Unsolicited advice to Privacy Shield negotiators
EU negotiators are in the final stages of drafting the text of Privacy Shield. What should they pay attention to?
EU Commissioner Jourova has just declared that the negotiations around the text of the transatlantic agreement on data protection are in their final stretch.
I have a lot of practical experience trying to exercise my rights under the previous scheme, Safe Harbor. This means that I have had to argue, in front of a US arbitration court, for the exercise of rights that the defending company had agreed to in committing to the Safe Harbor scheme. In front of me were U.S. lawyers, mediators, judges, etc., trying to ascertain the validity of my claims. I am not a lawyer, and presumably others using Privacy Shield should not need to retain one. However, I have found that any slip in language in the Safe Harbor text was very hurtful to the whole process. Based on these experiences, I would like to share five pieces of advice:
- Avoid the word “privacy” in the text at all costs. EU (and Swiss) laws care for the more general data protection. For instance, the EU directive (officially: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) guarantees access to any data held by any entity, regardless of whether there was any kind of breach of privacy. Using the word “privacy” means that the opposing lawyer can argue for using U.S. privacy laws as a basis for interpretation of the Safe Harbor text, which considerably weakens its intended scope.
- There is a clause in the definition of personal data that undermines the whole scheme: “Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form. Reformulate the clause “received by a U.S. organization”. Indeed, if data about me is transferred to the U.S., Safe Harbor intends for the protections on the data to extend there as well. If data is further processed, the protections extend to the output of that processing. However, one reading of the personal data definition would specifically exclude that output, as it hasn’t been received by a U.S. organization from the EU. All kinds of legal and technical arrangements can be devised to magnify the impact of this loophole.
- Insist on the Directive scope (or its GDPR replacement). The lawyers and judge are US-based. A casual reference to “under the scope of the Directive” is a very weak indication of the relevance of the EU Directive for US-based proceedings.
- Avoid the word “person” at all costs. With Citizens United and other decisions, the word “person” carries a sometimes different meaning in the US and in Europe, easing the conflation between juridical and natural persons. Hence, if Safe Harbor limits the Access right of a person to not jeopardize the privacy of others, does this second limitation also refer to both types of persons? If so, then any company being asked for data can just claim that revealing that data would impinge on its own privacy.
- Require arbitration courts to dispose of their confidentiality rules. It is impossible to know how many EU citizens have gone through US-based arbitration. In fact, it has been nearly impossible for journalists to find examples of individuals who have tried this. Once it became clear they would have to provide me with access to my data, Turn Inc. tried to impose a permanent confidentiality clause on the outcome. But the problem goes much deeper. Individuals might be confronted with arguments made by US lawyers in front of a US judge that are clearly invalid in EU law or against the spirit of Safe Harbor (see above). How does the reporting to Data Protection Authorities work then? Are they supposed to breach the confidentiality rules to get the help of DPAs? In doing so, they might invalidate the whole US arbitration. Are they supposed to wait for the outcome, and then call for help? This seems counterproductive.
Again, all those remarks are born out of practical experience. I thank the Privacy Shield negotiators for their work and hope they will find this useful.