EU trying to salvage US deal on data privacy
The EU's commissioner for justice, Vera Jourova, is in Washington DC to prevent privacy safeguards for European citizens from unravelling.
European privacy in personal data sent to the United States is supposed to be maintained under the EU-US Privacy Shield accord, which was launched last summer.
"The commitments the US has taken must be respected, she [Jourova] has been very clear already on this and also publicly," said Paul Nemitz, a senior EU commission official on Wednesday (29 March) at the RightsCon digital conference in Brussels.
Around 1,800 companies, including Google, Microsoft, and Facebook, are self-certified under the scheme.
This means they are supposed to respect EU-level protection standards whenever the personal data of EU citizens is in the US.
But US authorities have failed so far to adhere to the terms of the agreement, while the US administration, under president Donald Trump, is rolling back privacy safeguards and stepping up surveillance through executive orders.
"Privacy Shield is on shaky ground, in part because some of the foundations of Privacy Shield are being undercut," said Greg Nojeim, a senior counsel at the Center for Democracy and Technology, a Washington-based NGO.
Jourova is hoping to address some of those issues following meetings this week with the US attorney general, the US secretary of commerce, and the US federal trade commissioner, among others.
The Privacy Shield terms had included a key oversight board in the US to ensure that the personal data of EU citizens is not abused. The five-member board has four vacancies.
The US was also supposed to set up a permanent ombudsperson, to whom EU citizens can file complaints if they believe their rights have been violated. Instead, the US has appointed an "acting" ombudsperson.
The Federal Trade Commission, which enforces the Privacy Shield, has three of its five seats vacant.
Former US president Barack Obama's presidential policy directive (PPD-28), on signals intelligence, is also being undermined. Obama's directive had limited the amount of data intelligence that can be collected and processed.
But Trump's picks for CIA director and US attorney general have both gone on record opposing PPD-28.
Trump had also issued an executive order that allows the National Security Agency (NSA) to share raw surveillance intelligence data with 16 other government agencies without any oversight from the courts.
Privacy campaigners in the US are hoping that upcoming debates on the NSA's section 702 on foreign intelligence gathering will shift the mood in Congress.
"It [debates] can make a difference in the US Congress in limiting the scope of the surveillance to make it more likely the Privacy Shield would actually survive," said Nojeim.
Section 702 is set to expire at the end of the year.
But the effort may prove difficult, given that, earlier this week, the US Congress decided to repeal another set of Obama-era broadband privacy rules. Those rules aimed to protect the privacy of US customers.
Privacy Shield is also facing mounting criticism in Europe.
"It is amazing to see how Privacy Shield allows US companies to be on the European market with substantially lower protections than any European companies," said Austrian privacy campaigner Max Schrems.
"It is absurd that the European Union agrees to it because it allows Google to be in competition [with] a European company, without following the same rules," he added.
Last October, a privacy advocacy group, Digital Rights Ireland, launched national court proceedings against it.
The case was followed a week later by a second challenge from the Paris-based privacy advocacy group, La Quadrature du Net.
The French group is lodging their case directly with the General Court at the European Court of Justice in Luxembourg.