On 2 February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (see IP/16/216). The Commission presented the draft decision texts on 29 February 2016. Following the opinion of the Article 29 Working Party (the EU data protection authorities) of 13 April and the European Parliament resolution of 26 May, the Commission finalised the adoption procedure on 12 July 2016.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law.
The Privacy Shield programme, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organisations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organisation must self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organisation makes the public commitment to comply with the Framework’s requirements, that commitment becomes enforceable under U.S. law. All organisations interested in joining the Privacy Shield Framework should review its requirements in their entirety.
The new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
The EU-U.S. Privacy Shield is based on the following principles:
Since presenting the draft Privacy Shield in February, the Commission has drawn on the opinions of the European data protection authorities (Art. 29 working party) and the European Data Protection Supervisor, and the resolution of the European Parliament to include a number of additional clarifications and improvements. The European Commission and the U.S. notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers.
The “adequacy decision” will be notified today to the Member States and thereby enter into force immediately. On the U.S. side, the Privacy Shield framework will be published in the Federal Register, the equivalent of the EU’s Official Journal. The U.S. Department of Commerce will start operating the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, they will be able to certify with the Commerce Department starting 1 August. In parallel, the Commission will publish a short guide for citizens explaining the remedies available to an individual who considers that their personal data has been used in breach of the data protection rules.
The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling of 6 October 2015, which declared the old Safe Harbour framework invalid. (The Privacy Shield adequacy decision was itself later declared invalid by the Court in Case C-311/18, Schrems II, on 16 July 2020.)
In today’s Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner the Court rules that, whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
The Data Protection Directive (1) provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (“national supervisory authorities”).
Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the “Data Protection Commissioner”), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services, in particular the National Security Agency (the “NSA”), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 (2) the Commission considered that, under the “safe harbour” scheme (3), the United States ensures an adequate level of protection of the personal data transferred (the “Safe Harbour Decision”).
The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.
In its Judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.
The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.
The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.
Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.
The Court considers that that analysis of the scheme is borne out by two Commission communications (4) according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.
For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
(2) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
(3) The safe harbour scheme includes a series of principles concerning the protection of personal data to which United States undertakings may subscribe voluntarily.
(4) Communication from the Commission to the European Parliament and the Council entitled “Rebuilding Trust in EU-US Data Flows” (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU (COM(2013) 847 final, 27 November 2013).
In July 2014, the International Organization for Standardization (“ISO”) and International Electrotechnical Commission (“IEC”) published ISO/IEC 27018 (ISO 27018), a code of practice that sets forth standards and guidelines pertaining to the protection of data consisting of “personally identifiable information” processed by public cloud service providers.
ISO/IEC 27018 is the first International Standard that focuses on protection of personal data in the cloud. Although only a few months old, the new standard should finally give cloud users confidence that their service provider is well-placed to keep data private and secure.
ISO/IEC 27018 specifies certain minimum types of security measures that cloud providers should adopt, if applicable, including encryption and access controls. The cloud standard also requires cloud providers to implement security awareness policies and make relevant staff aware of the potential consequences (for staff, the cloud provider and the customer) of breaching privacy and security rules.
As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC 27018 has the following key objectives:
ISO/IEC 27018 provides a practical basis for building confidence in the cloud industry. At the same time, the public cloud industry gains clear guidance on how to meet some of the legal and regulatory concerns of its clients.
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect “personally identifiable information” in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of “personally identifiable information” which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as “personally identifiable information” processors via cloud computing under contract to other organizations.
The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as “personally identifiable information” controllers; however, “personally identifiable information” controllers can be subject to additional “personally identifiable information” protection legislation, regulations and obligations, not applying to “personally identifiable information” processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
As a guiding principle, the ISO/IEC 27018 standards and guidelines preserve the cloud service customer’s authority to determine the scope of any use and handling of its “personally identifiable information”. The following controls and implementation guidelines are set forth in ISO/IEC 27018 as generally applicable to cloud service providers processing “personally identifiable information”:
The Safe Harbour scheme, negotiated during the tech boom of the late 1990s and in force since 2000, allows US companies to satisfy EU rules by signing up to a self-certification scheme supervised by the US Federal Trade Commission. It rests on the premise that companies adhering to its principles provide protection for personal data that is adequate by EU standards.
Viviane Reding, the commissioner overseeing data protection, said that her office had begun an assessment of the “Safe Harbour” scheme used by Google and Facebook, as well as thousands of smaller US tech companies.
The Safe Harbor agreement between the EU and US is under review as it may be a “loophole” for data transfers to take place at a lower standard of data protection than EU law permits, the European Commission has said.
The European Union has therefore launched a review of the U.S. Department of Commerce’s Safe Harbor agreement. The review comes in the wake of PRISM, the US National Security Agency’s data collection programme. Safe Harbor is a voluntary programme under which U.S.-based companies may receive personal data transferred from the EU.
The EU argues that the Safe Harbor programme may contain “loopholes” that allow companies to skirt EU data privacy rules. The International Trade Administration (ITA) acknowledges the “criticisms” but disagrees, saying that the programme operates within its framework. Safe Harbor is based on the EU Data Protection Directive and, as the ITA notes, its principles are limited where national security or defence matters are in question.
EU officials would like to review Safe Harbor for compatibility with new EU laws on data protection. While the U.S. is open to discussions on Safe Harbor, it is not likely that they will tighten any restrictions on it.
At issue is the reach of the draft EU legislation. It would require non-European companies to comply with EU laws in full when serving European customers – something that US officials argue is extraterritorial. It would also allow Brussels to fine companies that did not comply up to 2 per cent of their total annual turnover.
In his Opinion in Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González, the Advocate General considers that search engine service providers are not responsible, on the basis of the Data Protection Directive, for personal data appearing on the web pages they process. (The Court’s judgment of 13 May 2014 in the same case did not follow the Opinion on these points: it held that the search engine operator is a controller and that a data subject may, under certain conditions, require the removal of links from search results for his name.)
In early 1998, a newspaper widely circulated in Spain published in its printed edition two announcements concerning a real-estate auction connected with attachment proceedings prompted by social security debts. A person was mentioned as the owner. At a later date an electronic version of the newspaper was made available online by its publisher.
In November 2009 this person contacted the publisher of the newspaper asserting that, when his name and surnames were entered in the Google search engine, a reference appeared linking to pages of the newspaper with these announcements. He argued that the proceedings had been concluded and resolved many years earlier and were now of no relevance. The publisher replied that erasure of his data was not appropriate, given that the publication was effected by order of the Spanish Ministry of Labour and Social Affairs.
In February 2010, he contacted Google Spain and requested that the search results show no links to the newspaper when his name and surnames were entered into Google search engine. Google Spain forwarded the request to Google Inc., whose registered office is in California, United States, taking the view that the latter was the undertaking providing the internet search service.
Thereafter he lodged a complaint with the Agencia Española de Protección de Datos (Spanish Data Protection Agency, AEPD) against the publisher and Google. By a decision of 30 July 2010, the Director of the AEPD upheld the complaint against Google Spain and Google Inc., calling on them to withdraw the data from their index and to render future access to them impossible. The complaint against the publisher was rejected, however, because publication of the data in the press was legally justified. Google Inc. and Google Spain have brought two appeals before the Audiencia Nacional (National High Court, Spain), seeking annulment of the AEPD decision. In this context, the Spanish court has referred a series of questions to the Court of Justice.
In today’s Opinion, Advocate General Niilo Jääskinen addresses first the question of the territorial scope of the application of national data protection legislation. The primary factor that gives rise to its application is the processing of personal data carried out in the context of the activities of an establishment of the controller (according to the Data Protection Directive, the “controller” is the person or body which alone or jointly with others determines the purposes and means of the processing of personal data) on the territory of the Member State. However, Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts merely as commercial representative of Google for its advertising functions. In this capacity it has taken responsibility for the processing of personal data relating to its Spanish advertising customers.
The Advocate General considers that this question should be examined taking into account the business model of internet search engine providers. This normally relies on keyword advertising which is the source of income and the reason for the provision of a free information location tool. The entity in charge of keyword advertising is linked to the internet search engine. This entity needs a presence on national advertising markets and that is why Google has established subsidiaries in many Member States. Hence, in his view, it must be considered that an establishment processes personal data if it is linked to a service involved in selling targeted advertising to inhabitants of a Member State, even if the technical data processing operations are situated in other Member States or third countries. Therefore, Mr Jääskinen proposes that the Court declare that processing of personal data takes place within the context of a controller’s establishment and, therefore, that national data protection legislation is applicable to a search engine provider when it sets up in a Member State, for the promotion and sale of advertising space on the search engine, an office which orientates its activity towards the inhabitants of that State.
Secondly, as for the legal position of Google as an internet search engine provider, Mr Jääskinen recalls that, when the Directive was adopted in 1995, the Internet and search engines were new phenomena and their current development was not foreseen by the Community legislator. He takes the view that Google is not generally to be considered as a “controller” of the personal data appearing on web pages it processes, who, according to the Directive, would be responsible for compliance with data protection rules. In effect, provision of an information location tool does not imply any control over the content included on third party web pages. It does not even enable the internet search engine provider to distinguish between personal data in the sense of the Directive, which relates to an identifiable living natural person, and other data. In his opinion, the internet search engine provider cannot in law or in fact fulfil the obligations of the controller provided in the Directive in relation to personal data on source web pages hosted on third party servers.
Therefore, a national data protection authority cannot require an internet search engine service provider to withdraw information from its index except in cases where this service provider has not complied with the exclusion codes or where a request emanating from a website regarding an update of cache memory has not been complied with. This scenario does not seem pertinent in the present case. A possible “notice and take down procedure” concerning links to source web pages with illegal or inappropriate content is a matter for national civil liability law based on grounds other than data protection.
Thirdly, the Directive does not establish a general “right to be forgotten”. Such a right cannot therefore be invoked against search engine service providers on the basis of the Directive, even when it is interpreted in accordance with the Charter of Fundamental Rights of the European Union (in particular, the rights of respect for private and family life under Article 7 and protection of personal data under Article 8 versus freedom of expression and information under Article 11 and freedom to conduct a business under Article 16).
The rights to rectification, erasure and blocking of data provided in the Directive concern data whose processing does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data. This does not seem to be the case in the current proceedings.
The Directive also grants any person the right to object at any time, on compelling legitimate grounds relating to his particular situation, to the processing of data relating to him, save as otherwise provided by national legislation. However, the Advocate General considers that a subjective preference alone does not amount to a compelling legitimate ground and thus the Directive does not entitle a person to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests.
It is possible that the secondary liability of the search engine service providers under national law may lead to duties amounting to blocking access to third party websites with illegal content such as web pages infringing intellectual property rights or displaying libellous or criminal information. In contrast, requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression of the publisher of the web page. In his view, it would amount to censorship of his published content by a private party.
Cloud computing refers to IT services and resources – including infrastructure, platforms and software – which are provided to customers via the internet rather than by on-site installations of IT hardware and software (for a technical definition of cloud computing see the National Institute of Standards and Technology, NIST Special Publication 800-145).
Cloud computing allows companies to benefit from financial savings, from sharing costs with the other customers on the same cloud, and from efficiency gains, while their IT infrastructure is constantly upgraded and updated by the cloud computing provider.
Notwithstanding such benefits, cloud computing should be assessed in light of the risks it involves, among them security, performance, service availability, contractual remedies and supplier stability.
From an International Law perspective the key difference between traditional IT outsourcing and cloud computing is “where” the data resides or is processed as data may be dispersed across and stored in multiple data centers all over the world. Moreover, the use of a cloud platform can result in multiple copies of such data being stored in different locations. This is true even for a “private cloud” that is run by a single customer.
Corporate customers should bear in mind that cloud computing is vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, malware, denial-of-service attacks, or other attempts to harm the relevant systems. Data centres may be located in areas with a high risk of major earthquakes, may be subject to break-ins, sabotage and intentional acts of vandalism, and may suffer disruption if the operators of these facilities run into financial difficulties.
Above all, no system is fully redundant, and disaster recovery planning cannot account for every eventuality.
In addition, cloud computing products and services are highly technical and complex and may contain errors or vulnerabilities. Any errors or vulnerabilities in such products or services, or damage to or failure of such systems, could result in interruptions in the services, which could reduce revenues and profits, or damage the corporate brand. Finally, internet, technology, and media companies own large numbers of patents, copyrights, trademarks, and trade secrets and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights related to the cloud.
In light of the above, as corporate customers explore cloud computing as an IT outsourcing strategy, several legal issues must be carefully considered. The implications of outsourced data handling, contract terms and conditions, intellectual property rights and proper insurance coverage are among the key elements to be addressed from an International Law perspective. Carrying out due diligence on the proposed cloud vendor is therefore a crucial risk-mitigation step.
Among others, the following key issues shall be addressed: