The EU-US Privacy Shield is inadequate for the purpose of protecting European citizens' personal data and is unlikely to meet the requirements of the European Court of Justice which struck down Safe Harbour.
That's according to Marc Rotenberg, adjunct professor of law at Georgetown University Law Center in Washington DC, and Max Schrems, the Austrian privacy activist whose complaint to Ireland's Data Protection Commissioner against Facebook eventually resulted in the termination of Safe Harbour.
They were speaking at a hearing of the European Parliament's committee on Civil Liberties, Justice and Home Affairs yesterday, chaired by Claude Moraes MEP, which heard from negotiators, supporters and critics of the draft agreement.
The opinion of the committee will be considered by the European Commission – along with the views of the Article 29 working party and the European Data Protection Supervisor – when deciding whether the draft texts of the EU-US Privacy Shield are “adequate” protection for EU citizens.
Privacy Shield is a draft agreement between EU and US negotiators for a framework to reassure European citizens that US organisations which transmit, store and process their data outside of EU countries will abide by the same standards as required when data is processed within EU borders.
Rotenberg described the Privacy Shield as “a step backward” compared to Safe Harbour. There was no advantage to consumers in how their data might be used, he said, and it was almost contrary to what a data protection framework should look like.
He also said that data protection under Privacy Shield was almost unenforceable. Seeking redress under Safe Harbour was difficult enough, he said. By way of example, the US Federal Trade Commission received only four complaints in 15 years, but Rotenberg said that was hardly surprising considering how difficult it was.
Privacy Shield, he said, would add further hurdles to the process. No organisation favoured the proposed system of redress, he said. Although it cost nothing to pursue a case, the issue was not how much it costs to go to court but how much compensation a complainant could obtain – which would currently be nil.
He ended his comments by saying that the greatest threat to European data in the US was section 702 of the US Foreign Intelligence Act, which facilitates the acquisition of foreign intelligence on non-US persons. He said the test of “adequacy” for Privacy Shield should be the abolition of section 702.
Max Schrems did not agree that Privacy Shield was a backward step, but while it was “a step up”, the question was whether it achieved what the courts had asked for.
Privacy Shield, in his view, should provide equivalent protection for European citizens' data abroad as it would have within EU borders.
He also agreed with Rotenberg that there were too many hurdles for consumers to jump through to get redress.
Privacy Shield would also create unfair competition, he said, between EU and US companies because EU companies would be bound by more stringent rules than their competitors who were processing data abroad.
When it comes to surveillance, he said that it was impossible for the European Commission to fully assess whether Privacy Shield was working because the very guidelines used by US surveillance agencies were classified as secret and therefore shielded from the Commission.
The chair of the Article 29 working party, Isabelle Falque-Pierrotin, said her group was still assessing the Privacy Shield. They would want to be assured that the proposed system gives protections similar to those one would expect in Europe and that fundamental rights are respected.
However, her initial view was that Privacy Shield lacks rules on data retention and that it is unclear whether European citizens will truly have access to mechanisms of redress.
Looking to the future, she asked whether Privacy Shield would be ready for the General Data Protection Regulation (GDPR) as it is implemented in the European member states.
She said the opinion of the Article 29 working party would be finalised by the end of April.
The European Data Protection Supervisor, Giovanni Buttarelli, was also not willing to issue a final opinion to the hearing, but raised a number of areas for consideration.
He echoed the previous speaker's concern about timing, specifically whether Privacy Shield would be adopted before or after the GDPR, and he advocated a forward-looking approach to avoid the whole thing going back to court again.
Privacy Shield also needs to be robust enough to weather political changes in the US, and linked to that, clear rules around derogations for law enforcement purposes must be established, especially where there is significant risk of abuse.
And the adequacy statements need to be reviewed on a regular basis to ensure ongoing scrutiny.
Overall, Privacy Shield was to be welcomed, he said, because organisations needed certainty in their international operations but, for that very reason, it was vital to ensure that no errors were made in drafting Privacy Shield or it would only serve to undermine confidence.