On October 18, the European Commission (EC) published its first annual report on the functioning of the US-EU Privacy Shield, which aims to protect the personal data of EU citizens when this data is transferred to companies in the U.S. for commercial purposes. According to the EC, the United States is doing an “adequate” job of putting into place the necessary structures and procedures for this important data transfer mechanism. However, the EC also suggested that the U.S. could be doing more to protect the personal data privacy of EU users, including reform of the U.S. Foreign Intelligence Surveillance Act (FISA).
Findings from the first annual Privacy Shield review
On one hand, the EC noted that the U.S. appeared to be taking the right steps in the adoption of the US-EU Privacy Shield, which is the successor to the Safe Harbor framework for data transfer that had been in place for nearly 15 years. The EC, for example, noted positively that nearly 2,400 companies – including some of the biggest tech companies of Silicon Valley – had embraced the Privacy Shield and were taking steps to remain in compliance with the data transfer mechanism.
This rapid uptake of the Privacy Shield suggests willingness by the U.S. side to consider the privacy and data transfer concerns of EU users, who might be understandably concerned about the trans-Atlantic transfer of personal data. What happens, for example, once this data crosses EU borders?
As part of its report, the EC provided 10 salient recommendations for fine-tuning and strengthening the Privacy Shield still further, in order to better protect personal data and make the Privacy Shield framework work more smoothly. In general, EC privacy experts focused on three key recommendations:
- Providing more proactive and regular monitoring of U.S. companies for compliance
- Raising awareness of redress opportunities for EU users
- Establishing closer cooperation between U.S. and EU authorities
Of these three recommendations, the one that caused the most concern among U.S. companies was the suggestion that the U.S. Department of Commerce should provide more proactive and regular monitoring of data transfer mechanisms. Moreover, according to the EC, U.S. companies should not rush to proclaim themselves Privacy Shield-certified until the U.S. Department of Commerce is able to sign off on their data transfer compliance. This potentially raises the stakes for U.S. companies: it could significantly increase the regulatory burden for these companies, as well as raise legal and compliance risks if European Union users do seek redress opportunities.
Concerns about FISA and the surveillance of non-Americans
While the EC was able to sign off on the “adequate” nature of the Privacy Shield, it was much less willing to give the U.S. Foreign Intelligence Surveillance Act (FISA) a clean bill of health. The EC has been lobbying, both publicly and behind closed doors, for reform of specific sections of FISA, including Section 702 of FISA, which gives the U.S. government the power to intercept the communications of certain foreign nationals deemed to be a security threat.
Remember: the reason why Privacy Shield exists in the first place was the outcry over the Edward Snowden revelations that the U.S. government, via the National Security Agency, was intercepting the communications of foreign nationals and conducting electronic surveillance on them without their prior consent. So the concern now is that the personal data of EU nationals, once it leaves the safe confines of the EU, could become subject to similar types of monitoring, especially under the framework established by FISA or the Patriot Act.