Category Archives: Privacy Shield

Privacy Shield doesn’t do enough to curtail US surveillance, say EU data watchdogs - Ars Technica 20160413

Privacy Shield doesn’t do enough to curtail US surveillance, say EU data watchdogs - Ars Technica 20160413

"Great step forward," but still work to do, say privacy experts.

Exceptions in the proposed EU-US Privacy Shield framework that would allow the US to carry out mass surveillance of EU citizens are "not acceptable," the Article 29 Working Party of EU data protection authorities said today in a press conference.

The Chairman of the group, Isabelle Falque-Pierrotin, explained that the Article 29 Working Party would look with "great interest" on the forthcoming ruling by the Court of Justice of the European Union (CJEU) on whether mass surveillance of EU citizens could be legal. If the CJEU finds that the surveillance carried out by GCHQ is unlawful, it would have a big impact on the national security exceptions included in Privacy Shield.

Falque-Pierrotin said that the data protection authorities also had some concerns about the independence and effectiveness of the Privacy Shield ombudsperson who will deal with complaints from Europeans about how their data has been used by the NSA.

However, the Article 29 Working Party called the proposed Privacy Shield in general a "great step forward" compared to the Safe Harbour framework it is designed to replace. But Falque-Pierrotin said "it is rather difficult to understand all the documents and annexes, as they are complex and not consistent." She went on: "we believe it would have been better to have something simpler and less complex."

Falque-Pierrotin pointed out that the imminent arrival of new data protection rules in the EU meant that the Privacy Shield needed some kind of review mechanism to allow it to be updated. Currently, there is no provision to do this.


Unlikely to satisfy Europe's data protection watchdogs—nor, for that matter, EU's top court.
The Article 29 Data Protection Working Party, which was set up under the 1995 Directive on the protection of personal data, is purely advisory, and the European Commission is not obliged to follow its advice.

Before making a final decision whether to proceed with the Privacy Shield framework, the Commission will wait to hear from another group set up under the 1995 Directive. The Article 31 Committee consists of representatives of the Member States, and therefore follows their policies, which are broadly in favour of Privacy Shield. The Article 31 Committee is expected to consider the Privacy Shield arrangement at meetings on April 29 and May 19 before issuing its opinion.

The European Commission must then decide whether to try to modify the current Privacy Shield proposal in the light of the Article 29 Working Party's comments, plus any made by the Article 31 Committee. The Commission told Ars that it is hopeful it will be able to give the go-ahead for Privacy Shield in June, which would then come into immediate effect. The European Parliament does not have a vote on this issue, which lies purely within the competence of the Commission.

Until then, the alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules, can still be used for personal data transfers to the US. Falque-Pierrotin said that the Article 29 Working group would not be considering whether these were valid until after the European Commission had produced the final version of Privacy Shield.

Three facts about US surveillance the European Commission gets wrong in Privacy Shield - Access Now 20160303

Three facts about US surveillance the European Commission gets wrong in Privacy Shield - Access Now 20160303

On February 29, the European Commission released the draft text of the new Privacy Shield data-transfer arrangement between the EU and the US. Unfortunately, the arrangement has the same inherent flaws as the “Safe Harbour” mechanism it seeks to replace. Safe Harbourwas invalidated by the Court of Justice of the European Union (CJEU) for failing to comply with EU law and protect fundamental rights.

In issuing the Privacy Shield, the commission asserts that is has “carefully analysed US law and practice,” to determine whether it complies with EU law. The CJEU called for a showing of essential equivalence in protections between the two in order to allow data flows to continue. Far from an in-depth inquiry, the commission’s analysis relied on a series of letters sent by the US administration and published as annexesto the draft deal.  Unfortunately, the end result demonstrates the inadequacy of this approach, and the European Commission errs on several important facts. Here are our top three:

1.) Claim: “the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens.’”

Fact: The US does not provide sufficient protections to non-US persons

The US government often makes this kind of broad statement, but almost always with an important and necessary qualification: “…under this programme.” Undoubtedly, what the statement is meant to refer to is the surveillance conducted under Section 702 of the FISA Amendments Act, the specific law at issue in the case in which Safe Harbour was invalidated. It doesn’t address surveillance that takes place secretly.

However, even this qualified statement is deceptive. As Access Now previously explained, there is a conflict in terms between the EU and the US. Most of the surveillance that the US administration considers “targeted” would qualify as “indiscriminate surveillance” in the EU, and would therefore be prohibited. But, more broadly, this statement isn’t even remotely correct. Under Executive Order 12333, the US conducts broad, inadequately overseen, non-transparent surveillance of innocent people around the world without having to meet any evidentiary standard at all. These kinds of programmes collect users’ address books and buddy lists, and record details about every phone conversation, across full countries.

The European Commission makes several statements asserting the adequacy of the protections that the US provides to non-US persons. But the truth is simple: the US does not respect the fundamental rights of those outside the United States.

Specifically, the EU Commission references limitations on government surveillance in Presidential Policy Directive 28 (PPD28), which provides that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside.” But this aspiration is not the same as a commitment to respect rights. In fact, the policies and protections that PPD-28 provides for non-US persons are only applied “[t]o the maximum extent feasible consistent with the national security.” This exception not only swallows the rule — it engulfs it.

2.) Claim: “U.S. law contains clear limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.”

Fact: The system of congressional and executive oversight is inadequate

The European Commission relies heavily on the “multiple oversight layers” that are used to oversee US surveillance operations, including those in the executive branch (“civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the [Privacy and Civil Liberties Oversight Board], and the President’s Intelligence Oversight Board”), in Congress (“the House and Senate Intelligence and Judiciary Committees”), and in the courts (“the FISA Court…an independent tribunal whose decisions can be challenged before the Foreign Intelligence Court of Review”).

However, the commission does not  acknowledge that these three layers have frequently failed to accomplish their missions effectively. As the Snowden revelations demonstrated, even with most of these mechanisms in place, the US was able to conduct at least one known surveillance programme that, once revealed, was nearly universally believed to have been both unlawful and likely unconstitutional. And, where Executive Order 12333 is concerned, there is no judicial or congressional oversight at all.

One of the major problems is the lack of transparency. Broad exemptions for information even remotely related to national security insulate surveillance agencies from public scrutiny. Congressional oversight committees conduct most of their hearings behind closed doors, and, when they do decide to hold an open hearing, the lack of probing questions is a joke even among the members of Congress, and the FISA court is known for its secrecy. While recent reforms in the USA FREEDOM Act help address the transparency problem, it’s only a small step for an area of government where the black-curtain culture still reigns.

As Access Now previously pointed out, even without public transparency, federal judge John D. Bates publicly accused the National Security Agency of “repeatedly misleading” the court. In two of the few public hearings on surveillance, both former NSA Director General Keith Alexander and Director of National Intelligence James Clapper provided information that was a bit removed from the truth.

Finally, regardless of how robustly any of these mechanisms review intelligence programs, the ultimate truth is that they are looking for violations of US law, which doesn’t recognise rights for non-US persons. Mass surveillance is lawfully permitted under both Section 702 and Executive Order 12333, and entities like the Privacy and Civil Liberties Oversight Board have so far failed to address the impact of these authorities on the rights of non-US persons. This is not what oversight looks like.

3.) Claim: “the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community…This mechanism builds upon the designation…of a Senior Coordinator…in the State Department.”

Fact: Proposed redress mechanism is unacceptably entrenched in the existing structure

With regard to improper government access to data, one of the biggest changes made from the Safe Harbour to the Privacy Shield is the creation of an “Ombudsperson,” to serve as a means for redress for EU citizens. However, the Ombudsperson is given authority only to coordinate responses to complaints filed by users and relevant authorities. The office is not empowered to initiate investigations.

Further, the European Commission specifically trumpets the ombudsperson’s independence from the intelligence community, explaining that such independence is necessary to ensure that complaints are “properly investigated.” However, the office will, in fact, be housed in the US Department of State, which is a central part of the US’s intelligence framework. In fact, the specific individual designated by US Secretary of State John Kerry as Ombudsperson, Catherine A. Novelli, is directly linked with the US intelligence community in her other role as Under Secretary of State.

Outside of the Ombudsperson, Privacy Shield offers no new alternative avenues for redress.

Road ahead for the Privacy Shield

Based on the same flawed foundations as its predecessor, the Privacy Shield is not likely to withstand future legal challenges. Comprehensive surveillance reforms on both side of the Atlantic must be conducted before any data transfer arrangement can meet the standards set forth by the Court of Justice of the EU.

Access Now urges the Working Party 29 and the Article 31 Committee to take into consideration all the abovementioned facts overlooked by the Commission negotiators when developing their opinions on the arrangement. The adoption of yet another flawed mechanism will benefit no one, and has the potential to further hinder users’ trust in the digital economy. We expect DPAs and representatives from EU member states to take seriously their duty to protect users’ fundamental rights to privacy and data protection.