The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C. The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.
Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security. Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.
Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny. The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.
This scrutiny has not stopped with the Privacy Shield’s adoption. Over the past year, European policymakers and NGOs, and industry in both the EU and United States, have debated the Privacy Shield’s merits. Predicting the conclusions of the Privacy Shield Joint Review would be impossible in this context. There are some important developments over the past year to note, however. Among them:
Under EU rules, a legal challenge to annul the Privacy Shield could be brought before the EU General Court two months following its publication in the EU Official Journal. Although two NGOs have brought challenges (Digital Rights Ireland and La Quadrature du Net), none of the EU institutions or Member States chose to do so. The EU Parliament did recently adopt a resolution expressing certain concerns about the Privacy Shield, but also acknowledged the “significant improvements” compared to the prior Safe Harbor framework and stressed the importance of a “thorough and in-depth examination” of the Privacy Shield during the first annual review.
As indicated in the EU Parliament resolution, there has been some concern on the part of EU stakeholders that the Trump Administration is less committed to the Privacy Shield than the Obama Administration, which negotiated and finalized the framework last year. But there have been no indications from Trump Administration officials that they are less committed to the Privacy Shield than their predecessors, and there have been no changes to U.S. law or practice that would call the legal basis for the Privacy Shield into question. And, in fact, both Commerce Secretary Wilbur Ross and Acting FTC Chairman Maureen Ohlhausen have made public statements in support of the Privacy Shield.
Although the Privacy Shield is focused on data transfers between private organizations, a central element of the framework from an EU standpoint is potential access to personal data by U.S. national security and law enforcement authorities once it is transferred to the United States. As such, the Privacy Shield was based in part on letters from U.S. national security and law enforcement authorities detailing existing protections for EU personal data under U.S. law, and a letter from the U.S. State Department establishing a Privacy Shield Ombudsperson to field inquiries from the EU regarding U.S. surveillance practices.
The law enforcement and national security issues are likely to be a key point during the annual review. Despite concerns that have been raised, there have been a number of positive developments in this regard from a Privacy Shield perspective. First, the Trump Administration formally announced that Judith Garber is serving as the new Privacy Shield Ombudsperson. Second, the NSA released a public statement indicating that it would cease certain of its foreign surveillance activities conducted under Section 702 of the FISA Amendments Act, which is set to expire (but expected to be re-authorized) in December 2017. Third, while an Executive Order provision relating to the Privacy Act of 1974 initially caused confusion in the EU, the Commission moved swiftly to clarify that the Privacy Act was not a legal basis of the Privacy Shield and that the Executive Order had no effect on the Privacy Shield.
Finally, in terms of the operation of the Privacy Shield itself, more than 2,000 organizations have self-certified to the framework. To date, there do not appear to have been any Privacy Shield complaints that were not resolved internally by these organizations. We will continue to monitor developments relating to the Privacy Shield, and particularly issues that arise in the context of the first annual review.