Call For Robust Privacy Legislation In Wake Of EU Safe Harbor Strike-Down
A group of U.S. and EU digital rights organizations and consumer NGOs — including the EFF, the U.S. Center for Digital Democracy, the European Consumer Organization and Privacy International — have issued a statement calling for a “meaningful legal framework” to protect fundamental privacy rights in the digital era.
The statement comes as a critical response to the publication earlier this month of the Bridges report: a joint project between U.S. and EU academics — and including the involvement of the Dutch data protection agency — advocating for continued reliance on existing laws coupled with industry self-regulation as a middle-of-the-road approach to safeguarding privacy rights.
The Bridges report advocates for, as they put it, “a framework of practical options that advance strong, globally-accepted privacy values in a manner that respects the substantive and procedural differences between the two jurisdictions” — such as offering standardized user controls and user complaint mechanisms, and best practices for the de-identification of user data, among other proposed measures.
However the EFF et al are highly critical of this approach — dubbing it “failed policy” and “remarkably out of touch with the current legal reality”.
“Digital rights organization and consumer NGOs call on the Data Protection Commissioners to refocus their attention on the need to update and enforce privacy law,” the group said today.
The current legal reality on the U.S.-EU data privacy front includes the ruling, earlier this month, by Europe’s top court, the ECJ, invalidating the Safe Harbor data-sharing agreement — which had governed data flows between the regions for some 15 years, allowing companies sending EU data to the U.S. for processing to self-certify they would provide “adequate protection”.
The court ruled that such self-certification failed in an era of mass surveillance by government intelligence agency dragnets — opening the door to individual reviews of data transfers by data protection authorities in individual European Member States.
This is not a situation conducive to operational certainty for businesses — with DPAs already issuing differing opinions on the current post-Safe Harbor scenario. For example, guidance issued by the U.K.’s ICO differs greatly in tone from a position paper published by German data supervisory authorities in the wake of the ECJ ruling.
So while the ICO is telling businesses and organizations not to panic or “rush to other transfer mechanisms that may turn out to be less than ideal” — arguing the impact of the judgement is “still being analysed” — the German DPAs suggest they will immediately be prohibiting data transfers to the U.S. that are solely based on Safe Harbor, as well as specifying other explicit controls, such as that consent clauses cannot be used to sanction ‘repeated, mass or routine data transfers’.
Meanwhile, the European Commission is attempting to hammer out a so-called Safe Harbor 2.0 agreement with the U.S. in the next few weeks, to try to reestablish a data flows agreement. Although any such deal is likely to face fresh legal challenges unless the U.S. agrees to substantial concessions on surveillance and privacy rights. (Yet only yesterday the Senate passed another bill that critics say will expand government agencies’ surveillance capabilities…)
With existing legal frameworks governing data protection under continued pressure from the surveillance state — and new tech challenges to privacy pushing into the frame all the time, whether it’s from AI-powered big data processing or drone surveillance — the EFF et al are pressing the case for “a comprehensive privacy legal framework” — to offer robust consumer protection, and ultimately also create legal certainty for businesses.
“Particularly after the Safe Harbor decision, the ‘Bridges report’ is remarkably out of touch with the current legal reality and what we need to do to address it,” they write, criticizing the report for failing to recommend any “substantive changes in law”.
“The practical consequence of focusing instead on failed policies, such as self regulation, will be to make more difficult the work of the privacy experts around the world who could have otherwise benefitted from a meaningful discussion about how to move forward on legislation, aggressive enforcement, and other steps that are long overdue. Yes, they are difficult; all the more reason why we need to act now,” they add.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.