Privacy Shield: The new EU rules on transatlantic data sharing will not protect you
Albrecht and Schrems say new regime likely to fall foul of EU Court of Justice in same way as Safe Harbor
The European Union’s data protection laws are intended to ensure that we can entrust personal data to our devices and online services without fear of privacy violations. To make sure that this European standard is not undermined, it is essential to clarify under which circumstances personal data can be transferred to other countries – ones that may not have the same privacy protection laws.
The European Commission will today adopt the so-called Privacy Shield, which will allow companies to transfer personal data from the EU to the United States. It follows the European Court of Justice ruling that the previous system for the transfer of data to the US, called Safe Harbour, violated fundamental rights to privacy.
Does Privacy Shield protect the privacy of European users when their data is sent to the United States? Various indicators suggest it does not.
With regard to the private sector, it is painfully obvious that the rules give nowhere near the level of protection and principles afforded by the EU. For example, if you share your personal information with your doctor, you reasonably expect that he will only use this information for the purpose of curing you – not to gossip behind your back. This expectation is enshrined in EU law as “purpose limitation”.
Privacy Shield allows the sharing of your data for very broad and generic purposes, such as “for all services we may provide to you and others”. This undermines a very crucial protection. Many other data protection rules, such as the deletion of data or the sharing of data, are interlinked with this principle.
Privacy Shield is meant to be based on “notice and choice”, which sounds promising. However, Privacy Shield does not give users much “choice”. It actually gives companies a general blanket approval to use the personal data of any person under the sun. Only in two specific cases can users object.
They would first have to know which US company was using their data, and then contact the company and actively “opt out”. This gives US companies a significant competitive advantage over European firms. Under the European “opt-in” system, companies typically have to ask customers for consent.
In addition, the rules for legal redress are rather complex. If European customers believe their rights have been violated, they have to first contact private US arbitration bodies and their national authorities, who in turn contact the US authorities, in order to be finally able to address concerns with a “privacy shield board”.
None of this guarantees that the person responsible for oversight will be empowered to actually review the practices of any company and, for example, review servers and software. None of the options available are directly enforceable by a customer. In sum, even if a company violates the fundamental rights of a customer, it is very unlikely there will be any real consequences.
The rules concerning personal data in the public sector are equally worrisome. In its Safe Harbour ruling, the European Court of Justice strongly criticised mass-surveillance laws in the US, which have not changed in the meantime. While US citizens enjoy certain protection against surveillance measures, “non-US persons” are specifically exempted.
Not only does the final Privacy Shield use the exact same wording on mass surveillance laws as Safe Harbor, but the US now even admits that it will continue to collect personal data stemming from Europe in bulk.
Blanket mass surveillance without any reasonable suspicion is contrary to the principles of European human rights. European courts have consequently ruled clearly against blanket access to personal data for not being in line with the fundamental rights to privacy and data protection.
Legal redress against measures in the public sector is little more than a farce. An EU citizen may address an ombudsperson in the US, which is not a court or independent body, but an undersecretary of the US government.
Confirm nor deny
While the new ombudsperson can raise issues within the US government, the reply to the individual concerned will always contain the same two sentences: first, the US will not confirm or deny any surveillance; and, second, all US laws were adhered to, or any non-compliance was remedied.
This ombudsperson is not what the Europe Court of Justice meant when it asked for individual redress.
Privacy Shield needs to fulfil the criteria laid down in European Union law and by its courts, which have clearly stated that blanket data collection is not compatible with the fundamental right to data protection.
This is also a problem for European businesses that are obliged to meet EU data protection standards but which will, under Privacy Shield, face competition from US companies who face no such obligation. Nor does this new deal provide legal certainty for the industry that is so desperately needed.
The European Commission should hold off on activating Privacy Shield until more work is done on the US side. Given the countless insufficiencies, it is otherwise highly likely that the new Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice.
Jan-Philipp Albrecht is a Green/EFA MEP who worked as lead negotiator on EU data protection reform. Max Schrems is a leading European privacy campaigner whose Facebook challenge ended the Safe Harbour agreement