EU-US Privacy Shield remains precariously placed

The EU-US Privacy Shield appears to be weathering the storm of a Trump presidency — for now. But it could take just a single stroke of Trump’s pen to bring the entire arrangement toppling down.

The data transfer agreement, which seeks to bridge two different data protection regimes to enable close to 2,000 companies to transfer the personal data of EU citizens to the US for processing without breaching fundamental European privacy rights, replaces the invalidated prior Safe Harbor arrangement — itself brought down via a legal challenge in the wake of the Snowden revelations of US government mass surveillance programs.

Alternative mechanisms for authorizing transatlantic data transfers do exist but the aim with Privacy Shield is to streamline and simplify the process by offering businesses certainty — a situation that would be reversed by a sudden suspension.

Of especially key import to Privacy Shield’s survival is Presidential Policy Directive No. 28 (PPD-28) — an Obama era reform which extended privacy protections to foreigners. “That’s very important for us,” an EC spokeswoman told us.

She also pointed to the new ombudsperson position created to handle EU citizens’ complaints about how their data is being processed in the US, and said the Commission is closely following discussions in Congress around whether to extend Section 702 of the Foreign Intelligence Surveillance Act, which authorizes government agencies’ bulk collection of Internet data, and is due to expire at the end of this year.

“These are safeguards that we really need,” she added.

If President Trump were to revoke PPD-28 what would happen then? Would that be the immediate end of Privacy Shield? “That would be very complicated,” said the spokeswoman, noting the EC can suspend the data transfer mechanism if core planks of the adequacy arrangement (as the Commission sees it) are removed.

But despite these caveats, the EU’s executive body is continuing to stand behind Privacy Shield — as you’d expect, given how many years of work it put into negotiating the replacement arrangement in the first place. Safe Harbor stood for fifteen years; Privacy Shield is not yet a year old.

“We will continue to work to keep the Privacy Shield running, for now it is clear that it works in practice and is fulfilling its main purpose. Over 1,900 companies are using it,” said the EC in a statement.

“Commissioner [Vera] Jourová received during her visit in the U.S. assurances by U.S. commerce secretary Wilbur Ross on the EU-U.S. Privacy Shield… He reassured [her] that he understands the importance of Privacy Shield and also the tasks, the commitments which are under Privacy Shield in place for the state administration.”

Right from the start Privacy Shield has had critics — who argue it does not address fundamental issues such as national security agencies’ intrusive access to personal data; nor even offer the touted adequate protection for EU citizens’ data. Redress mechanisms for consumers are also challenged as too complex to be workable. And the mechanism is already facing at least two legal challenges.

But with a new US president apparently intent on rolling back Obama era reforms — including privacy-related ones — European lawmakers are more visibly concerned than ever.

Last month the European Parliament’s civil liberties committee approved a resolution saying the Privacy Shield is inadequate.

And yesterday the EU parliament also debated the adequacy of the protection offered by the mechanism, with further warnings being voiced — including concerns about new rules that allow the NSA to share private data with other US agencies without court oversight; and about the recent dismantling of broadband privacy reform — signed by Trump last week.

Vacancies at relevant US oversight bodies are also worrying MEPs.

Yesterday the EU parliament passed a resolution calling on the Commission to conduct a proper assessment of Privacy Shield to ensure it provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules.

“This resolution aims to ensure that the Privacy Shield stands the test of time and that it does not suffer from critical weaknesses,” said Civil Liberties Committee chair Claude Moraes in a statement. “We acknowledge the significant improvements made compared to the former EU-US Safe Harbour, but there are clearly deficiencies that remain to be urgently resolved to provide legal certainty for the citizens and businesses that depend on this agreement.”

It’s clear that much will hinge on the first review of Privacy Shield — which the Commission has now said will take place in September.

Jourová, who led Privacy Shield negotiations from the EU side, also spoke during the debate in parliament yesterday, giving MEPs an update on her trip last month to Washington for talks with the Trump administration to, as she previously couched it, assess its commitment to the Privacy Shield.

“During my visit to Washington last week, I put a particular emphasis on some of the key foundations on which the Privacy Shield is built,” she told MEPs. “This concerns in particular the limitations and safeguards that apply in the area of government access for national security purposes.”

In January an immigration-related Executive Order signed by Trump stripped privacy rights from non-US citizens — and while the Commission quickly asserted that that decision did not put a dent in Privacy Shield, as it focused on legislation the mechanism does not rely on, the fact that a sitting US president is taking a visibly hostile stance to foreigners’ privacy rights clearly makes for very uncomfortable viewing in Brussels.

As well as PPD-28 and the new ombudsperson position, Jourová described the US Privacy and Civil Liberties Oversight Board as one of the “essential” elements for “the sustainability of the Privacy Shield” — although the PCLOB has been criticized as effectively defunct at this point, with too few Senate-confirmed members to function. It only currently lists one board member on its website — so the EC is presumably hoping to spur action from the Trump administration to reinvigorate what is currently a moribund oversight body.

The ombudsperson role had also been vacant since January, when the prior appointee departed. However an EC spokeswoman told us today that the role was filled last week — naming Judith Garber as the new appointee.

Garber is currently listed as Acting Assistant Secretary for Oceans, Environment and Science (OES) on the US Department of State website, and does not appear to have been announced by the Commission as the new Privacy Shield Ombudsperson to the European Parliament yesterday. We’ve reached out to the US Department of State for confirmation of her appointment — and will update this post with any response.

Update: According to a State Department official “Acting Assistant Secretary Garber was delegated the authorities of the Under Secretary for Economic Growth, Energy and the Environment (which includes those of the Ombudsperson under the EU-US Privacy Shield), pursuant to Delegation of Authority No. 415, dated January 18, 2017”, and “can exercise those authorities until a new Under Secretary is in place, or until the delegation is revoked by competent authority”.

The official further told us: “Acting Assistant Secretary Garber is not the Acting Under Secretary. She is the Acting Assistant Secretary of OES, who has been delegated the authorities of the Under Secretary.”

So it would appear that the position of Under Secretary for Economic Growth, Energy and the Environment — and therefore the Privacy Shield ombudsperson — remains vacant at this point in the Trump administration’s tenure, with only an acting civil servant in place for now.

It’s less clear whether a temporary appointee for a key Privacy Shield role will pass muster in Europe, however. Nor is it clear whether a non-confirmed civil servant would be in a position to make the controversial decisions you’d hope and expect an oversight ombudsperson to be able to make in order to carry out their duties.

Seeking to reassure MEPs yesterday, Jourová said: “I received assurances that this message is well understood by our US counterparts – both as to the value of the Privacy Shield and the need to keep all of its elements in place.

“Let me make this point very clear: If we are faced with any developments that could negatively affect the level of protection afforded under the Privacy Shield, the Commission will take its responsibilities and use all available mechanisms – review, suspension, revocation, repeal – to react.”

She went on to reiterate her conviction that Privacy Shield is “the most comprehensive solution for data transfers across the Atlantic”. While also making clear that she’s aware of the privacy concerns European parliamentarians are raising vis-a-vis the Trump presidency.

“I am also conscious of the concerns that some of you have raised and I understand that many remain sceptical about where the new U.S. government stands on privacy issues. Let me assure you that we will stay vigilant. I am personally committed to the regular monitoring of the Privacy Shield, and I will ensure this is properly done on both sides of the Atlantic and in a dialogue with the European Parliament.”

Jourová said her focus now will be on the review of the mechanism, which she described as “a crucial moment — a moment of truth” to take stock of how (or for some, whether) Privacy Shield is functioning.

She said the review, which will take place in Washington, will cover:

(i) how US companies comply with their data protection obligations and the mechanisms they have put in place to ensure a speedy handling of complaints;

(ii) how the Department of Commerce and the FTC certify companies, monitor compliance and cooperate with our Data Protection Authorities in the enforcement;

(iii) the operation of the rules regarding access by public authorities and the rules and procedures to ensure that the Ombudsperson mechanism functions well.

(iv) In addition, the issues identified already in the Commission’s adequacy decision, such as the dialogue on automated decision-making, as well as any developments in U.S. law that might raise questions concerning the EU-U.S. Privacy Shield and its operation will have to be discussed.

Though she also noted that the Article 29WP — aka the body that is comprised of representatives of all EU Member States’ Data Protection Authorities — will be involved in discussions about “the precise parameters” of the review.

The data protection watchdog group was critical of Privacy Shield throughout the drafting process, and it’s clear concerns remain.

The chair of the Article 29WP, Isabelle Falque-Pierrotin, was part of the EU delegation visiting the US last month. In a statement giving feedback on the trip, the group said: “The FTC and the Ombudsperson reiterated their general support to the Privacy Shield and their willingness to help the European Commission and the WP29 in their annual review. However, some of the key functions in the Privacy Shield architecture still need to be definitely appointed following the US election (Ombudsperson, FTC commissioners and PCLOB members). In addition, the organization of the annual review must be discussed in depth and in detail with the US authorities especially regarding access to documents.

“In that regard, Isabelle Falque-Pierrotin recalls that the objective of this annual review exercise is to verify through concrete evidences if US commitments under the Privacy Shield are fulfilled. It is essential that US authorities provide substance and demonstrate to EU stakeholders that the system is in place and works effectively so that this instrument ensures real and effective protection to EU data according to EU standards.”

On the U.S. side, Jourová said the forthcoming joint review of Privacy Shield will involve the Department of Commerce, the Federal Trade Commission, the Ombudsperson and representatives from the Intelligence Community.

“Directly after the joint review, we will report our findings to you and to the Member States in the Council. This will allow you and us to assess and discuss where we are and the next steps,” she told MEPs.

One key difference between Privacy Shield and the prior Safe Harbor arrangement is these regular (annual) reviews that the arrangement is subject to — which puts the EU in a position of being able to warn US administrations preemptively against rolling back specific privacy protections, as indeed it has been doing. A warning that is being backed up with the threat of immediate suspension of the mechanism should there be changes that the Commission does not like.

It remains to be seen how the Trump administration responds on key privacy issues over the longer term — such as the prolongation of Section 702 of FISA. And whether the EC really would be minded to pull the plug on a data transfer arrangement that it worked so very hard to push into place in the face of concerns about the adequacy of the privacy protections. But, safe to say, Privacy Shield remains precariously placed.