Scheme Fails to Protect Consumers’ Fundamental Rights to Privacy and Data Protection
Following the 29 February 2016 release of the text of the “Privacy Shield” by the European Commission and the U.S. Department of Commerce, we have adopted a new policy resolution on the proposed transatlantic data transfer agreement, meant to replace the invalidated Safe Harbour.
We believe that the framework does not provide significantly stronger protections than Safe Harbour and we therefore urge the European Commission not to adopt the Privacy Shield. Like its predecessor arrangement, it continues to be a self-declared, self-regulatory system, which will be adhered to by a limited number of companies. Furthermore, in the continuous absence of a robust U.S. privacy framework that meets the EU standards, the Privacy Shield fails to guarantee the essentially equivalent level of protection required under EU law. It also fails to bring any improvement to the privacy protection of U.S. consumers.
In our resolution, we make a set of recommendations to the EU and U.S. authorities for a framework that guarantees the adequate protection of EU and U.S. consumers alike.
We urge the EU Authorities to:
- Hold off adopting the proposed Privacy Shield decision until the U.S. can guarantee an essentially equivalent level of data protection to the one existing in the EU.
- Publish a detailed legal review of the Privacy Shield vis a vis the ECJ Safe Harbour ruling, the 1995 Data Protection Directive, the upcoming General Data Protection Regulation (GDPR) and the EU Charter of Fundamental Rights.
- Effectively enforce the EU data protection rules to stop unlawful data transfers to the U.S.
- Formally adopt the agreed EU General Data Protection Regulation without delay and proceed with the review of the e-Privacy Directive.
- Hold off on signing the EU-U.S. Umbrella Agreement.
- Prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.
We urge the U.S. Authorities to:
- Enact a comprehensive legal framework for data protection and privacy.
- Become a full party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) and its Additional Protocol regarding supervisory authorities and trans-border data flows (CETS No. 181)
- Provide rulemaking authority to the Federal Trade Commission and ensure that the Federal Communications Commission and the Consumer Financial Protection Bureau act on their respective jurisdictions and exercise the full extent of their rulemaking authority to protect consumer privacy in the electronic communications and financial services areas.
- Establish an independent agency for the protection of privacy to ensure independent enforcement of the Privacy Act. The new independent agency should also have the appropriate enforcement and regulatory powers.
- Update the Privacy Act of 1974 to provide meaningful judicial redress to any person whose data is stored by a U.S. federal agency.
- Support strong encryption and reject any law or policy that would undermine the security of consumers and internet users.
- End mass surveillance of U.S. and non-U.S. persons and enact a surveillance reform and legislative changes within a reasonable time.
Please click here to read the full TACD resolution on the EU-U.S. Privacy Shield.