Last week, the European Parliament (EP) passed a resolution expressing concern over the EU-US Privacy Shield, a legal scheme that allows American companies to transfer personal data from the European Union to the United States. In a nutshell, the EP is worried that the U.S. government doesn’t take privacy protection seriously, and the Members of the European Parliament (MEPs) make explicit reference to, among other things, the Trump administration’s undoing of the Federal Communications Commission’s broadband privacy rules.
MEPs are worried that the takedown of the broadband privacy provisions signals a lack of commitment by the Trump administration to the protection of privacy and to Privacy Shield.
How We Got Here
With the adoption of the Data Protection Directive in 1995, the European Union established a very protective and comprehensive regime for the collection, processing, and international transfer of Europeans’ personal data. Under this framework, the European Commission must certify that a non-EU country offers an “adequate level of protection” of Europeans’ personal data before allowing personal data transfers to that country. In practice, this has meant that all countries wishing to allow their companies to trade with European personal data have had to copy the European approach to privacy protection. All countries, that is, except the United States.
The European Commission has always considered the American privacy framework as not equivalent to European protections and therefore not immediately adequate for data transfers. However, because blocking data transfers between the EU and the U.S. would be highly disruptive for social and economic reasons, the EU and the U.S. have always found ways to accommodate each other. Privacy Shield now, like Safe Harbor before, is essentially an accommodation mechanism between two very different privacy approaches. The U.S. government promises to protect Europeans’ personal data by making some tweaks to its privacy framework, and the EU allows transatlantic data flows.
What Is Happening Now
The EP is worried that the Trump administration is not living up to the Privacy Shield commitments. Last year, the EU’s “Article 29 Working Party” (which is composed of representatives from national data protection agencies) and the European Data Protection Supervisor (the Data Protection Agency supervising the European institutions and acting as the voice of Data Protection Agencies in Brussels) had already expressed numerous concerns about the level of protection offered by the Privacy Shield. In May 2016, the EP issued a resolution in response to concerns about the Privacy Shield.
As for the April 2017 resolution, our European partners at EDRi explained that the EP is worried about:
…the lack of specific rules on automated decisions and of a general right to object and the need for stricter guarantees on the independence and powers of the Ombuds mechanism, the current non-quorate status of the Privacy and Civil Liberties Oversight board, as well as the lack of concrete assurances that the US agencies have established safeguards against mass and indiscriminate collection of personal data (bulk collection). Another flaw mentioned in the Parliament’s criticism is the fact that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme.
The Future: Transatlantic Data Flows at Risk?
In Europe, the Privacy Shield has been in a precarious situation since its inception, criticized and questioned by civil society, European authorities, and experts. The European Commission, wary of disrupting global data flows and reassured by Obama’s privacy commitments, thus remained virtually the last pillar of Privacy Shield in Brussels.
It seems that U.S. telecom companies and their business and political allies didn’t realize that an unintended consequence of the legislative takedown of broadband privacy would be increasing European concerns over Privacy Shield. The EP in particular, and Europeans in general, distrust the U.S. privacy regime and transatlantic data flow arrangements. Now, Privacy Shield critics have yet another argument: if the U.S. government won’t protect the privacy of its own citizens against abuses by ISPs, surely it is not serious about protecting Europeans’ personal data.
The United States Government should take the EP’s resolution as a sign that, like it or not, the world pays close attention to American telecommunications policies. Defending open internet values, including broadband privacy and net neutrality, is crucial for consumers, the economy, and U.S. leadership in internet governance and electronic commerce.
Image credit: Wikimedia Commons, David Iliff, CC-BY-SA 3.0