A paper shield does not protect privacy: Privacy International’s analysis of the “Privacy Shield” safeguards on surveillance
On 29 February 2016, the European Commission and the US government released the details of the proposed EU-U.S. “Privacy Shield”. The “Privacy Shield” replaces the now defunct so-called “Safe Harbor”.
The Privacy Shield is in fact a significant number of documents from various parts of the U.S. administration, which merely outline the existing, weak U.S. safeguards applicable to personal data of EU citizens. These documents are meant to serve as the basis for an “adequacy” decision by the European Commission that the U.S. has a data protection regime that is essentially equivalent to that applicable in the EU. In making that decision, the European Commission must also review issues related to government surveillance and consumer data protection.
Last month Privacy International joined other European and American NGOs in expressing concerns that the “Privacy Shield” will put users at risk, undermine trust in the digital economy, and perpetuate the human rights violations that are already occurring as a result of surveillance programs and other activities.
We have now analysed in detail the government surveillance aspects of the proposed personal data transfer arrangements, and have found the shield isn’t operational. These are our main conclusions:
- The “Privacy Shield” does not significantly limit the ability of US intelligence agencies to collect and use personal communications on a mass scale. Instead, it allows for “generalised” retention of personal data in ways contrary to the Schrems judgment (https://cdt.org/blog/making-privacy-a-reality-the-safe-harbor-judgment-a...).
- The Presidential Directive (PPD-28) imposes new rules limiting the use and dissemination of non-U.S. persons’ information. However, it does not limit its bulk collection.
- The “Privacy Shield” provides a weaker standard (“as tailored as feasible” and “reasonable”) than the test of necessity and proportionality required under international human rights law.
- The proposed Ombudsperson lacks independence from the executive, as he/she is appointed by and reports to the Secretary of State.
The coming months will be crucial in revealing whether the “Privacy Shield” in its current form will pass the “adequacy” test, when challenged, and be deemed sufficient to protect the privacy of EU citizens. Most notably, next week the European data protection authorities (Article 29 Working Party) are due to adopt their opinion on the draft Commission adequacy decision based on the “Privacy Shield”.