EPIC - Privacy Shield EU-U.S. Data Transfer Arrangement

Privacy Shield EU-U.S. Data Transfer Arrangement

Summary |
Background |
EPIC's Interest |
Resources |
News

Summary

On February 29, 2016, the European Commission and the Obama Administration released the proposed EU-U.S. Privacy Shield. The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the U.S., which was struck down by the Court of Justice of the European Union in October 2015. The Privacy Shield agreement is to serve as the basis for an “adequacy” decision by the European Commission that the U.S. has a satisfactory system regarding data protection, including addressing issues related to government surveillance and consumer privacy.

Top News

European Privacy Officials Push for Answers on Status of U.S. Privacy: The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law. (Jun. 13, 2017)
EPIC, Privacy Coalition Meet with EU Data Protection Supervisor: European Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, the U.S. Privacy Act as it applies to foreigners among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani. (Apr. 21, 2017)

More top news

European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017) +

In a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, the repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC a coalition of privacy organizations had urged the US and the EU to strengthen privacy protections, following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US.

NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017) +

In March 2016, EPIC and more than 20 civil society organizations urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a letter asking Europe to reexamine Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in DPC v. Facebook highlighting weaknesses in US privacy law.

White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017) +

As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the county urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attack The U.S. is still one of the few democratic nations in the world without a data protection agency.

EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017) +

EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be on "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.

Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +

La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in related case brought by privacy advocate Max Schrems.

Privacy Shield Sign-ons Begin (Aug. 2, 2016) +

The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commissioner objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms.

European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016) +

The European Commission has approved the "Privacy Shield" which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015.

Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016) +

A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection.

EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +

Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010 members of the EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.

Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +

The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.

European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +

The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.

TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +

The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.

EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.

NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +

More than twenty civil society groups has urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.

"Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +

The text of the "Privacy Shield" was released today by European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.

Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +

As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.

Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +

The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."

Background

The Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v. Data Protection Commissioner (Case C-362/14) on October 6, 2015. The Court’s decision invalidated the Safe Harbor EU-U.S. data transfer arrangement. The European Commission seeks to replace the Safe Harbor framework with the Privacy Shield proposal.

As a consequence of the Schrems decision the negotiations between the European Commission and the U.S. Department of Commerce continued on the revision of Safe Harbor. The goal has been to reach a solution for the continuation of data flows which provides legal certainties for individuals and businesses alike. The new framework must meet the legal criteria of EU law, including the Schrems judgment, and provide for adequate safeguards for the fundamental rights to privacy and data protection.

The Court interprets that ‘adequacy’ means that the third country must ensure, through its domestic legal order or international commitments, a level of protection which is essentially equivalent to that guaranteed within the EU.

The Article 29 Working Party, composed of privacy officials across Europe, set the end of January 2016 deadline for the European Commission and the U.S. to create an alternative to Safe Harbor before initiating coordinated enforcement actions.

On February 2, 2016, the EU Commission and the Department of Commerce announced that they reached a political agreement on the framework, the so-called Privacy Shield. Despite the announcement, they did not make the text of the agreement public until February 29, 2016.

According to privacy and consumer groups the framework in the published form fails to provide adequate protections against commercial misuse of personal information and bulk surveillance.

The Article 29 Working Party issued its opinion on the Privacy Shield draft adequacy decision on April 13, 2016. They announced that there must be changes in the proposal. The Article 29 Working Party in its opinion cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the arrangement. According to the privacy officials the US does "not exclude massive and indiscriminate collection of personal data”, the Ombudsperson “is not sufficiently independent” and “does not guarantee a satisfactory remedy”. The Working Party has also concluded that "onward transfers of EU personal data are insufficiently framed”.

EPIC's interest

EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.

In a letter to Commissioner Vera Jourova and Secretary Penny Pritzker, EPIC and more than 40 NGOs to urge the U.S. and the EU to protect the fundamental right to privacy. The groups warned that that without significant changes to "domestic law" and "international commitments," a new framework will almost certainly fail.

EPIC and a coalition of NGOs called on the European Union, and the Article 29 Working Party in particular, to oppose the Privacy Shield proposal because the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case.

EPIC’s President Marc Rotenberg in a testimony before the LIBE Committee of the European Parliament outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.

EPIC filed a Freedom of Information request to obtain the text of the agreement when the negotiators failed to publish the Privacy Shield in February 2016.