El Tribunal de la UE ha dinamitado la figura del «Puerto Seguro» en Protección de Datos y revoluciona el Cloud: la AGPD podrá entrar a valorar si los datos transferidos fuera de la UE-desde Facebook a Dropbox o empresas de cloud- cumplen la normativa nacional… ¡Y no la cumplen!
Se empieza con una declaración contundente: «El Tribunal de Justicia declara inválida la Decisión de la Comisión que declaró que Estados Unidos garantiza un nivel de protección adecuado de los datos personales transferidos» (sentencia en el asunto C-362/14)
Y sigue con el fondo del asunto: « las autoridades nacionales de control a las que se haya presentado una solicitud pueden, aun cuando una Decisión de la Comisión declare que un país tercero ofrece un nivel de protección adecuado de los datos personales, examinar si la transferencia de los datos de una persona a ese país respeta las exigencias de la legislación de la Unión sobre la protección de esos datos así como acudir ante los tribunales nacionales»
¿Qué significa?
En primero lugar, que se le pasan a exigir a todas las empresas y personas que almacenen Datos Personales fuera de la UE el cumplimiento de la legislación europea.
Hasta esta resolución se permitía que la Comisión Europea publicara un listado de países a los que la transferencia internacional de datos estaba permitida porque se consideraba que prestaban un nivel de protección equiparable a la LOPD. Entre ellos estaban los del Espacio Económico Europeo y, entre otros EEUU sólo para entidades adscritas a los «principios de Puerto Seguro». Para la transmisión al resto de países o entidades hacía falta un complicado procedimiento que necesitaba de la autorización previa expresa del director de la AGPD.
Tras esta resolución, al haber sido excluido EEUU del concepto de Puerto Seguro, para transmitir datos a servidores en EEUU habrá que demostrar que el destinatario de los datos cumple con los mismos estándares de seguridad y exigencia de la LOPD. Y ello es aplicable a Facebook -involucrada en la sentencia-, pero también a servicios de uso común como Dropbox o cualquier otro servicio cloud.
¿Es automático?
La normativa nacional obliga a solicitar autorización previa para la transferencia de datos fuera de la UE, pero entiendo que los datos ya transferidos lo fueron bajo el paraguas de una decisión de la Comisión Europea y bajo las directrices de la AGPD, por lo tanto la transferencia se hizo de forma legal.
El problema surge por un lado de que cualquier nueva transferencia de datos a EEUU requerirá del largo proceso y de la autorización previa para ser considerada como legal. Y por otra parte de que la AGPD podrá entrar la a examinar y exigir el cumplimiento de la ley nacional a cualquiera de los otros destinos de «puerto Seguro» para cualquiera que utilice servidores fuera de la UE. Y para ello bastará una sola denuncia de alguien descontento.
O dicho de otro modo, las autoridades Europeas podrán analizar a partir de ahora el tratamiento de los datos depositados en «puertos seguros».
Entonces los servidores fuera cumplirán la norma
Pero, ¿pasarán las empresas norteamericanas el filtro de las distintas agencias de protección de datos de Europa?
El Parlamento Europeo ha publicado un Informe comparativo de protección de Datos EEUU- UE que hace un estudio detallado del nivel del marco de uno y otro lado del océano y a la vista de los resultados parece difícil que un marco como el norteamericano pueda ser modificado de forma fácil y rápida para conseguir un nivel de protección y tratamiento de los datos Personales análogo al que se hace en Europa.
El informe es largo y detallado, pero incluye un interesante y clarificador resumen que se transcribe al final de este post.
Consecuencias
Para el usuario de Internet: evidentemente mayor grado de protección.
Para quien maneje datos: la necesidad de una auditoría urgente del tratamiento de hace de esos datos.
A comparison between US and EU data protection legislation for law enforcement purposes: summarizing comparison
Comparing EU and the US data protection legislation for LE purposes is a difficult task due to the fundamental structural, constitutional and practical legal differences visible in the prior analysis. A summarizing comparison can therefore only refer to and identify the most striking differences and shortcomings, with the details being elucidated in the comprehensive analysis above.
The most prominent and important divergence concerns the constitutional protection of personal data. While data protection and privacy are fundamental rights in the EU and are also applicable in the LE context, there is no equivalent protection in the US. The EU’s understanding of these rights have been shaped since the 1970s by comprehensive case law of the ECtHR and was been further developed in recent years through important EU instruments such as the Directive 95/46/EC, the TFEU and the Charter of Fundamental Rights, as well as the EU courts’case law. The US, with its restrictions to the protection of the Fourth Amendment, through the Third Party Doctrine, and the exclusion of non-US persons from both the Fourth Amendment and the Privacy Act protection, follow a very different approach, which is contrary to the EU’s perspective of privacy and data protection as comprehensive fundamental rights.
The EU data protection canon consists of several principles, which mainly apply independently of the context. They include, amongst others, rules on data quality standards, on sensitive data, independent supervision, the purpose limitation principle, rules on inter-agency exchange or transfer of data to third states, time limits for the retention of data, effective judicial review and access possibilities, independent oversight, proportionality elements, notification requirements after surveillance or data breaches, access, correction and deletion rights as well as rules on automated decisions, data security as well as technical protection. These rights and principles are subject to restrictions, but these restrictions are limited by proportionality elements and are continually subject to judicial review. Some of the mentioned EU rights, such as notification, supervision or judicial review can also be found in certain US Acts, for instance in the ECPA. However, they only exist in a mitigated form and are often subject to far-reaching restrictions, when LE or national security interests are concerned. These restrictions are not limited by proportionality considerations, leading to a structural and regular prevalence of LE and national security interests.
While some legal concepts are similar to a certain extent, most of the EU data protection guarantees simply do not exist in US law. One example illustrating a certain degree of similarity is supervision. While the idea of oversight and supervision can be found in both jurisdictions, supervision according to EU rules must be independent of the supervised agency, whereas internal supervisory mechanisms dominate the US LE and national security sector. Other basic EU data protection principles such as restrictions on the further use and dissemination of data collected in an LE context, purpose limitation, or time limits on data retention do not exist at all or only rudimentarily exist in the US. In particular, the approach to data sharing is fundamentally different. Whilst under EU law every transfer of data to other agencies interferes with fundamental rights and requires specific justification, largely unrestricted data sharing between LE authorities and the intelligence community in the US seems to be the rule, rather than the exception.
A further crucial distinction is the approach taken to determining the scope of a law protecting privacy and data protection of individuals. While privacy restrictions in the EU are usually considered in a balancing of interests, focusing on proportionality requirements, US laws often restrict the scope of application of the law itself, thereby considerably limiting its scope from the outset. An example is the Draft Judicial Redress Act, whose application is limited to “covered records” and “covered countries”.
Moreover, while in the EU, the existence of a legal act interfering in general with fundamental rights is sufficient to trigger a standing for the individual to sue, the existence of bulk collection of data in the US does not automatically
lead to an individual right of action. In the recent Klayman case, the US Court of Appeals for the District of Columbia Circuit stated that Klayman has no standing to sue as the plaintiffs “lack[s] direct evidence that records involving their calls have actually been collected.” The possibility of judicial review in light of this ruling consequently appears to be limited.
Another important difference relates to the protected persons. Whereas in EU law, fundamental rights cover all persons targeted by LE and surveillance measures, regardless of their nationality or domicile, US law distinguishes between US and non-US persons and discriminates against the latter. This distinction is clearly visible in the provisions regulating foreign intelligence surveillance, such as the FISA and the PATRIOT Act. Newly introduced laws, such as the FREEDOM Act, do not remedy or change this situation. Only with regards to ordinary criminal investigations, the same rights apply to US persons as to non-US persons.
However, the introduction of stricter access conditions for the collection of tangible things and metadata for foreign intelligence purposes through the newly introduced criterion of the specific selection term in the FREEDOM Act is an improvement compared to the previous predominantly unregulated bulk data collection. Its intention is to limit mass data collection by introducing more restrictive criteria to identify a specific person, entity or account during surveillance. Governmental authorities must now prove that they search for a specific individual or account in order to obtain a FISA order in order to access metadata, call detail records or other tangible things. Regrettably, this newly introduced restriction does not concern Section 702 of the FISA Amendment Act, which authorizes far-reaching surveillance of foreign intelligence information, including communications, content, metadata or other records. This (mass) access to content would clearly violate EU fundamental rights (cf. data retention case and opinion of Advocate General Bot in the Schrems case).
With regards to existing EU-US data sharing agreements such as the Safe Harbor regime, it can be concluded that this instrument is not applicable to current data protection standards anymore and clearly needs to be adapted to overcome the existing shortcomings.This view was very recently confirmed by the opinion of Advocate General Bot in the Schrems case.
From the analysis above, it can be deduced that even if all existing data protection guarantees applying to US persons in the LE and national security framework were made applicable to EU citizens, there would be a considerable difference regarding the level of privacy and personal data protection. The newly introduced Judicial Redress Act and the FREEDOM Act only partially improve this rather unsatisfying situation.
