Cracked

With a few months to go until a scheduled European Commission review of the so-called Privacy Shield transatlantic data transfer framework, two US NGOs have weighed in with devastating warnings that America isn't keeping its side of the deal.

Privacy Shield is the hastily cobbled-together fudge that was cooked up between the European Commission and the US authorities after the long-standing Safe Harbor data transfer regulations were struck down as inadequate by the European Union’s highest court.

With US firms needing to maintain/restore confidence among non-US customers about data handling in the post-Edward Snowden/NSA revelations climate, Privacy Shield was a hurried attempt to paper over the cracks. It’s been widely criticised by data protection experts and authorities, even among the Commission’s own working parties, and is due to come under its first review in September.

As that date draws nearer, the Center for Digital Democracy (CDD), which specialises in data protection issues in digital marketplaces, and Access Now, which “defends and extends the digital rights of users at risk around the world”, have both criticised Privacy Shield as being not fit for purpose, with the former calling for it to be scrapped completely.

The CDD pulls no punches in a letter to Bruno Gencarelli, Head of Unit at the Directorate-General Justice and Consumers at the European Commission. Executive Director Jeffrey Chester calls for the Commission to look to the forthcoming General Data Protection Regulation (GDPR) to provide more robust protection:

EU citizens and consumers who deal with companies enrolled in the Privacy Shield program confront a serious erosion of their data protection and privacy rights. The rights of EU citizens under the Privacy Shield program are not equivalent to how they would be protected by EU law. We urge the Commission and EU Data Protection Authorities to suspend the Privacy Shield in light of its lack of any policies, rules, or enforcement that would provide meaningful adequacy or equivalency. The Commission should insist that US companies targeting EU citizens or consumers must operate under the forthcoming General Data Protection Regulation (GDPR) framework.

He adds:

CDD calls on the Commission to terminate the Privacy Shield agreement and to call on the US to enact privacy rules that meaningfully reflect the principles and policies of the forthcoming GDPR. Companies participating under the “cover” of the Privacy Shield are able to use programmatic and other automated and data-driven decision-making and practices that affect EU citizens’ and consumers’ ability to obtain financial services, health information, and buy products and services fairly. The failure of the US to have its own effective legal privacy framework, the lack of oversight and enforcement by the Commerce Department and the FCC, and the failure of Privacy Shield participants not only to disclose their practices but also to ensure that they fully respect the EU approach to data protection, are among the reasons why the Commission must act now to protect the public.

Archer says that CDD looked closely at the activities of a number of major US companies who have publicly signed up to and endorsed Privacy Shield. Its conclusions should not make for happy reading in Brussels. They include:

The absence of an effective legal framework to protect consumer privacy in the US, with inadequate enforcement of the weak policies in place and an overall failure to address the dramatic growth of data practices.

Political opposition from the Congress and the White House to having effective data-protection rules. The CDD cites the March 2017 decision by President Donald Trump, backed by Congress, to overturn the Broadband Consumer Privacy Rules, adopted by the Federal Communications Commission under President Obama in October 2016.

Permissible use of far-reaching data use practices that operate on an ineffective “Notice and Choice” framework, while key EU data policies, such as those on purpose limitation and sensitive data, are ignored.

Problems with the Privacy Shield website and submissions, which the CDD argues are indicative of “overall disregard for its operations and impact on the public”. It states:

Submissions by Privacy Shield applicants are full of typos, broken links, and sloppy data entry. The website itself is not designed to be user friendly in terms of its search functions. It suggests that no one at the Commerce Department or the FTC ever actually reviews what is being posted and the claims that are made.

Ombudsperson concerns

Access Now isn’t quite as robust in its critique, but does cite in its own letter to Gencarelli:

developments that call into question the validity of the Privacy Shield, including changes to US surveillance law, implementation of the General Data Protection Regulation (GDPR) in the EU, and Trump administration policies that show disregard for human rights globally.

Access Now calls on the Commission to take into account:

A claimed dysfunction of the US Privacy Civil Liberties Oversight Board (PCLOB).

The issuance of US executive orders that disregard the rights of anyone outside the US.

Ongoing expansion of US surveillance authorities, willful misuse of surveillance programs, reneging on transparency promises, and the impending review of Section 702 of the US FISA Amendments Act.

Active debate on circumventing the Mutual Legal Assistance Treaty system.

Lack of adequate redress mechanisms in the Privacy Shield itself.

The Trump administration’s threat to leave the United Nations’ Human Rights Council.

The repeal of broadband privacy regulations previously issued by the US Federal Communications Commission (FCC).

The NGO also points to next year’s implementation of GDPR as a critical factor, with Fanny Hidvegi, European Policy Manager at Access Now, stating:

EU officials made concessions on the high level of privacy and data protection rights of Europeans when they adopted Privacy Shield. The Privacy Shield fails Europeans because it fails to provide effective individual redress mechanisms or independent oversight. To avoid further legal challenges, the Commission must improve the framework to meet the standard of the GDPR.

Access Now also has concerns about one of Privacy Shield’s supposedly biggest selling points: the creation of an independent ombudsperson in the US to address concerns and complaints. But the NGO states bluntly:

Essentially, the Ombudsperson mechanism is inadequate to provide protection that is essentially equivalent to that prescribed by EU law.

This assessment is based on a number of arguments:

The location of the Ombudsperson mechanism under the US Secretary of State cannot be considered adequately independent from the intelligence community and free from influence.

Privacy Shield does not provide safeguards or details on how independence from the intelligence community may be guaranteed.

It does not meet the Court of Justice of the European Union’s requirements for the independence and impartiality of the oversight and redress mechanism.

The Ombudsperson position is a political appointment subject to presidential discretion (with the confirmation of the U.S. Senate). A person in this role can be terminated at any time without cause or any obligation to substantiate the decision.

The role has not been filled with a permanent appointment. With the incoming Trump administration in January, the post remained unoccupied until April. At that point, Judith Garber, who rejoices in the title of Acting Assistant Secretary for Oceans, Environment, and Science, was appointed as a temporary and unconfirmed holder of the position. Access Now says this has worrying implications, arguing that the current absence sets “a troubling precedent against having the role permanently filled”.

My take

September’s review of Privacy Shield and all its naked inadequacies can’t come soon enough. We’ve consistently referred to this flimsy PR exercise as being akin to lipstick on a pig. I’m certainly hoping we hear the comforting sizzle of bacon in the pan before September is out.