On October 18, the European Commission (EC) published its first annual report on the functioning of the US-EU Privacy Shield, which aims to protect the personal data of EU citizens when this data is transferred to companies in the U.S. for commercial purposes. According to the EC, the United States is doing an “adequate” job of putting into place the necessary structures and procedures for this important data transfer mechanism. However, the EC also suggested that the U.S. could be doing more to protect the personal data privacy of EU users, including reform of the U.S. Foreign Intelligence Surveillance Act (FISA).
Findings from the first annual Privacy Shield review
On the one hand, the EC noted that the U.S. appeared to be taking the right steps in adopting the US-EU Privacy Shield, the successor to the Safe Harbor framework for data transfer that had been in place for nearly 15 years. The EC, for example, noted positively that nearly 2,400 companies – including some of the biggest tech companies of Silicon Valley – had embraced the Privacy Shield and were taking steps to remain in compliance with the data transfer mechanism.
This rapid uptake of the Privacy Shield suggests willingness by the U.S. side to consider the privacy and data transfer concerns of EU users, who might be understandably concerned about the trans-Atlantic transfer of personal data. What happens, for example, once this data crosses EU borders?
As part of its report, the EC provided 10 recommendations for fine-tuning and strengthening the Privacy Shield so that it better protects personal data and keeps the framework workable. In general, EC privacy experts focused on three key recommendations:
- Providing more proactive and regular monitoring of U.S. companies for compliance
- Raising awareness of redress opportunities for EU users
- Establishing closer cooperation between US and EU authorities
Of these three recommendations, the one that caused the most concern among U.S. companies was the suggestion that the U.S. Department of Commerce should monitor data transfer mechanisms more proactively and regularly. Moreover, according to the EC, U.S. companies should not rush to proclaim themselves Privacy Shield-certified until the U.S. Department of Commerce has signed off on their compliance. This potentially raises the stakes for U.S. companies: it could significantly increase their regulatory burden, and it raises legal and compliance risks if EU users do seek redress.
Concerns about FISA and the surveillance of non-Americans
While the EC was able to sign off on the “adequate” nature of the Privacy Shield, it was much less willing to give the U.S. Foreign Intelligence Surveillance Act (FISA) a clean bill of health. The EC has been lobbying, both publicly and behind closed doors, for reform of specific sections of FISA, including Section 702 of FISA, which gives the U.S. government the power to intercept the communications of certain foreign nationals deemed to be a security threat.
Remember – the reason Privacy Shield exists in the first place was the hue and cry over the Edward Snowden revelations that the U.S. government, via the National Security Agency, was intercepting the communications of foreign nationals and conducting electronic surveillance without their consent. So the concern now is that the personal data of EU nationals – once it leaves the safe confines of the EU – could become subject to similar monitoring, especially under the framework established by FISA or the Patriot Act.
Thus, even though a big tech company like Google has embraced the Privacy Shield, that alone does not guarantee that the U.S. government and its various intelligence agencies will not try to access that personal data via FISA. For example, U.S. intelligence agencies – such as the CIA or FBI – might choose to examine the personal search history of any EU user at any time by obtaining FISA warrants on the grounds that doing so is permissible in the fight against terror.
That, in a nutshell, explains why the EC has been so vociferous in its rejection of Section 702 of FISA, which appears to grant the U.S. intelligence community a “backdoor” to the surveillance and data transfer monitoring of any individual it chooses to label as a foreign intelligence threat or agent of a foreign power.
Under the Obama administration, the EC had received at least tacit support from the White House that such monitoring of EU nationals to obtain foreign intelligence information as part of a surveillance program would no longer be tolerated. Under the Trump administration, however, there appears to have been some backtracking on FISA reform, on proper data transfer protocols and on data minimization procedures.
For example, the EC specifically pointed out that several trust-building measures – such as nominating and appointing a permanent privacy ombudsman – had not yet been taken. For now, the EC's approach appears to be to work through the U.S. Department of Commerce and the International Trade Administration to get the necessary protections and changes put into place, especially with regard to FISA. That might open the door to further debate within the House or Senate Judiciary Committees to get those changes written into law.
Implications for Privacy Shield and US-EU data transfer mechanisms
After its first year of operation, the US-EU Privacy Shield framework for data transfer received the equivalent of a “thumbs up” from EC regulators. However, that does not mean that additional changes to the Privacy Shield are not forthcoming. For example, the Article 29 Data Protection Working Party is also planning to publish its own report on the Privacy Shield. For now, it can be assumed that the findings of the EC and the Article 29 Working Party will largely coincide – but what if they don’t? And will human rights organizations get involved in this issue?
Moreover, there’s still the matter of what role the U.S. Department of Commerce will play. Under the Trump administration, the emphasis has been on rolling back regulatory burdens for business, so if the burden of compliance and monitoring for Privacy Shield becomes too great, it will have to be balanced against the need to maintain an amicable working relationship with EU partners.
And don’t forget the power of current events to drive the narrative about Privacy Shield. At a time when terror attacks can seemingly occur at any time on European soil and now on U.S. soil (the most recent attack being an ISIS-inspired terror attack in New York City), the Trump administration may not be as willing to move forward with the full set of 10 recommendations proposed by the EC. That’s especially true if they are seen as curtailing current intelligence activities.
For now, though, all signs point to the growing trust and comfort level of EU and US partners. After one year, it looks like Privacy Shield has been a success. Now, however, comes a period in which the U.S. will attempt to ensure that the privacy needs of individuals are balanced against the security needs of nations.