July 6, 2017 — Access Now yesterday sent extensive comments to the European Commission on the review of the EU-US “Privacy Shield” arrangement to allow data transfer between Europe and the United States.
The Commission is conducting its first annual review of the Privacy Shield adequacy decision that outlines policies and developments in the US and Europe that implicate the arrangement, and requested feedback from Access Now. Access Now highlighted to the Commission developments that call into question the validity of the Privacy Shield, including changes to US surveillance law, implementation of the General Data Protection Regulation (GDPR) in the EU, and Trump administration policies that show disregard for human rights globally.
The Privacy Shield is a unilateral decision of the European Commission that allows personal data of people in the EU to be transmitted and stored in the US. According to EU law, the US must meet European standards of data protection, privacy, and security for the information to be transferred. There is an annual review process that ensures these standards are continually met. However, Access Now warns the Commission that changes in the US put this framework at risk, and the Privacy Shield must be in line with the GDPR.
Among other things, Access Now identified the following developments as important for the Commission to consider:
- The dysfunction of the US Privacy Civil Liberties Oversight Board (PCLOB)
- The issuance of US executive orders that disregard the rights of anyone outside the United States
- Ongoing expansion of US surveillance authorities, willful misuse of surveillance programs, reneging on transparency promises, and the impending review of Section 702 of the US FISA Amendments Act
- Active debate on circumventing the Mutual Legal Assistance Treaty system
- Lack of adequate redress mechanisms in the Privacy Shield itself
- The US threat to leave the United Nations’ Human Rights Council
- Recent repeal of broadband privacy regulations previously issued by the US Federal Communications Commission (FCC)
- Implementation of the General Data Protection Regulation (GDPR)
Read the full letter here.
“The free flow of data is necessary for a healthy internet that facilitates human rights, but that openness cannot come at the cost of the free exercise of those rights,” said Amie Stepanovich, US Policy Manager at Access Now. “One of the most invasive US surveillance authorities is set to sunset at the end of this year, and committing to substantive reform of that law would represent a great first step in the effort to show Europe and the rest of the world that the US takes its human rights obligations seriously. Without this commitment, though, it’s hard to see how Privacy Shield can survive.”
“EU officials made concessions on the high level of privacy and data protection rights of Europeans when they adopted Privacy Shield,” said Fanny Hidvegi, European Policy Manager at Access Now. “The Privacy Shield fails Europeans because it fails to provide effective individual redress mechanisms or independent oversight. To avoid further legal challenges, the Commission must improve the framework to meet the standard of the GDPR.”
Access Now is an international NGO that works on human rights and tech policy around the world, including offices in Brussels and Washington, D.C.