The European Parliament (EP) passed a resolution that calls for the suspension of the Privacy Shield data transferring agreement between the European Union (EU) and the U.S. by September 1, unless the U.S. government can guarantee through new laws that EU citizens’ privacy rights will not be violated under mass surveillance programs.
Privacy Shield In A U.S. Mass Surveillance Era
In 2015, the Austrian privacy activist and, now, founder of the nonprofit None Of Your Business (noyb) Max Schrems was able to single-handedly bring down the 15-year-old data transferring agreement between the EU and the United States through a lawsuit against Facebook.
However, his lawsuit may not have gone too far unless he didn’t also benefit from the documents revealed by national security whistleblower Edward Snowden. Those documents proved that the U.S. government had programs in place to capture all data that passes through U.S. internet cables, as well as programs that gave intelligence agencies more direct access to tech companies’ servers.
Most of these programs were enabled by the FISA section 702, which was extended for another six years this January, as well as the Reagan-era Executive Order 12333. As long as these laws and orders are in place, and there are no new laws to guarantee that EU citizens’ data isn’t captured along with the data of Americans and other foreigners, EU citizens’ privacy rights will be violated under the EU Charter of Fundamental Rights.
The CJEU has previously ruled that in order for other countries and their companies to process the data of EU citizens, the data must benefit from “equivalent” privacy protections as those guaranteed within EU territory. That goes beyond having GDPR-like laws, but also laws that protect the citizens against the U.S. government’s mass surveillance programs.
The Members of the European Parliament (MEPs) also noted the recent Cambridge Analytica scandal and how despite both Facebook and Cambridge Analytica being under the Privacy Shield agreement, the monitoring of these companies by the appropriate authorities (FTC in this case) had failed. The MEPs that voted for the resolution believe that the Privacy Shield agreement needs to be updated so that companies’ compliance is better monitored.
The MEPs were also concerned with the recently passed CLOUD Act, which was supported by the law enforcement and big tech companies alike, because it gives the U.S. government the ability to take users’ data at will, even if those users’ data is stored in the EU.
The fact that the national security oversight board PCLOB was also recently gutted by the Trump administration was another cause for concern for the MEPs, because it means there is less oversight over what the U.S. intelligence agencies are doing with EU citizens and Americans’ data.
Privacy Shield On Its Last Breath
The Privacy Shield agreement, in its current form, has never looked like it would survive, not just because it was rushed by the European Commission within months after the Course of Justice of the European Union (CJEU), but also because it didn’t comply with the CJEU’s most important point in the ruling that brought down the previous Safe Harbor agreement: the fact that EU data needs to be protected under equivalent privacy laws when processed in other countries.
The Privacy Shield has never demanded that the United States government properly comply with that part of the Safe Harbor ruling. The most the Privacy Shield demanded of the U.S. government is for EU citizens to be able to sue the U.S. government, if they have proof that they’ve been caught in U.S. mass surveillance programs, which isn’t an easy task given the fact that U.S. surveillance programs are secret.
Additionally, the Privacy Shield agreement allowed the U.S. government to handle the monitoring of its own companies, in case they breached EU privacy laws, instead of EU bodies doing that themselves.
Civil Liberties Committee Chair and rapporteur Claude Moraes (S&D, UK) said:
"This resolution makes clear that the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. Progress has been made to improve on the Safe Harbor agreement but this is insufficient to ensure the legal certainty required for the transfer of personal data.”
"In the wake of data breaches like the Facebook and Cambridge Analytica scandal, it is more important than ever to protect our fundamental right to data protection and to ensure consumer trust. The law is clear and, as set out in the GDPR, if the agreement is not adequate, and if the US authorities fail to comply with its terms, then it must be suspended until they do.”
Whether or not the EP will suspend the Privacy Shield on September 1 unless the U.S. government passes a new law to limit its own agencies’ surveillance powers, it may not matter in the end. That’s because the Privacy Shield agreement will soon reach the CJEU, too, and there’s a high chance that the CJEU will call it invalid, for the same reasons it called the Safe Harbor invalid: U.S. laws not being in sync with EU privacy laws.