European Union officials are pressuring the U.S. government to do more on its end of the EU-U.S. Privacy Shield program, ahead of a high-stakes bilateral review.
More than 3,600 U.S. companies, including Alphabet Inc.'s Google and Microsoft Corp., which are both certified, rely on the program to move data out of the EU. But EU officials warn that U.S. oversight has been anemic, leaving EU citizens without adequate data protections. They plan to raise their concerns at a review with U.S. officials in Brussels starting Oct. 18.
The EU is concerned about how the Commerce Department is performing its oversight of U.S. companies under the program, the bloc’s lead privacy supervisor said. EU officials also have criticized the lack of a permanent program referee at the State Department and shaky review of U.S. surveillance activities.
“The Privacy Shield is in some ways a relic from the old data protection regime, pre-GDPR,” European Data Protection Supervisor Giovanni Buttarelli told Bloomberg Law. The EU will have to decide in the review if the “Privacy Shield is still fit for purpose,” he said.
The program undergirds an estimated $260 billion in digital trade between the EU and U.S., according to Bloomberg Intelligence analyst Tamlin Bason.
“There is no question that a very significant number of entities rely on the Privacy Shield, and it would be reasonably devastating to the global economy if the program fails and there isn’t sufficient time provided to comply with another data transfer mechanism,” Lisa Sotto, privacy partner with Hunton Andrews Kurth LLP, told Bloomberg Law.
The European Commission approved the Privacy Shield in 2016 to straddle the EU’s stringent privacy protections and less-demanding U.S. law. To participate, U.S. companies must certify that EU personal data will be subject to the same protections it has inside the bloc.
The review, the second one since the program took effect, may be a turning point, given EU concerns about whether the program is protecting EU data as intended.
“In the first annual review of the Privacy Shield, the Commission has recommended to the U.S. to be more proactive in tackling the issue” of companies falsely claiming participation in the program through their privacy policies, EC spokesman Christian Wigand told Bloomberg Law by email. Commerce has improved its procedures, but EU officials will raise the subject again during the upcoming review, he said.
EU officials haven’t signaled any readiness to end the program now, and privacy attorneys say the EU isn’t likely to scrap it. But that may change if the U.S. doesn’t fully address the EU’s concerns, leaving thousands of U.S. companies to scramble to find another way to comply with the bloc’s data rules.
Commerce declined to comment on alleged delays in the Privacy Shield certification and recertification programs. The White House and the State Department didn’t immediately respond to Bloomberg Law’s email requests for comment.
U.S. Oversight Role
EU officials set out several conditions for the Trump administration in last year’s Privacy Shield review, some of which the U.S. has addressed.
The EU called for a fully functioning U.S. Privacy and Civil Liberties Oversight Board. The board now has four members after the Senate Oct. 11 confirmed three of President Donald Trump’s nominees. The Senate Judiciary Committee hasn’t acted on Trump’s two other nominations.
But the board will have to act to assuage EU concerns over U.S. surveillance activities, EU officials said.
The Trump administration partially addressed another condition, that the U.S. name a permanent U.S. Privacy Shield Ombudsman, when State Sept. 28 named Manisha Singh in an acting capacity. The previous ombudsman also was in an acting role. The last permanent ombudsman served during the Obama administration.
But EU officials also have questioned whether Commerce, which is charged with administering the Privacy Shield, and the Federal Trade Commission, which brings enforcement actions against U.S. companies for violations, are being tough enough.
The FTC on Sept. 27 settled with four companies for falsely claiming participation in the Privacy Shield. The charges were in part based on companies saying they were in the process of certifying their privacy policies under the Privacy Shield when they hadn’t actually undergone the process. The companies neither admitted nor denied the FTC’s allegations as part of the settlements.
Commerce lists the companies that are certified under the program and those whose certifications are inactive. Companies must state in privacy policies when they are certified with the program, and are required to remove those statements if their certification becomes inactive, privacy attorneys and EU and U.S. officials said.
Buttarelli said he had found “inconsistencies” in the certifications and recertifications of U.S. companies appearing on the online Privacy Shield list. Buttarelli, who raised similar concerns in 2017, said he will discuss the topic with U.S. officials again in the second review.
Any perception that the U.S. is not living up to expectations may cause the EU to ask for changes to the program, privacy attorneys said. Administrative tweaks and resource allocation could help smooth out EU concerns, they said—and some of those tweaks have occurred.
Commerce “conducts quarterly reviews of organizations on the Privacy Shield inactive list to monitor for false claims,” Caitlin Fennessy, the Privacy Shield team lead, told Bloomberg Law. “In addition, Commerce conducts random compliance spot checks of Privacy Shield-certified organizations.”
Commerce Oversight Concerns
Commerce is experiencing a high volume of recertification requests, which could contribute to a large number of companies on the inactive list for minor deficiencies, companies and privacy attorneys told Bloomberg Law.
The EU’s General Data Protection Regulation, which took effect May 25, likely led to a wave of applications from companies seeking to participate in the program for the first time, which may have created a Commerce backlog, they said.
Some companies said the alleged backlog is causing them to appear inactive on the Privacy Shield website when they filed recertification paperwork on time. Companies say that their cases weren’t processed before their recertification deadline lapsed.
Stephanie Bachman, director of legal affairs at Flatiron Solutions, a multinational company that provides software and content management consulting services, told Bloomberg Law that the company recertified its compliance with the Privacy Shield principles before its deadline lapsed. In reaching out to Commerce, Bachman said she received a message that there was a “high volume” of certification and recertification requests. The company, as of Oct. 15, remains inactive on the Privacy Shield website.
Other company officials representing Alcoa Corp. and Humble Bundle Inc. told Bloomberg Law that they had communications issues when contacting Commerce officials about their recertification requests. Alcoa has been inactive since July 10, but Humble Bundle received its recertification approval Sept. 6.
Cynthia LaRose, head of Mintz Levin’s privacy and cybersecurity practice, told Bloomberg Law that such episodes aren’t isolated incidents.
Commerce also declined to answer questions on specific company recertification issues.
Top EU officials are urging the U.S. to follow through on its commitments to the program.
The EU’s leading privacy official, Vera Jourova, in early September called on Commerce Secretary Wilbur Ross to “use his strength” to help Commerce and the U.S. oversee the program. The commission will follow up with a report on the program’s health, Wigand said.
The commission and Commerce appear committed to resolving certification concerns, despite EU criticisms, “particularly in light of the implications for international e-commerce,” Linda Priebe, privacy partner at Culhane Meadows PLLC, told Bloomberg Law.
“How quickly they can achieve that remains to be seen,” Priebe said.