Privacy Shield: a Protection Full of Holes!
11 July 2016 update: On Friday 8 July, Member States have taken an "adequacy decision" that authorises the European Commission to adopt Privacy Shield on 12 July. La Quadrature du Net deeply deplores the rush with which Member States have analysed and adopted this text within only one week, without even waiting for the evaluation by European National Data Protection Authorities, set to meet on July 25 to discuss whether their suggestions and reservations were taken into account in the new text.
Paris, 8 July 2016 — On 8 July 2016, EU Member States, gathering as the so-called "Article 31 Committee", are set to decide whether or not to adopt the "adequacy decision" that will establish a framework for the transfer of personal data between the USA and the EU: the Privacy Shield. This decision, adopted in a rush, does not address the concerns raised over the past weeks by European National Data Protection Authorities (NDPAs), the European Parliament, several European governments, and human rights organisations.
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared invalid the "Safe Harbor" agreement, which had governed data transfers since 2000. It found that the agreement enabled massive data collection and generalised surveillance, without establishing effective legal remedies in the USA for European citizens. It is now obvious that the new Privacy Shield does not comply with the legal requirements set by the Court of Justice either.
As it stands, the adequacy decision under negotiation will not replace existing, less restrictive mechanisms such as the standard contractual clauses or the binding corporate rules, but will overlap with them instead. As such, the very usefulness of the Privacy Principles that companies are supposed to respect under Privacy Shield is questionable. For example, if a company covered by the Privacy Shield is excluded from it for non-compliance, it may still be able to keep processing the same data through the two above-mentioned mechanisms.
Apart from these serious issues, the core of the decision actually concerns access to data by US public authorities. Instead of referring to "mass surveillance", the text calls it "bulk collection". The United States does not consider "bulk collection" to be surveillance, but the European Union does -- through the Court of Justice of the European Union. Indeed, the Court has already ruled that bulk collection does constitute mass surveillance (in the judgment of 6 October 2015, Maximillian Schrems v Data Protection Commissioner), which is contrary to the Charter of Fundamental Rights of the European Union. This judgment led to the invalidation of the "Safe Harbor". By all accounts, the empty promises and the weak safeguards offered by the US government will not be enough to make the Privacy Shield decision adequate under European jurisprudence.
The same applies to the concerns raised in relation to legal remedy. One of the requirements expressed by the CJEU, the G29 (the European Data Protection Authorities), the EDPS (European Data Protection Supervisor) and civil society is that EU data subjects affected by transfers of their data to this third country should have access to legal remedy and the opportunity to challenge any illegal processing or surveillance. Safe Harbor established a mechanism involving a mediator ("Ombudsperson") in order to address this concern. In theory, it would have been a good solution, if the Ombudsperson were truly independent. However, this mediator is appointed by the US Secretary of State, and plaintiffs may not reach the Ombudsperson directly, as they are first required to go through two layers of authorities, national and European. Moreover, the Ombudsperson will only be able to inform the plaintiff that due verifications have taken place, and may ensure that illegal surveillance is stopped, but the plaintiff will never really learn the actual details of the surveillance conducted on them. This procedure resembles the National Commission of Control of Surveillance Practices established in France through the Surveillance Law (Loi Renseignement) and, similarly, does not offer sufficient legal guarantees for citizens.
The Privacy Shield project was prepared and imposed in a rush by the European Commission and the US Department of Commerce, and does not offer sufficient guarantees for protecting the privacy of European citizens. The project ignores the CJEU judgment that invalidated Safe Harbor over the mass surveillance carried out through the collection of users' data. It is essential that European governments and National Data Protection Authorities reject this agreement, and that they work together to draft a set of rules that actually protects fundamental rights. The need to establish a legal framework for companies whose economic model is based on exploiting personal data must not become an excuse to set up a sordid bazaar that sells off the private lives of tens of millions of European Internet users.