The EU Commission should strike down the EU-US Privacy Shield. Here’s why.

For the fourth year in a row, Access Now is urging the EU Commission to strike down the EU-US Privacy Shield. But what exactly is the Privacy Shield, and why do we want the EU to put an end to it?

What is the Privacy Shield?

The EU–US Privacy Shield is a series of voluntary principles that apply to the transfer of personal data for commercial purposes from the European Union to the United States and the subsequent use of this data in the US.

The EU–US Privacy Shield replaces the Safe Harbour Privacy Principles, which the Court of Justice of the European Union declared invalid in October 2015 for violating the rights to privacy, data protection, and a fair trial. From the day of its adoption in 2016, Access Now explained that the Privacy Shield fails to address the many shortcomings identified by the EU Court and is a “mere political solution to a legal problem.” The principles may have been re-branded, but none of the necessary reforms the Court identified on surveillance, oversight, transparency, redress, and data protection have been enacted.

Why are we talking about the Privacy Shield now? 

The EU Commission is undertaking the third review of the Privacy Shield and has so far authorised the continuation of the framework despite important shortcomings highlighted by lawmakers and experts, including Access Now.

In the meantime, the Privacy Shield is facing scrutiny by the EU Court of Justice in cases brought by French NGO La Quadrature du Net and privacy activist Max Schrems, who brought the challenge against Safe Harbour.

Who benefits from the Privacy Shield?

On the basis of the Privacy Shield principles, the EU has granted a so-called adequacy decision to the United States, allowing companies to easily move data out of the EU as long as they self-certify that they are compliant with Privacy Shield principles.

In the absence of an adequacy decision, companies would have to use the other transfer mechanisms provided for under EU law, which usually entail greater scrutiny and oversight by EU data protection authorities.

As a result of loose oversight, companies like Cambridge Analytica self-certified under the Privacy Shield and were therefore able to take data out of the EU. Large companies harvesting people’s data, like data brokers, advertising companies, or large tech companies, have also signed up for the Privacy Shield to be able to easily move data out of the EU.

Why does it matter for the rights of people in the EU?

Data protection is a fundamental right in the European Union. Under EU law, personal data can only move outside the EU if a mechanism guaranteeing its protection is in place: this is the premise behind the Privacy Shield principles. By granting an adequacy decision on the basis of these principles, the EU considers that adherence to the Privacy Shield guarantees that people’s rights to data protection and privacy will be protected the same way in the US as in the EU.

The Privacy Shield moved forward despite the lack of comprehensive laws protecting data and privacy in the US and the country’s large-scale surveillance system, which is known to target non-US persons. While the EU usually requires third countries to have data protection laws and robust oversight mechanisms in place before granting them adequacy status, this has not been the case for the US. In doing so, the EU is weakening its position as a global data protection leader and jeopardising the protection of the personal data of people living in the EU.

Why is Access Now calling for the Privacy Shield to be struck down?

Ever since the Privacy Shield principles were adopted, they have manifestly failed to meet the standards set by EU law that guarantee the rights to privacy, data protection, and access to remedy.

In our detailed analyses submitted to the EU Commission in 2016, 2017, 2018 and 2019, we have provided an extensive list of reasons why the Privacy Shield should be struck down, including the following facts:

  • The US federal government and Congress have taken no substantive steps to protect people’s privacy and data. The majority of commitments made to the EU under the Privacy Shield framework come from non-binding promises in letters from the Obama Administration;
  • Since 2016, and despite the Snowden revelations, the US has extended its surveillance programmes, in particular those affecting non-US persons, including people in the EU;
  • The US Federal Trade Commission’s slow action has demonstrated that this oversight body is unable to meaningfully protect privacy under the current US legal framework;
  • The US has shown a growing disregard for the protection of human rights globally and at its borders, and has also ignored many of its Privacy Shield commitments for years; and
  • many more.

What happens if the Privacy Shield is struck down? 

Striking down the Privacy Shield would put an end to a broken framework that is ill-suited to protect people’s rights to privacy and data protection. By terminating the Privacy Shield, the EU Commission can help protect people’s rights and live up to its status as a global leader on the protection of personal data.

For companies relying on the Privacy Shield to transfer data, other mechanisms allowing data to move from the EU to the US exist and can be used, such as Standard Contractual Clauses or Binding Corporate Rules.

For users in Europe, it means that their personal data should only be moved to the US via one of the alternative transfer mechanisms mentioned above. While not perfect, these mechanisms offer greater protection and stronger oversight than the Privacy Shield.

What would be the ideal replacement?

If the Privacy Shield is struck down by the EU Commission or invalidated by the EU Court, the EU can start re-negotiating a new framework with the US.

For the US to be granted a long-term adequacy status that ensures the protection of human rights, we recommend at minimum the following legislative changes:

  1. The US must adopt a comprehensive privacy and data protection framework that puts users at the centre and provides meaningful avenues for redress and oversight;
  2. Non-US persons, including Europeans, must be granted greater rights to redress in case of rights violations due to unlawful data processing in the US or by US authorities; and
  3. The US must significantly reform its surveillance practices and take actions to protect the human rights of all people, including those at the US-Mexico border.

Next steps

As the EU Commission formally reviews the EU-US Privacy Shield this month, Access Now reiterates its call for suspension. It is high time to address the flaws and failures of this deal to ensure users’ rights to data protection and privacy, and to guarantee the secure flow of data between the EU and the US.

Read our submission to the EU Commission here.

Check out our infographic explaining the history of the Privacy Shield below: