A US consumer protection and privacy organisation has called for the suspension of the EU-US Safe Harbour agreement covering the transfer of citizens’ data from Europe to the US.
The Center for Digital Democracy (CDD) said the programme should be halted pending an investigation by the US Federal Trade Commission (FTC).
A complaint filed by the CDD called for the investigation of 30 US companies involved in data profiling and online targeting for allegedly failing to adhere to Safe Harbour rules. These include Adobe and Salesforce.com.
The group of companies includes data brokers that have compiled sensitive information on individual consumers; providers of data management platforms that allow their corporate clients to analyse their own consumer information and combine it with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles to identify the most profitable consumers for personalised advertising.
The complaint comes as the US and EU wind up negotiations to revise the Safe Harbour programme in response to a call by members of the European Parliament.
The call was triggered by concerns over revelations of US National Security Agency (NSA) spying made by whistleblower Edward Snowden.
The CDD complaint alleges that dozens of US companies are failing to provide accurate and meaningful information to EU consumers on how to opt out and about what data is actually collected.
Many of these companies are using and sharing EU consumers’ personal information without their consent, in violation of the Safe Harbour framework, the complaint said.
The Safe Harbour agreement relies on a voluntary self-certification process that is supposed to be overseen by the US Department of Commerce.
But according to the CDD complaint, there is a lack of oversight by the Department of Commerce and a lack of enforcement by the FTC to ensure that EU consumers’ privacy rights are respected.
“The US is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director.
“Instead of ensuring that the US lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC,” he said.
According to Chester, the big data-driven companies cited in the complaint use Safe Harbour as a shield to further their information-gathering practices without serious scrutiny.
“Companies are relying on exceedingly brief, vague or obtuse descriptions of their data collection practices, even though Safe Harbour requires meaningful transparency and candour,” he said.
The CDD investigation, he said, found that many of the companies are involved with several data broker partners which, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.
Hudson Kingston, CDD legal director, said the complaint described the “systemic failure” of the Safe Harbour framework to function as it was intended.
“Safe Harbour has to be overhauled to make sure it actually works; until that time, it should be suspended,” he said.
Chester said the US and EU are currently negotiating a trade agreement that will enable US companies to gather even more data on Europeans.
“Reform of Safe Harbour is urgently required before it becomes a ‘get out of protecting privacy’ card used by US firms under the coming Transatlantic Trade and Investment Partnership,” he said.
The CDD said the complaint highlights five broad concerns:
1. The failure of Safe Harbour declarations and required privacy policies to provide accurate and meaningful information to EU consumers.
2. A lack of candour from the companies about the nature of their data collection, including their networks of data broker partners and corporate affiliations.
3. The general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from data collection and processing.
4. The myth of “anonymity” at a time when marketers – armed with vast amounts of details about consumers – do not need to know an individual’s name to be able to track and target them online.
5. The false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in data-driven services for profiling and targeting.