Europe issues a deadline for US’ Privacy Shield compliance

The European Commission has finally given the U.S. a deadline related to the much-criticized data transfer mechanism known as the EU-US Privacy Shield.

But it’s only asking for the U.S. to nominate a permanent ombudsperson — to handle any EU citizens’ complaints — by February 28, 2019.

If a permanent ombudsperson is not appointed by then the Commission says it will “consider taking appropriate measures, in accordance with the General Data Protection Regulation”.

So not an out-and-out threat to suspend the mechanism — which is what critics and MEPs have been calling for.

But still a fixed deadline at last.

“We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy,” said Andrus Ansip, Commission VP for the Digital Single Market, in a statement.

“All elements of the Shield must be working at full speed, including the Ombudsperson,” added Věra Jourová, the commissioner for justice and consumers.

It’s the first sign the Commission is losing patience with its U.S. counterparts.

Although there’s no doubt the EC remains fully committed to the survival of the business-friendly mechanism which it spent years negotiating after the prior arrangement, Safe Harbor, was struck down by Europe’s top court following NSA whistleblower Edward Snowden’s disclosures of US government surveillance programs.

Its problem is it has to contend with Trump administration priorities — which naturally don’t align with privacy protection for non-US citizens.

While the EU-US Privacy Shield is over two years old at this point, president Trump has failed to nominate a permanent ombudsperson to a key oversight role.

The acting civil servant (Judith Garber, principal deputy assistant secretary for the Bureau of Oceans and International Environmental and Scientific Affairs) was also nominated as U.S. ambassador to Cyprus this summer, suggesting a hard limit to her already divided attention on EU citizens’ data privacy.

Despite this problematic wrinkle, the EU’s executive today professed itself otherwise satisfied that the mechanism is ensuring “an adequate level of protection for personal data”, announcing the conclusion of its second annual Privacy Shield review.

The data transfer mechanism is now used by more than 4,000 companies to simplify flows of EU citizens’ personal data to the US.

And the Commission clearly wants to avoid a repeat of the scramble that kicked off when, three years ago, Safe Harbor was struck down and businesses had to find alternative legal means for authorizing essential data flows.

But at the same time Privacy Shield has been under growing pressure. This summer the EU parliament called for the mechanism to be suspended until the U.S. comes into compliance.

The parliament’s Libe committee also said better monitoring of data transfers was clearly required in light of the Cambridge Analytica Facebook data misuse scandal. (Both companies having been signed up to Privacy Shield.)

The mechanism has also been looped into a separate legal challenge to another data transfer tool after the Irish High Court referred a series of questions to the European Court of Justice — setting the stage for another high stakes legal drama if fundamental European privacy rights are again deemed incompatible with U.S. national security practices.

A decision on that referral remains for the future. But in the meanwhile the Commission looks to be doing everything it can to claim it’s ‘business as usual’ for EU-US data flows.

In a press release today, it lauds steps taken by the U.S. authorities to implement recommendations it made in last year’s Privacy Shield review — saying they have “improved the functioning of the framework”.

Albeit, the detail of these slated ‘improvements’ shows how very low its starting bar was set — with the Commission listing, for example:

  • the strengthening by the Department of Commerce of the certification process and of its proactive oversight over the framework — including setting up mechanisms such as a system of spot checks (it says that 100 companies have been checked; and 21 had “issues that have now been solved” — suggesting a fifth of claimed compliance was, er, not actually compliance)
  • additional “compliance review procedures” such as analysis of Privacy Shield participants’ websites “to ensure that links to privacy policies are correct”; so previously we must assume no one in the U.S. was bothering to check
  • the Department of Commerce put in place a system to identify false claims which the Commission now claims “prevents companies from claiming their compliance with the Privacy Shield, when they have not been certified”; so again, prior to this system being set up certifications weren’t necessarily worth the pixels they were painted in

The Commission also claims the Federal Trade Commission has shown “a more proactive approach” to enforcement by monitoring the principles of the Privacy Shield — noting that, for example, it has issued subpoenas to request information from participating companies.

Another change it commends — related to the sticky issue of access to personal data by U.S. public authorities for national security purposes (which is what did for Safe Harbor) — is the appointment of new members of the Privacy and Civil Liberties Oversight Board (PCLOB) — to restore the Board’s quorum.

The denuded PCLOB has been a long running bone of contention for Privacy Shield critics.

“The Board’s report on the implementation of Presidential Policy-Directive No. 28 (PPD-28, which provides for privacy protections for non-Americans) has been made publicly available,” the Commission writes, referring to a key Obama era directive that it has previously said the Shield depends upon. “It confirms that these privacy protections for non-Americans are implemented across the U.S. intelligence community.”

It says it also took into account relevant developments in the U.S. legal system in the area of privacy during the review, noting that: “The Department of Commerce launched a consultation on a federal approach to data privacy to which the Commission contributed and the US Federal Trade Commission is reflecting on its current powers in this area.”

“In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing,” it adds, kicking the can down the road on that particular data scandal.

Meanwhile, as you’d expect, business groups have welcomed another green light for data to keep being passed.

In a statement responding to the conclusion of the review, the Computer & Communications Industry Association said: “We commend the European Commission for its thorough review. Privacy Shield is a robust framework, with strong data protections, that allows for the daily transfers of commercial data between the world’s two biggest trading partners.”