A transatlantic data transfer program that Alphabet Inc.’s Google, Facebook Inc. and thousands of other companies rely on to move data out of the European Union is set to go under the microscope.
Billions of dollars in transatlantic commerce hinge on the EU-U.S. Privacy Shield program, under which U.S. companies can transfer personal data out of the EU if they certify to the Commerce Department that they comply with certain privacy standards. EU and U.S. regulators will meet in Washington, D.C., Sept. 12-13 for an annual review of how well the program is functioning.
“Privacy Shield is at the foundation of the $7.1 trillion economic relationship between the United States and Europe,” the White House said in a statement Sept. 11.
The officials likely will focus on the Commerce Department and the Federal Trade Commission’s oversight and enforcement of the agreement’s principles, and U.S. intelligence gathering practices, among other things, former Commerce Department officials and privacy attorneys said. U.S. government surveillance also will likely be one of the issues discussed, they said.
EU authorities have questioned how the U.S. has handled the program in recent years, such as by leaving vacant certain positions to oversee data privacy. Since the last review, the U.S. has named a permanent ombudsperson to handle complaints and appointed new members to the Privacy and Civil Liberties Oversight Board (PCLOB), moves that will help the 2019 review go smoothly, the sources said.
“This year’s annual review is different from all others in that the big items on the Commission’s checklists have been ticked off,” Cameron Kerry, former Commerce acting secretary in the Obama administration, said.
The European Commission’s focus this year will be on how compliance with the Privacy Shield rules is being monitored and enforced, Christian Wigand, a Commission spokesman, said in an email. The review will also cover how U.S. companies comply with their obligations, the rules around data access by public authorities, and the procedures to make sure the ombudsperson mechanism is functioning, he said.
U.S. officials said they will highlight recent U.S. actions in the talks.
The Commerce Department is “in a good position going into the third review,” Alex Greenstein, the current Privacy Shield director, said. The department is doing “more frequent and proactive compliance monitoring” to make sure companies adhere to the framework, he said.
More than 5,000 companies currently are certified under the Privacy Shield framework, Greenstein said.
The FTC will tout its enforcement efforts around the Privacy Shield as well as data privacy in general, according to Andrew Smith, director of the FTC’s bureau of consumer protection. The FTC announced proposed settlements Sept. 3 with five companies that the agency said misrepresented their participation in the Privacy Shield program.
The agency’s $5 billion settlement with Facebook to resolve a privacy investigation will also be a “big part of how we demonstrate to the Europeans our focus on privacy,” Smith said. The FTC will also highlight its July settlement with Equifax Inc., proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule, and recent enforcement actions on children’s privacy, among other things, Smith said.
The Senate in June confirmed Keith Krach to a State Department position that also serves as an ombudsperson dealing with complaints and requests from EU data subjects. The PCLOB also now has its full five-member slate.
“There is no question that having a confirmed Ombudsman and a full PCLOB in place will be welcomed by both sides,” Caitlin Fennessy, a senior privacy fellow at the International Association of Privacy Professionals and a former Commerce Department official overseeing the Privacy Shield program, said. “While the mechanisms continued to function before, it sends an important signal to have the appointed officials engaged.”
The privacy board also has “been more transparent about its activities, for example by publishing logs of its activities, initiated several important new work projects, and held public meetings,” Eleni Kyriakides, international counsel at the Electronic Privacy Information Center, said.
The two-day review also will likely look at U.S. surveillance and national security activities, as it has in the past, former Commerce officials and attorneys said. They will focus on upcoming U.S. surveillance reauthorization deadlines such as USA FREEDOM Act provisions that are set to expire at the end of the year.
The National Security Agency and the rest of the intelligence community can collect business records more easily in national security investigations under the law, place roving wiretaps on targets, and obtain certain call and text records from U.S. telecommunications companies.
“There is no doubt that the failure to pare back surveillance in the U.S. is a question mark for the long-term viability of Privacy Shield,” Kyriakides said.
A case playing out in the EU’s highest court involving U.S. surveillance activities looms in the background of this year’s review. Although the case involves a separate data transfer mechanism, the court’s judgment could have repercussions for the Privacy Shield if the court addresses the powers of the ombudsperson, attorneys and others said.
The case, involving Max Schrems and Facebook Ireland before the EU Court of Justice, mainly addresses standard contractual clauses, but the EU’s top court opened the door for the Privacy Shield to be examined. “It is difficult to predict where the CJEU will go,” said Charles-Albert Helleputte, head of Mayer Brown LLP’s cybersecurity and data privacy team in Brussels.