Following the February 29 release of the European Commission’s European Union-United States Privacy Shield proposal, a group of twenty-seven civil liberties groups from both sides of the Atlantic have written to the proposal’s authors to criticize it. In their view, the Privacy Shield does not do enough to ensure U.S. compliance and, therefore, does not meet the requirements of the Court of Justice of the European Union (the “CJEU”) to replace the EU-U.S. Safe Harbor framework.

The letter’s authors, including the American Civil Liberties Union, Amnesty International USA, and the Electronic Frontier Foundation, criticize the Privacy Shield for not including stronger assurances from the U.S. federal government regarding its surveillance practices. The authors would require that the U.S. “formally commit to substantial reforms,” including the adoption of the principles of necessity and proportionality in their surveillance of both U.S. and non-U.S. targets; a more limited definition of “foreign intelligence information” (the subject of the Foreign Intelligence Surveillance Act); and restrictions on access, retention, and use of data that have been collected. In particular, the letter calls for an end to untargeted scanning of messages’ content and metadata. The authors urge the EU to condition the Privacy Shield’s effectiveness on the United States’ adoption of these reforms.

The authors of the letter also raise numerous issues with the contents of the Privacy Shield. For instance, they question the effectiveness of the proposed enforcement options (including binding arbitration and the private right of action for EU individuals to sue in U.S. state courts), when U.S. law does not require the United States to notify individuals who have been the subject of its surveillance. They argue that situating the United States’ ombudsperson within the State Department will compromise the position’s independence, and that the position lacks the authority to investigate or remedy complaints as anticipated in the Privacy Shield.

A working group of European data regulators proposed the Privacy Shield in February, following the CJEU’s invalidation of the existing EU-U.S. Safe Harbor agreement. The Safe Harbor had allowed U.S. controllers and processors of EU citizens’ personal data to comply with EU privacy measures through a self-certification process. Privacy activists in Europe had long challenged this arrangement as insufficient in practice to ensure compliance with European law, and in an October 2015 decision the CJEU agreed.

In order to take effect, a committee of the EU’s member states, as well as the European Parliament and Council, must determine that the Privacy Shield provides adequate protections in line with the Data Protection Directive, 95/46/EC. Only following this determination, and a final adoption by the European Commission, will U.S. firms be able to take advantage of the Privacy Shield. While this process is pending, the public interest groups’ letter is intended to pressure the U.S. for revisions to its surveillance laws by increasing the legal uncertainty for firms in the U.S. who rely on Europeans’ data.

Reporter, Daniel Ray, Silicon Valley, +1 650 422 6715, dray@kslaw.com.