Protection of Privacy in the Spotlight at Second Annual Review of EU-US Data Transfer Pact

25 October 2018

High-level officials from the EU and US gathered last week in Brussels, Belgium, to evaluate the health and efficacy of their bilateral Privacy Shield, a trans-Atlantic accord that sets rules governing personal data flows and privacy protections. The meeting, helmed by US Secretary of Commerce Wilbur Ross and EU Commissioner for Justice, Consumers, and Gender Equality Věra Jourová, considered the framework’s performance and identified areas for further action in preparation for a key EU report due later this year.

The event marked the Second Annual Review of the EU-US Privacy Shield, and also featured representatives from the European Data Protection Authorities. Talks covered issues relating to both commercial exchanges of data and collection of personal information by US authorities for national security purposes. 

The Privacy Shield oversees the trans-Atlantic transfer of data, with the objective of ensuring the protection of personal data and privacy rights for individuals, as well as providing legal certainty for firms that depend on these data flows for their operations. It takes the place of the Safe Harbour framework, after the European Court of Justice (ECJ) ruled in 2015 that the European Commission’s decision over a decade prior to endorse the framework was invalid. (See Bridges Weekly, 8 October 2015 and 5 November 2015)

Adopted in 2016, the Privacy Shield is underpinned by a self-certification scheme, through which US firms voluntarily make legally enforceable commitments to meet the framework’s requirements, as well as access to redress for individuals who have been affected by misuse of data. Over 3500 companies are certified under the shield, with over half of these being small and medium-sized enterprises (SMEs).

The first annual review took place in September 2017, followed by the publication of the findings in October, including recommendations for the enhanced functioning of the framework.

Earlier this year, the European Parliament adopted a non-binding resolution to suspend the programme unless Washington takes further steps to show its compliance with its obligations, citing risks to the privacy of EU citizens and giving a 1 September deadline. (See Bridges Weekly, 12 July 2018)

Evolving digital needs

In the digital economy, cross-border data flows are increasingly integral to global trade and electronic commerce, fuelling productivity, innovation, and economic growth.

The Privacy Shield is also aimed at bridging differences between Washington and Brussels in regulatory approaches to data flows. While the EU advocates for stringent privacy protections, the US maintains a patchwork of sector-specific privacy protection laws, focused on ensuring the free flow of information across borders. 

This past May, the EU enacted the General Data Protection Regulation (GDPR), designed to harmonise data privacy rules across the bloc and enhance the rights of EU citizens to control the use of their personal information even if it is transmitted, processed, or stored in a server outside of the bloc. (See Bridges Weekly, 31 May 2018)

“We must be mindful that countries take different approaches to privacy concerns and challenges presented by our hyper-connected world,” said Ross in an op-ed published by the Financial Times. “If both parties are to realise the full potential of the digital revolution in a way that protects individual privacy, we must preserve the framework that we have worked so hard to build.”

The review comes amid concerns that individuals are losing confidence in how dominant tech firms are treating their personal data, particularly in view of the cybersecurity concerns roused by the Cambridge Analytica data breach that affected 87 million Facebook users, of whom 2.7 million were based in Europe.

While Facebook is certified under the Privacy Shield, Cambridge Analytica was disbanded after the breach. Facebook could also have its certification revoked pending the results of an ongoing US Federal Trade Commission (FTC) investigation into the company’s privacy practices.

“In the wake of recent privacy incidents involving the personal data of Europeans and Americans, the US and EU reaffirm the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy,” according to the joint statement issued by Jourová and Ross on 19 October.

Primary concerns

EU officials have scrutinised US performance to ensure close adherence to the conditions established in the first annual review.

Over the past year, the US government had been working to “refine” the “functioning and governance” of the Privacy Shield, to enhance “stakeholder understanding” and enhance “public knowledge,” and to broaden the framework’s scope and develop new resources and guidance for firms, Ross said at last week’s meetings, according to a copy of his remarks circulated by his office.

The Privacy Shield requires evaluation also in view of the roll-out of the EU’s new data protection regulations, officials say. “The Privacy Shield is in some ways a relic from the old data protection regime, pre-GDPR,” said Giovanni Buttarelli, the European Data Protection Supervisor, to the Bloomberg Law news outlet. This new context necessitates review to determine whether the framework is still “fit for purpose,” he said.

In the first annual review, Brussels recommended improvements to the functioning of the US Privacy and Civil Liberties Oversight Board, the independent agency responsible for ensuring privacy is weighed on balance with specific national security concerns. Earlier this month, three new members were confirmed to the board, ensuring a quorum. Two additional nominations are still pending confirmation in the US Senate.

Last month, Washington also appointed a new State Department official, Manisha Singh, to serve as ombudsperson in an acting capacity, and thus mediate claims by European individuals with regard to access to EU data by US authorities. The absence of a permanent ombudsperson has been a sticking point for EU officials, and has been raised in previous meetings. There has not been a permanent ombudsman in this role under the administration of US President Donald Trump.

“Both sides recognise the need for prompt progress on nominating a permanent Under Secretary,” read the joint statement released after the conclusion of the talks last week. “This process is well underway and the US will be in close contact with the EU on this important matter.”

US officials have pointed to a low usage rate of the instrument. “Even though the ombudsperson has remained ready for more than two years to address EU requests, not a single inquiry has been received,” said Ross in the Financial Times op-ed.

Washington says it has also made commitments to restrict the use of EU data by domestic intelligence agencies. “To limit inappropriate access to personal data by American government agencies, the US has committed to protect civil liberties, privacy, and transparency,” said Ross in the same article.

EU officials also raised concerns with the monitoring of how US companies engage with the Privacy Shield in the first annual review, including inconsistencies in the certifications and re-certifications logged by the US Commerce Department. Re-certification requests have increased since GDPR entered into force, reportedly leading to a backlog in the processing of applications.

Last month, the FTC brought enforcement actions against four companies for falsely or erroneously claiming participation in the framework. Three actions were brought last year, according to a statement from FTC Chairman Joseph Simons during the Brussels meetings.

The Commerce Department resolved to remove companies who fail to meet Privacy Shield requirements from its coverage, according to the joint statement.

A report featuring the European Commission’s views and potential actions is due to be published at the end of November. Meanwhile, the European Court of Justice, Europe’s highest court, is expected to review concerns raised domestically about the accord next year.

“US and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters,” the joint statement concluded.

ICTSD reporting; “EU Officials Critical of U.S. Data Pact Oversight as Review Looms,” BLOOMBERG LAW, 17 October 2018; “Europe and US lock horns on transatlantic privacy,” POLITICO, 17 October 2018; “Transatlantic privacy deal is vital to trade,” FINANCIAL TIMES, 17 October 2018; “EU-US Privacy Shield review: Jourová to meet US secretary amid compliance concerns,” EURACTIV, 17 October 2018. 
