Transatlantic coalition of civil society groups: Privacy Shield is not enough – renegotiation is needed

By EDRi · March 16, 2016

Today, EDRi joined forces with other 26 civil society organisations to send a letter to European leaders reviewing the “Privacy Shield” data-transfer agreement with a very specific message: this arrangement is not enough. The Privacy Shield is intended to allow companies to share data about customers across the Atlantic. Unfortunately, the Privacy Shield fails to provide sufficient clarity, oversight, remedy, or protections for the human rights of individuals with regard to surveillance and commercial use of data in the US. The letter specifically calls for legislative reform of US surveillance laws, increased protections for personal data used for commercial purposes and additional redress and transparency mechanisms.

We need to avoid creating another safe harbour where businesses can hide from their duty to protect personal data

, said Joe McNamee, Executive Director of European Digital Rights (EDRi).

The Privacy Shield, announced at the beginning of February 2016 and published a month later, is an arrangement between the European Union and the United States intended to allow companies to transfer data of EU citizens to the US. Under European law, companies are only allowed to transfer data to a country that provides adequate levels of data protection. The Privacy Shield is intended to provide a framework for that protection.

The Privacy Shield replaces the “Safe Harbour” arrangement, which was invalidated by the Court of Justice of the European Union (“CJEU”) in October 2015. The Safe Harbour had been broadly criticised for its system of self-certification, lack of transparency and oversight, and insufficient privacy and data protection. The CJEU further found that the Safe Harbour specifically failed to protect data against disproportionate government access. The CJEU explained that adequate protection, as required under EU law, required a level of protection that was essentially equivalent to what was provided for in the EU.

The Privacy Shield must be approved by the European Commission with guidance from the EU 28 Member States which are tasked with delivering a binding opinion within the Committee established under Article 31 of the Data Protection Directive 95/46 (“the Article 31 Committee”). Non-binding opinions and comments from the Data Protection Authorities gathered under the so-called “Article 29 Working Party” and the European Parliament must also be considered.

The letter from civil society organisations calls on the Article 29 Working Party, the European Parliament, and the Article 31 Committee to reject the Privacy Shield and send it back to the US and the European Commission for further negotiations.

Background information

Privacy Shield Letter by 27 civil society groups (16.03.2016)

Press Release: Privacy Shield is the same unsafe harbour (29.02.2016)

What’s behind the shield? Unspinning the “privacy shield” spin (03.02.2016)

European Commission defence of European rights sinks in an unsafe harbour (02.02.2016)

Why is Safe Harbour II such a challenge? (01.02.2016)

Access Now, EDRi on data protection: “No Safe Harbour 2.0 without reform on both sides of the Atlantic” (21.01.2016)

EU and US NGOs propose privacy reforms post Schrems (12.11.2015)