Are the privacy and other rights of European internet users at risk when US companies transfer their data to the United States? Undeniably yes – unless the US overhauls its sweeping surveillance laws.

U.S. and European Union flags are pictured in front of the European Commission headquarters in Brussels, Belgium February 20, 2017.

© 2017 Reuters

Recent developments regarding the right to privacy under President Donald Trump only heighten these concerns.  Yesterday, Human Rights Watch and the American Civil Liberties Union sent a letter urging the European Commission to reconsider the Privacy Shield, a key data transfer deal, in light of these changes.

Under European Union law, US companies can’t transfer EU residents’ personal data, like personnel files or social media posts, to the US unless companies show it will be protected in ways “essentially equivalent” to that in Europe. In a 2015 case against Facebook brought by activist Max Schrems, the EU’s top court invalidated an agreement allowing such transfers, citing concerns US intelligence agencies could access European data indiscriminately, without meaningful redress if agencies violated rights.

Under pressure to restore cross-Atlantic data flows, in July 2016, the US Commerce Department and the European Commission reached a new deal, the Privacy Shield, with promises of stronger data protection. The deal relies on written assurances by the US director of national intelligence that European data won’t be subject to “indiscriminate mass surveillance.” US negotiators also pointed to US oversight mechanisms like the Privacy and Civil Liberties Oversight Board (PCLOB) and a new ombudsperson to take complaints about surveillance from the EU.

The deal was flawed from the start. Privacy Shield simply doesn’t prevent dragnet surveillance of European data. Since the Schrems case, there haven’t been any changes to laws allowing wholesale scanning of information sent over internet cables connecting the EU to the US. This also goes for the gathering of address books and cellphone locations in bulk. The promised ombudsperson, as well as the PCLOB, are limited in their ability to investigate complaints or compel specific remedies. 

Since Trump’s inauguration, the situation has worsened. The new administration’s steps on immigration removed Privacy Act protections for non-US persons, which Europeans have relied on if US agencies misuse their data. The PCLOB is also now inactive because all but one of its members have stepped down, and it isn’t clear when they will be replaced. Also, many of the asserted safeguards against mass surveillance are not laws, merely a presidential directive or agency policies, which Trump could easily reverse.

These concerns should cast doubt on the strength of the safeguards on which Privacy Shield is built. Europeans deserve more than vague promises to protect their privacy.