Breach, Compliance Management, Threat Intelligence, Data Security, Government Regulations, Network Security, Privacy

Electronic Frontier Foundation opinion piece pokes holes in EU-U.S. Privacy Shield

Digital rights group the Electronic Frontier Forum (EFF) yesterday came out swinging against the Privacy Shield, the intended successor to the recently invalidated Safe Harbor agreement, which sets official policy on how companies must handle the exchange of consumers' personal data from Europe to the U.S.

In a scathing blog post, the EFF asserted that the new agreement contains a “patchwork of concessions” that continue to leave the door open for the digital surveillance of hundreds of millions of Europeans by U.S. government agencies. “It's unclear what, if anything, the new Privacy Shield is supposed to be shielding people from—except perhaps shielding U.S. companies from the inevitable consequences of their country's mass surveillance program,” the EFF wrote in its post yesterday.

The EFF piece takes exception to several major talking points advanced by the European Commission and the U.S. Department of Commerce regarding this joint agreement.

For starters, the organization takes exception to a Feb. 29 release from the European Commission that states the U.S. government has provided written assurances that there will be “no indiscriminate or mass surveillance by national security authorities.” The EFF suggests that use of the term “indiscriminate” is undefined and ambiguous; therefore, anyone espousing the most liberal interpretation of this policy might believe that “the data of hundreds of millions of people can be scanned by the government under broad categories, and that, somehow, this activity is discriminating.”

The new Privacy Shield offers European consumers several means of recourse when their digital privacy is violated. In alignment with this tenet, President Obama recently signed into law the Judicial Redress Act, which grants European citizens the same powers as U.S. citizens to legally challenge companies that mismanage sensitive personal data. While this sounds promising, the EFF disputed the legislation's efficacy, noting that the law only applies to infringements of the Privacy Act of 1974, a law it claims is “riddled with exemptions.”

Citizens have other means of redress as well, such as by contacting EU Data Protection Authorities (DPAs) and through arbitration overseen by a Privacy Shield Panel.

However, EFF questioned the logic of establishing an independent ombudsman within the U.S. State Department to handle redress from incidents specifically involving U.S. national security. The organization suggested there would be an inherent conflict of interest and bias toward federal law enforcement, “especially when that department directly benefits from advice of the intelligence agencies.”

In light of these critiques, the EFF concludes that the Privacy Shield does not sufficiently remedy the flaws that resulted in Safe Harbor being struck down by the European Court of Justice. Rather, claims EFF, “It maintains the program of mass surveillance against non-U.S. persons that so disturbed the court, it denies Europeans effective remedy against a wide range of state surveillance programs, and its proposed methods for dispute resolution are neither independent, nor reach sufficiently deeply into the intelligence agencies' practices.”

In stark contrast to the EFF's sentiments, U.S. Secretary of Commerce Penny Pritzker effusively backed the new joint arrangement in a release earlier this week.

“Our U.S. and EU negotiators worked around the clock to develop a new framework that underpins $260 billion in digital services trade across the Atlantic. The new EU-U.S. Privacy Shield provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online,” said Pritzker in her statement. “In the end, we achieved a strong agreement that enables transatlantic commerce while safeguarding privacy."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.