Department of Commerce

In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”  The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country.  According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”

The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.”  It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and  addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.Continue Reading Privacy Shield Third Annual Review

On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”).  In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield,  including in particular the recent appointment of a permanent Ombudsperson.  But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.

The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU.  The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield.  The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.    
Continue Reading European Data Protection Board Releases Report on the Privacy Shield

Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States.  The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.

In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU. 
Continue Reading Privacy Shield Updates: Second Annual Review and Brexit Guidance

On July 20, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) published comments it received from a wide array of tech and telecom companies, trade groups, civil society, academia, and others regarding its “international Internet policy priorities for 2018 and beyond.”  NTIA’s Office of International Affairs (“OIA”) had requested comments and recommendations from interested stakeholders in four broad categories: (1) free flow of information and jurisdiction; (2) the multistakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends.  NTIA plans to harness the comments it received to help it identify “priority” issues, and to leverage its resources and expertise to effectively address stakeholders’ interests.  
Continue Reading NTIA’s International Internet Policy Priorities for 2018 and Beyond

Earlier this week, the National Telecommunications and Information Administration (NTIA), the executive branch agency responsible for telecommunications and information policy, released a Notice of Inquiry requesting that any interested party—including the private sector, technical experts, academics, and civil society—help the agency determine its international internet policy priorities. In particular, NTIA is seeking comments and recommendations

Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
Continue Reading Privacy Shield Approaches 2,000 Participants; Review Scheduled for September

Last week, the multistakeholder group convened by the National Telecommunications and Information Administration (“NTIA”) to create set of voluntary best practices for the commercial use of facial recognition technology finalized its guidelines.  While the three-page code of conduct was praised by industry groups, including the Software & Information Industry Association and Consumer Technology Association, many consumer groups, who withdrew from the process before the guidelines were finalized, criticized the final product as weak and flawed.

The guidelines are the result of a more than two-year process, first announced by the NTIA in December 2013.  They recommend commercial entities do the following:

  • Disclose their practices regarding collection, storage, and use of facial template data to consumers, including any sharing, retention, and de-identification policies;
  • Provide notice to consumers where facial recognition is used on a physical premises;
  • Consider privacy concerns when developing data management programs;
  • Protect facial recognition data by implementing a program that contains administrative, technical, and physical safeguards appropriate to the entity’s size, complexity, the nature of its activities, and the sensitivity of the data;
  • Take reasonable steps to maintain the integrity of the data collected; and,
  • Provide a means for consumers to contact the entity regarding its use of the data.

Continue Reading NTIA Multistakeholder Group Reaches Consensus on Best Practices for Commercial Use of Facial Recognition Technology

Today, the European Commission published the text of the new EU-U.S. Privacy Shield (see the Commission’s press release here), which consists of:

  • a draft adequacy decision;
  • the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce; and
  • the official representations and commitments contained in separate letters from:
    • Secretary of Commerce Penny Pritzker (Annex I);
    • Secretary of State John Kerry (Annex III);
    • Federal Trade Commission Chairwoman Edith Ramirez (Annex IV),
    • Secretary of Transportation, Anthony Foxx (Annex V);
    • General Counsel Robert Litt, Office of the Director of National Intelligence (Annex VI); and
    • Deputy Assistant Attorney General Bruce Swartz, U.S. Department of Justice (Annex VII).

In addition, the European Commission issued a Communication titled “Transatlantic Data Flows: Restoring Trust through Strong Safeguards” which presents the developments and the Commission’s findings since its critical 2013 Communication on the Functioning of the Safe Harbor, a Q&A and a Fact sheet.
Continue Reading EU-U.S. Privacy Shield Package Released