The critical transatlantic data agreement, named Privacy Shield, is worthless, gives intelligence agencies complete free rein, and should be discarded, according to Human Rights Watch and the American Civil Liberties Union.
In a letter to European Union leaders responsible for overseeing the agreement, the two organizations outline in some detail why they believe President Trump's recent executive order on immigration undermines the agreement, and highlights that the accountability structures intended to make it effective are non-functional.
In direct contrast to US officials – who have argued that Privacy Shield is unaffected by Trump's order – the letter argues that the order does in fact directly impinge on the agreement.
The key aspect is Section 14 in Trump's Enhancing Public Safety in the Interior of the United States, which explicitly stated that the US Privacy Act would "exclude persons who are not United States citizens or lawful permanent residents."
That would appear to undermine the main tenet of Privacy Shield – that European citizens have a right to sue if their data is misused by US companies or authorities.
But acting head of the US Federal Trade Commission Maureen Ohlhausen and former FTC Commissioner Julie Brill have both argued that the existence of the Judicial Redress Act and an accompanying list of countries the Act covered, signed by the Attorney General – both of which became law on February 1 – means that Privacy Shield remains unaffected.
Not so, say Human Rights Watch and the ACLU, who argue:
- The Judicial Redress Act provides a much smaller range of protections than the Privacy Act. As a result, EU citizens can bring legal action only if their data is "willfully and intentionally" misused rather than spread accidentally or inadvertently.
- The data protection under the Judicial Redress Act covers only some federal agencies, but not all. The letter gives as an example the Department of Health, which would effectively be exempt from any misuse of personal data.
- The US security services – who stand at the heart of the argument – would get a free pass and any information they gather and possess would not be covered.
- The Judicial Redress Act requires individuals to file claims and does not obligate federal agencies to provide a clear process for dealing with complaints, which would likely make any challenges extremely time-consuming and expensive.
The letter also points out that the many thousands of non-EU citizens living and working legally in the EU would not even get the protections under the Judicial Redress Act.
In addition to the loss in legal protections and process caused by the Trump executive order, the letter also points out the dire state of the oversight and accountability structures that are supposed to provide confidence in the system.
One key organization in that process is the Privacy and Civil Liberties Oversight Board (PCLOB), which is supposed to have the independent authority to examine records, hear testimony and issue reports with recommendations.
Thank you for your service
However, after the PCLOB took issue with the US government's spying programs brought to light by Edward Snowden's revelations, its independence and even its ability to function have been fatally undermined.
The PCLOB, for example, concluded in 2014 that the NSA's Section 215 phone surveillance program was unconstitutional.
Less than two years later, Congress passed legislation that formally prohibited the board from reviewing covert activity, gave Congress budget control over the board, and required it to report directly to legislators. The result was a slew of resignations of both staff and board members.
In March 2016, chair David Medine unexpectedly resigned. Following the results of the presidential election, former judge Patricia Wald resigned from the board on January 7 this year; James Dempsey left a week earlier on January 3. Rachel Brand's term ended on January 29 and was not renewed. And the PCLOB's executive director Sharon Bradford Franklin also stepped down.
None of their positions have been filled, meaning that the PCLOB has just one of five board members and no executive director. And, legally, that means it cannot carry out any work.
"Given these recent changes to US policies and oversight structures," the letter from the ACLU and Human Rights Watch argues, "we believe that the assurances that the European Commission relied on as part of the Privacy Shield and US-EU umbrella agreement are no longer valid. Thus, we urge you to examine whether these agreements are consistent with the protections enshrined in the EU Charter of Fundamental Rights."
Or, in other words, kill it before the European Court of Justice forces you to do so for a second time. ®
PS: The UK's Investigatory Powers Act appears to be gift-wrapped for the NSA.
Sponsored: Ransomware has gone nuclear