Actu
TRANSATLANTIC COALITION OF CIVIL SOCIETY GROUPS: PRIVACY SHIELD IS NOT ENOUGH, MUST RETURN TO NEGOTIATING TABLES
March 2016 by La Quadrature du Net
TODAY, MORE THAN TWO DOZEN CIVIL SOCIETY GROUPS
SENT A LETTER TO EUROPEAN LEADERS REVIEWING THE “PRIVACY SHIELD”
DATA-TRANSFER AGREEMENT WITH A SINGULAR MESSAGE: THIS ARRANGEMENT IS NOT
ENOUGH. THE PRIVACY SHIELD IS INTENDED TO ALLOW COMPANIES TO SHARE DATA
ABOUT CUSTOMERS ACROSS THE ATLANTIC. UNFORTUNATELY, THE PRIVACY SHIELD
FAILS TO PROVIDE SUFFICIENT CLARITY, OVERSIGHT, REMEDY, OR PROTECTIONS FOR
THE HUMAN RIGHTS OF E.U. CITIZENS AGAINST U.S. SURVEILLANCE PRACTICES. THE
LETTER SPECIFICALLY CALLS FOR LEGISLATIVE REFORM OF U.S. SURVEILLANCE LAWS,
INCREASED PROTECTIONS FOR PERSONAL DATA, AND ADDITIONAL REDRESS AND
TRANSPARENCY MECHANISMS.
“THE PRIVACY SHIELD DOES NOT GUARANTEE ADEQUATE PROTECTION FOR E.U.
PERSONAL DATA REQUIRED BY E.U. LAW AND THE E.U.’S HIGHEST COURT,” SAID
ESTELLE MASSÉ, ACCESS NOW POLICY ANALYST. SHE ADDED, “TO ADD INSULT TO
INJURY, THE AGREEMENT FAILS TO ESTABLISH A SUFFICIENT MECHANISM FOR E.U.
CITIZENS TO RAISE COMPLAINTS ABOUT US PRACTICES. WE MUST RETURN TO THE
NEGOTIATING TABLES.”
The Privacy Shield, announced at the beginning of February and published a
month later, is an arrangement between the European Union and the United
States intended to allow companies to transfer data on E.U. citizens to the
U.S. Under European law, companies are only allowed to transfer data to a
country that guarantees adequate levels of data protection. The Privacy
Shield is intended to provide rules for that protection.
The Privacy Shield replaces the "Safe Harbor" arrangement, which was
invalidated by the Court of Justice of the European Union ("CJEU") late
last year. The Safe Harbor had been broadly criticized for its system of
self-certification, lack of transparency and oversight, and insufficient
privacy protections. The CJEU further found that the Safe Harbor
specifically failed to protect data against disproportionate government
access. The CJEU explained that adequate protection, as required under E.U.
law, required a level of protection that was essentially equivalent to what
was provided for in the E.U.
The Privacy Shield must be approved by the European Commission with
guidance from the E.U. member states who are tasked with delivering a
binding opinion via their membership within the Article 31 Committee, which
includes representatives from the 28 E.U. member states and the E.U.
Commission. Non-binding opinions and comments from the Article 29 Working
Party of Data Protection Authorities and the E.U. Parliament must also be
considered.
The letter [2] from civil society organizations calls on the Article 29
Working Party, the European Parliament, and the Article 31 Committee to
reject the Privacy Shield and send it back to the U.S. and the European
Commission for further negotiations.
“THE NEGOTIATORS OF THE PRIVACY SHIELD UTTERLY FAILED TO PROTECT THE
HUMAN RIGHTS OF EUROPEANS AGAINST U.S. SURVEILLANCE. U.S. LAW MUST BE
REFORMED IF THIS ARRANGEMENT HAS ANY HOPE OF PROVIDING THE CERTAINTY FOR
TRANSATLANTIC DATA TRANSFERS THAT USERS, AND COMPANIES, NEED,” SAID AMIE
STEPANOVICH, U.S. POLICY MANAGER AT ACCESS NOW.
“THERE CAN BE NO SHIELD FOR THE PRIVACY OF EUROPEAN CITIZENS WITHOUT TRUE
REFORM OF THE UNITED STATES’ DISPROPORTIONATE GOVERNMENT SURVEILLANCE OF
NON-U.S. PERSONS,” SAID DANNY O’BRIEN, INTERNATIONAL DIRECTOR AT THE
ELECTRONIC FRONTIER FOUNDATION.
“EPIC URGES BOTH THE U.S. AND THE E.U. TO STRENGTHEN DATA PROTECTION. THE
PRIVACY SHIELD NEGOTIATORS SHOULD START OVER AND PUT IN PLACE A FRAMEWORK
THAT PROVIDES MEANINGFUL PROTECTION FOR TRANSATLANTIC DATA FLOWS,’ SAID
FANNY HIDVEGI, EPIC INTERNATIONAL LAW FELLOW.
“THE U.S. IS INCAPABLE OF ADDRESSING HOW ITS OWN DIGITAL INDUSTRY
CONTINUALLY EXPANDS DATA COLLECTION ON CONSUMERS. UNTIL THE U.S. ENACTS A
LAW PROTECTING PRIVACY, NO ONE IS SAFE—WHETHER THEY LIVE IN THE E.U. OR
AMERICA,” SAID JEFF CHESTER, EXECUTIVE DIRECTOR, CENTER FOR DIGITAL
DEMOCRACY.
“THE MOST SENSITIVE PERSONAL INFORMATION, BAR NONE, IS HEALTH DATA ABOUT
OUR MINDS AND BODIES. IF WE CANNOT PROTECT OUR MOST SENSITIVE DATA, WHAT
HOPE IS THERE FOR PROTECTING ANY OTHER PERSONAL DATA?” SAID DR. DEBORAH
PEEL, FOUNDER OF PATIENT PRIVACY RIGHTS.
