Today, more than two dozen organisations working in the European Union and the United States have sent a letter to the EU data protection authorities, the EU Parliament, and the Dutch Presidency of the EU to request the reopening of the negotiations on the Privacy Shield. The newly proposed data transfer arrangement between the EU and the US, successor to the Safe Harbour, is not in line with the standards established by EU law, in particular regarding the protection of the fundamental right to privacy.
The letter highlights the Privacy Shield’s inherent flaws related to the absence of surveillance reforms — previously detailed by Access Now — and its shortcomings in terms of protection for personal information used for commercial purposes.
The self-certification dilemma
The Privacy Shield principles, which set the rules for the transfer of data from the EU to the US, are broadly similar to those found in the Safe Harbour, though slightly more detailed. The principles that companies certify to comply with are straightforward and sensible, and the extra detail is a positive shift. They include, for instance, a user’s right to know what types of data are collected, where the information is located, and who has access to it, as well as a right for the user to access his or her personal information.
However, the Privacy Shield, like its predecessor, relies on a self-certification mechanism which does not guarantee robust protection for privacy. Companies wishing to transfer data across the Atlantic must simply certify to the US Department of Commerce that they comply with the set of principles listed in the annex to the Privacy Shield, but there is no independent authority to review compliance with those rules (though the Department of Commerce does commit to conducting reviews through compliance questionnaires). The list of “self-certified” companies will be made available, just as it was under the Safe Harbour.
A shield for or against privacy?
As required by EU law, the Privacy Shield is supposed to guarantee that personal data about EU users is adequately protected when it is transferred to or stored in the US. However, the arrangement clearly states that the privacy principles developed in the context of the Privacy Shield have to be interpreted in light of US law. While this seems to contradict the objective of guaranteeing the protection offered under EU law, the issue becomes even more complex when considering that the US currently lacks a comprehensive framework for data protection at the federal level. It is therefore unclear whether the new arrangement will actually shield users from privacy abuses or, instead, shield companies from complying with EU privacy law.
Privacy Shield is not enough
The Privacy Shield ultimately fails for lack of surveillance reform, weak enforcement, and the lack of a comprehensive redress mechanism, among other things.
The coalition letter, coordinated by Access Now and delivered today to the institutions in charge of reviewing the arrangement, calls for the Privacy Shield to be sent back to the drafting table and for time to be allowed for the needed reforms to be concluded.
Without comprehensive surveillance reform in the EU and the US, additional data protection reforms in the US, and a redrafting of the arrangement to strengthen its enforcement and redress mechanisms, the Privacy Shield, quite simply, does not sufficiently protect users or their data. We call on leaders on both sides of the Atlantic to conduct these reforms to provide users with the safeguards they need to protect fundamental rights, and companies with the legal certainty they have been waiting for to restore trust in the transatlantic economy.