Privacy Shield Review May Find Major Faults; Experts Predict Agreement Will Endure
Europeans may have ample concerns about Privacy Shield during the agreement's inaugural review next month (see 1704200034), but industry and privacy experts interviewed over the past week don't expect the EU to withdraw from the trans-Atlantic data sharing agreement, though some admit it's unclear what will happen. Experts said both sides have invested too much into forging the agreement, which ensures certain privacy protections for Europeans' data used by U.S. companies and government agencies, and the economic stakes are too high to start anew.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Privacy expert Chris Stevens said Privacy Shield is a major improvement over its predecessor safe harbor, scuttled nearly two years ago, but will still face the question of whether it provides adequate privacy safeguards by EU standards. He doesn't expect Europeans to pull out, but thinks they will use this year's review -- slated for the week of Sept. 18 in Washington -- to point out deficiencies before the second review next year, which will be more important. Computer & Communications Industry Association Senior Policy Counsel Bijan Madhani agreed, saying the U.S. could justify some failings like vacancies at key agencies because the Trump administration is still getting up to speed. That excuse won't exist in a year, he said. In this review, the EU likely will "scold" the U.S. for not living up to some promises, but the accord will survive, he said.
More than 2,400 U.S. companies have voluntarily enrolled in Privacy Shield through a self-certification process as of Tuesday. The value of trans-Atlantic trade is at least $1 trillion. Melissa Blaustein, who founded Allied for Startups, said many startups from day one look to be global and many have signed up with the agreement. They heavily depend on data flows to innovate and if Privacy Shield fails it would be a "company-closing burden." She said she met with several members of the European Parliament's Civil Liberties, Justice and Home Affairs Committee, which has consistently criticized the accord, and came away encouraged, though she offered no details (see 1707210007).
A European Commission (EC) spokeswoman said it's consulting with participating companies, privacy groups and other stakeholders before the review. She said the plan is to review how U.S. companies are complying with their data protection and redress obligations, how well the Department of Commerce and the FTC are monitoring and enforcing compliance, whether the rules on data access by U.S. government agencies are operating properly, and if the Department of State's ombudsperson is functioning properly. The EU also will look at any developments in U.S. law that may affect Privacy Shield, she said. The White House and Commerce didn't comment, but Secretary Wilbur Ross previously affirmed his commitment to the agreement (see 1703290015).
From the review, the EC will publish a nonbinding but "highly influential" report for the European Parliament, likely before year-end, an industry source said. The Article 29 Working Party, which also will send representatives to the Washington meeting, may accept the EC analysis or could produce its own "shadow" report if it doesn't like the EC's report, the source said. It's relevant because individual data protection authorities have the power to rule Privacy Shield is inadequate and prevent any data transfer from their countries, the source said.
The EU may admonish the U.S. over vacancies at key agencies and boards that ensure corporate compliance and consumer data privacy safeguards. The Privacy and Civil Liberties Oversight Board is down to one member, though a couple of experts said they've heard the Trump administration is talking with several people about serving on PCLOB but didn't know who (see 1707210007 and 1612270051). State has an acting, not permanent, ombudsperson (see 1707210007). The FTC has three vacancies, though news reports named Paul Weiss antitrust attorney Joseph Simons as the next chairman, with names for the other two seats.
Dan Caprio, who worked at the FTC and Commerce as chief privacy officer and trade policy adviser, said he's "very worried" about the fact that senior political appointees aren't in place at this stage of the administration. "The Europeans look at this and wonder from their perspective if the U.S. is really committed to Privacy Shield,” he said. The EU also has been "persistent" in concerns about redress and surveillance, but Caprio, who's now chairman of cybersecurity consulting company Providence Group, said he's encouraged that one frequent critic, Member of European Parliament Jan Philipp Albrecht, seemed "more measured" in his opinion about Privacy Shield during a visit to the U.S. in May.
The vacancies are "small potatoes," said World Privacy Forum Executive Director Pam Dixon, compared with President Donald Trump's January public safety executive order 13768, which directed agencies to exclude privacy rights of foreigners under the 1974 Privacy Act (see 1701260015). She said that order could seriously jeopardize Privacy Shield. Her organization analyzed the EO's impact on the agreement and said the EO "definitely casts doubt on the viability of privacy protections for non-resident aliens" made available through the Judicial Redress Act. Europeans may have a "very defensible legal basis" to pull out based on the EO, she said, but the outcome remains "murky." Other privacy groups including Access Now (see 1707060006) and the Center for Digital Democracy (see 1707050019) cited issues like adequacy and surveillance as reasons to suspend Privacy Shield.
Harris, Wiltshire partner Adrienne Fowler said there are "a lot of question marks" about the review, such as whether Europeans will get enough information for their assessment of the data collected by U.S. law enforcement agencies on foreign nationals and how they're using it. If the EU believes it doesn't have enough information on that issue it could "throw a wrench" in the agreement's stability, she said (see 1703310003). A second concern is "potential mistrust" with the Trump administration to fulfill promises made by the previous one, she said. For instance, Trump could withdraw from or give short shrift to President Barack Obama's Presidential Policy Directive 28, which extends privacy safeguards for foreign nationals and is considered a cornerstone to Privacy Shield. Fowler said the Europeans "rightfully" will seek strong statements about the ongoing applicability of PPD-28. A lack of strong reassurance could also undermine the agreement's stability, she added.
Experts said industry is keeping a close watch on the review as companies gear up to comply with the EU's general data protection regulation, which takes effect in May, raising the floor for companies in complying with privacy standards. Experts said companies can't afford not to have some mechanism, whether it's Privacy Shield, binding corporate rules or standard contractual clauses, which face court challenges (see 1611040002 and 1702060029) that could affect companies' business and trade. But most companies rely on Privacy Shield, Stevens said, and if the EU withdraws there's nothing to replace it.