The United States must answer the real concerns of EU judges about European citizens’ data within the US, when it is accessed by the American intelligence services, says Isabelle Falque-Pierrotin.
Isabelle Falque-Pierrotin is head of the French data protection authority CNIL and current chair of the Article 29 Working Party, the group of privacy watchdogs from EU member states.
After the European Court of Justice ruled the Safe Harbour data sharing agreement between the EU and the US invalid in October, the group called on the Commission to strike a deal with the US on a new data transfer agreement by the end of January 2016.
Falque-Pierrotin was interviewed by Catherine Stupp.
How has your job as president of Working Party 29 changed since the ECJ decision to reject the Safe Harbour deal?
It hasn’t changed dramatically in the last few months. In the last month, the Working Party 29 has become an increasingly operational place to discuss cases and political and strategic decisions between the DPAs [data protection authorities]. This is rather new. Before, it was more of a place only for technical and very legal decisions. I don’t mean that we’re no longer interested in legal discussions, but on top of that, we’re more and more empowered to define operational and strategic decisions for the 28 DPAs.
How are you doing that?
It’s very important to keep the DPAs united on this sensitive issue, so it was important to work closely together to define a common decision and to take a collective risk. When we called for a transition period ending at the end of January, it was a risk that we took collectively. Because the decision of the court is a decision that has to be implemented at once. It’s the state of the law. We’ve decided to have this temporary transition phase in order to allow each of the actors to take their own responsibilities. I think it was a very interesting cooperation between us, because we agreed on that phase and we agreed commonly to take the risk. Some of us had already received complaints.
But some DPAs have made more radical decisions in the meantime.
There is only one in Germany that said something that was understood in a different way than the common European position of the Working Party 29. When we asked if they were really willing to stop transfers, they said no, that their statement was misunderstood. The pack is more or less still united, which takes quite an effort between 28 countries
You’re talking about the Schleswig-Holstein DPA?
But the conference of all the German DPAs also said they would not give new contracts for binding corporate rules or model contract clauses, alternative ways to transfer data to the US.
Yes, but we said that we could allow the BCRs and contractual clauses to go on, which means we’re not considering them illegal immediately. It’s true that the Germans said we’re not going to give new ones. But still, they are not stopping the present transfers under these instruments.
You don’t see that as a lack of unity?
DPAs don’t have to allow these contractual clauses. There’s no formal decision, so I think the German position can be accepted.
Julie Brill, commissioner at the US Federal Trade Commission, said last week that in the 15 years the Safe Harbour agreement was in effect European DPAs only forwarded four complaints to the FTC. Should European DPAs have been helping the FTC more and forwarding more complaints?
It’s true that we didn’t convey a lot of complaints to the FTC. It was probably more than four complaints, because we suggested several compliance issues. They weren’t from complaints, but from online inspection to the websites of the interested companies. We transferred this information to the FTC a few years ago, and it was difficult for the FTC to deal with them because they don’t work exactly as we do. When I say this, I mean that I don’t need a complaint or to have sufficient complaints to investigate a case. Whereas for the FTC, they need to have a certain amount of complaints—complaints, not external audits—to really have the possibility to investigate a case. So they didn’t do anything with our information.
But having said that, I think probably we can improve the way both of us collaborate on the Safe Harbour oversight. But this is probably not the core of the issue that has been pointed out by the judge. Let’s try to concentrate on the main message of the judge,which is not on the type of cooperation, but on the situation of the data when (it is) in the United States, and when (it is) accessed by intelligence services. The judge says that in that situation, they don’t benefit from enough guarantees according to European law.
Probably we could have both acted more energetically, because there were studies analysing the Safe Harbour provisions and saying that it wasn’t enough in order to protect European citizens. Have you heard about the Chris Connolly report? Everybody knew there was something to be improved in Safe Harbour.
You called for a new agreement by the end of January, right after the ECJ decision. Do you think we will have a new agreement that complies with the ECJ decision so soon?
We said that there is a need for the United States to give a political sign somehow, in terms of guarantees on European citizens’ data. So we said that there was a need to have either an intergovernmental agreement, or a kind of binding solution within the American laws on the intelligence services.
I don’t know whether it will be possible to have everything completed by the end of January. But at least we need some kind of political sign showing that they have understood the main message of the judge. The question is not to produce in due time a Safe Harbour number two. It is really to answer the arguments of the judge, which is about the situation of European citizens’ data within the United States when (it is) accessed by the American intelligence services.
Do you think the US government is already answering that by all the other steps they’re going through now, including the Judicial Redress Act?
I think Judicial Redress is interesting. But it doesn’t cover intelligence and public security. It shows that the American public authorities understand that they need to give some freedom, some guarantees. Some civil liberties associations have written to the American government following the Safe Harbour decision, to ask for binding legislation or an intergovernmental agreement between the EU and the United States to provide these guarantees.
There is a kind of political pressure from civil society, from the Working Party 29 and probably also from everyone who wants the question to be solved. We’re all in favour of having these Transatlantic transfers maintained. Because there is a very high economic and also political interest in these transfers. But not at any price. The United States is more and more aware of this political pressure.
Under a new data sharing agreement, should there be more cooperation between European DPAs and the FTC?
We can always improve the cooperation between the Working Party 29 and the FTC. We’re not against it. We’re cooperating very well with the FTC on a very wide range of subjects. Recently we collaborated on genetic data. For Safe Harbour, we can increase cooperation. I’m in favour of that. Increased cooperation of the Working Party 29, and the FTC won’t answer the precise question raised by the judge that is related to the intelligence services’ access to European data for their own activities. This has nothing to do with the cooperation between the FTC and the Working Party 29.