Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court

from the please-don't-make-us-do-this dept

The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we’ve noted several times this year, there are a number of reasons to think that the EU’s highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it’s clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the “Article 29 Data Protection Working Party” — the WP29 for short — explains:

Based on the concerns elaborated in its previous opinions … the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29, assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.

As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important “unresolved” issues such as “the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects.” The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more “transparent on their use of their surveillance powers”, the collection of and access to personal data for national security purposes under both section 702 of FISA and Executive Order 12333 were still a problem. On the former, WP29 suggests:

Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of “reasonable suspicion”, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

As regards the Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) “to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context.” That’s likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 “acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision”, but underlines that the EU group has “identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities.” It spells out what will happen if they aren’t sorted out:

In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.

That is, it will ask the EU’s highest court to rule on the so-called “adequacy decision” of the European Commission, where it decided that Privacy Shield offered enough protection for EU personal data moving to the US. There’s a clear implication that WP29 doubts the CJEU’s ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU’s data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) is enforced. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover, which means even the biggest Internet companies will have a strong incentive to comply.

Follow me @glynmoody on Twitter, and +glynmoody on Google+


Comments on “Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court”

That One Guy (profile) says:

Re: bottom line ?

To demonstrate once more the magical coding’s effect on visitors, to make you ask questions like that, or, I dunno, to highlight how the USG’s sticky fingers and refusal to show restraint with regards to personal data might make it much more difficult and risky to engage in trans-atlantic data sharing, even to the point that major companies might be forced to split up so they have US and EU branches, where one cannot acquire data from the other, with or without a court order.

And as for smaller US-based companies that don’t have the resources to do that, they’ll possibly be forced into the position of not allowing any visitors from the EU to use their service/platforms, as they wouldn’t be able to prevent data sharing (voluntary or ‘voluntary’) and can’t afford the fines.

Anonymous Coward says:

Re: Re: bottom line ?

Or the EU will rule that it’s impossible to protect the privacy of an EU citizen’s data if it traverses into a US based / controlled network and as such order any routes to such networks be blackhole’d.

If that’s too much, (breaks half or more of their main trunks), then I’d imagine they’d start up an initiative to build up some alternative infrastructure.

The US has pretty much burned its bridges with technology privacy advocates and foreign governments alike due to its constant declarations of "We want to spy on everyone!" and "We’ll mandate backdoors for us in everything!" If you’re paying attention, now’s a good time to invest money in non-US tech firms. The US is going to lose its technology sector, not because of better talent, or cheaper processes / labor / automation, but because it can’t be trusted to process the data of others in any shape or form.

(Disclaimer: I’m a US citizen, and yes this does bother me.)

ECA (profile) says:

Another Gov. Agency?>>

Really wonder Why this is even a THING..
Letting another nation MONITOR data in other countries is NOT A GOOD THING..

That is what would happen..
It's the idea of Oops, we went too far, sorry about that, Over and over and over..
WE WANT to install tracking software on the EU SERVERS..
OR at the very least, a central Server farm to MONITOR in/out data from/to the EU..
THEY won't Ask us/we IF they can do it HERE…they JUST WILL and apologize later..

Ever Shoot someone and say, I'M SORRY..and not get sent to jail..
Apologies are for incidents and accidents, but NOT for deliberate FORCE AND USE..

Christenson says:


along with the use of the criteria such as that of “reasonable suspicion”, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

The national security apparatus needs to start asking judges for warrants before searching. Judges need to start asking for reports back from those searching.

It’s time to notice that that little “and NO warrants shall issue, except” bit in the constitution didn’t limit the targets to citizens, and didn’t limit the geography to the United States.
