EU-US Privacy Shield not up to snuff, data tap should be turned off – MEPs

Civil liberties committee votes: US has until Sept to comply

The deal governing transatlantic data flows doesn't properly protect European Union citizens and should be suspended unless the United States complies with its terms, MEPs have said.

The Privacy Shield agreement, which aims to protect personal data transferred from the EU to the US, was set up after a legal challenge by privacy activist Max Schrems ruled its predecessor, Safe Harbor, invalid.

The new deal was agreed in summer 2016, and underwent its first annual review last September, when the European Commission deemed it adequate – despite raising a number of concerns.

These included vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB), the lack of a permanent ombudsman, the impact of US President Donald Trump's executive orders on immigration, and attitudes towards security and privacy.

However, almost a year later, MEPs on the civil liberties committee (LIBE) have warned that a number of issues are still not resolved – which they say means the US is not compliant with the terms of the deal, or EU data protection laws.

In a close-run vote last night – passed by 29 to 25, with three abstentions – the committee adopted a motion for a resolution that calls on the Commission to suspend the deal unless the US is compliant by 1 September.

"While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter," said Claude Moraes, chair of LIBE.

"It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the [General Data Protection Regulation]."

The committee also pointed out that both Facebook and Cambridge Analytica – the firms at the centre of the data scandal of the year – are both certified under the Privacy Shield.

It called on US authorities to act on these revelations "without delay", and "if needed, to remove such companies from the Privacy Shield list"; their EU counterparts should also investigate and, where appropriate, suspend or prohibit data transfers under the deal.

Similarly, the US Department of Commerce should carry out more proactive and regular compliance checks, to ensure that companies – which are allowed to self-certify – are falling in line with Privacy Shield.

Elsewhere in the motion, the committee did acknowledge that some progress had been made – for instance, the appointment of a chair for PCLOB – but noted that the delay had prevented the group from drawing up various reports.

They added that the delay in choosing an ombudsman "is not contributing to mutual trust" and said that the role's powers in relation to the intelligence community needed to be clarified.

Meanwhile, the group expressed regret that the US hadn't embedded Presidential Policy Directive 28 (PDF) – which states surveillance activities need to safeguard personal information regardless of where the person resides – into the Foreign Intelligence Surveillance Act when it was re-authorised at the end of last year.

It called for evidence ensuring that data collection under FISA 702 isn't indiscriminate and isn't conducted in a generalised, bulk manner – which would run against the EU Charter on Fundamental Rights.

The group also raised concerns that the US's new snooping law, the CLOUD (Clarifying Lawful Overseas Use of Data) Act – which obliges US companies to hand over content to authorities even if it is held on servers overseas – could conflict with EU data protection laws.

The committee said a "more balanced solution" would have been to strengthen existing Mutual Legal Assistance instruments, which the group said respect the laws of the country in which the data is located.

Moreover, the committee said US authorities should have provided the Commission with "timely and comprehensive" information about the new law, as it was relevant to the Privacy Shield, but failed to do so.

The motion is expected to be put to a vote in the full House in July. ®

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022