacy Act of 1974, which applies only to US citizens and those foreign citizens who are lawfully admitted for permanent residence; the Freedom of Information Act (FOIA); and the E-Government Act of 2002 – which do not guarantee a homogeneous level of protection of individuals’ private spheres.

Comparisons

This concise representation of the features that characterize the privacy protection regime in these two jurisdictions, highlights a difference in approach that would be hard to reconcile. That is, unless political opportunities linked to the need not to hinder commercial traffic between Europe and the US are taken into consideration.

Until the Snowden revelations in 2013, the potential discrepancy between the two regulatory structures was limited by the adoption of a series of general rules that allowed an individual transferring personal data from Europe to the US to meet the protection requirements imposed by Directive 95/46/EC.[11]

These principles, contained in the Safe Harbor Agreement, were established with the decision of the European Commission 2000/520/EC.[12] They were substantially in harmony with the criteria established by Directive 95/46, under which the legitimacy of the processing is assessed on the basis of the principles of notification, choice, security, data integrity, access, and guarantee of application. This agreement created a presumption of adequacy of protection in favour of those US organizations committed to comply with these principles.

Safe Harbor, stipulated before the tragic events of 11 September 2001,[13] was structured at a time when the main concerns of the EU institutions regarding the misuse of the personal data of European citizens were related to the processing of data carried out by private organizations.

This was clearly expressed in the text of the aforementioned decision, where the Commission focused on US civil law on the processing of personal data and on the remedies made in favour of the individual. It made no reference to any exceptions to the principles of data protection personnel granted to the public administration and its intelligence authorities.

As is known, following the attack on the Twin Towers, the US adopted a series of measures that profoundly affected citizens’ freedoms to ensure greater government control.

In particular, through the Patriot Act of October 26, 2001, which amended Title V of the Foreign Intelligence Surveillance Act of 1978 (FISA), certain measures were adopted to greatly expand the investigative powers of the intelligence authorities in the fight to terrorism, authorizing these authorities to have free access to various public and private databases, with evident compression of American citizens’ private spheres.

The documents released by Snowden revealed the essential features of the mass surveillance programs implemented by US intelligence agencies, clearly highlighting how the regulatory updates following the 2001 terrorist attacks had expanded beyond their legitimate limit and investigative powers.

Thus it was deduced that the system set up by Safe Harbor actually allowed US public authorities to collect data legitimately transferred to US territory, in accordance with Safe Harbor procedures.

More precisely, as highlighted by the European Commission in its communication COM (2013) 847 def., since all companies participating in the PRISM program (a large-scale information collection program), allowing US authorities to have access to data stored and processed in the US, are certified under the Safe Harbor framework, this system “has thus become one of the access platforms of the American intelligence authorities to the collection of personal data initially processed in the [Union]”.

The gap between the protections provided by the EU legal system and the pervasive interference of the US government authorities in the private sphere of individuals had exceeded the balance point, which was guaranteed up to that moment by the Safe Harbor Agreement.

The context, which has profoundly changed from when the agreement was concluded, represents the legal and factual substratum that first led to the maturation of the communications COM (2013) 846 and COM (2013) 847 by which the Commission requested a review of the Agreement, and, subsequently, to the European Court of Justice’s ruling (case C-362/14, Schrems to invalidate the aforementioned decision 2000/520 / EC, which had declared the conformity of the Safe Harbor principles to EU standards.

3. The Schrems case

The jurisprudential line inaugurated by the Court of Justice with the Digital Rights judgment of 8 April 2014,[14] which declared the invalidity of Directive 2006/24 / EC, concerning the retention of personal data by telecommunication operators originated from its decision in the Schrems case.

In fact, the grounds of the Digital Rights ruling have their roots in the excessive compression of the right to privacy and the protection of personal data, in consideration of elements such as the absence of limits in the data collection phase, as well as the absence of suitable third-party guarantees regarding their use and retention periods.

The Court found similar profiles of illegitimacy in the Safe Harbor system, given the vast investigative powers that were ultimately granted to US intelligence authorities with respect to data from the EU, notably by the clause that allowed derogations from privacy principles for national security reasons.

The Schrems case originated from a claim presented by the Austrian citizen, Maximillian Schrems, before the Irish Data Protection Authority (DPA). Following the Snowden revelations, the applicant requested, on the basis of the inadequacy of the US law to prevent indiscriminate control of personal data by US intelligence, to prevent the transfer of his personal data from Facebook’s Irish subsidiary to its US counterpart.

The DPA rejected the appeal, both for lack of evidence regarding the fact that the applicant alleged that his personal data had been accessed by US public authorities, and because the adequacy of the data transfer to the United States was positively assessed on the basis of Commission Decision 2000/520 / EC.

Schrems consequently appealed to the Irish Court of Appeal, which found that effective massive and undifferentiated access to personal data would be “manifestly contrary to the principle of proportionality and the fundamental values protected by the Irish Constitution”. It asserted that Decision 2000 / 520 / EC was no longer adequate to meet the requirements of articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The Court of Appeal therefore referred the question to the Court of Justice of the EU (CJEU), asking it to assess whether a decision adopted pursuant to art. 25 of Directive 95/46 / EC – such as the Commission’s decision on Safe Harbor – may preclude a national supervisory authority from ruling on an appeal concerning the inadequacy of the level of protection ensured by a third country and to block the transfer of data to that country.

3.1. The reasoning of the Court of Justice of the European Union

The CJEU, as will be detailed below, has transcended the boundaries of the question submitted by the Irish Court of Appeal, reaching the point of declaring the decision 2000/520 / EC invalid. Its reasoning is based on the preliminary consideration according to which the existence of a decision by the European Commission – declaring the adequacy of the level of protection of personal data offered by a third country – does not preclude the possibility for national authorities to exercise supervisory powers provided for by the Charter of Fundamental Rights and Directive 95/46 / EC.

Therefore, even if the European Commission had adopted an adequacy decision pursuant to article 25 of this directive, the national authorities, in the course of a trial, would have the power to independently examine whether the transfer of personal data to a third country complies with the requirements established by the directive. However, this power does not extend to the possibility of declaring a Commission’s decision invalid. This power is reserved exclusively to the CJEU, to which national courts must refer for a preliminary ruling if they have doubts about the validity of a Commission decision.

Moving on to the examination of the validity of the European Commission’s decision on Safe Harbor, the CJEU recalls that it should have verified the adequacy of the level of protection offered by the third country, in this case the US. This parameter, the CJEU specifies, should consist of a level of protection substantially equivalent to that guaranteed within the EU under directive 95/46 / EC.

In particular, the Commission should have assessed the content of the rules applicable in that country, examining the national legislation, international constraints, and the practice aimed at ensuring compliance with these rules. It should also have periodically verified that the adequacy of the level protection insured by the third country persisted over time.

On the contrary, the assessment conducted by the Commission was limited to assessing the adequacy of the protection offered in the US, based on the Safe Harbor principles. But it failed to take into account the overall level of protection offered by US national legislation.

This lack of an overall assessment took on particular importance in the CJEU’s judgment, due to the possibility, provided for in Annex I of Decision 2000/520 / EC, to limit the applicability of the Safe Harbor principles if this was required for reasons of national security, public interest or by the administration of justice by legislative or regulatory provisions or judicial decisions, when such sources involve conflicting obligations.

In this perspective, Decision 2000/520 essentially establishes the primacy of the “requirements of national security, public interest or administration of justice of the United States” over the principles of the Safe Harbor, under which US companies that receive personal data from the EU are required to disapply these principles when they interfere with or are incompatible with them these requirements.

Moreover, the CJEU notes the Safe Harbor system’s lack of a protection mechanism against interference by US public authorities, since the remedies provided (private arbitration and proceedings before its Federal Trade Commission) are limited to disputes in commercial matters, arising from the failure of US companies to comply with the principles of Safe Harbor. They are not applicable in the context of disputes concerning the legitimacy of intelligence agencies’ actions.

These considerations formed the basis of the reasoning, which led the CJEU to declare the invalidity of Decision 2000/520 / EC and, consequently, the Safe Harbor regime.

4. The transition to the Privacy Shield

The need for the terms of Safe Harbor to be revised had already been expressed by the European Commission in the aforementioned communication of 27 November 2013. This related to a series of elements including the exponential increase in data flows and in the number of US companies adhering to the Safe Harbor regime, and available information on the extent of US intelligence programs. Such issues had raised concerns about the level of protection the regime was able to provide.

Based on the information emerging from the work of the EU-US contact group on privacy[15] and that on US intelligence programs,[16] the European Commission made thirteen recommendations for a review of the Safe Harbor regime.

These called for the strengthening of substantive principles on privacy, through greater transparency of privacy policies by US companies adhering to the regime, a more incisive action by US authorities in terms of verification, supervision and control of compliance with these principles, the existence of affordable dispute resolution mechanisms, and the need to limit the use of the exception for reasons of national security to what is strictly necessary.

In 2014, the Commission initiated a dialogue with US authorities to discuss a strengthening of the Safe Harbor regime, in line with the thirteen recommendations made in its communication. As anticipated, these talks were significantly accelerated following the Schrems case, aimed at adopting a new decision on the adequacy that meets the requirements of art. 25 of Directive 95/46 / EC.

The Commission presented the draft text of the decision on 29 February 2016. Following the opinion of the Working Party pursuant to art. 29,[17] and after the resolution of the European Parliament dated 26 May, on 12 July 2016 the Commission completed the procedure for the adoption of a new Agreement, the EU-US Privacy Shield.

The salient features of the new agreement will be examined below, in the light of Implementing Decision 2016/1250 with which the Commission declared the adequacy of the level of protection of personal data transferred from the European Union to the United States of America on the basis of Shield.

4.1. Principles of the Agreement

In line with the previous Safe Harbor Agreement, the Privacy Shield has not changed the accreditation system of companies wishing to join. This confirmed the previous self-certification mechanism, which in any case was not censored by the Schrems ruling. According to this, for a US organisation to join the Shield,  a commitment was required by the company to comply with the new regime’s principles.

In addition to the accreditation system, the Privacy Shield also presented other elements of continuity with the previous regime. For example, the principles of Privacy Shield are not dissimilar from the criteria that informed Safe Harbor.

After all, the aspects that determined the decision to invalidate Safe Harbor did not concern the content of the principles, but the ease with which they could be evaded both by organisations adhering to the regime and by US intelligence authorities.

In detail, Privacy Shield required the organisation that intended to join the Shield to comply with the following principles:

1. An information principle, according to which the interested party is required to be made aware of a series of information about the manner in which his personal data will be processed (for example, the type of data collected, purpose of the processing, right of access and choice, conditions applicable to further transfer, liability);
2. A principle of data integrity and purpose limitation, according to which the data must be collected and used exclusively for the purposes highlighted in the privacy notice sent to the data subject, and the integrity of the data must in any case be preserved;
3. A principle of security, for which, taking into account the risks inherent in data processing and their nature, “reasonable and adequate” security measures must be adopted;
4. A principle of access, which establishes the right of the data subject to be informed by the organisation if it processes their personal data;
5. A principle of recourse, control and responsibility, under which the organisation adhering to the Shield must provide solid mechanisms aimed at guaranteeing compliance with the principles, and guaranteeing the possibility of recourse to the EU data subject, whose personal data have not been treated in accordance with these principles.
6. A principle of liability in the event of further transfer to third parties. In fact, said transfer can lawfully take place only for specific and limited purposes, on the basis of a contract that provides for the same level of protection guaranteed by the principles, including the condition that allows the application of the principles to be limited only to meet national security needs, administration of justice or other public interest purpose.

4.2. Management and supervision of the Shield

The Shield provided for supervisory and control mechanisms on its implementation, aimed at verifying that those companies that had declared to adhere to the regime implemented the principles, and to take action in case of non-compliance.

The authority responsible for supervising the proper fulfilment of the Privacy Shield Agreement by the organisations adhering to it was the US Department of Commerce (DoC), with the assistance of the Federal Trade Commission and the Department of Transportation.[18] To this end, the DoC was required to prepare a list of organisations that had declared their participation in the Shield. They also had to periodically verify the actual fulfilment of the obligations assumed by the companies adhering to the Shield, deleting from the list any organisations that have repeatedly violated its provisions. Furthermore, it should check the organisations that, having voluntarily withdrawn or not renewed the certification, are no longer members of the Shield, to verify whether they intend to return, delete or keep the personal data received under the Shield. Lastly, the DoC should check cases of vaunted adherence to the Shield and misuse of the relative certification mark.

The Shield offered various complaint mechanisms to private individuals who believe they have suffered damage as a result of the violation of the Agreement by an organisation adhering to the regime.

First of all, every company adhering to the Shield was obliged to prepare an internal complaint resolution mechanism, which ensured effective protection for the complainant’s reasons.

The interested party should be able to lodge a complaint directly with the organisation – whose internal complaint resolution mechanism should ensure an effective protection of the applicant’s rights – or to an independent dispute resolution body, or even to the national data protection authority or the Federal Trade Commission.

Ultimately, after having completed all the aforementioned remedies, the injured party had the right to request binding arbitration from an arbitration panel, made up of arbitrators chosen from a list of at least twenty arbitrators prepared by the DoC and by the European Commission on the basis of independence, integrity and competences in US privacy law and EU data protection legislation.

With the exception of the arbitration panel, which could only be contacted after having used the aforementioned means of dispute, the interested party was free to choose the appeal mechanism he prefered, without any obligation to address one rather than another or to follow a specific sequence.

4.3. Exemptions for national security requirements

The EU institutions’ concerns regarding the excessive investigative powers of the US intelligence authorities are reflected in the text of the Privacy Shield Agreement. It contains a detailed description of the main laws that allow government authorities to access the personal information of US and foreign citizens.

This greater transparency regarding the operation of the surveillance mechanism adopted by US intelligence allows EU institutions to achieve greater control over potential abuses of personal data from Europe.

However, the safeguard clause in favour of the intelligence authorities, already affirmed in the Safe Harbor regime, remained firm; this clause in fact provided that compliance with the principles set out in the Privacy Shield finds its limits if and to the extent necessary to meet the needs of national security, public interest or the administration of justice.

The maintenance of this principle exposed the personal data of EU citizens to the wide investigative powers that US legislation grants to government agencies, and allowed any changes in the regulations on the subject to affect the freedom of EU citizens  by means of the aforementioned clause.

Nonetheless, in light of the changes that have occurred in recent years, the European Commission considered that the US regulatory framework provided sufficient guarantees regarding the restrictions on access and use of personal data by US public authorities.

More precisely, the Commission examined the two central legal instruments through which the US president, in his capacity as head of government, implements this principle: Presidential Decree 12333 (Executive Order 1233319)[19] and Presidential Directive 28 (PPD-28).

Focusing in particular on the latter, the Commission highlighted a clear step in the right direction in the legislative provisions likely to limit indiscriminate access by public authorities. Presidential Directive 28, issued on January 17, 2014 by President Obama, established a series of general principles, which govern data collection in the field of signal intelligence and limit their indiscriminate use.[20]

The directive ensures fair treatment between US citizens and foreigners. For non-US citizens it provides that the intelligence activities should respect the limits set expressly for US citizens with regard to the conservation and disclosure of personal information within signal intelligence.

Furthermore, it establishes the principle according to which data collection must be authorised by law or presidential provision, in compliance with the Constitution and the law.

The data collection must also take place exclusively for the purposes of external intelligence or counter-espionage, and must always be conducted in a targeted manner, avoiding, when possible, collection in bulk.

Also in the latter case, the PPD-28 limits the use of the information thus detected to six national security purposes,[21] to protect everyone’s privacy and civil liberties, regardless of citizenship or domicile.

Data collected in violation of the aforementioned provisions cannot be kept for more than five years, unless the Director of National Intelligence expressly states that the extension of the conservation is in the interest of US national security.

Following this analysis, the European Commission, in recital no. 76 of the decision, concluded that, although not formulated in the same legal terms, these principles essentially reflected the principles of necessity and proportionality.

Moving on to analyse the individual legal institutions that authorise public authorities to access and collect the personal data of European citizens once they are transferred to the US, the Commission highlighted that US intelligence agencies could only obtain them if the request is compliant to FISA or if it is filed by the Federal Bureau of Investigation (FBI) under a National Security Letter (NSL).[22]

FISA, in particular, is the legal instrument through which US authorities can access such data: in addition to article 104, which contemplates traditional personalised electronic surveillance, and in article 402, relating to the installation of interception devices for incoming and outgoing communication information, the two central tools are article 501 (pursuant to article 215 of the U.S. Patriot law) and article 702.

On this point, the Commission noted that the introduction of the USA Freedom law, adopted on 2 June 2015, prohibits the collection of data in bulk according to article 402 of the FISA (power to intercept information data of incoming and outgoing communication) and article 501 of the FISA and through the National Security Letters, instead requiring the use of specific selectors.

Also the surveillance programs called PRISM and Upstream also passed the Commission’s scrutiny in the light of the legislative changes that have occurred since Snowden’s revelations, which – at least according to the Commission’s judgment – had severely limited their pervasiveness.

The collection of data carried out on the basis of this tool finds a considerable limitation in the principles established by the presidential provision PPD-28: the search is made targeted through the use of single selectors that identify specific communication devices, such as the address e-mail address or the phone number of the target, but not keywords or targets’ names.

Furthermore, the data collected are subject to a time limit for archiving which, in principle, is set at five years, unless storage for a longer period is considered in the interest of national security by virtue of a legal provision or of a decision of the director of National Intelligence.

In light of the considerations relating to the overall system of safeguards in place regarding the methods of collecting and storing personal data by the US intelligence authorities, the Commission came to the conclusion that in the US there are rules intended to limit any interference in the fundamental rights of the person to what is strictly necessary to achieve national security objectives.

On the basis of these considerations, the Commission therefore specified that the US operated in accordance with the criteria established by the CJEU in the Schrems judgment. This which required that legislation involving an interference with the fundamental rights guaranteed by articles 7 and 8 of the EU Charter of Fundamental Rights provides for:

clear and precise rules governing the scope and application of the measure in question and imposing minimum requirements so that the persons whose personal data are concerned have sufficient safeguards to effectively protect their data against the risk of abuses as well as against any illegal access and use of the aforementioned data.

4.4. Supervision and individual appeal

The European Commission continued the analysis of the agreement, evaluating the supervisory mechanisms set up by US legislation to verify that intelligence activity took place in compliance with the limits established by law. It also studied the mechanisms available to EU citizens who argue that their privacy has been violated by US public authorities.

Under the first profile, the Commission noted that US intelligence is subjected to various control and supervisory mechanisms dependent on the three powers of the Federal State, and in particular on the branches of the executive power, various congressional committees, and for activities covered by FISA, for the supervision of the judiciary.[23]

The Commission then went on to verify one of the weaknesses of the previous Safe Harbor regime which proved decisive in determining the CJEU’s choice to declare it invalid. Namely, the absence of a legal remedy that allows EU citizens to access personal data concerning them, or to obtain the correction or suppression of such data.

From this point of view, the Commission noted that US legislation provides EU citizens with various means of knowing whether US intelligence has processed personal data concerning them and, if so, whether the restrictions imposed by US law have been respected in the different stages of data processing.

FISA, as well as the regulatory laws of specific sectors,[24] provide for the possibility of promoting a civil proceedings against the US or against US government agents for financial compensation when information about the person concerned has been used or disclosed unlawfully and with intent.

Although the US law offers – at least in principle – a range of possibilities for appeal, there are a limited number of reasons for which legal action can be taken, and the application filed by a person is declared inadmissible if the applicant does not demonstrate its legitimacy to act. From a practical point of view, the aspects highlighted have the effect of limiting the possibility of applying this type of appeal.

In response to the legitimate objections of the EU institutions regarding the effectiveness of judicial protection against the unlawful processing of personal data, the US government has created a new mediation mechanism, which is aimed at ensuring that every complaint receives adequate examination and treatment. and that an independent source confirms to the person that the laws of the United States have been complied with or, if they have been violated, that the breach has been remedied in the meantime.

However, this body was not set up specifically to respond to requests related to the application of the Privacy Shield, but falls within the scope of the tools provided for by the presidential directive PPD-28, to perform the function of interlocutor for foreign governments with regard to signals intelligence activities conducted by the US.

Its functions have therefore been extended to the scope of the Privacy Shield, to provide an alternative to the court-based justice system, in the proceedings concerning the (alleged) injuries of personal data by US government agencies.

The mediation body, referred to in the Shield Mediator Agreement (ombudsperson), is composed of a ‘first coordinator’, appointed directly by the secretary of state, and other supervisory bodies competent to control the various services of the intelligence community, on the collaboration of which the ombudsperson of the shield relies for the handling of complaints.

In particular, if someone’s complaint concerns the compatibility of surveillance with US law, the ombudsperson can rely on independent supervisory bodies with investigative powers (such as inspectors general or the Authority protecting privacy and civil liberties). In any case, the US secretary of state ensures that the ombudsperson has the means to ensure that the response made to the request takes into account all necessary information. This composite structure allows the mediation mechanism to ensure independent supervision and the possibility of individual redress.

The complaint can be lodged with the supervisory authority, competent in the EU member state for the supervision of national security services, or the processing of personal data by public authorities, which submits it to a centralized EU body, or both, after which it is forwarded to the Shield mediator.

The mediation mechanism extends the scope of protection granted by the courts. It allows the injured party to make a complaint without having to prove that, in the context of signal intelligence activities, the US government has actually had access to personal data of said subject. The complaint leads in each case with a response from the ombudsman, which may consist of a statement confirming that the complaint has been properly investigated and that applicable US law has been complied with or, where applicable, that the non-compliance was in the meanwhile healed.

Overall, the Commission concluded that the mechanism ensured that each complaint case is thoroughly investigated and resolved and that – at least as regards vigilance – independent supervisors with the necessary technical expertise and investigative powers are involved, as well as an Ombudsperson capable of carrying out his functions without undue interference, in particular of a political nature.

4.5. The decision of the European Commission

After the European Commission reviewed the principles of the Privacy Shield and, particularly, the operating mechanism of US intelligence, with the aim of verifying whether the exemptions envisaged for public security purposes were likely to undermine the correct functioning of the system, it came to the conclusion (recital 136) that the US ensured an adequate level of protection of personal data transferred under the Shield from the EU to US organisations that have self-certified as members of the scheme.

By specifying the concept in the subsequent recitals, the Commission highlighted how the new regime had remedied the main flaws that had determined the CJEU’s overturning of the Safe Harbor Agreement.

In the Commission opinion, supervisory and appeal mechanisms had been prepared to allow for the identification of the violations of the principles committed by the organisations adhering to the regime, the reaction to said violations, and the provision of means of recourse to protect the data subject. This allowed the data subject to access their own personal data concerning and to obtain its correction or cancellation.

Therefore, the Commission concluded by considering that the criteria set out in article 25 of Directive 95/46 / EC were satisfied, since the interference with the fundamental rights of the person, carried out by the US public authority for reasons of national security, administration of justice, or other purposes, would be limited to what is strictly necessary to achieve a specific legitimate objective.

4.6. Periodic review of the Agreement

To prevent changes in US legislation on the protection of personal data from compromising the overall consistency of the Shield Agreement, the European Commission would periodically verify that US legislation ensures a level of protection substantially equivalent to that offered by the EU, in light of the definitive application of the regulation 2016/679.[25]

This provision gave content to the indications referred to in paragraph 76 of the Schrems judgment, where the CJEU, after specifying that the level of protection ensured by a third country may evolve, stated that:

it is incumbent upon the Commission, after it has adopted a decision pursuant to Article 25(6) of Directive 95/46, to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified.

In this perspective, the Privacy Shield Agreement is subject to annual joint reviews by the Commission, the US Department of Commerce, and the Federal Trade Commission. These reviews cover all aspects of the Shield’s functions, including exceptions to the principles for security reasons and the administration of justice.

If, on the basis of these verifications, the Commission found that the level of protection offered by the Shield could no longer be considered substantially equivalent to that of the EU,  it can require the adoption of adequate measures to promptly resolve potential cases of non-compliance.

In the end, should the US authorities fail to demonstrate that the Shield continued to ensure this effective compliance, the Commission can initiate a procedure for its total or partial suspension or termination.

5. Invalidation of Privacy Shield

The transfer of personal data from the EU to the US took a new turn following the judgment of the CJEU of 16 July 2020, rendered in case C-311/18, Data Protection Commissioner / Maximilian Schrems and Facebook Ireland. It declared Privacy Shield to be invalid too.

On the other hand, the criticisms expressed by the CJEU were anticipated. Its primary concern about the legitimacy of the Privacy Shield,[26] had already been expressed in the immediate aftermath of the European Commission’s decision on the adequacy of the protection offered by the EU-US privacy shield regime n. 2016/1250.[27]

The sudden interruption of the mechanism governed by the Safe Harbor, however, imposed, as seen, the need to conclude in a short time a new agreement that would restore and regulate the flow of data, while trying to correct the defects of the previous agreement.

Although this purpose has been partially achieved by Privacy Shield, the new agreement also allows the US to deviate from the principles set out therein based on national security needs, and submits personal data from Europe to the broad investigative powers that US law grants its government agencies.

Similarly to the Safe Harbor, the subsequent agreement was also reached in the context of Directive 95/46. The directive allowed the transfer of data to a third state as long as the latter guaranteed adequate security measures.

The concept of adequacy was specified already in recital 56, according to which the adequacy of the protection offered by a third country had to be assessed in the light of all the circumstances relating to a transfer or a category of transfers and by the following recital. It emphasised the need to prohibit the transfer of personal data to a third country which does not offer an adequate level of protection.

The same concept is reaffirmed in article 25, in which it is specified, in more precise terms, that:

The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination , the rules of law, both general and sectoral , in force in the third country in question and the professional rules and security measures which are complied with in that country.

As discussed above, the adequacy of the agreement was subject to a positive evaluation by the European Commission pursuant to the aforementioned article 25 of the directive in question. It held that the protection regime granted in the US, for the purposes of data protection, was adequate compared to the EU’s standards. This decision was invalidated by the CJEU’s ruling in the Schrems II case.

The proceedings before the CJEU were initiated following the preliminary reference made by the Irish High Court in the case brought by Mr Schrems, who argued, in particular, that US law requires Facebook Inc. (now Meta Platforms, Inc.) to make the personal data it processes available to US authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

The same judge found that the US carries out massive data processing, without guaranteeing a protection substantially equivalent to that guaranteed by articles 7[28] and 8[29] of the Charter of Fundamental Rights of the EU.

After reiterating that the transfer of data to a third state in effect constitutes “data processing”[30] pursuant to article 2, paragraph 1 of EU Reg. 679/16 (GDPR), the CJEU made the possibility of transfer subject to compliance with the adequacy requirement as established by the regulation itself, which in the meantime has replaced Directive 45/96 by repealing it.

With its entry into force, transfers of personal data outside the European Economic Area are allowed, if the recipient guarantees an adequate level of data protection, starting from the discipline provided for by the repealed directive.

The adequacy requirement can be certified in different ways, first of all through the decision of the European Commission pursuant to art. 45 EU Reg. 679/16.

In this regard, a third country should not be expected to guarantee a level of protection identical to that guaranteed in the legal system of the EU. Rather, the expression “adequate level of protection” must be understood as requiring that the state effectively ensures a level of protection of fundamental freedoms and rights that is substantially equivalent to that guaranteed within the EU by virtue of the Regulation, read in the light of the Charter. This should take into account the third-party states’ national legislation or international commitments.

In the absence of such a requirement, the aforementioned objective would be breached.[31] To this end, in the context of a transfer, consideration should be given to the contractual clauses agreed between the controller or the processor established in the EU. It should also consider the recipient of the transfer established in the third country, any access by public authorities of that country to the data transferred, and the relevant elements of its legal system.

However, the interference resulting from the surveillance programs[32] would not be subject to requirements that guarantee, in compliance with the principle of proportionality, a level of protection substantially equivalent to that guaranteed by Article 52, paragraph 1, second sentence, of the EU’s Charter. This must be taken into consideration when assessing whether the legal system of the third-party state provides adequate guarantees. According to this article, the limitations on the exercise of rights and freedoms can only be made where they are necessary and effectively respond to purposes of general interest recognized by the EU or the need to protect the rights and freedoms of other individuals.

On the basis of national security, on the other hand, US authorities can proceed to a “bulk collection of a relatively large volume of information or data in the field of intelligence” with the impossibility of “making the collection targeted by resorting to a identifier associated with a specific objective”.[33]

Such a structure – states the CJEU – is not suitable for guaranteeing a level of protection substantially equivalent to that guaranteed by the EU’s Charter of Fundamental Rights. According to that, to satisfy the principle of proportionality, a legal basis that allows interference with fundamental rights must define the scope of the limitation on the exercise of the right in question and provide for clear and precise rules governing the scope and application of the measure and imposing minimum requirements.[34]

Furthermore, the lack of guarantees for foreign citizens potentially subject to such programs is also highlighted. “Guarantees” here means the methods of effective administrative and judicial remedy for those concerned whose personal data are being transferred.

Recital 104 of the GDPR specifies that the third-party state should ensure effective independent control of data protection and should provide for cooperation mechanisms with the data protection authorities of EU member states.

The inadequacy, highlighted among other things by the European Commission itself, derives from the impossibility of qualifying the ombudsperson as a judicial body. In fact, although the ombudsperson is described as “independent from the US intelligence community”, this figure is characterised by the close connection with the US secretary of state, to whom they must report directly.[35]

The institution of the ombudsperson[36] is not sufficient to satisfy the necessary presence of a right to an effective remedy and to an impartial judge[37] contemplated in article 47 of the Charter of Fundamental Rights of the EU which must be read in support of article 45 of the GDPR and which affects the adequacy of the protection provided by the third-party state.

For these reasons, the CJEU deemed it necessary to declare the invalidity of Decision 2016/1250 on the adequacy of the protection offered by the EU-US privacy shield regime.

To avoid legal gaps – which in any case in the CJEU’s opinion would not exist due to the application of art. 49 GDPR[38] – the adequacy requirement can also be certified through the use of the so-called “Standard Contractual Clauses (SCC)” adopted by the European Commission through an ad hoc procedure, provided for in Article 46 par. 2 lett. c.

With reference to the aforementioned SCCs, in fact, the CJEU confirms the validity of the relative decision (n.2010 / 87 / EC of 5 February 2010), as these do not refer to the legal system in force in a single state but are limited to identifying a series of clauses ideally suited to guaranteeing an adequate level of protection, without prejudice to the need to assess, from time to time, the context in which these clauses will be applied.[39]

Conclusion

In conclusion, the role played by the national supervisory authorities appears clear for the purposes of protecting these types of data rights.

In fact, since states cannot adopt measures contrary to an adequacy decision and consequently suspend or prohibit the transfers of personal data to a third state, until the invalidity of that decision has been pronounced, that same decision cannot prevent or restrict the power of the national supervisory authorities to examine, in full independence, whether the transfer of data complies with the requirements of the GDPR. This makes them unable to lodge (if necessary) an appeal before the national courts for the latter to proceed examination of the aforementioned validity, where a subject has activated the complaint procedure relating to the protection of their rights and freedoms with respect to the processing of personal data concerning them.[40]

 

End notes

[1] The issue of privacy was addressed for the first time in 1888, by Judge Thomas Cooley in a treatise on torts and delicts: (Thomas) COOLEY, A Treatise on the Law of Torts or the Wrongs which Arise Independent of Contract, Chicago, 1888, 29. In this treaty, privacy is defined as the right to be alone. Two years later, the same topic was explored by the lawyers (Samuel) WARREN and (Louis) BRANDEIS in the essay entitled The Right of Privacy, in HLR, 1890. For a reconstruction of the evolution of the concept of privacy in the United States, see BALDASSARRE, Privacy e Costituzione. L’esperienza statunitense, Roma, 1974, and RODOTÀ, Tecnologie e diritti, Bologna, 1995, 19.

[2] In 2010, Facebook founder Mark Zuckeberg predicted the end of privacy, arguing that people had lost all interest in protecting their personal sphere www.theguardian.com.

[3] In commenting on the results obtained by Facebook in the first quarter of 2016, the New York Times estimated that, with reference to the United States and Canada, the social network would have collected, for advertising, 11.86 dollars for each of its users. Another fact that allows us to represent the economic value achieved by personal information is given by the fact that the acquisition of the Whatsapp messaging service by Facebook cost 19 billion dollars, which corresponds to about 30 euros for each of its 450. millions of users. According to the report published in March 2014 by the European Data Protection Authority, Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy, the overall value of personal data disseminated on the Internet amounted to 300 billion euros. It was destined to triple by 2020.

[4] In June 2013, Edward Snowden, a former CIA contractor, publicly revealed to the international press the existence of the largest mass telecommunications surveillance program developed by the US government, the PRISM, hitherto kept secret.In this regard, see the article GREENWALD, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian, June 6, 2013, available on www.theguardian.com, and the article, published on the same date by the Washington Post,  NSA Slides Explain the PRISM Datacollection Program, available on www.washingtonpost.com. 

[5] On the differences in approach to the subject by the two continents, see BENNET, Regulating Privacy: Data Protection and Public Policy in Europe and the United States, Ithaca, 1992, and WHITMAN, The Two Western Cultures of Privacy: Dignity Versus Liberty, in Yale LJ, 2004, 1151 et seq.

[6] The Charter became legally binding in the EU with the entry into force of the Lisbon Treaty in December 2009, and now has the same legal value as the EU treaties. For a comment on the Charter, see BARBERA, La Carta europea dei diritti e la costituzione italiana, in Le libertà e i diritti nella prospettiva europea: studi in memoria di Paolo Barile, Padova, 2002, 108 et seq., and AA.VV., Carta dei diritti fondamentali dell’Unione europea, in POCAR, BARUFFI (a cura di), Commentario breve ai Trattati dell’Unione europea, Second Edition, Padova, 2014, 1651 et seq.

[7] Directive 95/46 / EC has been replaced by regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data. In doctrine, with reference to Directive 95/46 / EC, see DASSI, La direttiva del 24 ottobre 1995 sulla protezione dei dati e la direttiva 96/9/CE dell’11 marzo 1996 sulle banche dati, in Resp. civ. prev., 1997, 600 et seq.; see also DELFINO, La direttiva comunitaria 46/95 “Sulla protezione dei dati personali e sulla libera circolazione di tali dati”, in Contr. imp./Europa, 1996, 888.

[8] ATKINSON, The Fourth Amendment’s National Security Exception: Its History and Limits, in Vanderbilt L. Rev., 2013, 1343, 1381.

[9] The interpretation of this principle, provided by the Supreme Court of the United States of America, has proved to be progressively inclusive over the years: in fact, while in the 1928 case, Olmstead v. United States, 277 U.S. 438, the applicability of the Fourth Amendment was limited only to intrusions in physical places, in 1976, in Katz v. United States, 389 U.S. 347, this provision was also applied to wiretapping and electronic surveillance methods, considering that the aforementioned rule is intended to protect “people not places”.

[10] On the third party doctrine, see KERR, The Case for the Third-Party Doctrine, in Michigan LR, 2009, 561.

[11] On this topic, see BIGNAMI, RESTA, Transatlantic Privacy Regulation: Conflict and Cooperation, in LCP, 2015, 101.

[12] The Safe Harbor Principles system was made up of 7 general principles and 15 frequently asked questions (FAQs), which bound the American importer of personal data from the EU to the same essential obligations that Directive 94/46 / EC prescribes for European subjects that operate data processing, thus substantially exporting the European model of regulation of the right to privacy. The Safe Harbor Principles mechanism was based on a self-certification system that allowed the US company to import personal data from the European Union, declaring to the Department of Commerce its adherence to the Safe Harbor principles.

[13] 50 USC 1861 − Access to Certain Business Records for Foreign Intelligence and International Terrorism Investigations.

[14] For a commentary on the judgment, see IRION, The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling Off the EU Legislator and Teaching a Lesson in Privacy and Data Protection, in ELR, 2014, 835.

[15] Council of the European Union, Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, document number 9831/08 dated May 28, 2008, available at: www.europarl.europa.eu.

[16] Report on the Findings by the EU Co-chairs of the ad hoc EU-U.S. Working Party on Data Protection, dated November  27, 2013; available at: ec.europa.eu.

[17] The Working Party for the protection of individuals with regard to the processing of personal data,  established by art. 29 of Directive 95/46 / EC, is an advisory and independent body, which includes a representative of the personal data protection authorities designated by each Member State, the EDPS (European Data Protection Supervisor), as well as a Commission. Among its most relevant tasks, it should be noted that art. 30, lett. c) of said directive assigns to the Working Party the role of advising the Commission, not only on any project to amend the directive itself, but also on any project of additional or specific measures to be taken for the purpose of protecting rights and freedom of individuals with regard to the processing of personal data, as well as with regard to any other draft Community measures affecting these rights and freedoms.

[18] The commitments of the Federal Trade Commission and the Department of Transport are contained, respectively, in Annex IV and V of the Privacy Shield.

[19] EO 12333: United States Intelligence Activities, Federal Register, vol. 40, n. 235 (8 dicembre 1981). The decree defines the purposes, guidelines, tasks and responsibilities of US intelligence in their activities (including the role of the various services of the intelligence community) and sets the general parameters for the conduct of such activities (in particular the need to adopt specific procedural rules).

[20] By signal intelligence (SIGINT) we mean the activity of collecting information through the interception and analysis of signals, both emitted between people and between machines, or a combination of the two. According to the US National Security Agency, SIGINT is intelligence derived from electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems; on this topic see www.nsa.gov.

[21] Security purposes include measures aimed at identifying and countering threats deriving from activities of espionage, terrorism, weapons of mass destruction, threats to cyber security, threats to the armed forces or military personnel and transnational criminal threats inherent to five other purposes.

[22] Through the National Security Letters, the Federal Bureau of Service can request a telecommunications service provider to transmit data relating to a person’s communications, without prior authorization from a judicial authority. On the FBI’s abuse of this investigation tool, see the article published on March 14, 2008 by the Washington Post, FBI Found to Misuse Security Letters, available at: www.washingtonpost.com.

[23] First, the executive power exercises substantial supervision over the intelligence activities conducted by the US authorities. Pursuant to PPD-28, the policies and procedures of the intelligence community services must provide for adequate measures to facilitate the supervision of the implementation of guarantees to protect personal information, including measures that provide for periodic checks.

To this end, there are various levels of supervision: Inspectors General, the Office for the Protection of Privacy and Civil Liberties of the Office of the National Director of Intelligence, the Authority for the Protection of Privacy and Civil Liberties and the Presidential Intelligence Supervisory Authority.

To facilitate the exercise of supervision, the services of the intelligence community develop IT systems that allow the monitoring, recording and verification of queries or other searches for personal information.

The supervisory and compliance control bodies periodically check the practices followed by the intelligence services to protect the personal information contained in the intelligence of the signals and compliance with the related procedures.

Secondly, in addition to the aforementioned supervisory mechanisms framed in the executive, the Congress of the United States of America, and more precisely the Justice and Intelligence commissions of the House of Representatives and the Senate, has supervisory powers on the activities of US-led external intelligence, including signal intelligence.

Moreover, the President ensures that the congressional commissions dealing with intelligence are kept perfectly informed and updated on the intelligence activities conducted by the US.

[24] More specifically, the law on computer fraud and abuse, the law on privacy in electronic communications, and the law on the right to financial privacy.

[25] See note 7.

[26] Mastracci, Evoluzione del Diritto alla Privacy tra Europa e Stati Uniti: dal Safe Harbor Al Privacy Shield,  La comunità Internazionale, 2016, Vol. LXXI, at 578.

[27] In the Conclusions European Parliament Resolution on the adequacy of the protection offered by the EU-US Privacy Shield (2018/2645 (RSP) the European Parliament states: “Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 25 May 2018, and with the EU Charter, so that adequacy should not lead to loopholes or competitive advantage for US companies; and “Deplores that the Commission and the competent US authorities did not restart discussions on the Privacy Shield arrangement and did not set up any action plan in order to address as soon as possible the deficiencies identified”.

[28] Charter of Fundamental Rights of the European Union, Article 7 – Respect for private and family life. Everyone has the right to respect for his or her private and family life, home and communications.

[29] Charter of Fundamental Rights of the European Union, Article 8 – Protection of personal data. 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with the rules shall be subject to control by an independent authority.

[30] Non potendo detto trasferimento rientrare tra le eccezioni ivi previste; see by analogy, as regards Article 3 (2) of Directive 95/46, judgment of 10 July 2018, Jehovan todistajat, C-25/17, EU: C: 2018 : 551, point 37.

[31] As confirmed by recital 104 of Regulation 679/16.

[32] Based on article 702 of the Foreign Intelligence Surveillance Act (FISA) and on the E.O. 12333.

[33] Letter dated June 21, 2016 Office of the Director of National Intelligence to the United States Department of Commerce and the Administration of International Trade, contained in Annex VI of the Privacy Shield decision.

[34] CJEU, judgment of 16 July 2016, Case c-311/18, par. 178.

[35] Already the Working Party art. 29 in the opinion of 13 April 2016 regarding the lack of independence of the figure of the Ombudsperson, expressed doubts, as well as on the lack of independence of the Ombudsperson, also on his powers of control, limited by the difficulty in having access to all the relevant information to express his assessment and by the lack of an effective taxing power vis-à-vis the intelligence authorities: «First of all, concerns exist as to whether the Ombudsperson can be considered (formally and fully) independent, especially due to the relative ease with which political appointees can be dismissed. Secondly, concerns remain regarding the powers of the Ombudsperson to exercise effective and continuous control. Based on the available information in Annex III, the WP29 cannot come to the conclusion that the Ombudsperson will at all times have direct access to all information, files and IT systems required to make his own assessment nor that he can really compel the intelligence agencies in charge to end any non-compliant data processing, certainly in case of disagreement over the question if the data processing is in compliance with the law or not».

[36] Provided pursuant to Annex A of Annex III of the Privacy Shield decision.

[37] See Conclusions of Advocate General Henrik Saugmandsgaard Øe, December 19, 2019, in Case C-311/18, par. 291, 292 and 297.

[38] This article provides that in the absence of an adequacy decision pursuant to Article 45 (3) or adequate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a combination of transfers of personal data to a third country or an international organization only for a series of conditions provided for in the same article.

[39] CJEU, judgment of 16 July 2016, Case c-311/18, paragraph 133.

[40] CJEU, judgment of 16 July 2016, Case c-311/18, paragraph 120.

Image credit: Getty Images Pro under Canva licence.