Brussels, BE — Earlier today, the Article 31 Committee, which represents the EU’s 28 member states, gave its green light to the “Privacy Shield” — a data-transfer arrangement between the EU and the US designed to replace the “Safe Harbour” mechanism that was invalidated more than six months ago by the Court of Justice of the EU (CJEU). The arrangement will now have to be approved by the EU Commission before being officially signed by the EU Commissioner for Justice Věra Jourová and US Secretary of Commerce Penny Pritzker.
The final version of the text offers clarity on US surveillance practices and access to remedy for EU citizens. It fails, however, to address the substantial shortcomings of the agreement identified by the EU data protection authorities, the EU Parliament, and privacy experts and civil liberties groups, including Access Now. Specifically, mass collection of European data remains possible under the arrangement, the functioning of and access to the Ombudsperson remain opaque, and access to remedy might not apply to everyone in the EU, which would be contrary to the EU Charter of Fundamental Rights.
“The recommendations made by experts to bring the Privacy Shield in line with EU law have been largely ignored by the EU Commission in the redrafting process,” said Estelle Massé, Policy Analyst at Access Now. “After the EU Passenger Name Records and the Umbrella Agreement, the Privacy Shield may well be the third unlawful instrument adopted by the EU this year. Once more, users will have to turn to the Court to have their rights restored.”*
Even further problems with the Privacy Shield might still arise as the continued oversight capacity of the Privacy and Civil Liberties Oversight Board (PCLOB) in the United States is currently up in the air. The oversight provided by the PCLOB is central to the Privacy Shield agreement. However, the US Senate Intelligence Committee recently approved legislation that would prohibit the PCLOB from considering the privacy impact of US activities on non-US persons. In short, if this legislation gets adopted, the PCLOB would be severely limited in its ability to question a program designed to record every single phone call in the EU.
“It would be short-sighted to gut the power of the PCLOB as the already weak Privacy Shield comes to adoption. As the most genuinely independent US intelligence oversight body, the PCLOB must play a central role in protecting the human rights under any new data transfer agreement between the US and EU,” added Drew Mitnick, Policy Counsel at Access Now.
For our in-depth analysis of the Privacy Shield, see:
- Three facts about US surveillance the European Commission gets wrong in Privacy Shield
- Activating the EU-US Privacy Shield: To protect privacy, we need reform, not rebranding
NOTE: This press release was updated to improve accuracy.