It is difficult to know the true extent to which American corporate interests and the US government continue to lobby the European Union and its member states on the US-EU Privacy Shield agreement. In March of this year, public records requests about Privacy Shield were sent to data protection authorities across the European Union. To date, the vast majority of EU data protection authorities have failed to release public records on Privacy Shield.
Lobbying by American Corporate Interests
American corporations, such as Google, Microsoft, Facebook, Amazon, and Twitter, use the Privacy Shield framework as the legal basis to transfer personal data from the European Union to the United States. Civil society groups [1, 2, 3, 4] have criticized the Privacy Shield’s many flaws and lack of basic protection for personal data. Even the EU’s own parliament has been critical of the agreement. The Article 29 Working Party, the group of EU data protection authorities, has also expressed serious concern and doubt about Privacy Shield. Perhaps the most glaring inadequacy of the Privacy Shield agreement is that it allows for NSA mass surveillance, in violation of EU law.
The European Union has a voluntary lobbying register. Google, Microsoft, BusinessEurope, and DigitalEurope are four of the top eight lobbying organizations by number of meetings with EU officials, according to Integrity Watch. The transparency register lists Google and Microsoft as being members of BusinessEurope and DigitalEurope. The transparency register also lists Google and Microsoft estimating their annual spending on EU lobbying as between €4 and €5 million Euros each. BusinessEurope lists its estimated annual spending on the low side of €4 million Euros, while DigitalEurope is spending approximately €1.9 million Euros a year.
There has been a massive lobbying campaign by American corporate interests on Privacy Shield in the EU. In addition to spending on lobbying, the transparency register also lists meetings between EU officials and lobbyists. In January of 2016, a couple months after the EU Court of Justice struck down Safe Harbor (the framework before Privacy Shield), Microsoft met separately with EU Commission Vice President Andrus Ansip and Commissioner Vera Jourova on the issue.
American technology companies such as Adobe, Apple, Amazon. AT&T, Cisco, Facebook (subsidiary in Ireland), General Electric, Google, Hewlett-Packard, IBM, Symantec, and Yahoo! have lobbied EU officials on the EU’s data protection standards. Several American financial services companies, including Citigroup, JP Morgan Chase, and Mastercard, have also lobbied EU officials on data protection standards. Trade industry groups representing American corporate interests have also partaken in this lobbying effort. The American Chamber of Commerce, the Business Software Alliance, BusinessEurope, and DigitalEurope are also listed as meeting with and lobbying EU officials on Privacy Shield.
Since the EU’s transparency registry is completely voluntary and there are few sanctions for violations, some meetings with EU officials and additional spending on lobbying may have never been registered. The American lobbying invasion may actually be much larger than the records on the EU’s transparency register suggest.
US Embassy Gets Involved
The US government is also engaged in lobbying EU member states to accept the Privacy Shield agreement. In January of 2016, the US embassy sent the Danish data protection authority (Datatilsynet) an email warning that legal uncertainty about personal data transfers from the EU to the US could harm business. The US embassy goes on to state that the EU should not solve the problem by hosting servers and storing data in the EU. The email also rather comically insinuates a denial of some aspects of NSA spying by stating, “The allegations underlying the Schrems case about U.S. privacy law and intelligence practices were based on mistaken assumptions and outdated information.” The Datatilsynet confirms that there was a meeting in May 2016 between their office, the Danish Ministry of Justice, the US embassy, and the US Department of Commerce about the Privacy Shield agreement.
In January of last year, the US embassy sent an email thanking the Slovenian data protection authority (IPRS) for meeting the week earlier. Several days later, the US embassy sent IPRS and the Slovenian Ministry of Justice a rather ominous email. The email warns, “It is imperative to conclude a revised U.S.-EU Safe Harbor agreement now, or risk harm to economic growth and job creation on both sides of the Atlantic, as well as damage to the broader transatlantic relationship.” The email also pressures Slovenia to direct EU Commissioner Vera Jourova to approve a new agreement to replace Safe Harbor. The US embassy also sent documents to the IPRS, which the IPRS is refusing to release.
The data protection authority of Italy confirms receiving communication from the US embassy about Privacy Shield. The data protection authorities in Finland, Germany, Latvia, Romania, and Sweden deny receiving emails from the US embassy about Privacy Shield. The data protection authority of Austria refuses to confirm or deny if it ever received emails. In response to questions about the possible existence of emails, the data protection authority of Luxembourg (CNPD) had a rather bizarre reply. The CNPD stated that Luxembourg does not have a freedom of information law. In addition, the CNPD refused to answer questions about the US embassy by citing Luxembourg data protection laws.
For now, the true extent of American lobbying remains behind closed doors.
The text of this article is released into the public domain. You are free to translate and republish the text of this article. Featured picture is obtained from the US Department of Commerce.