Civil Liberties Groups Point Out More Reasons Why The 'Privacy Shield' Framework For Transatlantic Data Flows Is At Risk
from the much-more-serious-than-it-looks dept
Earlier this year, we wrote about growing concerns that President Trump’s executive order stripping those who are not US citizens of certain rights under the Privacy Act could have major consequences for transatlantic data flows. Now two leading civil liberties groups — the American Civil Liberties Union (ACLU) and Human Rights Watch (HRW) — have sent a joint letter to the EU’s Commissioner for Justice, Consumers and Gender Equality, and other leading members of the European Commission and Parliament, urging the EU to re-examine the Privacy Shield agreement, which regulates transatlantic data flows, as well as the US-EU umbrella agreement, a data protection framework for EU-US law enforcement cooperation. The joint letter calls on European politicians to take into account what the ACLU and HRW delicately term “changed circumstances” — essentially, the arrival of Donald Trump and his new agenda.
The first worry concerns the Executive Order that excluded foreigners from privacy protections. The joint letter goes into more detail about why other laws, for example, the Judicial Redress Act, are not an adequate replacement for those protections. The ACLU and HRW also raise another issue: the lack of a functioning Privacy and Civil Liberties Oversight Board (PCLOB). That matters, because the Court of Justice of the European Union (CJEU) said oversight was needed to ensure that EU data receives appropriate privacy and other fundamental rights protections when it is exported to other countries. The joint letter explains why effective US oversight and redress mechanisms are absent:
The Privacy and Civil Liberties Oversight Board, while fulfilling a valuable public reporting role, is limited in its oversight function and was not designed to provide redress concerning US surveillance practices. Thus, the PCLOB has never provided remedies for rights violations or functioned as a sufficient mechanism to protect personal data. In recent months, the situation has worsened: the PCLOB currently lacks a quorum, which strips its ability to issue public reports and recommendations, make basic staffing decisions, assist the Ombudsman created by the Privacy Shield framework, and conduct other routine business as part of its oversight responsibilities. The current administration and Senate have yet to act to fill the vacancies on the PCLOB.
Some might dismiss the letter as troublemakers stirring things up over nothing. But the Privacy Shield framework is crucial if data flows across the Atlantic are to continue as at present. Without it, or some replacement, US companies will find it much harder to move personal data out of the EU. If they do so without adequate legal safeguards, oversight and redress mechanisms in the US, they are likely to be fined by data protection officials across Europe, who are always happy to make high-profile examples of erring companies in order to encourage everyone else to comply with EU law.
Protecting the privacy of Europeans and filling vacant seats on the Privacy and Civil Liberties Oversight Board are probably not priorities for the Trump administration as it settles in and grapples with multiple issues. But the European Commission has to take demands to revisit and possibly suspend Privacy Shield seriously. If the EU decides to drop the framework, as it has just threatened to do if there is a “significant change” in the US approach to EU privacy, then the consequences for US companies are likely to be so serious that even an over-stretched Trump administration will need to start paying attention.