Top EU Data Protection Body Asks US To Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court

from the please-don't-make-us-do-this dept

The Privacy Shield framework is key to allowing personal data to flow legally across the Atlantic from the EU to the US. As we've noted several times this year, there are a number of reasons to think that the EU's highest court, the Court of Justice of the European Union (CJEU), could reject Privacy Shield just as it threw out its predecessor, the Safe Harbor agreement. An obscure but influential advisory group of EU data protection officials has just issued its first annual review of Privacy Shield (pdf). Despite its polite, bureaucratic language, it's clear that the privacy experts are not happy with the lack of progress in dealing with problems pointed out by them previously. As the "Article 29 Data Protection Working Party" -- the WP29 for short -- explains:

Based on the concerns elaborated in its previous opinions ... the WP29 focused on the assessment of both the commercial aspects of the Privacy Shield and on the government access to personal data transferred from the EU for the purposes of Law Enforcement and National Security, including the legal remedies available to EU citizens. The WP29, assessed whether these concerns have been solved and also whether the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.

As far as the commercial aspects of Privacy Shield are concerned, the WP29 is unhappy about a number of important "unresolved" issues such as "the lack of guidance and clear information on, for example, the principles of the Privacy Shield, on onward transfers [of personal data] and on the rights and available recourse and remedies for data subjects." The issue of US government access to the personal data of EU citizens is even thornier. Although the WP29 welcomed efforts by the US government to become more "transparent on their use of their surveillance powers", the collection of and access to personal data for national security purposes under both section 702 of FISA and Executive Order 12333 were still a problem. On the former, WP29 suggests:

Instead of authorizing surveillance programs, section 702 should provide for precise targeting, along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

As regards the Executive Order 12333, WP29 wants the Privacy and Civil Liberties Oversight Board (PCLOB) "to finish and issue its awaited report on EO 12333 to provide information on the concrete operation of this Executive Order and on its necessity and proportionality with regard to interferences brought to data protection in this context." That's likely to be a bit tricky, because the PCLOB is understaffed due to unfilled vacancies, and possibly moribund. In conclusion, the WP29 "acknowledges the progress of the Privacy Shield in comparison with the invalidated Safe Harbor Decision", but underlines that the EU group has "identified a number of significant concerns that need to be addressed by both the [European] Commission and the U.S. authorities." It spells out what will happen if they aren't sorted out:

In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.

That is, it will ask the EU's highest court to rule on the so-called "adequacy decision" of the European Commission, where it decided that Privacy Shield offered enough protection for EU personal data moving to the US. There's a clear implication that WP29 doubts the CJEU's ruling will be favorable unless all the changes it has requested are made soon. And without the Privacy Shield framework, it will be much harder to transfer personal data legally across the Atlantic. Moreover, the EU's data protection laws are about to become even more stringent next year, when the new General Data Protection Regulation (GDPR) is enforced. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover, which means even the biggest Internet companies will have a strong incentive to comply.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 9 Dec 2017 @ 5:16am

    bottom line ?

    ...the minutiae of EU government bureaucrats internal squabbles is so so fascinating. But what's the significance of this stuff to Joe-6Pack in Fresno California?

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 9 Dec 2017 @ 8:30am

      Re: bottom line ?

      To demonstrate once more the magical coding's effect on visitors, to make you ask questions like that, or, I dunno, to highlight how the USG's sticky fingers and refusal to show restraint with regards to personal data might make it much more difficult and risky to engage in trans-atlantic data sharing, even to the point that major companies might be forced to split up so they have US and EU branches, where one cannot acquire data from the other, with or without a court order.

      And as for smaller US-based companies that don't have the resources to do that, they'll possibly be forced into the position of not allowing any visitors from the EU to use their service/platforms, as they wouldn't be able to prevent data sharing(voluntary or 'voluntary') and can't afford the fines.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Dec 2017 @ 6:26pm

        Re: Re: bottom line ?

        Or the EU will rule that it's impossible to protect the privacy of an EU citizen's data if it traverses into a US based / controlled network and as such order any routes to such networks be blackhole'd.

        If that's too much, (breaks half or more of their main trunks), then I'd imagine they'd start up an initiative to build up some alternative infrastructure.

        The US has pretty much burned it's bridges with technology privacy advocates and foreign governments alike due to it's constant declarations of "We want to spy on everyone!" and "We'll mandate backdoors for us in everything!" If you're paying attention, now's a good time to invest money in non-US tech firms. The US is going to loose it's technology sector, not because of better talent, or cheaper processes / labor / automation, but because it can't be trusted to process the data of others in any shape or form.

        (Disclaimer: I'm a US citizen, and yes this does bother me.)

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Dec 2017 @ 6:47am

    What then?

    Would that really change anything, or would the EU just need to tweak and rename the program every year or two when the old one gets struck down?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Dec 2017 @ 7:58am

    Privacy Shield ... Safe Harbor

    Who comes up with these names? They imply the complete opposite of the intent.

    Perhaps the following would be more descriptive
    - private info portal
    - unsafe harbor

    reply to this | link to this | view in chronology ]

    • identicon
      Pixelation, 9 Dec 2017 @ 9:48am

      Re:

      "Who comes up with these names? They imply the complete opposite..."

      Politicians. It is SOP. First example, Citizens United.

      Yeah, right...

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Dec 2017 @ 10:21am

    Don't make us do it.

    Fix Problems Of 'Privacy Shield' Or Expect A Referral To Region's Highest Court.

    And if that doesn't do it, then expect the possibly of a 'stern talking to'.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 9 Dec 2017 @ 10:38am

    Another Gov. Agency?>>

    Really wonder Why this is even a THING..
    Letting another nation MONITOR data in other countries is NOT A GOOD THING..

    That is what would happen..
    Its the idea of Oops, we went to far, sorry about that, Over and over and over..
    WE WANT to install tracking software on the EU SERVERS..
    OR at the very least, a central Server farm to MONITOR in/out data from/to the EU..
    THEY wont Ask us/we IF they can do it HERE...they JUST WILL and apologize later..

    Ever Shoot someone and say, IM SORRY..and not get sent to jail..
    Apologies are for incidents and accidents, but NOT for deliberate FORCE AND USE..

    reply to this | link to this | view in chronology ]

  • identicon
    Christenson, 9 Dec 2017 @ 11:07am

    Get a *F*** WARRANT, ALWAYS!

    along with the use of the criteria such as that of "reasonable suspicion", to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante.

    The national security apparatus needs to start asking judges for warrants before searching. Judges need to start asking for reports back from those searching.

    It's time to notice that that little "and NO warrants shall issue, except" bit in the constitution didn't limit the targets to citizens, and didn't limit the geography to the United States.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Dec 2017 @ 7:21am

      Re: WARRANT, ALWAYS!

      ...how charming & naive -- you think government employees should obey the Constitution.

      The highest levels of American government blatantly ignore 4th Amendment -- what divine intervention do you expect to remedy this?

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.