Last year, the United States and European Union came to terms on the Privacy Shield Framework, which provides a means for companies in both regions to ensure compliance with EU data protection laws when sending personal data from the EU to the US as part of commercial transactions. It's a critical underpinning of transatlantic commerce.
Privacy Shield replaced the previous Safe Harbor agreement, which had similar intentions but was ultimately deemed inadequate. There have been critics of Privacy Shield as well, but now the drumbeat to alter or invalidate it may get quite a bit louder.
Human Rights Watch and the American Civil Liberties Union have sent a joint letter to the European Commission, saying that actions by US President Donald Trump, along with other factors, have called the sufficiency of Privacy Shield into question. Here's an excerpt:
In recent weeks, President Donald Trump has issued several executive orders that represent an attack on the rights of immigrants and foreigners—including specific provisions designed to strip these individuals of critical privacy protections that have been provided by previous Democratic and Republican administrations for decades. Concurrently, there has been a deterioration in existing oversight and accountability structures that impact whether, consistent with the ruling in the Schrems[1]and Digital Rights Ireland judgments[2], people in the EU are afforded appropriate privacy protections and redress in cases where their data is transferred to the US.
Previously, the ACLU and other rights organizations have written to you expressing our view that reform to US surveillance laws is necessary to ensure that EU data transferred to the US receives protection that is “essentially equivalent” to the protections required under the EU Charter—calling into question the legality of the existing Privacy Shield agreement. We have also stressed the inadequacy of existing privacy oversight and redress mechanisms for both US residents and individuals around the world. The following recent changes to US policies only deepen our concerns that assurances underpinning both the Privacy Shield and US-EU umbrella agreement are not valid, requiring a reexamination of whether these agreements are consistent with the rights enshrined in the EU Charter of Fundamental Rights.
The letter also argues that the Privacy and Civil Liberties Oversight Board—which is part of the US executive branch of government and dates to 2004—has provided public reporting but otherwise is essentially toothless, and even more so do to a lack of action on Trump's part:
The PCLOB has never provided remedies for rights violations or functioned as a sufficient mechanism to protect personal data. In recent months, the situation has worsened: the PCLOB currently lacks a quorum, which strips its ability to issue public reports and recommendations, make basic staffing decisions, assist the Ombudsman created by the Privacy Shield framework, and conduct other routine business as part of its oversight responsibilities. The current administration and Senate have yet to act to fill the vacancies on the PCLOB.
Getting assurances that the PCLOB would have adequate oversight over US intelligence agencies' activities was key to getting the EU on board with Privacy Shield, the letter argues.
The full letter, which is available here, lays out the groups' case in much further detail, and is well worth a read.
There's a philosophical discussion to be had around personal data privacy that the letter doesn't directly take on.
"Privacy advocates have been worried about Privacy Shield from the outset, says Constellation Research VP and principal analyst Steve Wilson. "Like the Safe Harbor, Privacy Shield is still an end run around the very sound privacy protections afforded to European citizens by their laws and community standards."
"Of course they want to use American services and they want to participate in world affairs, but Europeans also enjoy generally the best data protection in the world," he adds. "And lord knows everybody these days—especially American citizens—need data protection. So instead of trying every legal trick in the book to get around them, I say American companies should do more to integrate European privacy standards. In the long run, everyone will benefit."
Meanwhile, the reality is that businesses and governments worldwide have underinvested terribly in cybersecurity and resilience, Wilson notes. You need only look as far as the major outage this week at Amazon Web Services, the massively crippling Mirai IoT botnet, and other security disasters.
"We all need to lift our game," Wilson says. "We don't need excuses like Privacy Shield. We need to get on with the job, give our customers the safety they deserve, and genuinely improve security and data protection all round."
Go here to read Wilson's in-depth analysis of Privacy Shield.
24/7 Access to Constellation Insights
Subscribe today for unrestricted access to expert analyst views on breaking news.