EC Review Finds Privacy Shield Works but Needs Tweaking
Privacy Shield is working well but needs improvement, the European Commission said in its inaugural review of the trans-Atlantic agreement for protecting Europeans' personal data held in the U.S. By signing the pact with the U.S., the EC took on part of the responsibility for what happens with Europeans' private data on American soil, so it's crucial that the system have no "gaps and loopholes," said Justice, Consumers and Gender Equality Commissioner Vera Jourová at a webcast Politico event Wednesday. The change from the Obama to the Trump administration raised concerns for the EC, which "desperately" needed to clarify whether it's "America first or America only," she said. Jourová's latest trip to Washington dispelled that worry, she said at a later news briefing. The FTC and tech industry agreed Privacy Shield is a success, but one digital rights activist doesn't expect it to hold up.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The review, which took place Sept. 17-18, involved feedback and information from Privacy Shield-certified companies, digital rights and privacy groups, and U.S. authorities, an EC memo said. Since the agreement launched last year, the Department of Commerce has set up and fine-tuned its process for receiving and reviewing applications from companies seeking to self-certify, it said. The DOC created questionnaires to monitor compliance, and, in conjunction with the FTC and EU data protection authorities (DPAs), put in place systems to ensure smooth enforcement cooperation, it said. The U.S. State Department acted to ensure the ombudsman mechanism for addressing complaints about U.S. access to personal data for national security purposes is up and running, the EC said. Commerce Secretary Wilbur Ross and staff showed commitment to the agreement and understand EU concerns, Jourová said at the briefing.
There's room for improvement, the EC said. There have been few complaints about U.S. misuse of Europeans' personal data, but that may be because few people know about Privacy Shield and its mechanisms for redress, Jourová said. The review suggested DOC and national privacy watchdogs boost efforts to make people aware of how to exercise their rights. There must be more monitoring for false compliance certification statements by companies, she said. The EC is also unhappy the administration failed to appoint four of the five members of the Privacy and Civil Liberties Oversight Board, and told the U.S. it expects action as soon as possible, she added.
Another concern is Section 702 of the Foreign Intelligence Surveillance Act, Jourová said. The law, which authorizes some forms of surveillance, expires at year's end, and the EC wants Congress to enshrine data protection for non-Americans in an updated version, she said. It's unclear from discussions with lawmakers whether they will stick to the current version or modify it, she said.
The report makes other recommendations. Companies shouldn't be allowed to announce publicly they're Privacy Shield-certified until the DOC finalized certification. The agency should do regular compliance checks. The EC encouraged DOC and DPAs to collaborate on guidance on the legal interpretation of several concepts.
In the national security arena, the EC recommended the U.S. make public PCLOB's report on implementation of the presidential directive. It pressed the U.S. to "proactively fulfill" its commitment to provide timely and comprehensive information about any developments that could raise questions about Privacy Shield's functioning. The report now goes to the European Parliament, EU Council, Article 29 Working Party and U.S. authorities, the EC said.
Acting FTC Chairman Maureen Ohlhausen welcomed the "positive outcome," saying enforcing such regimes is an integral part of the agency's privacy and data security program. "We agree with the European Commission's assessment of the robustness of Privacy Shield," which has boosted privacy safeguards and provided legal clarity for companies and users, said Computer & Communications Industry Association Senior Policy Counsel Bijan Madhani. Software & Information Industry Association Vice President-Public Policy Mark McCarthy concurred, hoping more companies sign on.
One digital rights activist was less than impressed. "In 2013, the Commission gave the US 13 ways to save Safe Harbour. In 2017, the Commission gave the US 10 ways to save Privacy Shield," said European Digital Rights Executive Director Joe McNamee, expecting the new arrangement to go the way of the old one: "The lyrics stay the same, only the music changes."