On 22 January 2019, the European Data Protection Board (EDPB) adopted a Report on the Second Annual Review of the EU-US Privacy Shield. The Privacy Shield is a framework arrangement between the United States and the European Union to enable the transmission of personal data from the territory of the EU to the US. It was negotiated and adopted after its predecessor framework, the “Safe Harbor” arrangement, had been struck down by the Court of Justice of the European Union (CJEU) for several violations of fundamental rights to privacy, data protection and access to remedy. The EDPB’s review of the “same but not the same” framework confirms (again) that the Privacy Shield continues to have manifest problems in regard to the protection of fundamental rights.
As positive developments, the EDPB appreciates the appointment of three new members to the Privacy and Civil Liberties Oversight Board (PCLOB), and the announcement of a future appointment of a permanent Ombudsperson. However, the board members reiterated their concern that the Privacy Shield does not provide any concrete protection against the “indiscriminate collection and access of personal data for national security purposes”, as the legal framework that led to the strike-down of the Safe Harbour arrangement has not significantly changed. In particular, the EDPB regrets that the 2018 re-authorisation of the Foreign Intelligence Surveillance Act’s section 702, which concerns the surveillance of non-US citizens outside of the US, has not been used in any way by the US legislators to introduce additional safeguards for EU citizens. As EDRi member Access Now reported, the revision has actually led to an expansion of section 702 that is ultimately less protective than the previous status quo. In the context of national security, the EDPB further regards it as deeply problematic that EU individuals have most likely no chance of fulfilling the “standing requirement” under US law, meaning that they cannot file a lawsuit against a surveillance measure directed at them and thus have no access to any legal remedy. Finally, the report calls for the timely appointment of a permanent Ombudsperson and a clarification of this office’s competences vis-a-vis the US intelligence community. Currently, the US Senate is holding hearings with businessman Keith Krach, who might become the permanent Ombudsperson.
Despite the EDPB’s careful language when describing the Privacy Shield’s outstanding issues, its criticism is yet another confirmation that the core violations that led to the downfall of the original “Safe Harbour” arrangement remain untackled. The first is that national security concerns of United States authorities enjoyed absolute primacy over the protection of personal data of EU citizens under the European Commission’s arrangement with the United States. The second is the lack of any effective redress mechanism for EU citizens against such practices, which intrude on fundamental rights. Both had already been key arguments for the CJEU to render the decision invalid (para. 86-90). The EDPB thus indirectly confirms that, contrary to what the Commission keeps claiming, the Privacy Shield does not correct the practical and legal issues connected to the Court’s invalidation of the former regime. Since most of the key problems have not been addressed adequately, it can be assumed that transfers of personal data to US companies continue to be unprotected from intrusive collection by US agencies.
As the EDPB highlights in its concluding remarks, the issues of concern stated in this Report will also be subject to review in several court cases pending before the CJEU.
Given the Privacy Shield’s manifest failure to implement the court’s earlier requirements, it takes little imagination to realise how these rulings will turn out.
Civil society letter: Without reforms in US surveillance laws, the Privacy Shield must be suspended (02.03.2017)
Privacy Shield: Privacy Sham (12.07.2016)
European Parliament confirms that “Privacy Shield” is inadequate (26.05.2016)
(Contribution by Yannic Blaschke, EDRi intern)