Data retention and national law: whatever the CJEU rules, data retention may still survive!

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Matthew White, Ph.D candidate, Sheffield Hallam University

Should governments be able to retain data on everyone’s use of the Internet and their phones – because it might arguably aid the fight against terrorism and serious crime? This ‘data retention’ issue raises fundamental questions about the balance between privacy and security, at both national and EU level. Initially, in the electronic privacy (e-Privacy) Directive, EU legislation set out an option for Member States to adopt data retention rules, as a derogation from the normal rule of confidentiality of communications in that Directive. Subsequently, in 2006, at the urging of the UK government in particular, the EU went a step further. It adopted the Data Retention Directive (DRD), which required telecom and Internet access providers to keep data on all use of the Internet and phones in case law enforcement authorities requested it.

However, on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that the latter Directive went too far. In its Digital Rights Ireland judgment (discussed here), that Court said that the EU’s Data Retention Directive (DRD) was invalid in light of a lack of compliance with the rights to privacy and data protection set out in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) (para 69 and 73). This left open an important question: what happens to national data retention laws? Can they also be challenged for breach of the EU Charter rights, on the grounds that they are linked to EU law (the derogation in the e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?

Instead of addressing this matter urgently, the United Kingdom government sat on its hands for a while and then unprecedentedly rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reaction to the Digital Rights Ireland ruling, giving the UK as a matter of national law the power to retain data that had been struck down by the CJEU as a matter of EU law.

In 2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a Conservative party backbencher) and others challenged s.1 of DRIPA 2014 arguing that the powers to obligate data retention on public telecommunication operators set out in that section of DRIPA did not sufficiently reflect what the CJEU ruled in Digital Rights Ireland. Although that CJEU ruling only applied to EU legislation, they argued that it also applied by analogy to national legislation on data retention, since such legislation fell within the scope of the option to retain communications data set out in the derogation in the e-Privacy Directive, and so was linked to EU law (and therefore covered by the Charter). Even though the e-Privacy Directive only related to publicly available electronic communications services (Article 3(1)), it is submitted that any extension of the definition of public telecommunications operator would fall within the Data Protection Directive, and thus the CFR would still apply. The High Court (HC) ruled in the claimants’ favour in Davis where an order was made for s.1 of DRIPA to be disapplied by the 31st of March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hopes that it would give Parliament sufficient time to come up with a CFR compliant data retention law (para 121).

The government appealed to the Court of Appeal (CoA) which took a radically different approach maintaining that ‘the CJEU in Digital Rights Ireland was not laying down definitive mandatory requirements in relation to retained communications data’ (para 106). But for the sake of caution, the CoA made a preliminary reference to the CJEU asking:

(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?

(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?

The CoA was not the only national court to make a preliminary reference to the CJEU on matters regarding data retention and the reach of Digital Rights Ireland. On the 4th May 2015, the Force was with Kammarrätten i Stockholm when it asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC [the electronic privacy Directive], taking account of Articles 7, 8 and 15(1) of the Charter?

If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and

security requirements are regulated as [described below under paragraphs 26-31],

and all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

The way in which the first question in Davis and Watson is asked doesn’t specify whether the general obligation applies to every service provider under the state’s jurisdiction or specific service providers to retain what they individually process. The assumption is the former as ‘all means of electronic communication and all traffic data without any distinctions’ implies a catch all to the relevant services. The Home Secretary (and indeed the government) may argue that if the CJEU rules in the negative (note that Article 15(1) of the e-Privacy Directive only applies to publicly available electronic communications services, thus the justification for retaining data from other services would have to be found in the Data Protection Directive (DPD)) it would mostly have affected cl.78 of the Investigatory Powers Bill (IPB) (currently before Parliament) which would grant the Secretary of State the power to issue retention notices on a telecommunications or any number of operators to retain for e.g. any or all data for 12 if the power in cl.1 of the draft Communications Data Bill (dCDB) had been replicated. The dCDB was a legislative measure introduced in 2012 to allow public authorities to keep up to date with the sophistication of e-Crime. Clause 1 maintained that:

1 Power to ensure or facilitate availability of data

(1) The Secretary of State may by order—

(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or

(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.

(2) An order under this section may, in particular—

(a) provide for—

(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,

(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators.

This measure was, however, abandoned because the Liberal Democrats (in the then Coalition Government) did not approve of the far-reaching nature of the proposal. In regards to cl.1, it clearly was a general power, as no distinction was made on who the obligation to retain may fall upon, and thus it is submitted that this power is analogous to the power which is the subject of the question being asked of the CJEU. Clause 78(1) of the IPB on the other hand, makes the distinction that a data retention notice may require a telecommunications operator to retain relevant communications data. Though there are two possible conflicts, the first, based on the assumption that the CJEU rules in the negative (to the first question) is cl.78(2)(a) and (b). This gives the Secretary of State the discretion to issue retention notices on any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators and then be classed as a general obligation.

Secondly, retention ‘without distinction’ or ‘exceptions’ may be important when it comes to traffic data pertaining to journalists, politicians, and the medical and legal professions. But because the reference doesn’t mention specific service providers it cannot be said with certainty how much this would affect cl.78(1) which doesn’t make distinctions or exceptions.

When it comes to limitations on data retention, there is at least one, which was first noted in s.1(5) of DRIPA 2014 which allowed for a 12 month maximum period of retention. This is replicated in cl.78(3) and takes on board the recommendation of the Advocate General’s opinion (AG) in Digital Rights Ireland (para 149).

The President of the CJEU felt it was desirable to combine both preliminary references. The questions of access by both the Swedish and UK courts do not directly affect the cl.78 issuing of retention notices (insofar that it at least doesn’t involve every telecommunications operator) nor does answering whether Article 7 and 8 was intended to extend beyond Article 8 ECHR jurisprudence. The security arrangements are dealt with by cl.81 (whether they are adequate is a different matter) and thus not relevant to the issuing of retention notices.

This, however, proceeds on the assumption that the CJEU will rule in the negative to the Swedish preliminary reference regarding retention being lawful for the purposes of access, because if it does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and that it must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was silent on this matter, and therefore for the meantime, it is understood that if the CJEU rules in the positive, cl.78 would not be affected as a matter of EU law.

On the matter of whether the HC or the CoA had interpreted Digital Rights Ireland correctly, it is important to highlight one of the justifications for the CoA conclusions. It maintained in relation to mandatory requirements, that in the opinion of the AG, he was at least, not looking for the Directive to provide detailed regulation (para 77). Yet the CoA failed to mention his conclusions, where it was stated that the DRD was invalid as a result of the absence of sufficient regulation of the guarantees governing access to (by limiting access, if not solely to judicial authorities, at least to independent authorities, or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary (para 127)) the data collected/retained and that the DRD should be suspended until the EU legislature adopts measures necessary to remedy the invalidity, but such measures must be adopted within a reasonable period (para 157-158). So at least in this regard the AG actually supports the stance of the HC (even though no reference was made on this point) and may therefore have had implications for the IPB (which does not require judicial or independent authorisation/review) in relation to access to communications data without a word from the CJEU.

Many thanks to Steve Peers for helpful comments on an earlier draft.

Digital security at a time of migration and terrorist crises: the Gordian knot of interconnecting databases

ORIGINAL PUBLISHED ON CDRE SITE (20 APRIL 2016)

by Pierre Berthelet, CDRE

The situation the European Union currently faces will have escaped no one. Whether it is the migration crisis or the terrorist crisis generated by the repeated attacks of 2015 and 2016, the remedy advocated by the Member States, through the Council and the European Council, is to further secure the external borders of the European Union.

Strengthened protection of those borders is the major issue in the fight against terrorism, whose agenda now clearly converges with European migration policy, as shown by the Commission communication of 6 April 2016 entitled ‘Stronger and smarter information systems for borders and security’. On this point the text very clearly affirms a ‘dynamic interconnection’ between police, migration and border management.

The current fear concerns, in particular, the phenomenon of Islamic State fighters arriving from Iraq and Syria. The Belgian counter-terrorism coordination body, OCAM, moreover stressed on 19 April 2016 a considerable risk of attack by these fighters, Europeans who left to wage Jihad in the Middle East and are returning battle-hardened (the so-called ‘returnees’ phenomenon).

New challenges, but old solutions, then. The observer cannot help but have an impression of déjà vu: the choices made in recent months by the Heads of State and Government, which inspired the orientations contained in this communication, resemble in many respects those of the European Councils of Laeken in 2001, Seville in 2002 and Thessaloniki in 2003. At the time, the Union was already confronted with the problems of terrorism and of migrants washing up on European shores. The counter-terrorism and migration agendas were then intertwined around securing the external borders to prevent any possible intrusion into the EU of Al-Qaeda agents hidden among the columns of migrants, thereby laying the foundations of the electronic borders project (smart borders).

Old solutions, but new challenges nonetheless. The communication of 6 April 2016, accompanied by a proposal for a regulation establishing the ‘Entry-Exit System’ (a revision of the earlier project presented in 2013, judged too costly by the Member States), marks a new episode in the creation of European electronic borders. It comes in the context of very current issues: the protection of the external borders, seen through the prism of the fight against terrorism, relates to two distinct problems, that of ‘foreign fighters’ (1) and that of document fraud (2).

In the first case, the aim is to control flows of outgoing travellers in order to stop these ‘foreign fighters’, that is, young Europeans wishing to leave to wage Jihad in the Middle East. In the second case, the aim is to control population flows, most of them fleeing the war in that region. In reality, these two problems overlap, because document fraud concerns the checking of the travel documents carried by flows of travellers, including the irregular migrants gathered in the hotspots. It also relates to the identification of ‘foreign fighters’ crossing the Schengen borders with false papers. The solutions put forward involve, in both cases, better deployment of databases and greater interconnection between them (3).

Analysing how the Union strives to respond to these two distinct but intersecting problems is instructive. The response takes a common form, recourse to digital security, that is, increased use of information and communication systems, echoing the digitalisation of social life observable in other sectors in the Big Data era, such as digital health. The secondary problems, document fraud and foreign fighters, lie at the heart of resolving the migration and terrorist crises, which are themselves closely interwoven. In this respect an immigration-terrorism entanglement is taking place, in a context where capacities for horizontal crisis management, that is, for managing polycrises, are being built.

The interoperability of information systems thus becomes a central, even crucial, issue, because the effective protection of the Union depends on its success. Digital security, an archetypal expression of technological solutionism, constitutes a Gordian knot in the sense that the fate of the fight against terrorism depends on the success of the interoperability of information systems, whether they serve security or migration purposes, the two now appearing intertwined.

1. Locking the borders to solve the problem of foreign fighters


(Legislative Alert) : The EU Directive on Passenger Name Record (PNR)

DIRECTIVE (EU) 2016/… OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular point (d) of Article 82(1) and point (a) of Article 87(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee[1],

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure[2],

Whereas:

(1) On 6 November 2007 the Commission adopted a proposal for a Council Framework Decision on the use of passenger name record (PNR) data for law enforcement purposes. However, upon entry into force of the Treaty of Lisbon on 1 December 2009, the Commission proposal, which had not been adopted by the Council by that date, became obsolete.

The Commission’s draft EU-US Privacy Shield adequacy decision: A Shield for Transatlantic Privacy or Nothing New under the Sun?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS 

by Dr. Maria Tzanou (Lecturer in Law, Keele University)

On 6 October 2015, in its judgment in Schrems, the CJEU invalidated the Commission’s decision finding that the US ensured an adequate level of protection for the transfer of personal data under the Safe Harbour framework on the basis that US mass electronic surveillance violated the essence of the fundamental right to privacy guaranteed in Article 7 EUCFR and the right to effective judicial protection, enshrined in Article 47 EUCFR (for an analysis of the judgment, see here).

On 2 February 2016, the Commission announced that a political agreement was reached on a new framework for transatlantic data flows, the EU-US Privacy Shield, which will replace the annulled Safe Harbour. On 29 February 2016, the Commission published a draft Privacy Shield adequacy decision followed by seven Annexes that contain the US government’s written commitments on the enforcement of the arrangement. The Annexes include the following assurances from the US:
Annex I, a letter from the International Trade Administration of the Department of Commerce, which administers the programme, describing the commitments that it has made to ensure that the Privacy Shield operates effectively;
Annex II, the EU-US Privacy Shield Framework Principles;
Annex III, a letter from the US Department of State and accompanying memorandum describing the State Department’s commitment to establish a Privacy Shield Ombudsperson for submission of inquiries regarding the US’ intelligence practices;
Annex IV, a letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield;
Annex V, a letter from the Department of Transportation describing its enforcement of the Privacy Shield;
Annex VI, a letter prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to US national security authorities; and,
Annex VII, a letter prepared by the US Department of Justice regarding safeguards and limitations on US Government access for law enforcement and public interest purposes.

Similar to its predecessor, Privacy Shield is based on a system of self-certification by which US companies commit to a set of privacy principles. However, unlike Safe Harbour, the draft Privacy Shield decision includes a section on the ‘access and use of personal data transferred under the EU-US Privacy Shield by US public authorities’ (para 75). In this, the Commission concludes that ‘there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the US to what is strictly necessary to achieve the legitimate objective.’ This conclusion is based on the assurances provided by the Office of the Director of National Surveillance (ODNI) (Annex VI), the US Department of Justice (Annex VII) and the US Secretary of State (Annex III), which describe the current limitations, oversight and opportunities for judicial redress under the US surveillance programmes. In particular, the Commission employs four main arguments arising from these letters to reach its adequacy conclusion:

Firstly, US surveillance prioritises targeted collection of personal data, while bulk collection is limited to exceptional situations where targeted collection is not possible for technical or operational reasons (this captures the essence of the principles of necessity and proportionality, according to the Commission).

Secondly, US intelligence activities are subject to ‘extensive oversight from within the executive branch’ and to some extent from courts such as the Foreign Intelligence Surveillance Court (FISC).

Thirdly, three main avenues of redress are available under US law to EU data subjects depending on the complaint they want to raise: interference under the Foreign Intelligence Surveillance Act (FISA); unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA).

Fourthly, a new mechanism will be created under the Privacy Shield, namely the Privacy Shield Ombudsperson who will be a Senior Coordinator (at the level of Under-Secretary) in the State Department in order to guarantee that individual complaints are investigated and individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied.

The draft Privacy Shield framework may have been hailed as providing an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the US, but despite the plethora of privacy-friendly words (‘Privacy Shield’, ‘robust obligations’, ‘clear limitations and safeguards’) one cannot be very optimistic that the new regime will fully comply with the Court’s judgment in Schrems.

A first problematic aspect with the US assurances is that they merely describe the US surveillance legal framework and the relevant safeguards that already exist.

In fact, the only changes that were introduced in the US following the Snowden revelations were the issuance of Presidential Policy Directive 28 (PPD-28) (in January 2014) which lays down a number of principles on the use of signal intelligence data for all people; and the passing of the USA Freedom Act which modified certain US surveillance programmes and put an end to the mass collection of Americans’ phone records by the NSA (in June 2015).

Finally, in February 2016, the US Congress passed the Judicial Redress Act which was signed into law by President Obama. Given that one can reasonably assume that the Court was aware of these developments when laying down its judgment in Schrems in October 2015, it seems that, with the exception of the Ombudsperson, Privacy Shield does not change much in US surveillance law. In fact, the Commission has entirely based its draft adequacy analysis on a mere detailed description of this law without any further commitment that this will improve in any way in order to comply with EU fundamental rights as interpreted by the CJEU.

While the assurance that US surveillance is mainly targeted and does not take place in bulk is important, there is no reference to the fact that US authorities access the content of the personal data that was deemed to violate the essence of the right to privacy in Schrems.

Furthermore, even if the US authorities engage only in targeted surveillance, the CJEU has held in Digital Rights Ireland that the mere retention of private-sector data for the purpose of making them available to national authorities affects Articles 7 and 8 EUCFR and might have a chilling effect on the use by subscribers of platforms of communication, such as Facebook or Google and, consequently, on their exercise of freedom of expression guaranteed by Article 11 EUCFR.

Individuals, when faced with surveillance, cannot know when they are targeted; nevertheless, the possibility of being the object of surveillance has an effect on the way they behave. Insofar as Article 47 EUCFR and the right to effective judicial protection is concerned, the Commission itself notes in its draft adequacy decision that the avenues of redress provided to EU citizens do not cover all the legal bases that US intelligence authorities may use and the individuals’ opportunities to challenge FISA are very limited due to strict standing requirements.

The creation of the Ombudsperson with the important function of ensuring individual redress and independent oversight should be welcomed as the main addition of the draft Privacy Shield. Individuals will be able to access the Privacy Shield Ombudsperson without having to demonstrate that their personal data has in fact been accessed by the US intelligence activities and the Ombudsperson, who will be carrying out his functions independently from instructions by the US Intelligence Community, will be able to rely on the US oversight and review mechanisms.

However, there are several limitations to the function of the Privacy Shield Ombudsperson. First, the procedure for accessing the Ombudsperson is not as straightforward as lodging a complaint before a national Data Protection Authority (DPA). Individuals have to submit their requests initially to the Member States’ bodies competent for the oversight of national security services and, eventually a centralised EU individual complaint handling body that will channel them to the Privacy Shield Ombudsperson if they are deemed ‘complete’. In terms of the outcome of the Ombudsperson’s investigation, the Ombudsperson will provide a response to the submitting EU individual complaint handling body (who will then communicate with the individual) confirming (i) that the complaint has been properly investigated, and (ii) that the US law has been complied with, or, in the event of non-compliance, such non-compliance has been remedied. However, the Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Ombudsperson confirm the specific remedy that was applied.

Finally, Annex III stipulates that commitments in the Ombudsperson’s Memorandum will not apply to general claims that the EU-US Privacy Shield is inconsistent with EU data protection requirements. In the light of the above, the Privacy Shield Ombudsperson does not seem to provide the redress guarantees of a supervisory authority such as the DPAs as the AG had asked in his Opinion in Schrems.

Draft Privacy Shield is problematic for another reason as well: it puts together the regulative framework for commercial transactions with the regulation for law enforcement access to private sector data. These are, however, different issues and they should be dealt with separately. It is important to encourage and facilitate transborder trade, thus flexible mechanisms allowing for undertakings’ self-compliance with data protection principles should continue to apply. But the challenges of online surveillance on fundamental rights are too serious to be covered by the same regime and some ‘assurances’ that essentially describe the current US law.

Two solutions could possibly deal with this problem: either the US adheres to the Council of Europe Convention No. 108 and abandons the distinction between US and EU citizens regarding rights to redress or a transatlantic privacy and data protection framework that ensures a high level of protection of fundamental rights and the transparency and accountability of transnational counter-terrorism operations (the so-called ‘umbrella agreement’) is adopted. Regrettably, the current form of the umbrella agreement is very problematic as to its compatibility with EU data protection standards, or even human rights standards in general, and, therefore, does not seem to provide an effective solution to the issue.

A recently leaked document reveals that the Article 29 Working Party has difficulties in reaching an overall conclusion on the Commission’s draft adequacy decision and supports the view that Privacy Shield does not fully comply with the essential guarantees for the transfer of personal data from the EU to the US for intelligence activities.

Should the Commission nevertheless decide to proceed with the current draft, it is highly possible that the CJEU will be called in the future to judge the adequacy of Privacy Shield in a Schrems 2 line of cases.

(Legislative Alert) Data Protection : the draft Directive covering public security policies

ORIGINAL TEXT ACCESSIBLE IN ALL EU LANGUAGES ON THE EU COUNCIL SITE 

Nota bene : the text below is the Council “position” which will be adopted in the coming hours by written procedure by the Coreper and sent to the EP for the second reading (currently foreseen for the APRIL  session plenary together with the EU  General Regulation on data protection and the draft Directive on the so called “EU PNR”). For the time being these passages foreseen by art. 294 TFEU are seen by the institutions as mere formalities as an “informal” agreement on the draft Council Position has already been reached on December 17/18 with an “informal” vote of the relevant Parliamentary committee (LIBE).

Following the “informal” practice of interinstitutional “early agreements” the Chairman of the Parliamentary Committee has already informed the Council that no amendments will be submitted by LIBE when the text of the Council position will be formally submitted to the EP. Therefore since last December the text below has already been revised from the Jurist linguists so that it can be published on the official Journal maybe already in May or June after the formal vote of the EP and the final adoption by the Council as well as the signature of the EP and Council Presidents.

Below the text of the Council Position as well as of the Statement of reasons which according to the Treaty  should explain to the EP why the text is different from the one voted by the latter. Again this has become a pure formality as the EP has already negotiated with the Council the amendments to the original Commission Proposal. One can guess if the loser of this “informal” way of proceeding where a “Position” of an institution is already a consolidated compromise is the ordinary European citizen who has no real means to understand who between the EP and the Council should be taken accountable for the different choices made to reach the “compromise”. 

Comments on the content of the “Council Position” below will follow

EDC 

(Draft) Statement of the Council’s reasons on the Position of the Council on DIRECTIVE (EU) 2016/… OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

INTRODUCTION

(Legislative Alert) Data Protection : the new EU general Regulation

ORIGINAL TEXT ACCESSIBLE IN ALL EU LANGUAGES ON THE EU COUNCIL SITE 

Nota bene: the text below is the Council “position” which will be adopted in the coming hours by written procedure by the Coreper and sent to the EP for the second reading (currently foreseen for the April plenary session, together with the EU Directive on data protection in the security sector and the draft Directive on the so-called “EU PNR”). For the time being, these steps foreseen by Art. 294 TFEU are seen by the institutions as mere formalities, as an “informal” agreement on the draft Council Position was already reached on December 17 with an “informal” vote of the relevant Parliamentary committee (LIBE).

Following the “informal” practice of interinstitutional “early agreements”, the Chairman of the Parliamentary Committee has already informed the Council that no amendments will be submitted by LIBE when the text of the Council position is formally submitted to the EP. Therefore, since last December the text below has already been revised by the jurist-linguists so that it can be published in the Official Journal, maybe already in May or June, after the formal vote of the EP and the final adoption by the Council as well as the signature of the EP and Council Presidents.

Below is the text of the Council Position as well as of the Statement of reasons which, according to the Treaty, should explain to the EP why the text is different from the one voted by the latter. Again, this has become a pure formality, as the EP has already negotiated with the Council the amendments to the original Commission Proposal. One may wonder whether the loser of this “informal” way of proceeding, where a “Position” of an institution is already a consolidated compromise, is the ordinary European citizen, who has no real means to understand who between the EP and the Council should be held accountable for the different choices made to reach the “compromise”.

Comments on the content of the “Council Position” below will follow

EDC 

(Draft) Statement of the Council’s reasons on the Position of the Council at first reading with a view to the adoption of a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)


“EU-US Privacy Shield” : Towards a new Schrems 2.0 Case ? 

NOTA BENE : This is not a final version (San Francisco, April 3rd 2016)

By Max SCHREMS

INTRO

In the past weeks I was repeatedly asked by policy makers, MEPs, DPAs and interested lawyers and individuals for a written summary of my assessment of the proposed “Privacy Shield” system. This document is a quick response to these requests. Due to the limited time it may contain some typos and minor errors.

The debate on “Privacy Shield” is ongoing and a full proper academic review of the more than 120 page draft Commission decision, in the context of the European and US laws and decisions, is a substantive project outside of the scope of this document, which was written as a citizen over the course of a weekend. This document can therefore only highlight some potential issues identified in an initial examination of the proposed “Privacy Shield” and does not constitute a final or deep review.

The European Commission and the US government, as well as some lobby groups, have extensively promoted the positive sides of “Privacy Shield” and the improvements compared to the previous “Safe Harbor” system. I will not repeat these points in this document. Instead this document focuses on possible problems, shortcomings and issues of the proposed system, to allow an overall balanced view.

The level of knowledge varies between persons requesting this document. Unfortunately this means that some elements may be irrelevant, too generalized or explained in very simple terms for experts in the field of data protection and/or EU law.

In the following comments I am primarily (but not exclusively) focusing on a legal analysis. As an initial political comment, I would therefore like to highlight that I am of the view that the EU and the US should reach an agreement that replaces “Safe Harbor”. The aim of case C-362/14 was to create a situation where the political leaders on both sides of the Atlantic have to work towards a new deal that remedies the obvious problems disclosed by Snowden. I unfortunately feel that the current policy makers within the European Commission have not seen this situation as an opportunity to work towards an improved framework that would protect the fundamental right to privacy, but instead as a problem, that shall now be swept under the rug.

1. PRIVATE SECTOR / PRIVACY SHIELD PRINCIPLES