U.S. Congressional briefing

Transatlantic coalition of civil society groups: Privacy Shield is not enough, must return to negotiating tables

(March 16, 2016) — Today, more than two dozen civil society groups sent a letter to European leaders reviewing the “Privacy Shield” data-transfer agreement with a singular message: this arrangement is not enough. The Privacy Shield is intended to allow companies to share data about customers across the Atlantic. Unfortunately, the Privacy Shield fails to provide sufficient clarity, oversight, remedy, or protections for the human rights of E.U. citizens against U.S. surveillance practices. The letter specifically calls for legislative reform of U.S. surveillance laws, increased protections for personal data, and additional redress and transparency mechanisms.

“The Privacy Shield does not guarantee adequate protection for E.U. personal data as required by E.U. law and the E.U.’s highest court,” said Estelle Massé, Access Now Policy Analyst. She added, “to add insult to injury, the agreement fails to establish a sufficient mechanism for E.U. citizens to raise complaints about U.S. practices. We must return to the negotiating tables.”

The Privacy Shield, announced at the beginning of February and published a month later, is an arrangement between the European Union and the United States intended to allow companies to transfer data on E.U. citizens to the U.S. Under European law, companies are only allowed to transfer data to a country that guarantees adequate levels of data protection. The Privacy Shield is intended to provide rules for that protection.

The Privacy Shield replaces the “Safe Harbor” arrangement, which was invalidated by the Court of Justice of the European Union (“CJEU”) late last year. The Safe Harbor had been broadly criticized for its system of self-certification, lack of transparency and oversight, and insufficient privacy protections. The CJEU further found that the Safe Harbor specifically failed to protect data against disproportionate government access. The CJEU explained that adequate protection, as required under E.U. law, required a level of protection that was essentially equivalent to what was provided for in the E.U.

The Privacy Shield must be approved by the European Commission with guidance from the E.U. member states who are tasked with delivering a binding opinion via their membership within the Article 31 Committee, which includes representatives from the 28 E.U. member states and the E.U. Commission. Non-binding opinions and comments from the Article 29 Working Party of Data Protection Authorities and the E.U. Parliament must also be considered.

The letter from civil society organizations calls on the Article 29 Working Party, the European Parliament, and the Article 31 Committee to reject the Privacy Shield and send it back to the U.S. and the European Commission for further negotiations.

“The negotiators of the Privacy Shield utterly failed to protect the human rights of Europeans against U.S. surveillance. U.S. law must be reformed if this arrangement has any hope of providing the certainty for transatlantic data transfers that users, and companies, need,” said Amie Stepanovich, U.S. Policy Manager at Access Now.

“There can be no shield for the privacy of European citizens without true reform of the United States’ disproportionate government surveillance of non-U.S. persons,” said Danny O’Brien, International Director at the Electronic Frontier Foundation.

“EPIC urges both the U.S. and the E.U. to strengthen data protection. The Privacy Shield negotiators should start over and put in place a framework that provides meaningful protection for transatlantic data flows,’ said Fanny Hidvegi, EPIC International Law Fellow.

“The U.S. is incapable of addressing how its own digital industry continually expands data collection on consumers. Until the U.S. enacts a law protecting privacy, no one is safe—whether they live in the E.U. or America,” said Jeff Chester, Executive Director, Center for Digital Democracy.

“The most sensitive personal information, bar none, is health data about our minds and bodies. If we cannot protect our most sensitive data, what hope is there for protecting any other personal data?” said Dr. Deborah Peel, Founder of Patient Privacy Rights.

###