Access Now to EU Commission: US failure on privacy means “Privacy Shield” must be suspended

September 3 & 4, 2018 — Access Now is calling upon the European Union to suspend the EU-US “Privacy Shield” arrangement in light of the repeated failure by the United States government to take necessary steps to protect European privacy rights.

The call comes in tandem with our extensive comments to the European Commission on the second annual review of the Privacy Shield arrangement which allows data transfer between Europe and the United States. In our comments, we highlight developments that call into question the validity of the arrangement, including changes to US surveillance law and Trump administration policies that show disregard for human rights globally. These developments, coupled with the inherent flaws of the Privacy Shield that remain unaddressed, reinforce the position that the arrangement is not fit for purpose and must be suspended.

“The ongoing expansion of the US surveillance apparatus and the disdain this US administration shows toward human rights globally continue to undermine the validity of the Privacy Shield and its capacity to protect privacy,” said Amie Stepanovich, US Policy Manager at Access Now. “These facts necessitate reflection on what more (or rather, less) the United States would have to do to vacate the Privacy Shield and how much longer the EU Commission can hold its nose to tolerate the US government’s willful dereliction of its responsibilities.”

“Maintaining Privacy Shield in its current form does not, and will not, provide for legal certainty. The Commission must take action to protect the rights of EU data subjects by suspending the arrangement,” said Fanny Hidvegi, European Policy Manager at Access Now.

In our submission, we detail how the US Congress and the Executive have continuously ignored or consciously disregarded the provisions of the Privacy Shield and turned a deaf ear to the repeated calls for compliance by EU government institutions and experts. For instance, the EU Commission has repeatedly identified the functioning of the Privacy and Civil Liberties Oversight Board (PCLOB) and the Ombudsperson as a key component for the continued viability of the Privacy Shield. Yet, since 2017, the PCLOB has been lacking quorum and the position of the Ombudsperson remains vacant. Earlier this year, the committee of EU data protection authorities warned that if an independent Ombudsperson as well as a full quorum of PCLOB members were not appointed by 25 May 2018, they would “take appropriate action, including bringing the Privacy Shield adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.” Meanwhile, in July 2018, the European Parliament adopted a resolution calling for suspension of the Privacy Shield arrangement unless the US complies with EU data protection requirements by 1 September 2018. The US administration simply ignored both deadlines.

Over the summer, Access Now has followed developments in the US regarding nominations to the PCLOB and the Ombudsperson. Even if these positions were now to be filled, larger structural problems would remain. As we detail in our submission, the Ombudsperson mechanism is not adequate to provide protection that is essentially equivalent to that prescribed by EU law.

Accordingly, our submission provides a list of the bare minimum requirements for the Privacy Shield to be brought as close as possible to compliance with EU primary and secondary law. As negotiations with US counterparts did not lead to significant progress in the functioning of the arrangement over the past 19 months, it is high time for the EU Commission to take action to protect the rights of EU data subjects and suspend the arrangement.

Read the full submission here.

Access Now is an international NGO that works on human rights and tech policy around the world, including offices in Brussels and Washington, D.C.