
EU privacy advocates complain data-sharing pact not good enough

On Wednesday, a group of data regulators from the European Union said that the Privacy Shield pact to ensure data flows between the EU and US does little to protect against the threat of surveillance.


The US and European Union data-sharing plan known as Privacy Shield does not adequately protect Europeans' personal information, privacy watchdogs said Wednesday.

While the plan is a "major improvement" over the previous data transfer pact known as Safe Harbor, "we still have concerns and an urgent need for clarification," said Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Group, which is composed of European data commissioners. The group had been examining the proposal since it was first announced in February.

Under the current proposal, "massive and indiscriminate" collection of Europeans' data could still be allowed under certain exceptions, said Ms. Falque-Pierrotin. Furthermore, the proposed US State Department ombudsperson designed to oversee data transfers and handle complaints does not have enough independence, she added.

While the working group's opinion is nonbinding, it's still a major blow for the many industry groups hoping for the quick adoption of a new transatlantic data agreement and an end to legal uncertainty about moving Europeans' personal information overseas. 

Last October, the European Court of Justice invalidated Safe Harbor, the 15-year-old mechanism that allowed companies to move data abroad as long as organizations adhered to EU data protection laws. The court ruled that, due to recent revelations on US government surveillance, data transfers could no longer be considered safe.

That decision left companies in regulatory limbo when it came to data transfers. While alternative agreements for data transfers exist, Safe Harbor represented the most cost-effective tool, particularly for small and medium companies less likely to have offshore data centers.

The opinion from the data protection agencies in Europe isn't unexpected, said Jens-Henrik Jeppesen, head of the Brussels office of the Center for Democracy and Technology. After all, Mr. Jeppesen said, Europeans' concerns about American government surveillance measures were never fully addressed in the Privacy Shield deal.

"It was never possible for the Privacy Shield negotiators to amend [the US] legislation" that granted government access to EU data, he said. "It has been negotiated by the Department of Commerce, and obviously, [Commerce] does not have the power to legislate."

Jeppesen's organization has argued from the beginning that dealing with the surveillance concerns requires amending the law, he said.

It is possible that the European Commission and the Commerce Department can work some changes into Privacy Shield before it is adopted, but those changes will probably not be fundamental, Jeppesen said. "For companies, there is likely to be continued uncertainty about how solid the Privacy Shield will be and whether it would withstand the European Court’s scrutiny."

Under the current proposal, the deal would bring US companies under tougher scrutiny when it comes to upholding EU privacy standards. EU citizens, for example, would have new ways of making a complaint against EU and US companies, including the right to bring a US company into binding arbitration. Companies would be required to reply to individuals within 45 days.

That also means that individual data protection agencies, or DPAs, in Europe and an ombudsperson independent from intelligence services in the US would directly work with individuals to redress their complaints.

The ombudsperson would serve as a contact point for data subjects and European data protection authorities when the processing of personal data by US intelligence agencies is at stake, according to Berlin-based lawyer Carlo Piltz, who specializes in privacy and data law.

"But it’s not absolutely clear if the competence of this role fulfills the requirements established by the European Court of Justice," he said.

Organizations such as the Electronic Privacy Information Center (EPIC) have warned that without significant changes to domestic law and international commitments, a Safe Harbor 2.0 will almost certainly fail.

"The ombudsperson in its current form does not meet the criteria for independence," said Fanny Hidvegi, an international privacy fellow at EPIC. "The Privacy Shield proposal will most certainly fail under future legal scrutiny."

Jaikumar Vijayan contributed reporting from Chicago. 

This story was updated after publication to clarify comments from Fanny Hidvegi of EPIC.

 
