On February 29, the European Commission released the draft text of the new Privacy Shield data-transfer arrangement between the EU and the US. Unfortunately, the arrangement has the same inherent flaws as the “Safe Harbour” mechanism it seeks to replace. Safe Harbour was invalidated by the Court of Justice of the European Union (CJEU) for failing to comply with EU law and protect fundamental rights.
In issuing the Privacy Shield, the commission asserts that it has “carefully analysed US law and practice” to determine whether it complies with EU law. The CJEU called for a showing of essential equivalence in protections between the two in order to allow data flows to continue. Far from an in-depth inquiry, the commission’s analysis relied on a series of letters sent by the US administration and published as annexes to the draft deal. Unfortunately, the end result demonstrates the inadequacy of this approach, and the European Commission errs on several important facts. Here are our top three:
1.) Claim: “the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens.’”
Fact: The US does not provide sufficient protections to non-US persons
The US government often makes this kind of broad statement, but almost always with an important and necessary qualification: “…under this programme.” Undoubtedly, what the statement is meant to refer to is the surveillance conducted under Section 702 of the FISA Amendments Act, the specific law at issue in the case in which Safe Harbour was invalidated. It doesn’t address surveillance that takes place secretly.
However, even this qualified statement is deceptive. As Access Now previously explained, there is a conflict in terms between the EU and the US. Most of the surveillance that the US administration considers “targeted” would qualify as “indiscriminate surveillance” in the EU, and would therefore be prohibited. But, more broadly, this statement isn’t even remotely correct. Under Executive Order 12333, the US conducts broad, inadequately overseen, non-transparent surveillance of innocent people around the world without having to meet any evidentiary standard at all. These kinds of programmes collect users’ address books and buddy lists, and record details about every phone conversation, across full countries.
The European Commission makes several statements asserting the adequacy of the protections that the US provides to non-US persons. But the truth is simple: the US does not respect the fundamental rights of those outside the United States.
Specifically, the EU Commission references limitations on government surveillance in Presidential Policy Directive 28 (PPD-28), which provides that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside.” But this aspiration is not the same as a commitment to respect rights. In fact, the policies and protections that PPD-28 provides for non-US persons are only applied “[t]o the maximum extent feasible consistent with the national security.” This exception not only swallows the rule — it engulfs it.
2.) Claim: “U.S. law contains clear limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.”
Fact: The system of congressional and executive oversight is inadequate
The European Commission relies heavily on the “multiple oversight layers” that are used to oversee US surveillance operations, including those in the executive branch (“civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the [Privacy and Civil Liberties Oversight Board], and the President’s Intelligence Oversight Board”), in Congress (“the House and Senate Intelligence and Judiciary Committees”), and in the courts (“the FISA Court…an independent tribunal whose decisions can be challenged before the Foreign Intelligence Court of Review”).
However, the commission does not acknowledge that these three layers have frequently failed to accomplish their missions effectively. As the Snowden revelations demonstrated, even with most of these mechanisms in place, the US was able to conduct at least one known surveillance programme that, once revealed, was nearly universally believed to have been both unlawful and likely unconstitutional. And, where Executive Order 12333 is concerned, there is no judicial or congressional oversight at all.
One of the major problems is the lack of transparency. Broad exemptions for information even remotely related to national security insulate surveillance agencies from public scrutiny. Congressional oversight committees conduct most of their hearings behind closed doors, and when they do decide to hold an open hearing, the lack of probing questions is a joke even among members of Congress. The FISA court, for its part, is known for its secrecy. While recent reforms in the USA FREEDOM Act help address the transparency problem, they are only a small step for an area of government where the black-curtain culture still reigns.
As Access Now previously pointed out, even without public transparency, federal judge John D. Bates publicly accused the National Security Agency of “repeatedly misleading” the court. In two of the few public hearings on surveillance, both former NSA Director General Keith Alexander and Director of National Intelligence James Clapper provided information that was a bit removed from the truth.
Finally, regardless of how robustly any of these mechanisms review intelligence programs, the ultimate truth is that they are looking for violations of US law, which doesn’t recognise rights for non-US persons. Mass surveillance is lawfully permitted under both Section 702 and Executive Order 12333, and entities like the Privacy and Civil Liberties Oversight Board have so far failed to address the impact of these authorities on the rights of non-US persons. This is not what oversight looks like.
3.) Claim: “the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community…This mechanism builds upon the designation…of a Senior Coordinator…in the State Department.”
Fact: Proposed redress mechanism is unacceptably entrenched in the existing structure
With regard to improper government access to data, one of the biggest changes made from the Safe Harbour to the Privacy Shield is the creation of an “Ombudsperson,” to serve as a means of redress for EU citizens. However, the Ombudsperson is given authority only to coordinate responses to complaints filed by users and relevant authorities. The office is not empowered to initiate investigations.
Further, the European Commission specifically trumpets the ombudsperson’s independence from the intelligence community, explaining that such independence is necessary to ensure that complaints are “properly investigated.” However, the office will, in fact, be housed in the US Department of State, which is a central part of the US’s intelligence framework. In fact, the specific individual designated by US Secretary of State John Kerry as Ombudsperson, Catherine A. Novelli, is directly linked with the US intelligence community in her other role as Under Secretary of State.
Outside of the Ombudsperson, Privacy Shield offers no new alternative avenues for redress.
Road ahead for the Privacy Shield
Based on the same flawed foundations as its predecessor, the Privacy Shield is not likely to withstand future legal challenges. Comprehensive surveillance reforms on both sides of the Atlantic must be conducted before any data transfer arrangement can meet the standards set forth by the Court of Justice of the EU.
Access Now urges the Working Party 29 and the Article 31 Committee to take into consideration all the above-mentioned facts overlooked by the Commission negotiators when developing their opinions on the arrangement. The adoption of yet another flawed mechanism will benefit no one, and has the potential to further hinder users’ trust in the digital economy. We expect DPAs and representatives from EU member states to take seriously their duty to protect users’ fundamental rights to privacy and data protection.