From an unSafe Harbour to a Privacy Shield full of holes

Should the European Union agree to legitimise trade with a country that refuses to adhere to European legal standards? This is the fundamental question that will be addressed at tomorrow’s meeting among European privacy regulators when they publish their opinion on the data-sharing agreement known as the ‘Privacy Shield’, the replacement for the failed ‘Safe Harbour’ agreement.



Many of the world’s largest companies, such as Google and Facebook, store their customers’ data in the US. While over 100 countries across the world have passed laws giving people strong privacy protections, the U.S. Government has insisted on providing few privacy protections for Americans and non-Americans alike. This means that a European’s data is susceptible to America’s surveillance systems, even though that data is protected by European data protection laws, simply because it crosses into the US. The so-called ‘Safe Harbor’ agreement from 2000 represented a feeble first attempt at offering data-sharing privacy protections, but in October 2015 the European Court of Justice annulled the Safe Harbor regime. This decision caused a crisis among US Government officials, US industry, and international law firms who were intent on protecting the status quo of privacy dysfunction in favour of vast surveillance.

For years, Privacy International have been arguing that the simple solution is for the U.S. Government to create a legal regime that protects privacy. Such laws should be equivalent to Europe’s standards – which are, in theory, strong.


The So-Called ‘Privacy Shield’

The ‘Privacy Shield’ agreement is a second attempt at firming up privacy protections between the EU and U.S. Unfortunately, this second attempt falls flat, offering little clarity or strong data-sharing protection for Europeans. Over the last few weeks, various pundits, many of whom represent international law firms, have openly boasted that the data protections offered by the US to Europeans are “essentially equivalent” to data protection laws in Europe. This is not surprising given these firms’ large corporate clientele and pro-business lobbying reputation. Quite the contrary: European data in the US will continue to be susceptible to surveillance, and Europeans will continue to have no access to justice.

Tomorrow’s meeting of European data protection regulators is significant because if the regulators were to reject the Privacy Shield agreement, then the European Union would have to go back to the Americans and demand meaningful change in law.

Rumour has it that the regulators will send the deal back to the drawing board, since it largely fails to meet key criteria set by the European Court of Justice and standards set by the data protection regulators following the court ruling. Their demands include clarity of law, use of human rights standards, independent oversight, and access to effective remedy.


What Is Wrong?

If one compares Europeans’ rights under EU law to Europeans’ rights under the current Privacy Shield, holes are immediately apparent. The current ‘Privacy Shield’ agreement does not let Europeans do the following:

  1. Exercise their full rights of consent to data processing
  2. Exercise their full rights of access to their personal information
  3. Exercise their full rights to rectification and erasure
  4. Exercise their right to object to processing of data for direct marketing purposes
  5. Exercise their right to data portability
  6. Have easy and readily available access to an independent complaint and redress mechanism.

There is an urgent need to update and fix the agreement. The US is leading the world in the development of big data systems and inter-connected technologies such as the so-called “Internet of Things” and related ‘smart’ infrastructure. These technological systems will compound the amount of data that people and systems create. Because companies control much of this data, it is essential that strong laws are in place to protect people from unlimited and unchecked corporate and government surveillance. Even the US Federal Trade Commission and Obama Administration have called for new legal protections.

Instead of proposing meaningful protections, we have been subjected to a barrage of propaganda on both sides of the Atlantic from authorities, industry, and academics, proclaiming the “essential equivalence” and robustness of the US privacy system, and explaining how we will all suffer untold harms if something is not put in place expeditiously. These unchecked claims represent a desperate attempt to rush through this agreement, while glossing over the key protections that are needed.

None of this propaganda has been at its core about enacting fundamental rights, or maintaining consumer online trust, or creating an even playing field for all companies; it is all about the billions potentially lost in trade, lost profits (and data mines) to the powerful digital corporations, and never forget the interest in political expediency. The result is a porous Shield, a rushed new arrangement that is barely an improvement on the old one. 


What Can We Do?

If a quick interim solution was needed, why not start from the basis of the internationally-recognised OECD Guidelines for Trans-border Data Flows? It has been signed by both sides of the Atlantic and contains a coherent set of principles, plus a set of essential rights.

For the longer term, Privacy International supports the set of reforms proposed together with privacy advocates and consumer groups on both sides of the Atlantic, which first and foremost include a US commitment to legislative reform, both for data protection and surveillance laws. This is not just in order to meet the standards set by the EU’s Court and its data protection regulators, but is essential to meet the needs and demands of people everywhere, and Americans too.