Non-EU Use
Commission Implementing Decision (EU) 2016/1250
of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance)
EN
Official Journal of the European Union
L 207/1
COMMISSION IMPLEMENTING DECISION (EU) 2016/1250
of 12 July 2016
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield
(notified under document C(2016) 4176)
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,
After consulting the European Data Protection Supervisor (2),
1. INTRODUCTION
(1)
Directive 95/46/EC sets the rules for transfers of personal data from Member States to third countries to the extent that such transfers fall within its scope.
(2)
Article 1 of Directive 95/46/EC and recitals 2 and 10 in its preamble seek to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms (3).
(3)
The importance of both the fundamental right to respect for private life, guaranteed by Article 7, and the fundamental right to the protection of personal data, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union, has been emphasised in the case-law of the Court of Justice (4).
(4)
Pursuant to Article 25(1) of Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer. The Commission may find that a third country ensures such an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect the rights of individuals. In that case, and without prejudice to compliance with the national provisions adopted pursuant to other provisions of the Directive, personal data may be transferred from the Member States without additional guarantees being necessary.
(5)
Pursuant to Article 25(2) of Directive 95/46/EC, the level of data protection afforded by a third country should be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, including the rules of law, both general and sectoral, in force in the third country in question.
(6)
In Commission Decision 2000/520/EC (5), for the purposes of Article 25(2) of Directive 95/46/EC, the ‘Safe Harbour Privacy Principles’, implemented in accordance with the guidance provided by the so-called ‘Frequently Asked Questions’ issued by the U.S. Department of Commerce, were considered to ensure an adequate level of protection for personal data transferred from the Union to organisations established in the United States.
(7)
In its Communications COM(2013) 846 final (6) and COM(2013) 847 final of 27 November 2013 (7), the Commission considered that the fundamental basis of the Safe Harbour scheme had to be reviewed and strengthened in the context of a number of factors, including the exponential increase in data flows and their critical importance for the transatlantic economy, the rapid growth of the number of U.S. companies adhering to the Safe Harbour scheme and new information on the scale and scope of certain U.S. intelligence programs which raised questions as to the level of protection it could guarantee. In addition, the Commission identified a number of shortcomings and deficiencies in the Safe Harbour scheme.
(8)
Based on evidence gathered by the Commission, including information stemming from the work of the EU-U.S. Privacy Contact Group (8) and the information on U.S. intelligence programs received in the ad hoc EU-U.S. Working Group (9), the Commission formulated 13 recommendations for a review of the Safe Harbour scheme. These recommendations focused on strengthening the substantive privacy principles, increasing the transparency of U.S. self-certified companies’ privacy policies, better supervision, monitoring and enforcement by the U.S. authorities of compliance with those principles, the availability of affordable dispute resolution mechanisms, and the need to ensure that use of the national security exception provided in Decision 2000/520/EC is limited to an extent that is strictly necessary and proportionate.
(9)
In its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (10), the Court of Justice of the European Union declared Decision 2000/520/EC invalid. Without examining the content of the Safe Harbour Privacy Principles, the Court considered that the Commission had not stated in that decision that the United States in fact ‘ensured’ an adequate level of protection by reason of its domestic law or its international commitments (11).
(10)
In this regard, the Court of Justice explained that, while the term ‘adequate level of protection’ in Article 25(6) of Directive 95/46/EC does not mean a level of protection identical to that guaranteed in the EU legal order, it must be understood as requiring the third country to ensure a level of protection of fundamental rights and freedoms ‘essentially equivalent’ to that guaranteed within the Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights. Even though the means to which that third country has recourse, in this connection, may differ from the ones employed within the Union, those means must nevertheless prove, in practice, effective (12).
(11)
The Court of Justice criticised the lack of sufficient findings in Decision 2000/520/EC regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and the existence of effective legal protection against interference of that kind (13).
(12)
In 2014 the Commission had entered into talks with the U.S. authorities in order to discuss the strengthening of the Safe Harbour scheme in line with the 13 recommendations contained in Communication COM(2013) 847 final. After the judgment of the Court of Justice of the European Union in the Schrems case, these talks were intensified, with a view to a possible new adequacy decision which would meet the requirements of Article 25 of Directive 95/46/EC as interpreted by the Court of Justice. The documents which are annexed to this decision and will also be published in the U.S. Federal Register are the result of these discussions. The privacy principles (Annex II), together with the official representations and commitments by various U.S. authorities contained in the documents in Annexes I, III to VII, constitute the ‘EU-U.S. Privacy Shield’.
(13)
The Commission has carefully analysed U.S. law and practice, including these official representations and commitments. Based on the findings developed in recitals 136-140, the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.
2. THE ‘EU-U.S. PRIVACY SHIELD’
(14)
The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organisations commit to a set of privacy principles — the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles (hereinafter together: ‘the Principles’) — issued by the U.S. Department of Commerce and contained in Annex II to this decision. It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles (14).
(15)
Without prejudice to compliance with the national provisions adopted pursuant to Directive 95/46/EC, the present decision has the effect that transfers from a controller or processor in the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce and have committed to comply with them are allowed. The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation. (15) The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States (16).
(16)
The protection afforded to personal data by the Privacy Shield applies to any EU data subject (17) whose personal data have been transferred from the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce.
(17)
The Principles apply immediately upon certification. One exception relates to the Accountability for Onward Transfer Principle in a case where an organisation self-certifying to the Privacy Shield already has pre-existing commercial relationships with third parties. Given that it may take some time to bring those commercial relationships into conformity with the rules applicable under the Accountability for Onward Transfer Principle, the organisation will be obliged to do so as soon as possible, and in any event no later than nine months from self-certification (provided that this takes places in the first two months following the day when the Privacy Shield becomes effective). During this interim period, the organisation must apply the Notice and Choice Principle (thus allowing the EU data subject an opt-out) and, where personal data is transferred to a third party acting as an agent, must ensure that the latter provides at least the same level of protection as is required by the Principles (18). This transitional period provides a reasonable and appropriate balance between the respect for the fundamental right to data protection and the legitimate needs of businesses to have sufficient time to adapt to the new framework where this also depends on their commercial relationships with third parties.
(18)
The system will be administered and monitored by the Department of Commerce based on its commitments set out in the representations from the U.S. Secretary of Commerce (Annex I to this decision). With regard to the enforcement of the Principles, the Federal Trade Commission (FTC) and the Department of Transportation have made representations that are contained in Annex IV and Annex V to this decision.
2.1. Privacy Principles
(19)
As part of their self-certification under the EU-U.S. Privacy Shield, organisations have to commit to comply with the Principles (19).
(20)
Under the Notice Principle, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organisations to make public their privacy policies (reflecting the Principles) and to provide links to the Department of Commerce’s website (with further details on self-certification, the rights of data subjects and available recourse mechanisms), the Privacy Shield List (referred to in recital 30) and the website of an appropriate alternative dispute settlement provider.
(21)
Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject. Organisations must ensure that personal data is reliable for its intended use, accurate, complete and current.
(22)
Where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out). The Choice Principle does not supersede the express prohibition on incompatible processing (20). Special rules generally allowing for the opt-out ‘at any time’ from the use of personal data apply for direct marketing (21). In the case of sensitive data, organisations must normally obtain the data subject’s affirmative express consent (opt in).
(23)
Still under the Data Integrity and Purpose Limitation Principle, personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised. This obligation does not prevent Privacy Shield organisations to continue processing personal information for longer periods, but only for the time and to the extent such processing reasonably serves one of the following specific purposes: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. Longer retention of personal data for one of these purposes will be subject to the safeguards provided by the Principles.
(24)
Under the Security Principle, organisations creating, maintaining, using or disseminating personal data must take ‘reasonable and appropriate’ security measures, taking into account the risks involved in the processing and the nature of the data. In the case of sub-processing, organisations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.
(25)
Under the Access Principle (22), data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and have the data communicated within reasonable time. This right may only be restricted in exceptional circumstances; any denial of, or limitation to the right of access has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled. Data subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles. In areas where companies most likely resort to the automated processing of personal data to take decisions affecting the individual (e.g. credit lending, mortgage offers, employment), U.S. law offers specific protections against adverse decisions (23). These acts typically provide that individuals have the right to be informed of the specific reasons underlying the decision (e.g. the rejection of a credit), to dispute incomplete or inaccurate information (as well as reliance on unlawful factors), and to seek redress. These rules offer protections in the likely rather limited number of cases where automated decisions would be taken by the Privacy Shield organisation itself (24). Nevertheless, given the increasing use of automated processing (including profiling) as a basis for taking decisions affecting individuals in the modern digital economy, this is an area that needs to be closely monitored. In order to facilitate this monitoring, it has been agreed with the U.S. authorities that a dialogue on automated decision-making, including an exchange on the similarities and differences in the EU and U.S. approach in this regard, will be part of the first annual review as well as subsequent reviews as appropriate.
(26)
Under the Recourse, Enforcement and Liability Principle (25), participating organisations must provide robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Once an organisation has voluntarily decided to self-certify (26) under the EU-U.S. Privacy Shield, its effective compliance with the Principles is compulsory. To be allowed to continue to rely on the Privacy Shield to receive personal data from the Union, such organisation must annually re-certify its participation in the framework. Organisations must also take measures to verify (27) that their published privacy policies conform to the Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organisation’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing or random checks. In addition, the organisation must put in place an effective redress mechanism to deal with any complaints (see in this respect also recitals 43) and be subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or another U.S. authorised statutory body that will effectively ensure compliance with the Principles.
(27)
Special rules apply for so-called ‘onward transfers’, i.e. transfers of personal data from an organisation to a third party controller or processor, irrespective of whether the latter is located in the United States or a third country outside the United States (and the Union). The purpose of these rules is to ensure that the protections guaranteed to the personal data of EU data subjects will not be undermined, and cannot be circumvented, by passing them on to third parties. This is particularly relevant in more complex processing chains which are typical for today’s digital economy.
(28)
Under the Accountability for Onward Transfer Principle (28), any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group (29)) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles, which includes the requirement that the application of the Principles may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes (30). This should be read in conjunction with the Notice and, in the case of an onward transfer to a third party controller (31), with the Choice Principle, according to which data subjects must be informed (among others) about the type/identity of any third party recipient, the purpose of the onward transfer as well as the choice offered and can object (opt out) or, in the case of sensitive data, have to give ‘affirmative express consent’ (opt in) for onward transfers. In the light of the Data Integrity and Purpose Limitation Principle, the obligation to provide the same level of protection as guaranteed by the Principles presupposes that the third party may only process the personal information transmitted to it for purposes that are not incompatible with the purposes for which it was originally collected or subsequently authorised by the individual.
(29)
The obligation to provide the same level of protection as required by the Principles applies to any and all third parties involved in the processing of the data so transferred irrespective of their location (in the U.S. or another third country) as well as when the original third party recipient itself transfers those data to another third party recipient, for example, for sub-processing purposes. In all cases, the contract with the third party recipient must provide that the latter will notify the Privacy Shield organisation if it makes a determination that it can no longer meet this obligation. When such a determination is made, the processing by the third party will cease or other reasonable and appropriate steps have to be taken to remedy the situation (32). Where compliance problems arise in the (sub-) processing chain, the Privacy Shield organisation acting as the controller of the personal data will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability, as specified in the Recourse, Enforcement and Liability Principle. Additional protections apply in the case of an onward transfer to a third party agent (33).
2.2. Transparency, Administration and Oversight of the EU-U.S. Privacy Shield
(30)
The EU-U.S. Privacy Shield provides for oversight and enforcement mechanisms in order to verify and ensure that U.S. self-certified companies comply with the Principles and that any failure to comply is addressed. These mechanisms are set out in the Principles (Annex II) and the commitments undertaken by the Department of Commerce (Annex I), the FTC (Annex IV) and the Department of Transportation (Annex V).
(31)
To ensure the proper application of the EU-U.S. Privacy Shield, interested parties, such as data subjects, data exporters and the national Data Protection Authorities (DPAs), must be able to identify those organisations adhering to the Principles. To this end, the Department of Commerce has undertaken to maintain and make available to the public a list of organisations that have self-certified their adherence to the Principles and fall within the jurisdiction of at least one of the enforcement authorities referred to in Annexes I and II to this decision (‘Privacy Shield List’) (34). The Department of Commerce will update the list on the basis of an organisation’s annual re-certification submissions and whenever an organisation withdraws or is removed from the EU-U.S. Privacy Shield. It will also maintain and make available to the public an authoritative record of organisations that have been removed from the list, in each case identifying the reason for such removal. Finally, it will provide a link to the list of Privacy Shield-related FTC enforcement cases maintained on the FTC website.
(32)
The Department of Commerce will make both the Privacy Shield List and the re-certification submissions publicly available through a dedicated website. Self-certified organisations must in turn provide the Department’s web address for the Privacy Shield List. In addition, if available online, an organisation’s privacy policy must include a hyperlink to the Privacy Shield website as well as a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. The Department of Commerce will systematically verify, in the context of an organisation’s certification and re-certification to the framework, that its privacy policies conform to the Principles.
(33)
Organisations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List and must return or delete the personal data received under the EU-U.S. Privacy Shield. In other cases of removal, such as voluntary withdrawal from participation or failure to recertify, the organisation may retain such data if it affirms to the Department of Commerce on an annual basis its commitment to continue to apply the Principles or provides adequate protection for the personal data by another authorised means (e.g. by using a contract that fully reflects the requirements of the relevant standard contractual clauses approved by the Commission). In this case, an organisation has to identify a contact point within the organisation for all Privacy Shield-related questions.
(34)
The Department of Commerce will monitor organisations that are no longer members of the EU-U.S. Privacy Shield, either because they have voluntarily withdrawn or because their certification has lapsed, to verify whether they will return, delete or retain (35) the personal data received previously under the framework. If they retain these data, organisations are obliged to continue to apply the Principles to them. In cases where the Department of Commerce has removed organisations from the framework due to a persistent failure to comply with the Principles, it will ensure that those organisations return or delete the personal data they had received under the framework.
(35)
When an organisation leaves the EU-U.S. Privacy Shield for any reason, it must remove all public statements implying that it continues to participate in the EU-U.S. Privacy Shield or is entitled to its benefits, in particular any references to the EU-U.S. Privacy Shield in its published privacy policy. The Department of Commerce will search for and address false claims of participation in the framework, including by former members (36). Any misrepresentation to the general public by an organisation concerning its adherence to the Principles in the form of misleading statements or practices is subject to enforcement action by the FTC, Department of Transportation or other relevant U.S. enforcement authorities; misrepresentations to the Department of Commerce are enforceable under the False Statements Act (18 U.S.C. § 1001) (37).
(36)
The Department of Commerce will ex officio monitor any false claims of Privacy Shield participation or the improper use of the Privacy Shield certification mark, and DPAs can refer organisations for review to a dedicated contact point at the Department. When an organisation has withdrawn from the EU-U.S. Privacy Shield, fails to re-certify or is removed from the Privacy Shield List, the Department of Commerce will on an on-going basis verify that it has deleted from its published privacy policy any references to the Privacy Shield that imply its continued participation and, if it continues to make false claims, refer the matter to the FTC, Department of Transportation or other competent authority for possible enforcement action. It will also send questionnaires to organisations whose self-certifications lapse or that have voluntarily withdrawn from the EU-U.S. Privacy Shield to verify whether the organisation will return, delete or continue to apply the Privacy Principles to the personal data that they received while participating in the EU-U.S. Privacy Shield and, if personal data are to be retained, verify who within the organisation will serve as an ongoing contact point for Privacy Shield-related questions.
(37)
On an ongoing basis, the Department of Commerce will conduct ex officio compliance reviews (38) of self-certified organisations, including through sending detailed questionnaires. It will also systematically carry out reviews whenever it has received a specific (non-frivolous) complaint, when an organisation does not provide satisfactory responses to its enquiries, or when there is credible evidence suggesting that an organisation may not be complying with the Principles. Where appropriate, the Department of Commerce will also consult with DPAs about such compliance reviews.
2.3. Redress mechanisms, complaint handling and enforcement
(38)
The EU-U.S. Privacy Shield, through the Recourse, Enforcement and Liability Principle, requires organisations to provide recourse for individuals who are affected by non-compliance and thus the possibility for EU data subjects to lodge complaints regarding non-compliance by U.S. self-certified companies and to have these complaints resolved, if necessary by a decision providing an effective remedy.
(39)
As part of their self-certification, organisations must satisfy the requirements of the Recourse, Enforcement and Liability Principle by providing for effective and readily available independent recourse mechanisms by which each individual’s complaints and disputes can be investigated and expeditiously resolved at no cost to the individual.
(40)
Organisations may choose independent recourse mechanisms in either the Union or in the United States. This includes the possibility to voluntarily commit to cooperate with the EU DPAs. However, no such choice exists where organisations process human resources data as cooperation with the DPAs is then mandatory. Other alternatives include independent Alternative Dispute Resolution (ADR) or private-sector developed privacy programs that incorporate the Privacy Principles into their rules. The latter must include effective enforcement mechanisms in accordance with the requirements of the Recourse, Enforcement and Liability Principle. Organisations are obliged to remedy any problems of non-compliance. They must also specify that they are subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body.
(41)
Consequently, the Privacy Shield framework provides data subjects with a number of possibilities to enforce their rights, lodge complaints regarding non-compliance by U.S. self-certified companies and to have their complaints resolved, if necessary by a decision providing an effective remedy. Individuals can bring a complaint directly to an organisation, to an independent dispute resolution body designated by the organisation, to national DPAs or to the FTC.
(42)
In cases where their complaints have not been resolved by any of these recourse or enforcement mechanisms, individuals also have a right to invoke binding arbitration under the Privacy Shield Panel (Annex 1 of Annex II of this decision). Except for the arbitral panel, which requires certain remedies to be exhausted before it can be invoked, individuals are free to pursue any or all of the redress mechanism of their choice, and are not obliged to choose one mechanism over the other or to follow a specific sequence. However, there is a certain logical order that is advisable to follow, as set out below.
(43)
First, EU data subjects may pursue cases of non-compliance with the Principles through direct contacts with the U.S. self-certified company. To facilitate resolution, the organisation must put in place an effective redress mechanism to deal with such complaints. An organisation’s privacy policy must therefore clearly inform individuals about a contact point, either within or outside the organisation, that will handle complaints (including any relevant establishment in the Union that can respond to inquiries or complaints) and about the independent complaint handling mechanisms.
(44)
Upon receipt of an individual’s complaint, directly from the individual or through the Department of Commerce following referral by a DPA, the organisation must provide a response to the EU data subject within a period of 45 days. This response must include an assessment of the merits of the complaint and information as to how the organisation will rectify the problem. Likewise, organisations are required to respond promptly to inquiries and other requests for information from the Department of Commerce or from a DPA (39) (where the organisation has committed to cooperate with the DPA) relating to their adherence to the Principles. Organisations must retain their records on the implementation of their privacy policies and make them available upon request to an independent recourse mechanism or the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices) in the context of an investigation or a complaint about non-compliance.
(45)
Second, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropriate recourse free of charge to the individual. Sanctions and remedies imposed by such a body must be sufficiently rigorous to ensure compliance by organisations with the Principles and should provide for a reversal or correction by the organisation of the effects of non-compliance and, depending on the circumstances, the termination of the further processing of the personal data at stake and/or their deletion, as well as publicity for findings of non-compliance. Independent dispute resolution bodies designated by an organisation will be required to include on their public websites relevant information regarding the EU-U.S. Privacy Shield and the services they provide under it. Each year, they must publish an annual report providing aggregate statistics regarding these services (40).
(46)
As part of its compliance review procedures, the Department of Commerce will verify that self-certified U.S. companies have actually registered with the independent recourse mechanisms they claim they are registered with. Both the organisations and the responsible independent recourse mechanisms are required to respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield.
(47)
In cases where the organisation fails to comply with the ruling of a dispute resolution or self-regulatory body, the latter must notify such non-compliance to the Department of Commerce and the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices), or a competent court (41). If an organisation refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body or where such a body determines that an organisation frequently fails to comply with the Principles, this will be considered as a persistent failure to comply with the result that the Department of Commerce, after first providing 30 days’ notice and an opportunity to respond to the organization that has failed to comply, will strike the organisation off the list (42). If, after removal from the list, the organisation continues to make the claim of Privacy Shield certification, the Department will refer it to the FTC or other enforcement agency (43).
(48)
Third, individuals may also bring their complaints to a national Data Protection Authority. Organisations are obliged to cooperate in the investigation and the resolution of a complaint by a DPA either when it concerns the processing of human resources data collected in the context of an employment relationship or when the respective organisation has voluntarily submitted to the oversight by DPAs. Notably, organisations have to respond to inquiries, comply with the advice given by the DPA, including for remedial or compensatory measures, and provide the DPA with written confirmation that such action has been taken.
(49)
The advice of the DPAs will be delivered through an informal panel of DPAs established at Union level (44), which will help to ensure a harmonised and coherent approach to a particular complaint. Advice will be issued after both sides in the dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The panel will deliver advice as quickly as the requirement for due process allows, and as a general rule within 60 days after receiving a complaint. If an organisation fails to comply within 25 days of delivery of the advice and has offered no satisfactory explanation for the delay, the panel will give notice of its intention either to submit the matter to the FTC (or other competent U.S. enforcement authority), or to conclude that the commitment to cooperate has been seriously breached. In the first alternative, this may lead to enforcement action based on Section 5 of the FTC Act (or similar statute). In the second alternative, the panel will inform the Department of Commerce which will consider the organisation’s refusal to comply with the advice of the DPA panel as a persistent failure to comply that will lead to the organisation’s removal from the Privacy Shield List.
(50)
If the DPA to which the complaint has been addressed has taken no or insufficient action to address a complaint, the individual complainant has the possibility to challenge such (in-) action in the national courts of the respective Member State.
(51)
Individuals may also bring complaints to DPAs even when the DPA panel has not been designated as an organisation’s dispute resolution body. In these cases, the DPA may refer such complaints either to the Department of Commerce or the FTC. In order to facilitate and increase cooperation on matters relating to individual complaints and non-compliance by Privacy Shield organisations, the Department of Commerce will establish a dedicated contact point to act as a liaison and to assist with DPA inquiries regarding an organisation’s compliance with the Principles (45). Likewise, the FTC has committed to establish a dedicated point of contact (46) and provide the DPAs with investigatory assistance pursuant to the U.S. SAFE WEB Act (47).
(52)
Fourth, the Department of Commerce has committed to receive, review and undertake best efforts to resolve complaints about an organisation’s non-compliance with the Principles. To this end, the Department of Commerce provides special procedures for DPAs to refer complaints to a dedicated contact point, track them and follow up with companies to facilitate resolution. In order to expedite the processing of individual complaints, the contact point will liaise directly with the respective DPA on compliance issues and in particular update it on the status of complaints within a period of not more than 90 days following referral. This allows data subjects to bring complaints of non-compliance by U.S. self-certified companies directly to their national DPA and have them channelled to the Department of Commerce as the U.S. authority administering the EU-U.S. Privacy Shield. The Department of Commerce has also committed to provide, in the annual review of the functioning of the EU-U.S. Privacy Shield, a report that analyses in aggregate form the complaints it receives each year (48).
(53)
Where, on the basis of its ex officio verifications, complaints or any other information, the Department of Commerce concludes that an organisation has persistently failed to comply with the Privacy Principles it will remove such an organisation from the Privacy Shield list. Refusal to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body, including a DPA, will be regarded as a persistent failure to comply.
(54)
Fifth, a Privacy Shield organisation must be subject to the investigatory and enforcement powers of the U.S. authorities, in particular the Federal Trade Commission (49) that will effectively ensure compliance with the Principles. The FTC will give priority consideration to referrals of non-compliance with the Privacy Principles received from independent dispute resolution or self-regulatory bodies, the Department of Commerce and DPAs (acting on their own initiative or upon complaints) to determine whether Section 5 of the FTC Act has been violated (50). The FTC has committed to create a standardised referral process, to designate a point of contact at the agency for DPA referrals, and to exchange information on referrals. In addition, it will accept complaints directly from individuals and will undertake Privacy Shield investigations on its own initiative, in particular as part of its wider investigations of privacy issues.
(55)
The FTC can enforce compliance through administrative orders (‘consent orders’), and it will systematically monitor compliance with such orders. Where organisations fail to comply, the FTC may refer the case to the competent court in order to seek civil penalties and other remedies, including for any injury caused by the unlawful conduct. Alternatively, the FTC may directly seek a preliminary or permanent injunction or other remedies from a federal court. Each consent order issued to a Privacy Shield organisation will have self-reporting provisions (51), and organisations will be required to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC. Finally, the FTC will maintain an online list of companies subject to FTC or court orders in Privacy Shield cases.
(56)
Sixth, as a recourse mechanism of ‘last resort’ in case none of the other available redress avenues has satisfactorily resolved an individual’s complaint, the EU data subject may invoke binding arbitration by the ‘Privacy Shield Panel’. Organisations must inform individuals about their possibility, under certain conditions, to invoke binding arbitration and they are obliged to respond once an individual has invoked this option by delivering notice to the concerned organisation (52).
(57)
This arbitral panel will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission based on their independence, integrity, as well as experience in U.S. privacy and Union data protection law. For each individual dispute, the parties will select from this pool a panel of one or three (53) arbitrators. The proceedings will be governed by standard arbitration rules to be agreed between the Department of Commerce and the Commission. These rules will supplement the already concluded framework which contains several features which enhance the accessibility of this mechanism for EU data subjects: (i) in preparing a claim before the panel, the data subject may be assisted by his or her national DPA; (ii) while the arbitration will take place in the United States, EU data subjects may choose to participate through video or telephone conference, to be provided at no cost to the individual; (iii) while the language used in the arbitration will as a rule be English, interpretation at the arbitral hearing and translation will normally (54) be provided upon a reasoned request and at no cost to the data subject; (iv) finally, while each party has to bear its own attorney’s fees, if represented by an attorney before the panel, the Department of Commerce will establish a fund supplied with annual contributions by the Privacy Shield organisations, which shall cover the eligible costs of the arbitration procedure, up to maximum amounts, to be determined by the U.S. authorities in consultation with the Commission.
(58)
The Privacy Shield Panel will have the authority to impose ‘individual-specific, non-monetary equitable relief’ (55) necessary to remedy non-compliance with the Principles. While the panel will take into account other remedies already obtained by other Privacy Shield mechanisms when making its determination, individuals may still resort to arbitration if they consider these other remedies to be insufficient. This will allow EU data subjects to invoke arbitration in all cases where the action or inaction of the competent U.S. authorities (for instance the FTC) has not satisfactorily resolved their complaints. Arbitration may not be invoked if a DPA has the legal authority to resolve the claim at issue with respect to the U.S. self-certified company, namely in those cases where the organisation is either obliged to cooperate and comply with the advice of the DPAs as regards the processing of human resources data collected in the employment context, or has voluntarily committed to do so. Individuals can enforce the arbitration decision in the U.S. courts under the Federal Arbitration Act, thereby ensuring a legal remedy in case a company fails to comply.
(59)
Seventh, where an organisation does not comply with its commitment to respect the Principles and published privacy policy, additional avenues for judicial redress may be available under the law of the U.S. States which provide for legal remedies under tort law and in cases of fraudulent misrepresentation, unfair or deceptive acts or practices, or breach of contract.
(60)
In addition, where a DPA, upon receiving a claim by an EU data subject, considers that the transfer of an individual’s personal data to an organisation in the United States is carried out in violation of EU data protection law, including when the EU data exporter has reason to believe that the organisation is not complying with the Principles, it can also exercise its powers vis-à-vis the data exporter and, if necessary, order the suspension of the data transfer.
(61)
In the light of the information in this section, the Commission considers that the Principles issued by the U.S. Department of Commerce as such ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the substantive basic principles laid down in Directive 95/46/EC.
(62)
In addition, the effective application of the Principles is guaranteed by the transparency obligations, and the administration and compliance review of the Privacy Shield by the Department of Commerce.
(63)
Moreover, the Commission considers that, taken as a whole, the oversight, recourse and enforcement mechanisms provided for by the Privacy Shield enable infringements of the Principles by Privacy Shield organisations to be identified and punished in practice and offer legal remedies to the data subject to gain access to personal data relating to him and, eventually, to obtain the rectification or erasure of such data.
3. ACCESS AND USE BY U.S. PUBLIC AUTHORITIES
(64)
As follows from Annex II, Sec. I.5, adherence to the Principles is limited to the extent necessary to meet national security, public interest or law enforcement requirements.
(65)
The Commission has assessed the limitations and safeguards available in U.S. law as regards access and use of personal data transferred under the EU-U.S. Privacy Shield by U.S. public authorities for national security, law enforcement and other public interest purposes. In addition, the U.S. government, through its Office of the Director of National Intelligence (ODNI) (56), has provided the Commission with detailed representations and commitments that are contained in Annex VI to this decision. By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community. Finally, a representation from the U.S. Department of Justice, contained in Annex VII to this decision, describes the limitations and safeguards applicable to access and use of data by public authorities for law enforcement and other public interest purposes. In order to enhance transparency and to reflect the legal nature of these commitments, each of the documents listed and annexed to this decision will be published in the U.S. Federal Register.
(66)
The findings of the Commission on the limitations on access and use of personal data transferred from the European Union to the United States by U.S. public authorities and the existence of effective legal protection are further elaborated below
3.1. Access and use by U.S. public authorities for national security purposes
(67)
The Commission’s analysis shows that U.S. law contains a number of limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse (57). Since 2013, when the Commission issued its two Communications (see recital 7), this legal framework has been significantly strengthened, as described below.
3.1.1. Limitations
(68)
Under the U.S. Constitution, ensuring national security falls within the President’s authority as Commander in Chief, as Chief Executive and, as regards foreign intelligence, to conduct U.S. foreign affairs (58). While Congress has the power to impose limitations, and has done so in various respects, within these boundaries the President may direct the activities of the U.S. Intelligence Community, in particular through Executive Orders or Presidential Directives. This of course also applies in those areas where no Congressional guidance exists. At present, the two central legal instruments in this regard are Executive Order 12333 (‘E.O. 12333’) (59) and Presidential Policy Directive 28.
(69)
Presidential Policy Directive 28 (‘PPD-28’), issued on 17 January 2014, imposes a number of limitations for ‘signals intelligence’ operations (60). This presidential directive has binding force for U.S. intelligence authorities (61) and remains effective upon change in the U.S. Administration (62). PPD-28 is of particular importance for non-US persons, including EU data subjects. Among others, it stipulates that:
(a)
the collection of signals intelligence must be based on statute or Presidential authorisation, and must be undertaken in accordance with the U.S. Constitution (in particular the Fourth Amendment) and U.S. law;
(b)
all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside;
(c)
all persons have legitimate privacy interests in the handling of their personal information;
(d)
privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities;
(e)
U.S. signals intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals, regardless of their nationality or where they might reside.
(70)
PPD-28 directs that signals intelligence may be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purpose (e.g. to afford a competitive advantage to U.S. companies). In this regard, the ODNI explains that Intelligence Community elements ‘should require that, wherever practicable, collection should be focused on specific foreign intelligence targets or topics through the use of discriminants (e.g. specific facilities, selection terms and identifiers)’ (63). Furthermore, the representations provide assurance that decisions about intelligence collection are not left to the discretion of individual intelligence agents, but are subject to the policies and procedures that the various U.S. Intelligence Community elements (agencies) are required to put in place to implement PPD-28 (64). Accordingly, the research and determination of appropriate selectors takes place within the overall ‘National Intelligence Priorities Framework’ (NIPF) which ensures that intelligence priorities are set by high-level policymakers and regularly reviewed to remain responsive to actual national security threats and taking into account possible risks, including privacy risks (65). On this basis, agency personnel researches and identifies specific selection terms expected to collect foreign intelligence responsive to the priorities (66). Selection terms, or ‘selectors’, must be regularly reviewed to see if they still provide valuable intelligence in line with the priorities (67).
(71)
Furthermore, the requirements stipulated in PPD-28 that intelligence collection shall always (68) be ‘as tailored as feasible’, and that the Intelligence Community shall prioritise the availability of other information and appropriate and feasible alternatives (69), reflect a general rule of prioritisation of targeted over bulk collection. According to the assurance provided by the ODNI, they ensure in particular that bulk collection is neither ‘mass’ nor ‘indiscriminate’, and that the exception does not swallow the rule (70).
(72)
While PPD-28 explains that Intelligence Community elements must sometimes collect bulk signals intelligence in certain circumstances, for instance in order to identify and assess new or emerging threats, it directs these elements to prioritise alternatives that would allow the conduct of targeted signals intelligence (71). It follows that bulk collection will only occur where targeted collection via the use of discriminants — i.e. an identifier associated with a specific target (such as the target’s e-mail address or phone number) — is not possible ‘due to technical or operational considerations’ (72). This applies both to the manner in which signals intelligence is collected and to what is actually collected (72).
(73)
According to the representations from the ODNI, even where the Intelligence Community cannot use specific identifiers to target collection, it will seek to narrow the collection ‘as much as possible’. In order to ensure this, it ‘applies filters and other technical tools to focus the collection on those facilities that are likely to contain communications of foreign intelligence value’ (and thus will be responsive to requirements articulated by U.S. policy-makers pursuant to the process described above in 70). As a consequence, bulk collection will be targeted in at least two ways: First, it will always relate to specific foreign intelligence objectives (e.g. to acquire signals intelligence about the activities of a terrorist group operating in a particular region) and focus collection on communications that have such a nexus. According to the assurance provided by the ODNI, this is reflected in the fact that the ‘United States’ signals intelligence activities touch only a fraction of the communications traversing the internet’ (73). Second, the ODNI representations explain that the filters and other technical tools used will be designed to focus the collection ‘as precisely as possible’ in order to ensure that the amount of ‘non-pertinent information’ collected will be minimised.
(74)
Finally, even where the United States considers it necessary to collect signals intelligence in bulk, under the conditions set out in recitals 70-73, PPD-28 limits the use of such information to a specific list of six national security purposes with a view to protect the privacy and civil liberties of all persons, whatever their nationality and place of residence (74). These permissible purposes comprise measures to detect and counter threats stemming from espionage, terrorism, weapons of mass destruction, threats to cybersecurity, to the Armed Forces or military personnel, as well as transnational criminal threats related to the other five purposes, and will be reviewed at least on an annual basis. According to the representations by the U.S. government, Intelligence Community elements have reinforced their analytic practices and standards for querying unevaluated signals intelligence to conform with these requirements; the use of targeted queries ‘ensures that only those items believed to be of potential intelligence value are ever presented to analysts to examine’ (75).
(75)
These limitations are particularly relevant to personal data transferred under the EU-U.S. Privacy Shield, in particular in case collection of personal data were to take place outside the United States, including during their transit on the transatlantic cables from the Union to the United States. As confirmed by the U.S. authorities in the representations of the ODNI, the limitations and safeguards set out therein — including those of PPD-28 — apply to such collection (76).
(76)
Although not phrased in those legal terms, these principles capture the essence of the principles of necessity and proportionality. Targeted collection is clearly prioritised, while bulk collection is limited to (exceptional) situations where targeted collection is not possible for technical or operational reasons. Even where bulk collection cannot be avoided, further ‘use’ of such data through access is strictly limited to specific, legitimate national security purposes (77).
(77)
As a directive issued by the President as the Chief Executive, these requirements bind the entire Intelligence Community and have been further implemented through agency rules and procedures that transpose the general principles into specific directions for day-to-day operations. Moreover, while Congress is itself not bound by PPD-28, it has also taken steps to ensure that collection and access of personal data in the United States are targeted rather than carried out ‘on a generalised basis’.
(78)
It follows from the available information, including the representations received from the U.S. government, that once the data has been transferred to organisations located in the United States and self-certified under the EU-U.S. Privacy Shield, U.S. intelligence agencies may only (78) seek personal data where their request complies with the Foreign Intelligence Surveillance Act (FISA) or is made by the Federal Bureau of Investigation (FBI) based on a so-called National Security Letter (NSL) (79). Several legal bases exist under FISA that may be used to collect (and subsequently process) the personal data of EU data subjects transferred under the EU-U.S. Privacy Shield. Aside from Section 104 FISA (80) covering traditional individualised electronic surveillance and Section 402 FISA (81) on the installation of pen registers or trap and trace devices, the two central instruments are Section 501 FISA (ex-Section 215 U.S. PATRIOT ACT) and Section 702 FISA (82).
(79)
In this respect, the USA FREEDOM Act, which was enacted on 2 June 2015, prohibits the collection in bulk of records based on Section 402 FISA (pen register and trap and trace authority), Section 501 FISA (formerly: Section 215 of the U.S. PATRIOT ACT) (83) and through the use of NSL, and instead requires the use of specific ‘selection terms’ (84).
(80)
While the FISA contains further legal authorisations to carry out national intelligence activities, including signals intelligence, the Commission’s assessment has shown that, insofar as personal data to be transferred under the EU-U.S. Privacy Shield are concerned, these authorities equally restrict interference by public authorities to targeted collection and access.
(81)
This is clear for traditional individualised electronic surveillance under Section 104 FISA (85). As for Section 702 FISA, which provides the basis for two important intelligence programs run by the U.S. intelligence agencies (PRISM, UPSTREAM), searches are carried out in a targeted manner through the use of individual selectors that identify specific communications facilities, like the target’s e-mail address or telephone number, but not key words or even the names of targeted individuals (86). Therefore, as noted by the Privacy and Civil Liberties Oversight Board (PCLOB), Section 702 surveillance ‘consists entirely of targeting specific [non-U.S.] persons about whom an individualised determination has been made’ (87). Due to a ‘sunset’ clause, Section 702 FISA will have to be reviewed in 2017, at which time the Commission will have to reassess the safeguards available to EU data subjects.
(82)
Moreover, in its representations the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens’ (88). As regards personal data collected within the United States, this statement is supported by empirical evidence which shows that access requests through NSL and under FISA, both individually and together, only concern a relatively small number of targets when compared to the overall flow of data on the internet (89).
(83)
As regards access to collected data and data security, PPD-28 requires that access ‘shall be limited to authorized personnel with a need to know the information to perform their mission’ and that personal information ‘shall be processed and stored under conditions that provide adequate protection and prevent access by unauthorized persons, consistent with the applicable safeguards for sensitive information’. Intelligence personnel receive appropriate and adequate training in the principles set forth in PPD-28 (90).
(84)
Finally, as regards the storage and further dissemination of personal data from EU data subjects collected by U.S. intelligence authorities, PPD-28 states that all persons (including non-U.S. persons) should be treated with dignity and respect, that all persons have legitimate privacy interests in the handling of their personal data and that Intelligence Community elements therefore have to establish policies providing appropriate safeguards for such data ‘reasonably designed to minimize the[ir] dissemination and retention’ (91).
(85)
The U.S. government has explained that this reasonableness requirement signifies that Intelligence Community elements will not have to adopt ‘any measure theoretically possible’, but will need to ‘balance their efforts to protect legitimate privacy and civil liberties interests with the practical necessities of signals intelligence activities’ (92). In this respect, non-U.S. persons will be treated in the same way as U.S. persons, based on procedures approved by the Attorney-General (93).
(86)
According to these rules, retention is generally limited to a maximum of five years, unless there is a specific determination in law or an express determination by the Director of National Intelligence after careful evaluation of privacy concerns — taking into account the views of the ODNI Civil Liberties Protection Officer as well as agency privacy and civil liberties officials — that continued retention is in the interest of national security (94). Dissemination is limited to cases where the information is relevant to the underlying purpose of the collection and thus responsive to an authorised foreign intelligence or law enforcement requirement (95).
(87)
According to the assurances given by the U.S. government, personal information may not be disseminated solely because the individual concerned is a non-U.S. person and ‘signals intelligence about the routine activities of a foreign person would not be considered foreign intelligence that could be disseminated or retained permanently by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement’ (96).
(88)
On the basis of all of the above, the Commission concludes that there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question.
(89)
As the above analysis has shown, U.S. law ensures that surveillance measures will only be employed to obtain foreign intelligence information — which is a legitimate policy objective (97) — and be tailored as much as possible. In particular, bulk collection will only be authorised exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimise the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).
(90)
In the Commission’s assessment, this conforms with the standard set out by the Court of Justice in the Schrems judgment, according to which legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must impose ‘minimum safeguards’ (98) and ‘is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail’ (99). Neither will there be unlimited collection and storage of data of all persons without any limitations, nor unlimited access. Moreover, the representations provided to the Commission, including the assurance that U.S. signals intelligence activities touch only a fraction of the communications traversing the internet, exclude that there would be access ‘on a generalised basis’ (100) to the content of electronic communications.
3.1.2. Effective legal protection
(91)
The Commission has assessed both the oversight mechanisms that exist in the United States with regard to any interference by U.S. intelligence authorities with personal data transferred to the United States and the avenues available for EU data subjects to seek individual redress.
Oversight
(92)
The U.S. intelligence community is subject to various review and oversight mechanisms that fall within the three branches of the State. These include internal and external bodies within the executive branch, a number of Congressional Committees, as well as judicial supervision the latter specifically with respect to activities under the Foreign Intelligence Surveillance Act.
(93)
First, intelligence activities by U.S. authorities are subject to extensive oversight from within the executive branch.
(94)
According to PPD-28, Section 4(a)(iv), the policies and procedures of Intelligence Community elements ‘shall include appropriate measures to facilitate oversight over the implementation of safeguards protecting personal information’; these measures should include periodic auditing (101).
(95)
Multiple oversight layers have been put in place in this respect, including civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the PCLOB, and the President’s Intelligence Oversight Board. These oversight functions are supported by compliance staff in all the agencies (102).
(96)
As explained by the U.S. government (103), civil liberties or privacy officers with oversight responsibilities exist at various departments with intelligence responsibilities and intelligence agencies (104). While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering privacy and civil liberties concerns and has put in place adequate procedures to address complaints from individuals who consider that their privacy or civil liberties have been violated (and in some cases, like the ODNI, may themselves have the power to investigate complaints (105)). The head of the department/agency in turn has to ensure that the officer receives all the information and is given access to all material necessary to carry out his functions. Civil liberties and privacy officers periodically report to Congress and the PCLOB, including on the number and nature of the complaints received by the department/agency and a summary of the disposition of such complaints, the reviews and inquiries conducted and the impact of the activities carried out by the officer (106) According to the assessment by the national data protection authorities, the internal oversight exercised by the civil liberties or privacy officers can be considered as ‘fairly robust’, even though in their view they do not meet the required level of independence (107).
(97)
In addition, each Intelligence Community element has its own Inspector General with responsibility, among others, to oversee foreign intelligence activities (108). This includes, within the ODNI, an Office of the Inspector General with comprehensive jurisdiction over the entire Intelligence Community and authorised to investigate complaints or information concerning allegations of unlawful conduct, or abuse of authority, in connection with ODNI and/or Intelligence Community programs and activities (109). Inspectors General are statutorily independent (110) units responsible for conducting audits and investigations relating to the programs and operations carried out by the respective agency for national intelligence purposes, including for abuse or violation of the law (111). They are authorised to have access to all records, reports, audits, reviews, documents, papers, recommendations or other relevant material, if need be by subpoena, and may take testimony (112). While the Inspectors General can only issue non-binding recommendations for corrective action, their reports, including on follow-up action (or the lack thereof) are made public and moreover sent to Congress which can on this basis exercise its oversight function (113).
(98)
Furthermore, the Privacy and Civil Liberties Oversight Board, an independent agency (114) within the executive branch composed of a bipartisan, five-member Board (115) appointed by the President for a fixed six-year term with Senate approval, is entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protect privacy and civil liberties. In its review of Intelligence Community action, it may access all relevant agency records, reports, audits, reviews, documents, papers and recommendations, including classified information, conduct interviews and hear testimony. It receives reports from the civil liberties and privacy officers of several federal departments/agencies (116), may issue recommendations to them, and regularly reports to Congressional committees and the President (117). The PCLOB is also tasked, within the confines of its mandate, to prepare a report assessing the implementation of PPD-28.
(99)
Finally, the aforementioned oversight mechanisms are complemented by the Intelligence Oversight Board established within the President’s Intelligence Advisory Board which oversees compliance by U.S. intelligence authorities with the Constitution and all applicable rules.
(100)
To facilitate the oversight, Intelligence Community elements are encouraged to design information systems to allow for the monitoring, recording and reviewing of queries or other searches of personal information (118). Oversight and compliance bodies will periodically check the practices of Intelligence Community elements for protecting personal information contained in signals intelligence and their compliance with those procedures (119).
(101)
These oversight functions are moreover supported by extensive reporting requirements with respect to non-compliance. In particular, agency procedures must ensure that, when a significant compliance issue occurs involving personal information of any person, regardless of nationality, collected through signals intelligence, such issue shall be promptly reported to the head of the Intelligence Community element, which in turn will notify the Director of National Intelligence who, under PPD-28, shall determine if any corrective actions are necessary (120). Moreover, according to E.O. 12333, all Intelligence Community elements are required to report to the Intelligence Oversight Board on non-compliance incidents (121). These mechanisms ensure that the issue will be addressed at the highest level in the Intelligence Community. Where it involves a non-U.S. person, the Director of National Intelligence, in consultation with the Secretary of State and the head of the notifying department or agency, shall determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel (122).
(102)
Second, in addition to these oversight mechanisms within the executive branch, the U.S. Congress, specifically the House and Senate Intelligence and Judiciary Committees, have oversight responsibilities regarding all U.S. foreign intelligence activities, including U.S. signals intelligence. According to the National Security Act, ‘[t]he President shall ensure that the congressional intelligence committees are kept fully and currently informed of the intelligence activities of the United States, including any significant anticipated intelligence activity as required by this subchapter’ (123). Also, ‘[t]he President shall ensure that any illegal intelligence activity is reported promptly to the congressional intelligence committees, as well as any corrective action that has been taken or is planned in connection with such illegal activity’ (124). Members of these committees have access to classified information as well as intelligence methods and programs (125).
(103)
Later statutes have extended and refined the reporting requirements, both regarding the Intelligence Community elements, the relevant Inspector Generals and the Attorney-General. For instance, FISA requires the Attorney General to ‘fully inform’ the Senate and House Intelligence and Judiciary Committees regarding the government’s activities under certain sections of FISA (126). It also requires the government to provide the Congressional committees with ‘copies of all decisions, orders, or opinions of the Foreign Intelligence Surveillance Court or Foreign Intelligence Surveillance Court of Review that include significant construction or interpretation’ of FISA provisions. In particular, as regards surveillance under Section 702 FISA, oversight is exercised through statutorily required reports to the Intelligence and Judiciary Committees, as well as frequent briefings and hearings. These include a semi-annual report by the Attorney General describing the use of Section 702 FISA, with supporting documents including notably the Department of Justice and ODNI compliance reports and a description of any incidents of non-compliance (127), and a separate semi-annual assessment by the Attorney General and the DNI documenting compliance with the targeting and minimization procedures, including compliance with the procedures designed to ensure that collection is for a valid foreign intelligence purpose (128). Congress also receives reports by the Inspector Generals who are authorised to evaluate the agencies’ compliance with targeting and minimization procedures and Attorney General Guidelines.
(104)
According to the USA FREEDOM Act of 2015, the U.S. government must disclose to Congress (and the public) each year the number of FISA orders and directives sought and received, as well as estimates of the number of U.S. and non-U.S. persons targeted by surveillance, among others (129). The Act also requires additional public reporting about the number of NSL issued, again both with regard to U.S. and non-U.S. persons (while at the same time allowing the recipients of FISA orders and certifications, as well as NSL requests, to issue transparency reports under certain conditions) (130).
(105)
Third, intelligence activities by U.S. public authorities based on FISA allow for review, and in some cases prior authorisation of the measures, by the FISA Court (FISC) (131), an independent tribunal (132) whose decisions can be challenged before the Foreign Intelligence Court of Review (FISCR) (133) and, ultimately, the Supreme Court of the United States (134). In case of prior authorisation, the requesting authorities (FBI, NSA, CIA, etc.) will have to submit a draft application to lawyers at the National Security Department of the Department of Justice who will scrutinise it and, if necessary, request additional information (135). Once the application has been finalised, it will have to be approved by the Attorney General, Deputy Attorney General or the Assistant Attorney General for National Security (136). The Department of Justice will then submit the application to the FISC that will assess the application and make a preliminary determination on how to proceed (137). Where a hearing takes place, the FISC has the authority to take testimony which may include expert advice (138).
(106)
The FISC (and FISCR) is supported by a standing panel of five individuals that have an expertise in national security matters as well as civil liberties (139). From this group the court shall appoint an individual to serve as amicus curiae to assist in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court finds that such appointment is not appropriate (140). This shall in particular ensure that privacy considerations are properly reflected in the court’s assessment. The court may also appoint an individual or organisation to serve as amicus curiae, including providing technical expertise, whenever it deems this appropriate or, upon motion, permit an individual or organisation leave to file an amicus curiae brief (141).
(107)
As regards the two legal authorisations for surveillance under FISA that are most important for data transfers under the EU-U.S. Privacy Shield, oversight by the FISC differs.
(108)
Under Section 501 FISA (142), which allows the collection of ‘any tangible things (including books, records, papers, documents, and other items)’, the application to the FISC must contain a statement of facts showing that there are reasonable grounds to believe that the tangible things sought for are relevant to an authorised investigation (other than a threat assessment) conducted to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities. Also, the application must contain an enumeration of the minimisation procedures adopted by the Attorney General for the retention and dissemination of the collected intelligence (143).
(109)
Conversely, under Section 702 FISA (144), the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence. Section 702 FISA allows the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information (145). Such targeting is carried out by the NSA in two steps: First, NSA analysts will identify non-U.S. persons located abroad whose surveillance will lead, based on the analysts’ assessment, to the relevant foreign intelligence specified in the certification. Second, once these individualised persons have been identified and their targeting has been approved by an extensive review mechanism within the NSA (146), selectors identifying communication facilities (such as e-mail addresses) used by the targets will be ‘tasked’ (i.e. developed and applied) (147). As indicated, the certifications to be approved by the FISC contain no information about the individual persons to be targeted but rather identify categories of foreign intelligence information (148). While the FISC does not assess — under a probable cause or any other standard — that individuals are properly targeted to acquire foreign intelligence information (149), its control extends to the condition that ‘a significant purpose of the acquisition is to obtain foreign intelligence information’ (150). Indeed, under Section 702 FISA, the NSA is allowed to collect communications of non-U.S. persons outside the U.S. only if it can be reasonably believed that a given means of communication is being used to communicate foreign intelligence information (e.g. related to international terrorism, nuclear proliferation or hostile cyber activities). Determinations to this effect are subject to judicial review (151). Certifications also need to provide for targeting and minimization procedures (152). The Attorney General and the Director of National Intelligence verify compliance and the agencies have the obligation to report any incidents of non-compliance to the FISC (153) (as well as the Congress and the President’s Intelligence Oversight Board), which on this basis can modify the authorisation (154).
(110)
Furthermore, to increase the efficiency of the oversight by the FISC, the U.S. Administration has agreed to implement a recommendation by the PCLOB to supply to the FISC documentation of Section 702 targeting decisions, including a random sample of tasking sheets, so as to allow the FISC to assess how the foreign intelligence purpose requirement is being met in practice (155). At the same time, the U.S. Administration accepted and has taken measures to revise NSA targeting procedures to better document the foreign intelligence reasons for targeting decisions (156).
Individual redress
(111)
A number of avenues are available under U.S. law to EU data subjects if they have concerns whether their personal data have been processed (collected, accessed, etc.) by U.S. Intelligence Community elements, and if so, whether the limitations applicable in U.S. law have been complied with. These relate essentially to three areas: interference under FISA; unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA) (157).
(112)
First, the Foreign Intelligence Surveillance Act provides a number of remedies, available also to non-U.S. persons, to challenge unlawful electronic surveillance (158). This includes the possibility for individuals to bring a civil cause of action for money damages against the United States when information about them has been unlawfully and wilfully used or disclosed (159); to sue U.S. government officials in their personal capacity (‘under colour of law’) for money damages (160); and to challenge the legality of surveillance (and seek to suppress the information) in the event the U.S. government intends to use or disclose any information obtained or derived from electronic surveillance against the individual in judicial or administrative proceedings in the United States (161).
(113)
Second, the U.S. government referred the Commission to a number of additional avenues that EU data subjects could use to seek legal recourse against government officials for unlawful government access to, or use of, personal data, including for purported national security purposes (i.e. the Computer Fraud and Abuse Act (162); Electronic Communications Privacy Act (163); and Right to Financial Privacy Act (164)). All of these causes of action concern specific data, targets and/or types of access (e.g. remote access of a Computer via the internet) and are available under certain conditions (e.g. intentional/wilful conduct, conduct outside of official capacity, harm suffered) (165). A more general redress possibility is offered by the Administrative Procedure Act (5 U.S.C. § 702), according to which ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review. This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’ (166).
(114)
Finally, the U.S. government has pointed to the FOIA as a means for non-U.S. persons to seek access to existing federal agency records, including where these contain the individual’s personal data (167). Given its focus, the FOIA does not provide an avenue for individual recourse against interference with personal data as such, even though it could in principle enable individuals to get access to relevant information held by national intelligence agencies. Even in this respect the possibilities appear to be limited as agencies may withhold information that falls within certain enumerated exceptions, including access to classified national security information and information concerning law enforcement investigations (168). This being said, the use of such exceptions by national intelligence agencies can be challenged by individuals who can seek both administrative and judicial review.
(115)
While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited (169) and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show ‘standing’ (170), which restricts access to ordinary courts (171).
(116)
In order to provide for an additional redress avenue accessible for all EU data subjects, the U.S. government has decided to create a new Ombudsperson Mechanism as set out in the letter from the U.S. Secretary of State to the Commission which is contained in Annex III to this decision. This mechanism builds on the designation, under PPD-28, of a Senior Coordinator (at the level of Under-Secretary) in the State Department as a contact point for foreign governments to raise concerns regarding U.S. signals intelligence activities, but goes significantly beyond this original concept.
(117)
In particular, according to the commitments from the U.S. government, the Ombudsperson Mechanism will ensure that individual complaints are properly investigated and addressed, and that individuals receive independent confirmation that U.S. laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied (172). The Mechanism includes ‘the Privacy Shield Ombudsperson’, i.e. the Under-Secretary and further staff as well as other oversight bodies competent to oversee the different elements of the Intelligence Community on whose cooperation the Privacy Shield Ombudsperson will rely in dealing with complaints. In particular, where an individual’s request relates to the compatibility of surveillance with U.S. law, the Privacy Shield Ombudsperson will be able to rely on independent oversight bodies with investigatory powers (such as the Inspector-Generals or the PCLOB). In each case the Secretary of State ensures that the Ombudsperson will have the means to ensure that its response to individual requests is based on all the necessary information.
(118)
Through this ‘composite structure’, the Ombudsperson Mechanism guarantees independent oversight and individual redress. Moreover, the cooperation with other oversight bodies ensures access to the necessary expertise. Finally, by imposing an obligation on the Privacy Shield Ombudsperson to confirm compliance or remediation of any non-compliance, the mechanism reflects a commitment from the U.S. government as a whole to address and resolve complaint from EU individuals.
(119)
First, differently from a pure government-to-government mechanism, the Privacy Shield Ombudsperson will receive and respond to individual complaints. Such complaints can be addressed to the supervisory authorities in the Member States competent for the oversight of national security services and/or the processing of personal data by public authorities that will submit them to a centralised EU body from where they will be channelled to the Privacy Shield Ombudsperson (173). This will in fact benefit EU individuals who can turn to a national authority ‘close to home’ and in their own language. It will be the task of such an authority to support the individual in making a request to the Privacy Shield Ombudsperson that contains the basic information and thus can be considered ‘complete’. The individual does not have to demonstrate that his/her personal data have in fact been accessed by the U.S. government through signals intelligence activities.
(120)
Second, the U.S. government commits to ensure that, in carrying out its functions, the Privacy Shield Ombudsperson will be able to rely on the cooperation from other oversight and compliance review mechanisms existing in U.S. law. This will sometimes involve national intelligence authorities, in particular where the request is to be interpreted as one for access to documents under the Freedom of Information Act. In other cases, particularly when requests relate to the compatibility of surveillance with U.S. law, such cooperation will involve independent oversight bodies (e.g. Inspector Generals) with the responsibility and power to carry out a thorough investigation (in particular through access to all relevant documents and the power to request information and statements) and address non-compliance (174). Also, the Privacy Shield Ombudsperson will be able to refer matters to the PCLOB for its consideration (175). Where any non-compliance has been found by one of these oversight bodies, the Intelligence Community element (e.g. an intelligence agency) concerned will have to remedy the non-compliance as only this will allow the Ombudsperson to provide a ‘positive’ response to the individual (i.e. that any non-compliance has been remedied) to which the U.S. government has committed. Also, as part of the cooperation, the Privacy Shield Ombudsperson will be informed of the outcome of the investigation, and the Ombudsperson will have the means to ensure that it receives all the information necessary to prepare its response.
(121)
Finally, the Privacy Shield Ombudsperson will be independent from, and thus free from instructions by, the U.S. Intelligence Community (176). This is of significant importance, given that the Ombudsperson will have to ‘confirm’ that (i) the complaint has been properly investigated and that (ii) relevant U.S. law — including in particular the limitations and safeguards set out in Annex VI — has been complied with or, in the event of non-compliance, such violation has been remedied. In order to be able to provide that independent confirmation, the Privacy Shield Ombudsperson will have to receive the necessary information regarding the investigation to assess the accuracy of the response to the complaint. In addition, the Secretary of State has committed to ensure that the Under-Secretary will carry out the function as Privacy Shield Ombudsperson objectively and free from any improper influence liable to have an effect on the response to be provided.
(122)
Overall, this mechanism ensures that individual complaints will be thoroughly investigated and resolved, and that at least in the field of surveillance this will involve independent oversight bodies with the necessary expertise and investigatory powers and an Ombudsperson that will be able to carry out its functions free from improper, in particular political, influence. Moreover, individuals will be able to bring complaints without having to demonstrate, or just to provide indications, that they have been the object of surveillance (177). In the light of these features, the Commission is satisfied that there are adequate and effective guarantees against abuse.
(123)
On the basis of all the above, the Commission concludes that the United States ensures effective legal protection against interferences by its intelligence authorities with the fundamental rights of the persons whose data are transferred from the Union to the United States under the EU-U.S. Privacy Shield.
(124)
In this respect, the Commission takes note of the Court of Justice’s judgment in the Schrems case according to which ‘legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification of erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter’ (178). The Commission’s assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism. The Ombudsperson mechanism provides for independent oversight with investigatory powers. In the framework of the Commission’s continuous monitoring of the Privacy Shield, including through the annual joint review which shall also involve the Ombudsperson, the effectiveness of this mechanism will be reassessed.
3.2. Access and use by U.S. public authorities for law enforcement and public interest purposes
(125)
As regards interference with personal data transferred under the EU-U.S. Privacy Shield for law enforcement purposes, the U.S. government (through the Department of Justice) has provided assurance on the applicable limitations and safeguards which in the Commission’s assessment demonstrate an adequate level of protection.
(126)
According to this information, under the Fourth Amendment of the U.S. Constitution (179) searches and seizures by law enforcement authorities principally (180) require a court-ordered warrant upon a showing of ‘probable cause’. In the few specifically established and exceptional cases where the warrant requirement does not apply (181), law enforcement is subject to a ‘reasonableness’ test (182). Whether a search or seizure is reasonable is ‘determined by assessing, on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests’ (183). More generally, the Fourth Amendment guarantees privacy, dignity, and protects against arbitrary and invasive acts by officers of the Government (184). These concepts capture the idea of necessity and proportionality in Union law. Once law enforcement no longer has a need to use the seized items as evidence, they should be returned (185).
(127)
While the Fourth Amendment right does not extend to non-U.S. persons that are not resident in the United States, the latter nevertheless benefit indirectly from its protections, given that the personal data are held by U.S. companies with the effect that law enforcement authorities in any event have to seek judicial authorisation (or at least respect the reasonableness requirement) (186). Further protections are provided by special statutory authorities, as well as the Department of Justice Guidelines, which limit law enforcement access to data on grounds equivalent to necessity and proportionality (e.g. by requiring that the FBI use the least intrusive investigative methods feasible, taking into account the effect on privacy and civil liberties) (187). According to the representations made by the U.S. government, the same or higher protections apply to law enforcement investigations at State level (with respect to investigations carried out under State laws) (188).
(128)
Although a prior judicial authorisation by a court or grand jury (an investigate arm of the court impanelled by a judge or magistrate) is not required in all cases (189), administrative subpoenas are limited to specific cases and will be subject to independent judicial review at least where the government seeks enforcement in court (190).
(129)
The same applies for the use of administrative subpoenas for public interest purposes. In addition, according to the representations from the U.S. government, similar substantive limitations apply in that agencies may only seek access to data that is relevant to matters falling with their scope of authority and have to respect the standard of reasonableness.
(130)
Moreover, U.S. law provides for a number of judicial redress avenues for individuals, against a public authority or one of its officials, where these authorities process personal data. These avenues, which include in particular the Administrative Procedure Act (APA), the Freedom of Information Act (FOIA) and the Electronic Communications Privacy Act (ECPA), are open to all individuals irrespective of their nationality, subject to any applicable conditions.
(131)
Generally, under the judicial review provisions of the Administrative Procedure Act (191), ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review (192). This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’ (193).
(132)
More specifically, Title II of the Electronic Communications Privacy Act (194) sets forth a system of statutory privacy rights and as such governs law enforcement access to the contents of wire, oral or electronic communications stored by third-party service providers (195). It criminalises the unlawful (i.e. not authorised by court or otherwise permissible) access to such communications and provides recourse for an affected individual to file a civil action in U.S. federal court for actual and punitive damages as well as equitable or declaratory relief against a government official that has wilfully committed such unlawful acts, or against the United States.
(133)
Also, under the Freedom of Information Act (FOIA, 5 U.S.C. § 552), any person has the right to obtain access to federal agency records and, upon exhaustion of administrative remedies, to enforce such right in court, except to the extent that such records are protected from public disclosure by an exemption or special law enforcement exclusion (196).
(134)
In addition, several other statutes afford individuals the right to bring suit against a U.S. public authority or official with respect to the processing of their personal data, such as the Wiretap Act (197), the Computer Fraud and Abuse Act (198), the Federal Torts Claim Act (199), the Right to Financial Privacy Act (200), and the Fair Credit Reporting Act (201).
(135)
The Commission therefore concludes that there are rules in place in the United States designed to limit any interference for law enforcement (202) or other public interest purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question, and that ensure effective legal protection against such interference.
4. ADEQUATE LEVEL OF PROTECTION UNDER THE EU-U.S. PRIVACY SHIELD
(136)
In the light of the those findings, the Commission considers that the United States ensures an adequate level of protection for personal data transferred from the Union to self-certified organisations in the United States under the EU-U.S. Privacy Shield.
(137)
In particular, the Commission considers that the Principles issued by the U.S. Department of Commerce as a whole ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the basic principles laid down in Directive 95/46/EC.
(138)
In addition, the effective application of the Principles is guaranteed by the transparency obligations and the administration of the Privacy Shield by the Department of Commerce.
(139)
Moreover, the Commission considers that, taken as a whole, the oversight and recourse mechanisms provided for by the Privacy Shield enable infringements of the Principles by Privacy Shield organisations to be identified and punished in practice and offer legal remedies to the data subject to gain access to personal data relating to him and, eventually, to obtain the rectification or erasure of such data.
(140)
Finally, on the basis of the available information about the U.S. legal order, including the representations and commitments from the U.S. government, the Commission considers that any interference by U.S. public authorities with the fundamental rights of the persons whose data are transferred from the Union to the United States under the Privacy Shield for national security, law enforcement or other public interest purposes, and the ensuing restrictions imposed on self-certified organisations with respect to their adherence to the Principles, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that there exists effective legal protection against such interference.
(141)
The Commission concludes that this meets the standards of Article 25 of Directive 95/46/EC, interpreted in light of the Charter of Fundamental Rights of the European Union, as explained by the Court of Justice in particular in the Schrems judgment.
5. ACTION OF DATA PROTECTION AUTHORITIES AND INFORMATION TO THE COMMISSION
(142)
In the Schrems judgment, the Court of Justice clarified that the Commission has no competence to restrict the powers that DPAs derive from Article 28 of Directive 95/46/EC (including the power to suspend data transfers) where a person, in bringing a claim under that provision, calls into question the compatibility of a Commission adequacy decision with the protection of the fundamental right to privacy and data protection (203).
(143)
In order to effectively monitor the functioning of the Privacy Shield, the Commission should be informed by Member States about relevant action undertaken by DPAs.
(144)
The Court of Justice furthermore considered that, in line with the second subparagraph of Article 25(6) of Directive 95/46/EC, Member States and their organs must take the measures necessary to comply with acts of the Union institutions, as the latter are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 25(6) of Directive 95/46/EC is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities (204). Where such an authority has received a complaint putting in question the compliance of a Commission adequacy decision with the protection of the fundamental right to privacy and data protection and considers the objections advanced to be well founded, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (205).
6. PERIODIC REVIEW OF ADEQUACY FINDING
(145)
In the light of the fact that the level of protection afforded by the U.S. legal order may be liable to change, the Commission, following adoption of this decision, will check periodically whether the findings relating to the adequacy of the level of protection ensured by the United States under the EU-U.S. Privacy Shield are still factually and legally justified. Such a check is required, in any event, when the Commission acquires any information giving rise to a justified doubt in that regard (206).
(146)
Therefore, the Commission will continuously monitor the overall framework for the transfer of personal data created by the EU-U.S. Privacy Shield as well as compliance by U.S. authorities with the representations and commitments contained in the documents attached to this decision. To facilitate this process, the U.S. has committed to inform the Commission of material developments in U.S. law when relevant to the Privacy Shield in the field of data protection and the limitations and safeguards applicable to access to personal data by public authorities. Moreover, this decision will be subject to an Annual Joint Review which will cover all aspects of the functioning of the EU-U.S. Privacy Shield, including the operation of the national security and law enforcement exceptions to the Principles. In addition, since the adequacy finding may also be influenced by legal developments in Union law, the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the GDPR.
(147)
To perform the Annual Joint Review referred to in Annexes I, II and VI, the Commission will meet with the Department of Commerce and FTC, accompanied, if appropriate, by other departments and agencies involved in the implementation of the Privacy Shield arrangements, as well as, for matters pertaining to national security, representatives of the ODNI, other Intelligence Community elements and the Ombudsperson. The participation in this meeting will be open for EU DPAs and representatives of the Article 29 Working Party.
(148)
In the framework of the Annual Joint Review, the Commission will request that the Department of Commerce provides comprehensive information on all relevant aspects of the functioning of the EU-U.S. Privacy Shield, including referrals received by the Department of Commerce from DPAs and the results of ex officio compliance reviews. The Commission will also seek explanations concerning any questions or matters concerning the EU-U.S. Privacy Shield and its operation arising from any information available, including transparency reports allowed under the USA FREEDOM Act, public reports by U.S. national intelligence authorities, the DPAs, privacy groups, media reports, or any other possible source. Moreover, in order to facilitate the Commission’s task in this regard, the Member States should inform the Commission of cases where the actions of bodies responsible for ensuring compliance with the Principles in the United States fail to secure compliance and of any indications that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection.
(149)
On the basis of the annual joint review, the Commission will prepare a public report to be submitted to the European Parliament and the Council.
7. SUSPENSION OF THE ADEQUACY DECISION
(150)
Where, on the basis of the checks or of any other information available, the Commission concludes that the level of protection offered by the Privacy Shield can no longer be regarded as essentially equivalent to the one in the Union, or where there are clear indications that effective compliance with the Principles in the United States might no longer be ensured, or that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection, it will inform the Department of Commerce thereof and request that appropriate measures are taken to swiftly address any potential non-compliance with the Principles within a specified, reasonable timeframe. If, after the expiration of the specified timeframe, the U.S. authorities fail to demonstrate satisfactorily that the EU-U.S. Privacy Shield continues to guarantee effective compliance and an adequate level of protection, the Commission will initiate the procedure leading to the partial or complete suspension or repeal of this decision (207). Alternatively, the Commission may propose to amend this decision, for instance by limiting the scope of the adequacy finding only to data transfers subject to additional conditions.
(151)
In particular, the Commission will initiate the procedure for suspension or repeal in case of:
(a)
indications that the U.S. authorities do not comply with the representations and commitments contained in the documents annexed to this decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the Privacy Shield;
(b)
failure to effectively address complaints by EU data subjects; in this respect, the Commission will take into account all circumstances having an impact on the possibility for EU data subjects to have their rights enforced, including, in particular, the voluntary commitment by self-certified U.S. companies to cooperate with the DPAs and follow their advice; or
(c)
failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests from EU data subjects.
(152)
The Commission will also consider initiating the procedure leading to the amendment, suspension, or repeal of this decision if, in the context of the Annual Joint Review of the functioning of the EU-U.S. Privacy Shield or otherwise, the Department of Commerce or other departments or agencies involved in the implementation of the Privacy Shield, or, for matters pertaining to national security, representatives of the U.S. Intelligence Community or the Ombudsperson, fail to provide information or clarifications necessary for the assessment of compliance with the Principles, the effectiveness of complaint handling procedures, or any lowering of the required level of protection as a consequence of actions by U.S. national intelligence authorities, in particular as a consequence of the collection and/or access to personal data that is not limited to what is strictly necessary and proportionate. In this respect, the Commission will take into account the extent to which the relevant information can be obtained from other sources, including through reports from self-certified U.S. companies as allowed under the USA FREEDOM Act.
(153)
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC published its opinion on the level of protection provided by the EU-U.S. Privacy Shield (208), which has been taken into account in the preparation of this Decision.
(154)
The European Parliament adopted a resolution on transatlantic data flows (209).
(155)
The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION: