New “Shield”, Old Problems
7 July 2016
It has been said is that we pay for free services with our personal data. Now, the Privacy Shield exponentially expands this truth and we are paying for the cost of U.S. political dysfunction combined with EU complacency with our privacy. More than four months after the first EU-US Privacy Shield was published on 29 February 2016, a new version has been leaked. Remarkably, it is expected to be adopted.
Four months, two opinions by group of EU data protection regulatory authorities and the EU Data Protection Supervisor, countless letters and briefings expressing concerns by human rights and consumer organisations both side of the Atlantic, … and the “new” Privacy Shield looks very much like the old one.
Based on an initial, summary analysis of the leaked text, Privacy International have four key concerns:
First, it remains an opaque document that will be a field day for law firms. The EU-US Privacy Shield is contained in the EU Commission draft adequacy decision, annexes and the annexes to the annexes, running into over 200 pages. As such, the Privacy Shield is made up of a collection of commitments and explanatory notes by various parts of the US Government making it very difficult for anyone to assess what guarantees are provided to the protection of personal data and how they would apply in practice.
Second, the principles on data protection standards outlined in the EU-US Privacy Shield Framework Principles contain some improvements- including on the accountability for onward transfer, on purpose limitation and deletion of personal data - but they still fall below what is expected to protect the rights of individuals.
Third, there are no meaningful legal protections, and therefore any promises today can be easily be undermined tomorrow. The safeguards relating to unlawful surveillance, particularly mass surveillance, by US intelligence agencies continue to not contain meaningful legal protections. One of the Annexes in the leaked document contains an additional letter by the Office of Director of National Intelligence providing further information in the ways the US conducts “bulk collection of signal intelligence” (second letter in Annex VI).
The letter confirms that when targeting using specific selectors is not possible (because, for example, the name or e-mail address of the target is not known), collection “in bulk” is allowed, provided it is focused “as precisely as possible” (such as collecting all communications to and from a region in the Middle East).
So, it seems, according to the U.S. Government it is not mass surveillance if surveillance is limited to all communications to and from a region of the world, but not to the whole world.
Beyond the debate on semantics (“bulk” v. “mass”) - which are eerily familiar here in the UK (see debate around the Investigatory Powers Bill) - the fact remains that the U.S. Government is arguing that it can collect all communications to and from a region of the world if the use of specific selector is not possible.
The strict principles of necessity and proportionality in any interference with someone’s privacy cannot be dismissed just by references to “filters and other technical tools” which give no concrete indication of the extent of such collection.
Bulk collection of personal data is an impermissible interference with the right to privacy because of its indiscriminate nature.
The letter goes on to provide further information on the oversight role of the Privacy and Civil Liberties Oversight Board (PCLOB). What it fails to mention is that, as we speak, a provision of the Intelligence Authorization Act for FY 2017 (Act, S. 3017) would bar, if adopted, the PCLOB from considering the privacy and civil liberties interests of anyone but citizens and lawful permanent residents of the U.S. (see letter by NGOs opposing such a provision)
Fourth, the country that extolls the virtue of separation of powers can’t seem to get it sorted on this case. The agreement creates a privacy ombudsperson mechanism. While the language contained in the leaked EU-US Privacy Shield Ombudsperson Mechanism regarding signals intelligence (contained in an annex to a letter by the U.S. State Department, in Annex III) includes some minor changes, the substance of the two main concerns expressed by EU data protection authorities and by NGOs remains unaddressed.
First, the proposed Ombudsperson lacks independence from the executive, as he/she is appointed by and report to the Secretary of State. Contrary to assertions in the draft EU Commission adequacy decision, the independence and impartiality of such a mechanism, including the perception of such independence, is questionable.
Second, the Ombudsperson continues to have only limited powers of redress. This is starkly stated in paragraph 4(e) of the leaked Annex III, where it states that “the Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied.”
Both of these flaws in the proposed redress mechanism mean it falls short of providing effective redress, as described, for example, in the recommendations by the Council of Europe’s Commissioner for human rights.
Conclusions. Given the flawed premises – trying to fix data protection deficit in the U.S. by means of the Obama Administration’s assurances as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections.
The coming days will likely see the adoption of this flawed text by the EU, but it is unlikely to be the final chapter of the EU-US data transfer saga. Because it fails to address the concerns expressed by the Court of Justice of the EU in the Schrems’ case last year, the new Privacy Shield, if adopted in the current form, is likely to be challenged in courts.
 In a judgment last year, the Grand Chamber of the European Court of Human Rights considered the use of surveillance powers and the level of specificity needed to ensure interception powers were not used arbitrarily. It confirmed that to ensure the test of necessity and proportionality had been properly applied the interception authorisation must clearly identify “a specific person to be placed under surveillance or a single set of premises as the premises in respect of which the authorisation is ordered. Such identification may be made by names, addresses, telephone numbers or other relevant information.” European Court of Human Rights, Zakharov v Russia (2015), paragraph 264.
 Council of Europe Commissioner for Human Rights, Democratic and effective oversight of national security services, May 2015.