Data Protection Regulators Say Privacy Shield Is Not Strong Enough
The committee of data protection regulators across Europe, the Working Party 29, announced today its opinion on the current “Privacy Shield”. The Opinion is expected shortly, and based on the statements made by the Working Party chair in a press conference, we understand that the Working Party, while noting improvements from the annulled “Safe Harbor” agreement, has serious concerns about a range of aspects of the current “Privacy Shield” agreement with the U.S.
Overall, they note the complexity of the Privacy Shield and the lack of clarity and internal contradictions in the documents that comprise it. PI agrees with this assessment. The Privacy Shield is made up of a collection of commitments and explanatory notes by various parts of the US administration, making it very difficult for anyone to assess what guarantees are provided for the protection of personal data and how they would apply in practice.
The Working Party announced it will issue two separate documents: one related to consumer protection and one related to the guarantees against unlawful state surveillance (“essential guarantees”).
The committee of privacy regulators raised a range of concerns, particularly on the missing data protection principles, notably limitations on the purposes for which our information is used, and limited data retention periods. PI is continuing to review these concerns in detail, but our overall assessment remains that the current so-called Privacy Shield does not provide effective protection of personal data. To advance trade and develop a modern economy, the U.S. must leave the dark ages and implement a strong and meaningful privacy legal regime.
The Working Party noted inadequate protection of personal data from mass collection by U.S. Government agencies and the lack of an independent mechanism of oversight and of redress. The Working Party based its assessment on four overarching principles: accessible rules, necessity and proportionality of the interference with privacy, independent oversight mechanisms and effective remedy. These are principles embedded in European law and human rights law which have been reflected in judgments of the European Court of Justice and the European Court of Human Rights.
These principles form the basis for an assessment of the adequacy of the protection of the right to privacy from interference by state authorities, both in the US and EU member states. The Working Party reportedly found that the Privacy Shield does not adequately fulfil some of these principles, particularly in its allowance of bulk collection, insufficient limits on the collection and use of personal data, and lack of independent and effective oversight. PI agrees that the current US legislation and policies do not comply with applicable international human rights law, particularly as they allow bulk retention of personal data and lack redress. Again, the US must send a signal that the privacy of both Americans and non-Americans is respected, by implementing strong legal safeguards over its surveillance.
Privacy International believes that surveillance reform and strong data protection law are necessary for a modern global economy that engenders trust and safeguards rights. Both Europe and the US must take significant steps to protect privacy. In this sense, the Privacy Shield agreement is a failure. However, policy failures are not limited to the US, and as other countries across Europe and the EU itself are adopting mass surveillance, strong privacy protections are critical. This is why we oppose the Privacy Shield, the Investigatory Powers Bill, the EU passenger profiling system, U.S. Executive Order 12333… It is absurd that this list of surveillance laws is growing longer at a time when the right to privacy is even more important.