As predicted in my last post on Privacy Shield (here), this story continues to make the headlines every few months. Most recently the European Commission released its report ("Report", available here) following the second annual review. Overall the Shield got a passing grade, but could do better. The lack of a permanent Ombudsman is a real bone of contention, and the Commission threatened to take action if this is not rectified by 28 February 2019.
Firstly the positives. The Department of Commerce ("DoC") is regulating the Shield more proactively. The Commission had previously complained the DoC only checked the privacy notice without examining any underlying processes or agreements (all those Privacy Shield DPAs we negotiated for nothing!). Since last year they have conducted 100 spot checks, and found issues with 21 that are being addressed. The signup process has been amended to prevent the old problem of organizations publishing their notices claiming to be certified whilst their application was still being processed.
The DoC is using better tools to seek out false claims and has referred more than 50 cases to the Federal Trade Commission ("FTC"). The FTC on its part has initiated the first enforcement proceedings under the scheme, against organizations claiming to be Privacy Shield certified that are not. The FTC has also issued subpoenas to a number of participants to request information on compliance.
Of key importance was the improvement to the Privacy and Civil Liberties Oversight Board ("Board"). This was seen as a vital protector of EU individuals' rights and its lack of functionality (there was only one member out of the required five) was a major issue for the Commission and EDPB. It was one of the reasons the Shield is being challenged at the European Court of Justice: a similar lack of oversight formed part of the Court's reasoning in quashing Safe Harbor. In October the Board received its chairperson and two additional members, restoring full quorum. The Commission's request for the Board to release its report on Presidential Policy Directive 28 was granted, and the report showed that intelligence agencies have improved their practices to align with the Directive.
The Commission was pleased that momentum in the US in support of a federal privacy law has been building and would like the two systems to grow closer.
Could be better
Section 702 of the Foreign Intelligence Service Act, which permits mass surveillance of foreigners, was reauthorized. The EDPB had previously asked for amendments to this prior to reauthorization, which did not occur. Presidential Policy Directive 28 was not incorporated into the act. However, the Commission took comfort in the fact that the surveillance powers under the act were not expanded and that limited safeguards were added.
The FTC, whilst it confirmed the investigation into Facebook/Cambridge Analytica was ongoing, was unable to provide details of recent investigations.
The Commission's main complaint concerned the lack of a permanent Ombudsperson. This is seen as a key safeguard to ensure Europeans' data are not abused by US intelligence agencies. Whilst this was a recommendation of the Commission at the last review and a demand of the EDPB, no permanent Ombudsperson has been appointed. This is the main sticking point for the Commission, although it accepted that in practice there have so far been no complaints to the Ombudsperson. It is understandable why the Americans may not see it as a full-time role or one that must be filled urgently. If this year's frantic actions over the Board appointments are anything to judge by, the Ombudsperson will be appointed a few days before the third annual review following pressure from lobbyists and tech majors.
The Commission also noted that a lot of the improvements had only been made very recently, likely as a result of the imminent review. As anyone who submitted a Shield application this autumn can attest, the DoC was suffering some major delays! The Commission will monitor the effectiveness of the DoC mechanisms and FTC investigations as well as the Ombudsperson process (once appointed).
Of course no blog would be complete these days without mentioning the 'B' word. On 20 December the DoC helpfully released some FAQs (here) on the applicability of the Shield for transfers from the UK once (if?) it leaves the EU. The FAQs confirm that in the event of a deal, Privacy Shield will continue to be effective for UK-US data transfers for the duration of the transitional period.
No-deal: In a no-deal scenario, Privacy Shield can still be relied on after 29 March 2019; however, the certified organization must update its privacy notice to specifically reaffirm its protection of data being transferred from the UK. The DoC provides some suggested language. Of course the organization will also have to maintain its certification for the Shield to be effective.
If there's a deal: Privacy Shield can still be relied on throughout the transitional period, currently slated to be 31 December 2020.
We will be providing a client update about this shortly for our Privacy Shield clients.
For more explanation of the potential Brexit scenarios and context see our recent post (here).
The Report concludes that Privacy Shield continues to ensure an adequate level of protection for Europeans' personal data. Whilst not specifically mentioning GDPR, it has clearly passed under the new regime. It is hardly surprising that the Commission continues to support the Shield, given the political will behind free transatlantic data flows and that some of its recommendations were listened to. In its press release (here) the Commission stated its wide take-up "highlights Privacy Shield's vital importance to transatlantic data protection and commerce".
It will be interesting to read what the EDPB thinks as it has previously been more vocal in its opposition and made stronger demands in its own report. The European Parliament passed another non-binding resolution calling for the Shield's downfall in October (here). However several of the key complaints about its effectiveness or Europeans' rights have been addressed.
To all those certified to the Shield or considering it, fear not: Privacy Shield passed its latest challenge and previous reports of its imminent downfall now seem exaggerated. Trump has a little over two months to fill another hole in his administration to cement its future.
Update 5 February 2019
President Trump has now nominated ex-DocuSign CEO Keith Krach as permanent Ombudsperson. Whilst it has to be ratified by the Senate, this removes a big complaint of the Commission.
In parallel the EDPB released its own report on the second annual review. It echoed many of the same sentiments as the Commission's: it liked that many recommendations from the first review had been acted upon, approved of more proactive enforcement and further guidance, and hailed the quorate Board; however, it felt the substance of applications should be checked, and lamented the reauthorization of s702 FISA without safeguards and the lack of a full-time Ombudsperson (now a moot point). The EDPB's report was far less vitriolic than last year's, in which it threatened a direct ECJ referral (see post here), although it still concluded with an opaque reference to ongoing ECJ challenges.