The demise of Safe Harbour and rise of Privacy Shield was never going to satisfy everybody. In actuality, it satisfies very few.
“Deficiencies still remain, which need to be urgently resolved to ensure that the Privacy Shield doesn’t suffer from critical weaknesses.”
It’s a pretty damning criticism of a deal that is supposed to grease the bureaucratic wheels of industry between the EU and US, while also protecting citizens’ rights both sides of the Atlantic.
But it’s the view of Claude Moraes, chair of the Civil Liberties Committee, which recently visited Washington for the first time under the new US administration to take stock of developments in the field of data protection, counterterrorism and immigration.
Back in April, MEPs were “alarmed” at what they saw as the undermining of privacy safeguards in the US.
Basically, Safe Harbour 2.0 looks much like Safe Harbour 1.0.
This springtime fear came as US authorities created new rules allowing the National Security Agency (NSA) to share private data with other US agencies, without court oversight.
Referencing those concerns, Moraes last week said: “Several key positions still need to be filled under the new US administration in order to meet the conditions of the adequacy decision.
“These would include some of the necessary functions of the Federal Trade Commission (FTC), the Privacy and Civil Liberties Oversight Board that is currently lacking four of its five commissioners, and the ombudsperson, who is currently only in an acting capacity,” he said.
These issues should not be a surprise, given how Privacy Shield came about. When Edward Snowden released evidence of extreme, indiscriminate data collection from the NSA a few years ago, Safe Harbour was dead in the water.
It took a while to fully pass away but pretty soon, a replacement emerged. However, it always gave off the impression of a rebranding experiment between the EU and US, rather than a rewriting aimed at strengthening citizen protections.
Earlier this month, US NGOs explained their apprehension when it comes to Privacy Shield, with the agreement providing a “serious erosion” of citizens’ data.
The Center for Digital Democracy, a data protection NGO, was particularly critical, with Jeffrey Chester, executive director of the organisation, hoping the impending General Data Protection Regulation (GDPR) could act as a catalyst for change.
“The rights of EU citizens under the Privacy Shield programme are not equivalent to how they would be protected by EU law,” he said.
“We urge the [European] Commission and EU data protection authorities to suspend the Privacy Shield in light of its lack of any policies, rules or enforcement that would provide meaningful adequacy or equivalency.”
During their visit last week, MEPs met with US authorities (eg departments of state, justice, treasury, homeland security, commerce, FTC), Congress representatives, stakeholders, academics and representatives of civil society.
Moraes said the deficiencies he and his team discovered, which don’t seem particularly new, “must be addressed immediately to ensure that the Privacy Shield complies with the EU Charter of Fundamental Rights and [GDPR] entering into force in May next year”.
He added: “Only this way can it be ensured that the Privacy Shield will stand the test of time and serve its purpose, which is so urgently needed.”