The European Commission (EC) recently published its second annual review of the EU-U.S. Privacy Shield, which provides a mechanism for complying with data protection requirements for the transfer of personal data from EU citizens to U.S. companies for commercial purposes. The good news is that this second review went better than the first review, which found glaring weaknesses in the way U.S. companies protect data of EU citizens. The bad news, however, is that the European Commission is still waiting on the U.S. government to nominate a permanent Ombudsperson to handle potential complaints and requests from EU citizens.
Privacy Shield protection: Pros
First, the good news – nearly 4,000 companies have now been certified under the EU-U.S. Privacy Shield framework, including some of the biggest names in the U.S. tech industry. For example, Google, Microsoft and IBM are all now certified to process personal data flows between the EU and the United States.
Moreover, the European Commission applauded the U.S. Department of Commerce for strengthening its oversight of compliance with the framework's data protection requirements. In the past, the Department of Commerce had signaled that it would not be proactive in enforcing the EU-U.S. Privacy Shield. The United States appears to have reversed course on this point, agreeing to carry out random "spot checks" to confirm that certified companies are actually complying. (And, indeed, of the 100 spot checks carried out last year, 21 companies had to make changes in order to remain in compliance.)
The Department of Commerce has also agreed to take a more active role in reviewing companies' privacy policies before certification, to make sure they meet the bar set by the EU-U.S. Privacy Shield. The U.S. Federal Trade Commission (FTC) has likewise said that it is now willing to issue subpoenas to obtain information from companies as needed. And, according to the U.S. government, it's not just large multinationals like Google and IBM that are getting certified: over 50 percent of Privacy Shield participants are small and medium-sized companies, for whom compliance is proportionately far more burdensome and costly. All of this suggests that the U.S. is starting to get its house in order and raising its data protection practices toward the much higher standard set by the European Union. Indeed, the European Commission acknowledged that the Privacy Shield has been "generally a success" and that it continues to ensure "an adequate level of protection for personal data."
Privacy Shield protection: Cons
Yet, despite these steps, the United States did not receive a clean bill of health from the European Commission. One sticking point continues to be that the United States still has not appointed a permanent Ombudsperson, the official to whom EU citizens can bring complaints about U.S. intelligence agencies' access to their data. In fact, the civil servant acting in the role was recently nominated to become U.S. Ambassador to Cyprus. This obviously rankled the Europeans: do the Americans care more about their relations with Cyprus than they do with the EU? As a result, the European Commission gave the U.S. until the end of February 2019 to name a permanent appointee.
Moreover, pressure is building within Europe for the EC to do more to protect the personal data of EU citizens. Case in point: in July 2018 the European Parliament called for the Privacy Shield to be suspended unless the U.S. fully complied with it, having found that U.S. companies did not yet provide data protections "essentially equivalent" to those in the EU. Parliament wanted all protections made "watertight" and set a deadline of September 1, 2018.
The EU and US try to patch over their differences
That day came and went, though, suggesting that Parliament might have been doing a bit of blustering during negotiations. What Parliament saw was the U.S. dragging its feet on protection for transfers of personal data. More disturbingly, it saw the U.S. actively enacting other legislation, such as the CLOUD Act, that lets U.S. law enforcement compel U.S.-based providers to hand over data, including EU citizens' personal data, regardless of where in the world that data is stored. Earlier, the Snowden disclosures about U.S. mass surveillance had led the Court of Justice of the EU to strike down the predecessor to the Privacy Shield, known as Safe Harbor, so there is still some residual distrust.
And, what was perhaps most troubling from a European perspective was the Facebook-Cambridge Analytica scandal. After all, Facebook had "self-certified" under the provisions of the EU-U.S. Privacy Shield, but now it turns out that certification might have been an illusion (if not something even worse). Because the framework relies on companies attesting to their own compliance, a self-certification says little on its own about how data is actually handled. Moreover, data breaches at commercial entities continue to make headlines in the United States, suggesting the Privacy Shield's protection might be more limited than once thought.
And there's one more factor lurking in the background: the EU General Data Protection Regulation (GDPR), which took effect in May 2018. Under Article 45(5) of the GDPR, if the available information reveals that a third country no longer ensures an adequate level of protection for personal data, the EC must repeal, amend or suspend its adequacy decision for that country. The Privacy Shield is exactly such an adequacy decision.
In part, that is why this second review of the EU-U.S. Privacy Shield was so important. Parliament's September 1 deadline for suspending the Privacy Shield had already passed without action, and if this second review had turned up a lot of missing pieces and non-compliance, the pressure for suspension in 2019 would surely have grown. Thus, by noting all the positive steps made by the U.S. over the past year, the EC has created a window of opportunity for the U.S. All it has to do now is appoint a single person to the Ombudsperson role, and all talk of Privacy Shield suspension can be put in the rear view mirror... At least, that's what U.S. business groups must be thinking.
The future of data protection laws and global privacy legislation
Ever since July 2016, when the EU-U.S. Privacy Shield was first adopted, momentum has shifted in favor of tougher and more stringent data protection laws. The big question now, of course, is whether nations like the United States can reconcile their "pro-business" and "pro-commerce" orientation with the need for greater compliance and oversight to protect personal data. If nothing else, the EU GDPR has given lawmakers and citizens a powerful tool with which to push other nations to bring their data protection laws and regulations up to European standards.