Reuters reported earlier this month that, according to three former employees, Yahoo Inc. had “complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo mail accounts at the behest of the NSA or FBI.” Yahoo responded that the article was misleading, but did not deny the scanning had occurred.
The New York Times reported further details about this scanning: Yahoo had modified a system intended to scan emails for child pornography and spam in order to satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization. Apparently, the order came last year from a judge of the U.S. Foreign Intelligence Surveillance Court and involved the scanning of all users’ emails rather than individual accounts.
Edward Snowden’s revelations about U.S. surveillance activities led to the Schrems decision, rendered in October 2015, in which the European Court of Justice invalidated the Safe Harbour agreement that had served as the basis for many companies to transfer personal data from the EU to the U.S.
Could these new revelations about Yahoo have negative consequences for the Privacy Shield, and in what way?
One of the criticisms of the Safe Harbor since its adoption in 2000 was that it did not evolve with the times. This weakness is addressed in the Privacy Shield, which provides for an annual review to monitor the functioning of the Shield; that review will include issues of national security access to personal information. The European Commission and the U.S. Department of Commerce will conduct this review and will involve national security experts from the U.S. and the European Data Protection Authorities in it. The Yahoo case will no doubt be discussed during the first annual review and, if the European Commission finds it to be evidence that U.S. privacy efforts are not sufficient, the European Commission can suspend its adequacy decision. In practice, this would mean that companies transferring data would have to use an alternative transfer tool, such as the Commission Standard Contractual Clauses, or face orders to stop transferring data and/or penalties for improperly transferring data.
The Schrems decision also says that national Data Protection Authorities are not bound by the European Commission’s adequacy decisions. They can separately conclude that the U.S. privacy scheme does not afford a sufficient level of protection and order the exporter of data to stop transferring the data to the U.S.
Even though the Privacy Shield received a positive adequacy decision, that conclusion could be invalidated by the European Court of Justice if a complaint were filed before a national Data Protection Authority. However, this could take several years. (In the Schrems case, Maximilian Schrems filed his complaint against Facebook with the Irish Data Protection Commissioner in June 2013, and the Safe Harbour was invalidated in October 2015.)
How likely is it that the European Commission, a national Data Protection Authority or the European Court finds that the Privacy Shield does not afford a sufficient level of protection?
In the Privacy Shield, an important effort was made by U.S. authorities to explain the rules governing surveillance activities. However, the Article 29 Working Party was not totally convinced. In its initial opinion on the draft adequacy decision, it noted that “the representations of the U.S. Office of the Director of National Intelligence (ODNI) does not exclude massive and indiscriminate collection of personal data” and recalled “its long-standing position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society….” The key concept is whether the collection is massive and indiscriminate. Although the information publicly available about Yahoo is still limited, the scanning of all users’ emails, if confirmed, could well be regarded as a massive and indiscriminate collection of data. The period of time during which this occurred could be an important factor. The USA Freedom Act limits bulk collection of data and took effect at the end of November 2015. If the scanning occurred in the spring months of 2015, U.S. authorities could argue that this can no longer happen.
The Irish Data Protection Commissioner has stated that the matter is being investigated. A member of the European Parliament has asked the Commission to investigate, but the Commission has not yet made any public statement.