Human Rights Watch (HRW) and Amnesty International (AI) issued a press release today on a letter and brief the two organizations sent to European Justice and Home Affairs Commissioner Vera Jourova arguing for invalidation of the EU-U.S. Privacy Shield. The letter and brief can be found here.
On substance of the criticism, these groups continue to sell the U.S. surveillance framework short, failing to recognize extensive transparency and safeguards that underlie the U.S. framework. That aside, invalidation on these terms is not appropriate because the European Commission’s reasoned and detailed adequacy decision was based on information about U.S. surveillance practices and laws that the Commission had when the decision was released on July 12, 2016. After reviewing the commitments self-certifying organizations would make under the privacy shield and the enforcement mechanisms available under U.S. law, the Commission said, “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.”
Based on its review of the protections in place under U.S. surveillance law, the Commission concluded “that there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question.”
It is true that PPD-28, an important element of the adequacy decision, can be changed by the executive branch. But the point is that it has not been. The relevant analysis concerns commitments already undertaken by the parties to the Privacy Shield, not new commitments.
The Commission did not say that privacy protections under U.S. surveillance law had to be improved in order for the U.S. system to provide adequate privacy protection. It said the current protections are already adequate.
As the United States and the European Union prepare for the September 18, 2017 Washington, D.C. review of the Shield, SIIA urges the parties to focus on industry practices in making operational the Shield’s new privacy protections and the government oversight in ensuring that those protections are respected.