New data transfer mechanism remains self-certified, backed by negligible reforms from governments
Brussels, BE – Earlier today the EU Commission released the draft text of the new Privacy Shield data-transfer arrangement between the EU and the US.
The arrangement seeks to replace the “Safe Harbour” mechanism that the Court of Justice of the European Union invalidated for failing to comport with EU law and protect fundamental rights, but it has the same inherent flaws. Once again, US companies need only self-certify their compliance with EU law, and there has not been enough legislative reform in the US to ensure adequate privacy protection for non-US individuals. Worse, the draft text even contains a carve-out for mass data collection.
“By approving the Privacy Shield, the EU Commission would fail to protect EU citizens’ interests. The flow of data might go on for now, but there remains insufficient protection for users’ private data, and insufficient legal certainty for companies,” said Estelle Massé, EU Policy Analyst at Access Now. “Even though the US lacks a comprehensive data protection framework, the government successfully negotiated an unsafe ‘safe passage’ for data under the Safe Harbour, and now under the Privacy Shield, transfer of data is shielded from compliance with privacy rules,” she added.
The structure of the new agreement does not provide legal certainty. The agreement goes into far greater detail than its predecessor, but fails to call for the legislative changes necessary to guarantee the protection of user data. While the arrangement is supposed to guarantee essential equivalence with EU law, the “Privacy Principles” that it outlines will be interpreted on the basis of current US law. Companies can simply self-certify that they will adhere to these principles, just as they did under the Safe Harbour.
The only way the EU Commission proposes to ensure that the US government provides adequate privacy protection is through a series of assurances and letters. That is unlikely to be enough: as the Commission itself has pointed out, the Fourth Amendment of the US Constitution may carry restrictions that protect US citizens, but it does not have the scope to provide the same level of protection for non-US individuals.
The possibility for redress is also insufficient. US Secretary of State John Kerry specifies in Annex III of the Privacy Shield that redress will now be possible through an “Ombudsperson” who is meant to provide independent oversight. However, this person will be a direct employee of the US government. Trying to show that such an entity could be “independent” in an EU court would prove difficult. Further, the ombudsperson will be tasked only with ensuring “follow up,” not initiating actions.
At the same time, there is no mention in the new arrangement of the much-touted Judicial Redress Act, which was weakened before it was passed in the US.
Finally, of deep concern is paragraph 59 of the text, which provides a carve-out for the bulk collection of personal data where there is a technical need or where a risk or “threat” is present. Since bulk collection of data was one of the central concerns that sank Safe Harbour before the Court of Justice of the EU, the fact that the draft Privacy Shield contains this provision is nothing short of baffling.
Amie Stepanovich, US Policy Manager at Access Now, added, “This agreement does not sufficiently control the US intelligence agencies’ access to EU user data. It’s time to end our global arms race on surveillance. The US needs to live up to its international human rights obligations by providing explicit protections for those in the EU.”
The draft text is now in the hands of the European Union Data Protection Authorities (DPAs), who will carry out an evaluation before the College of Commissioners can adopt it. We urge the Article 29 Working Party to scrutinise and address the severe inadequacies of this agreement, which would likely fail a legal challenge.