UK Official: US Privacy Shield Ombudsman Received Zero Surveillance Claims

The European Commission demanded the appointment of an ombudsman under the transatlantic data flow agreement, so the U.S. could review complaints and signal a commitment to the deal. The first ombudsperson was appointed in 2019 after months of delay.

The U.K. Information Commissioner’s Office received briefings about ongoing negotiations between U.S. and EU officials as they try to strike a new agreement to replace the Privacy Shield (see 2009100001), Edwards said during the International Association of Privacy Professionals’ global privacy summit. He said he asked about the volume of complaints for the ombudsperson and was told the U.S. didn’t receive any. Negotiators appear to be considering a new structure that would replace the ombudsperson.

The 2019 appointment showed a “very principled approach taken and adherence to that legal position, but we don’t see the demand side,” said Edwards. “So it’s a solution that does not appear to be meeting a problem, unless you define the problem as the need to comply with the terms of the Schrems decision. And that is important, of course. We are rule of law nations, but I just wanted to point out this junction between what the court is saying is a necessary condition for these trusted data flows and what seems to be happening on the ground.”

He noted that providing adequate European redress for U.S. surveillance is a major sticking point in conversations: “It is an intensely political area, and I’m not sure the standards are applied consistently and uniformly across different jurisdictions.”

The expectation is the U.S. will seek to reach agreement with the EU through an executive order rather than relying on Congress to pass legislation, said Microsoft Senior Director-Privacy and Data Policy Chris Calabrese. “I don’t think we’re going to see legislation, but we know that EOs” can be reliable in the surveillance space, he said, citing former President Ronald Reagan’s EO 12333, which remains in effect. Individual surveillance redress could be provided from a “multi-layered redress mechanism” that includes an independent data protection review board to adjudicate claims with “direct remedial measures,” he said.

Congress created dedicated committees for overseeing intelligence gathering practices, but there hasn’t been a lot of “legislative productivity” over the past few years, said former House Intelligence Committee staffer Raffaela Wakeman, now policy director at In-Q-Tel.

In dealing with comprehensive privacy legislation, Congress should consider creating a digital regulatory commission with the authority to craft rules, Microsoft President Brad Smith said during his keynote to start the conference on Wednesday. Having a dedicated agency with rulemaking authority might be better than having Congress regulate on a piecemeal basis, he said: “We should always be a little nervous in inviting a government to be more powerful than regulating yourself, but the truth is in a world where regulation is becoming a reality, we need thoughtful regulation.” It’s a conversation worth having over the next decade, he said.

Smith voiced support for a private right of action and federal preemption, two sticking points in congressional discussions (see 2204120062). He noted those two elements have been a part of “every U.S. consumer protection law for more than a century.” Congress is at an impasse, but more than 120 countries and jurisdictions around the world have passed privacy laws, he said: U.S. failure doesn’t stop global regulation, and the U.S. is becoming “less influential” because of it.