Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court

from the please-don't-make-us-do-this dept

The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we've noted several times this year, there are a number of reasons to think that the EU's highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it's clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the "Article 29 Data Protection Working Party" -- the WP29 for short -- explains:

Based on the concerns elaborated in its previous opinions ... the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29, assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.

As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important "unresolved" issues such as "the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects." The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more "transparent on their use of their surveillance powers", the collection of and access to personal data for national security purposes under both section 702 of FISA and Executive Order 12333 were still a problem. On the former, WP29 suggests:

Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

As regards Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) "to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context." That's likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 "acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision", but underlines that the EU group has "identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities." It spells out what will happen if they aren't sorted out:

In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.

That is, it will ask the EU's highest court to rule on the so-called "adequacy decision" of the European Commission, where it decided that Privacy Shield offered enough protection for EU personal data moving to the US. There's a clear implication that WP29 doubts the CJEU's ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU's data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) is enforced. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover, which means even the biggest Internet companies will have a strong incentive to comply.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: eu, executive order 12333, privacy, privacy shield, safe harbor, section 702, surveillance


Reader Comments


  • Anonymous Coward, 9 Dec 2017 @ 5:16am

    bottom line ?

    ...the minutiae of EU government bureaucrats' internal squabbles is so so fascinating. But what's the significance of this stuff to Joe-6Pack in Fresno, California?


    • That One Guy, 9 Dec 2017 @ 8:30am

      Re: bottom line ?

      To demonstrate once more the magical coding's effect on visitors, to make you ask questions like that, or, I dunno, to highlight how the USG's sticky fingers and refusal to show restraint with regards to personal data might make it much more difficult and risky to engage in trans-atlantic data sharing, even to the point that major companies might be forced to split up so they have US and EU branches, where one cannot acquire data from the other, with or without a court order.

      And as for smaller US-based companies that don't have the resources to do that, they'll possibly be forced into the position of not allowing any visitors from the EU to use their service/platforms, as they wouldn't be able to prevent data sharing (voluntary or 'voluntary') and can't afford the fines.


      • Anonymous Coward, 12 Dec 2017 @ 6:26pm

        Re: Re: bottom line ?

        Or the EU will rule that it's impossible to protect the privacy of an EU citizen's data if it traverses into a US based / controlled network and as such order any routes to such networks be blackhole'd.

        If that's too much, (breaks half or more of their main trunks), then I'd imagine they'd start up an initiative to build up some alternative infrastructure.

        The US has pretty much burned its bridges with technology privacy advocates and foreign governments alike due to its constant declarations of "We want to spy on everyone!" and "We'll mandate backdoors for us in everything!" If you're paying attention, now's a good time to invest money in non-US tech firms. The US is going to lose its technology sector, not because of better talent, or cheaper processes / labor / automation, but because it can't be trusted to process the data of others in any shape or form.

        (Disclaimer: I'm a US citizen, and yes this does bother me.)


  • Anonymous Coward, 9 Dec 2017 @ 6:47am

    What then?

    Would that really change anything, or would the EU just need to tweak and rename the program every year or two when the old one gets struck down?


  • Anonymous Coward, 9 Dec 2017 @ 7:58am

    Privacy Shield ... Safe Harbor

    Who comes up with these names? They imply the complete opposite of the intent.

    Perhaps the following would be more descriptive
    - private info portal
    - unsafe harbor


    • Pixelation, 9 Dec 2017 @ 9:48am

      Re:

      "Who comes up with these names? They imply the complete opposite..."

      Politicians. It is SOP. First example, Citizens United.

      Yeah, right...


  • Anonymous Coward, 9 Dec 2017 @ 10:21am

    Don't make us do it.

    Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court.

    And if that doesn't do it, then expect the possibility of a 'stern talking to'.


  • ECA, 9 Dec 2017 @ 10:38am

    Another Gov. Agency?>>

    Really wonder Why this is even a THING..
    Letting another nation MONITOR data in other countries is NOT A GOOD THING..

    That is what would happen..
    It's the idea of Oops, we went too far, sorry about that, Over and over and over..
    WE WANT to install tracking software on the EU SERVERS..
    OR at the very least, a central Server farm to MONITOR in/out data from/to the EU..
    THEY won't Ask us/we IF they can do it HERE...they JUST WILL and apologize later..

    Ever Shoot someone and say, I'M SORRY..and not get sent to jail..
    Apologies are for incidents and accidents, but NOT for deliberate FORCE AND USE..


  • Christenson, 9 Dec 2017 @ 11:07am

    Get a *F*** WARRANT, ALWAYS!

    along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

    The national security apparatus needs to start asking judges for warrants before searching. Judges need to start asking for reports back from those searching.

    It's time to notice that that little "and NO warrants shall issue, except" bit in the constitution didn't limit the targets to citizens, and didn't limit the geography to the United States.


    • Anonymous Coward, 10 Dec 2017 @ 7:21am

      Re: WARRANT, ALWAYS!

      ...how charming & naive -- you think government employees should obey the Constitution.

      The highest levels of American government blatantly ignore the 4th Amendment -- what divine intervention do you expect to remedy this?


      • Wendy Cockcroft, 12 Dec 2017 @ 2:22am

        Re: Re: WARRANT, ALWAYS!

        People finally holding their critters to account. As a general rule, it seems they don't, they just vote and sod off home again.


