EU-US Privacy Shield remains precariously placed

The EU-US Privacy Shield appears to beweathering the blizzard of a Trump presidency for now. But it couldtake only a single stroke of Trumps pen to bring the entire arrangement toppling down.

The data transfer agreement, which seeks to bridge two different data protection regimes to enable close to 2,000 companies to transfer the personal data of EU citizens to the US for processing without violating fundamental European privacy rights, replaces the invalidated priorSafe Harbor arrangement itselfbrought down via a legal challenge in the wake of the Snowden revelations of US government mass surveillance programs.

Alternative mechanisms for approving transatlantic data transfers do exist but the aim with Privacy Shield is to streamline and simplify the process by offering industries certainty a situation that would be reversed by a sudden suspension.

Of especially keyimport to Privacy Shields survival is Presidential Policy Directive No. 28( PPD-2 8) an Obama era reform which extended privacy protections to foreigners.Thats very important for us, an EC spokeswoman told us.

She also pointed to the new ombudsperson position created to handle EU citizens complaints about how their data is being processed in the US. And said the Commission is closely following discussions in Congress around whetherto extendSection 702 of the Foreign and Intelligence Surveillance Act, which approves governmentagencies bulk collect of Internet data, and is due to expire at the end of this year.

These are safeguards that we really need, she added.

Ifpresident Trump wereto rescinded PPD-2 8 what would happen then? Would that be the immediate end of Privacy Shield? That would be very complicated, said the spokeswoman, noting the EC cansuspend the data transfer mechanism if core timbers of the adequacy arrangement( as the Commissionsees it) are removed.

But despite these caveats, the EUs executive bodyis continuing to stand behind Privacy Shield as youd expect, given how many years ofwork it put into negotiatingthe replacementarrangement in the first place. Safe Harbor stood for fifteen years; Privacy Shield is not yet a year old.

We will continue to work to keep the Privacy Shield running, for now it is clear that it works in practice and is fulfilling its main purpose. Over 1,900 companies are utilizing it, said the EC in a statement.

Commissioner[ Vera] Jourov received during her visit in the U.S. assurances by U.S. commerce secretary Wilbur Ross on the EU-U.S. Privacy Shield He reassured[ her] that he understands the importance of Privacy Shield and also the tasks, specific commitments which are under Privacy Shield in place for the state administration.

Right from the beginning Privacy Shield hashad critics who argue it does not address fundamental issues such as national security bureaux intrusive access to personal data; nor even offer the touted adequate protection for EU citizens data. Redress mechanisms for consumers are also challenged as too complex to be workable. And the mechanism isalready facing at least two legal challenges.

Butwith a new US president apparently intent on rolling back Obama era reforms including privacy-related ones European lawmakers are more visiblyconcerned than ever.

Last monththeEuropean Parliaments civil liberty committee approved a resolution saying the Privacy Shield is inadequate.

And yesterday the EU parliament alsodebated the adequacy of the protection offered by the mechanism, with further warns being voiced including concerns aboutnew regulations that allow the NSA to share private data with other US bureaux without tribunal oversight; and about the recent dismantlingof broadband privacy reform signed by Trump last week.

Vacancies at relevant US oversight bodies arealso worrying MEPs.

Yesterday the EU parliament passed a resolution calling on the Commission toconduct a proper assessment of Privacy Shield to ensure itprovides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental human rights and new EU data protection rules.

This resolution aims to ensure that the Privacy Shield stands the test of day and that it does not suffer from critical flaws, said Civil Liberties Committee chair Claude Moraes in a statement. We acknowledge the significant improvements constructed compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and industries that depend on this agreement.

Its clear that much will hinge on the first its consideration of Privacy Shield which the Commission has now said willtake place in September.

Jourov, who led Privacy Shield negotiations from the EU side, also spokeduring the debatein parliament yesterday, givingMEPs an update onher trip last month to Washington for talks withthe Trump administration to, as she previously couched it, assess its commitment tothePrivacy Shield.

During my visit to Washington last week, I set a particular emphasis on some of the key foundations on which the Privacy Shield is build, shetold MEPs.This concerns in particular the limitations and safeguards which are applicable to the area of government access for national security purposes.

In January an immigration-related Executive Ordersigned by Trump stripped privacy rights from non-US both citizens and while the Commission rapidly asserted that that decision did not set a dent inPrivacy Shield, as it focused on legislation the mechanism does not will vary depending on, the fact that a sitting US president istakinga visibly hostile posture to foreigners privacy rights clearly makesfor very uncomfortable viewing in Brussels.

As well as PPD-2 8 and the new ombudsperson position, Jourov describedthe US Privacy and Civil Liberties Oversight Board as one of the essential elementsfor the sustainability of the Privacy Shield although the PCLOB has been blamed aseffectivelydefunct at this phase, with too few Senate-confirmed members to function. It only currently lists one board member on its website so the EC is presumably hoping to spur action from the Trump administration to reinvigorate what is currentlya moribund oversight body.

The ombudsperson role hadalso been vacant since January, when the prior appointee departed. However anEC spokeswoman told us today that the role was filled last week naming Judith Garber as the new appointee.

Garber iscurrently listed as Acting Assistant Secretary for Oceans, Environment and Science( OES) on the US Department of State website. And does not appear to have been announced by the Commission as the new Privacy Shield Ombudsperson to the European Parliament yesterday. Weve reached out to the US Department of State for verification of her appointment and will update this post with any response.

Update : According to a State Department official Acting Assistant Secretary Garber was delegated the authorities concerned of the Under Secretary for Economic Growth, Energy and the Environment( which includes those of the Ombudsperson under the EU-US Privacy Shield ), pursuant to Delegation of Authority No. 415, dated January 18, 2017, and can exercise those authorities until a new Under Secretary is in place, or until the delegation is rescinded by competent authority.

The official further told us: Acting Assistant Secretary Garber is not the Acting Under Secretary. She is the Acting Assistant Secretary of OES, who has been delegated the authorities concerned of the Under Secretary.

So it would appear that the position of Under Secretary for Economic Growth, Energy and the Environment and therefore the Privacy Shield ombudsperson remains vacant at this phase in the Trump administrations tenure, with only anactingcivil servant in place for now.

Its less clear whether a temporary appointee for akey Privacy Shield role will pass muster in Europe, however. Nor whether a non-confirmed civil servant would be in a position tomake controversial decisions as youd hope/ expect an oversight ombudsperson to be able to in order to be able to carry out their duties.

Seeking to reassure MEPs yesterday, Jourov said: I received assurances that this message is well understood by our US counterparts both as to the value of the Privacy Shield and the need to keep all of its components in place.

Let me make this phase very clear: If we are faced with any developments that could negatively affect the level of protection afforded under the Privacy Shield, the Commission will take its responsibilities and use all available mechanisms review, suspension, revocation, repeal to react.

She went on toreiterate her conviction thatPrivacy Shield is the most comprehensive solution for data transfers across the Atlantic. While also makingclear that shes aware of theprivacy fears European parliamentariansare raising vis-a-visthe Trump presidency.

I am also conscious of the concerns that some of you have raised and I understand that many remain sceptical about where the new U.S. government stands on privacy issues. Let me assure you that we will stay vigilant. I am personally committed to the regular monitoring of the Privacy Shield, and I will ensure this is properly done on both sides of the Atlantic and in a dialogue with the European Parliament.

Jourov said her focus now will be on the review of the mechanism, which she described as a crucial moment a moment of truth to take stock of how( or for some, whether) Privacy Shield is functioning.

She said the review, which will take place in Washington, will cover šŸ˜› TAGEND

( i) how US companies comply with their data protection obligations and the mechanisms they have put in place to ensure a speedy handling of complaints ;P TAGEND ( ii) how the Department of Commerce and the FTC certify companies, assess compliance and cooperate with our Data Protection Authorities in the enforcement ;P TAGEND

( iii) the operation of the rules regarding access by public authorities and the rules and procedures to ensure that the Ombudsperson mechanism functions well.

( iv) In addition, the issued identified already in the Commissions adequacy decision, such as the dialogue on automated decision-making, as well as any developments in U.S. statute that might raise questions concerning the EU-U.S. Privacy Shield and its operation will have to be discussed.

Though she also noted that the Article 29 WP aka the body thatis comprised of representatives ofall EU Member States Data Protection Authorities will be involved in discussions about the exact parameters of the review.

The data protection watchdog group wascritical of Privacy Shieldthroughout the drafting process, and its clear concerns remain.

The chair of the Article 29 WP, Isabelle Falque-Pierrotin, was part of the EU delegation visiting the US last month. In a statement giving feedback on the trip, the group said: The FTC and the Ombudsperson reiterated their general support to the Privacy Shield and their willingness to help the European Commission and the WP29 in their annual review. However, some of the key functions in the Privacy Shield architecture still need to be definitely appointed following the US election( Ombudsperson, FTC commissioners and PCLOB members ). In addition, the organization of the annual review must be discussed in depth and in detail with the US authorities especially regarding access to documents.

In that regard, Isabelle Falque-Pierrotin recalls that the objective of this annual review exercise is to verify through concrete proofs if US commitments under the Privacy Shield are fulfilled. It is essential that US authorities offer substance and demonstrate to EU stakeholders that the system is in place and runs effectively so that such an instrument ensures real and effective protection to EU data according to EU standards.

On the U.S. side, Jourov said the forthcoming joint its consideration of Privacy Shield willinvolve the Department of Commerce, the Federal Trade Commission, the Ombudsperson and representatives from the Intelligence Community.

Directly after the joint review, we will report our findings to you and to the Member States in the Council. This will enable you and us to assess and discuss where we are and the next steps, she told MEPs.

One key difference betweenPrivacy Shield and the priorSafe Harbor arrangement is these regular( annual) reviews thatthe arrangement is subject to which puts the EU in a position of being able to warn US administrations preemptively against rolling backspecificprivacy protections, as indeed it has been doing. A warningthat is being backed up withthe threat of immediate suspension of the mechanism should there be changes that the Commission does not like.

It remains to be seen howthe Trump administration reacts on key privacy issues over the longer term such as the prolongation of Section 702 of FISA. And whether the EC actually would be mindedto pull the plug on a data transferarrangement that it ran so very hard topush into place in the faceof very concerned about the adequacy of the privacy protections. But, safe to tell, Privacy Shield remains precariously placed.

Read more: