EU data protection authorities, the Article 29 Working Party (WP), have issued a comprehensive analysis of the proposed EU-US data transfer agreement. Privacy Shield, as it’s known, would replace the Safe Harbor agreement struck down by the Court of Justice of the European Union (CJEU) in Schrems. Since the CJEU in Schrems relied heavily on the WP’s earlier critical assessment of Safe Harbor, the WP’s take on Privacy Shield has been eagerly anticipated. The good news about the WP’s analysis is that the gap between its views and the proposed agreement may be bridgeable, despite the WP’s concerns with both the substance and procedure of US surveillance practices and oversight. The bad news is that bridging that gap may require changes to section 702 of the FISA Amendments Act, as well as rethinking of the State Department Ombudsperson position that Privacy Shield relies on for oversight of US surveillance.
The WP repeatedly praises the improvements made in Privacy Shield, and recognizes the panoply of protections provided under US law, including the review of government certifications by the Foreign Intelligence Surveillance Court (FISC). The WP’s careful analysis of US law represents a major evolution in the transatlantic dialogue about surveillance practices. That step in turn reflects the serious efforts undertaken by US intelligence community officials to educate EU officials about the safeguards in US law, including the protections in place as a result of the process initiated by President Obama’s Presidential Policy Directive 28 (PPD-28).
Yet dialogue is not unconditional approval, and the WP’s analysis also reflects ongoing concerns. (For a cogent analysis of related concerns by a US privacy advocate, see Faiza Patel’s analysis here.) On the substantive side, the WP expresses lingering anxiety that US surveillance will be “indiscriminate.” PPD-28’s limitations on bulk collection, including its enumeration of purposes of surveillance such as combatting terrorism and proliferation of WMDs, do not wholly alleviate those anxieties. In particular, the WP singles out a subject noted by Tim Edgar here: section 702’s definition of foreign intelligence information as including matters relating to the “foreign affairs” of the United States. Although, earlier, I had questioned Tim’s emphasis on this provision, the WP’s concerns suggest that he may be right. U.S. officials maintain that section 702 does not entail bulk collection, since collection under this provision is based on specific selectors. However, the WP observed that section 702’s text did not require the use of selectors, or provide any standards for choosing selection terms. That absence of statutory direction highlights the amorphous character of section 702’s “foreign affairs” authority.
To deal with the “uncertainty” that the WP attaches to the scope of surveillance permitted by this provision, Congress may wish to further cabin the “foreign affairs” prong of section 702 surveillance when it takes up reauthorization of the statute in 2017. As an alternative, the US intelligence community may wish to publicly convey to the EU a limiting interpretation of the “foreign affairs” prong.
On the procedural side, the WP doubts the independence of the State Department Ombudsperson designated as furnishing oversight under Privacy Shield. (See my analysis here.) The WP notes correctly that the Ombudsperson will serve at the President’s pleasure, as do other political appointees at cabinet departments. Moreover, the WP observes, the Privacy Shield agreement does not specify the powers of the Ombudsperson, including access to evidence and authority to bind the US intelligence community. In addition, the WP suggests that the current mechanism for forwarding EU residents’ privacy complaints to the Ombudsperson is inadequate; the best approach, according to the WP, is to lodge this responsibility with the authors of the WP analysis: EU data protection authorities. At first blush, this suggestion might seem self-serving; however, EU data regulators’ experience with privacy issues makes them logical candidates for this role.
While the WP’s complaint-forwarding recommendation might be an easy fix, creating a new, truly independent position in the executive branch may be difficult, because of the need for congressional buy-in. Another option is a larger oversight role for the Privacy and Civil Liberties Oversight Board (PCLOB), which the WP singles out for special praise. The WP commends the PCLOB for its willingness to disagree with the President of the United States on the domestic bulk collection of metadata, which has now been taken out of government hands by the USA Freedom Act. As the WP observes, the PCLOB has the statutory responsibility to “ensure that liberty concerns are appropriately considered” in US counterterrorism laws, rules, and policies. Furthermore, Congress established the PCLOB as an independent agency within the executive branch. These attributes seem well-tailored to the WP’s prescriptions. Perhaps US negotiators, who have already recognized that the Ombudsperson will work closely with the PCLOB, should designate the PCLOB for a more central oversight role. That role would be a departure for the PCLOB, but would dovetail with the statute establishing the Board. Moreover, that move would not require additional legislative action—a major plus in this era of gridlock.
In short, US movement on the section 702 “foreign affairs” prong and bolstering of independent oversight would signal engagement with the WP’s serious study. Moves in this direction could well bring the WP on board. Alternatively, the US and the European Commission might proceed without the WP’s blessing. But that path is perilous, given the CJEU’s reliance on the WP’s verdict. A data sharing agreement that cannot win CJEU approval will ultimately send the EU and the US back to the drawing board. EU-US data transfers are too important for such a protracted exercise in futility. In the long term, accepting the WP’s invitation to dialogue is the wiser course.