Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic”

On January 12, Estelle Massé, Policy Analyst at Access Now, and Joe McNamee, Executive Director at EDRi, were invited by the committee of EU data protection authorities – the Article 29 Data Protection Working Party – to discuss the aftermath of the Safe Harbour ruling.

Read our full submission to the Article 29 Data Protection Working Group (PDF).

At that meeting, we discussed the consequences of the European Union Court of Justice (CJEU) ruling in the case C-362/14 (Maximillian Schrems v Data Protection Commissioner, known as “the Schrems case”) which invalidated the Safe Harbour arrangement. We provided evidence to the EU data protection authorities on the reforms needed on both sides of the Atlantic, including the specific reforms needed in the US for a robust new transatlantic data transfer agreement that would resist legal challenge. Here is the list of reforms we recommend:

1. Surveillance reform in the European Union and the United States which includes
   a. Reform of Foreign Intelligence Surveillance Act (FISA) Section 702
   b. Reform of Executive Order 12333
   c. Reform of EU Member States’ legislation on surveillance
2. US compliance with the International Covenant on Civil and Political Rights (ICCPR)
3. Passage of comprehensive data protection legislation at federal level in the US
4. EU member states to stop avoiding their human rights obligation in the guise of the ill-defined “national security exemption”

Despite the impetus for reform generated by the Schrems ruling and the launch of negotiations for a so-called Safe Harbour 2.0, the status quo remains on both sides of the Atlantic. Worse, legislation was passed in the US that potentially negates the possibility of a future transatlantic data transfer agreement. That legislation is the Cybersecurity Act of 2015 (also known as CISA). Passage of the Cybersecurity Act increases the breadth of unaccountable, secret US spying and further cements the corporate-intelligence relationship. This law would require the Department of Homeland Security (DHS) to deliver “cyber threat” indicators, which are shared with the intelligence and law enforcement agencies in near real-time. Companies would be granted broad legal immunity for supplying those indicators to the US government, which could include personal information. The option exists to transfer the information entirely secretly. That means massive repositories of personal information, including data transferred from the EU, could be secretly turned over to spying agencies.

We highlighted these shortcomings in our meeting and written submission. They are in addition to the considerations raised by the limitations the Schrems ruling imposed on the EU Commission and the repeated “misleading” of US institutions and secret re-interpretation of US legislation.

Finally, we called on negotiators to take the time necessary to conduct reform that would provide users and companies on both sides of the Atlantic with a robust, trustworthy mechanism for transfer of data, upholding the right to privacy and ensuring legal certainty.