Irish Times, 12 July 2016
The European Union’s data protection laws are
intended to ensure that we can entrust personal data to our devices and online
services without fear of privacy violations. To make sure that this European
standard is not undermined, it is essential to clarify under which
circumstances personal data can be transferred to other countries – ones that
may not have the same privacy protection laws.
The European Commission will today adopt the
so-called Privacy Shield, which will allow companies to transfer personal data
from the EU to the United States. It follows the European Court
of Justice ruling that the previous system for the transfer of data to the US,
called Safe Harbour, violated fundamental rights to privacy.
Does Privacy Shield protect the privacy of European
users when their data is sent to the United States? Various indicators suggest
it does not.
With regard to the private sector, it is painfully
obvious that the rules give nowhere near the level of protection and principles
afforded by the EU. For example, if you share your personal information with
your doctor, you reasonably expect that he will only use this information for
the purpose of curing you – not to gossip behind your back. This expectation is
enshrined in EU law as “purpose limitation”.
Privacy Shield allows the sharing of your data for
very broad and generic purposes, such as “for all services we may provide to
you and others”. This undermines a crucial protection. Many other data
protection rules, such as the deletion of data or the sharing of data, are
interlinked with this principle.
Privacy Shield is meant to be based on “notice and
choice”, which sounds promising. However, Privacy Shield does not give users
much “choice”. It actually gives companies a general blanket approval to use
the personal data of any person under the sun. Only in two specific cases can
users object.
They would first have to know which US company was
using their data, and then contact the company and actively “opt out”. This gives
US companies a significant competitive advantage over European firms. Under the
European “opt-in” system, companies typically have to ask customers for
consent.
In addition, the rules for legal redress are rather
complex. If European customers believe their rights have been violated, they
have to first contact private US arbitration bodies and their national
authorities, who in turn contact the US authorities, in order to be finally
able to address concerns with a “privacy shield board”.
No guarantees
None of this guarantees that the person responsible
for oversight will be empowered to actually review the practices of any company
and, for example, review servers and software. None of the options available
are directly enforceable by a customer. In sum, even if a company violates the
fundamental rights of a customer, it is very unlikely there will be any real
consequences.
The rules concerning personal data in the public
sector are equally worrisome. In its Safe Harbour ruling, the European Court of
Justice strongly criticised mass-surveillance laws in the US, which have not
changed in the meantime. While US citizens enjoy certain protection against
surveillance measures, “non-US persons” are specifically exempted.
Not only does the final Privacy Shield use the
exact same wording on mass surveillance laws as Safe Harbour, but the US now
even admits that it will continue to collect personal data stemming from Europe in bulk.
Blanket mass surveillance without any reasonable
suspicion is contrary to the principles of European human rights. European
courts have consequently ruled clearly against blanket access to personal data
for not being in line with the fundamental rights to privacy and data
protection.
Legal redress against measures in the public sector
is little more than a farce. An EU citizen may address an ombudsperson in the
US, which is not a court or independent body, but an undersecretary of the US
government.
Confirm nor deny
While the new ombudsperson can raise issues within
the US government, the reply to the individual concerned will always contain
the same two sentences: first, the US will not confirm or deny any
surveillance; and, second, all US laws were adhered to, or any non-compliance
was remedied.
This ombudsperson is not what the European Court of Justice meant when it
asked for individual redress.
Privacy Shield needs to fulfil the criteria laid
down in European Union law and by its courts,
which have clearly stated that blanket data collection is not compatible with
the fundamental right to data protection.
This is also a problem for European businesses that
are obliged to meet EU data protection standards but which will, under Privacy
Shield, face competition from US companies who face no such obligation. Nor
does this new deal provide legal certainty for the industry that is so
desperately needed.
The European Commission should hold off on
activating Privacy Shield until more work is done on the US side. Given the
countless insufficiencies, it is otherwise highly likely that the new Privacy
Shield will share the history of the previous Safe Harbour and be invalidated by
the European Court of Justice.