No matter what anybody says, the “privacy shield” is just “smoke in the eyes”. There are not fundamentals to protect personal data in the way the European Court of Justice asked in October 2015 Judgment versus Facebook (C-362/14, 6 October 2015).
Many people thought of the Judicial Redress Act (hereinafter JRA) as a rule extending to US citizens’ prerogatives to “allied countries citizens”.
Maybe the first version of the JRA, the one passed behind the House of Representatives in October 2015, was drafted in this perspective.
The JRA that Obama signed last week it’s not even “the cousin of the original version”. It’s an act with a giant pair of “caveat”.
The declarations of Vera Jourova don’t help to correctly evaluate the weight of the Judicial Redress Act.
But to understand my point of view it’s preferable to analyze the parts of the JRA I’m referring to.
Actually, the devil is in the details …
If we read the part entitled “Designation of covered country”, the reader can probably understand my doubts.
Designation of covered country
The Attorney General may […] designate a foreign country or regional economic integration organization, or member country of such organization, as a covered country for purposes of this section if—
(i)the country or regional economic integration organization, or member country of such organization, has entered into an agreement with the United States that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses; or
(ii)the Attorney General has determined that the country or regional economic integration organization, or member country of such organization, has effectively shared information with the United States for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses and has appropriate privacy protections for such shared information;
(B)the country or regional economic integration organization, or member country of such organization, permits the transfer of personal data for commercial purposes between the territory of that country or regional economic organization and the territory of the United States, through an agreement with the United States or otherwise; and
(C)the Attorney General has certified that the policies regarding the transfer of personal data for commercial purposes and related actions of the country or regional economic integration organization, or member country of such organization, do not materially impede the national security interests of the United States.
The conditions under points A, B and C, are not alternatives but they have to coexist.
Another point is the sequence of the requirements, they have to be already in force when the Department carries out its evaluation.
It looks like the European position made strong by the ECJ judgment is suddenly growing weaker and needs to agree with the USA requirements in order to create the suitable conditions for the respect of the European data protection framework. Even if we were to consider that option, and I don’t agree with that, the final framework will be able to protect the European citizens’ fundamental rights.
In Italian, we say “a dog chasing its tail”!
In other words, the condition for the application of the JRA needs as a pre-condition the agreement of the data transfer and such agreement must not interfere with National security purposes … as I underlined in a previous post, the Umbrella Act (made public by EPIC.org with a FOIA versus USA Department of Justice) and, more practically, cases like the FBI vs Apple case, demonstrate that the “doubts” that led the ECJ judgment to invalidate #safeharbor are still unresolved.
By reading the Umbrella Act and the approved version of the JRA, I’m not so sure the new framework will survive to a detailed and competent evaluation of the Data Protection Authorities or, worse, of the European Court of Justice.