Fiber optic cables carrying internet providers are seen running into a server room at Intergate.Manhattan, a data center owned and developed by Sabey Data Center Properties, during a tour of the facility in lower Manhattan, in New York, March 20, 2013. The 32-story building is the largest high-rise data center in the world with 600,000 square feet (55,742 square meters) of data center floor space and 40 Megawatts of electrical capacity. © 2013 Reuters

United States surveillance laws and programs are so broad and contain such weak safeguards that they render the EU-US Privacy Shield invalid, Human Rights Watch said today in a briefing and letter to the European Commission, published jointly with Amnesty International. The Commission’s 2016 decision approving the Privacy Shield arrangement makes it legal for internet companies to transfer users’ personal data from the EU to the US, with major commercial implications. The arrangement will undergo its first annual review in September 2017.

Under the EU’s strong data-protection laws, companies such as Facebook, Google, and Amazon may only transfer people’s personal data to non-EU countries such as the US if those countries adequately protect privacy and other rights in this area. When issuing the Privacy Shield decision last year, the European Commission found that the US provides sufficient rights protections, while obtaining some additional concessions. However, Human Rights Watch and Amnesty International concluded that several types of US intelligence surveillance clearly fail to meet the EU’s fundamental-rights standards – meaning that the Privacy Shield is not valid.

“There’s no way to get around the fact that US laws and policies allow abusive monitoring and need to be drastically overhauled before they can meet human rights standards,” said Maria McFarland Sánchez-Moreno, co-director of the US Program at Human Rights Watch. “The European Commission should face this reality and insist that genuine, thoroughgoing reforms be adopted.”

The personal data the Privacy Shield allows companies to transfer to the US includes information such as social media posts and purchase or browsing histories that is essential to many US internet companies’ business models. But that data can also be highly revealing of personal life, especially in the aggregate, and may be susceptible to unnecessary or disproportionate government intrusions.

The two organizations analyzed the fundamental rights protections the Court of Justice of the European Union has said apply to the processing of personal data under EU law. They then measured three major US surveillance authorities against these standards – and found that they fall far short of the mark. One of these authorities is Section 702 of the Foreign Intelligence Surveillance Act, which underpins at least two large-scale warrantless surveillance programs and which Congress is currently debating whether to renew before it expires at the end of this year. Another is Executive Order 12333, which the National Security Agency uses as the basis for most of its communications surveillance activities – including, according to media reports, vast warrantless snooping programs around the world.

It is virtually impossible for the overwhelming majority of people to find out if the US intelligence agencies have subjected them to such surveillance, or to challenge the legality of these activities in court. As the briefing points out, this situation exacerbates the other human rights problems inherent in the programs.

The Commission should re-evaluate the Privacy Shield decision, Human Rights Watch and Amnesty International said.

“People shouldn’t have to choose between having their human rights protected and being able to use whatever internet services they may prefer,” McFarland Sánchez-Moreno said. “The European Commission should take a good, hard look at the realities of US surveillance and take action to make sure no one’s rights are sacrificed in the name of political or economic convenience.”