At the IAPP Global Privacy Summit here in Washington yesterday, the FTC's Edith Ramirez and the CNIL's Isabelle Falque-Pierrotin faced reporter Jennifer Baker to address whether this whole Privacy Shield thing is really going to work and, more broadly, whether the EU and U.S. can find a way to play nicely and allow data transfers to continue between the continents.
The consensus? It's a solid start. Falque-Pierrotin was tight-lipped over Article 29 Working Party deliberations on the framework, which are ongoing. She wouldn't say whether DPAs are happy about the Shield as it stands today. But she did say the Shield is a positive development and an opportunity for the European Commission to cooperate more closely with the FTC; an opportunity the commission relishes.
Ramirez said the Shield provides an enhanced framework for enforcement and, assuming the European Commission approves it, the FTC plans to be much more systematic about enforcing it than it was with Safe Harbor.
However, even if it is approved, no one is starry-eyed about its success. The approval is just the beginning, as the legal backdrop continues to shift. Once the GDPR comes into force, for example, things could change. But Ramirez said the Shield was designed to be agile and adaptable. That's why there will be frequent meetings between DPAs, the FTC and the U.S. Department of Commerce to evaluate what must change in light of tech innovations and regulatory shifts.
Baker asked the women whether there remains distrust among the two parties. After all, the Schrems decision only added fuel to a fire that had been burning for some time, with Europeans concerned about U.S. law enforcement access to data as well as companies self-certifying to the Safe Harbor framework while, allegedly, not always following through with the required practices.
But Falque-Pierrotin said, "We don't have any mistrust or trust, we have to see the facts and see what we think of this [framework]."
She added that the Working Party will likely insist that a European DPA be part of the regular review system.
The real concern from a European standpoint is simple: U.S. companies are collecting data from European citizens to be transferred to the U.S. and used for commercial purposes, and that data is accessed at times by law enforcement authorities. What Europeans must be sure of to feel comfortable with the deal is that that access is proportionate somehow and done with strict guarantees.
The proposal that an ombudsman would be appointed to handle cases in which individuals felt their data was being mistreated in some way is one that appeals to Falque-Pierrotin.
"An ombudsperson is clearly an innovation, a huge innovation," she said. "Is it enough or not? Is the independence of this ombudsman really effective in terms of power?"
Baker asked her to answer her own question, to which Falque-Pierrotin simply said, "I'm not going to answer to you. I'm one of 28 [DPAs]," and that was the end of that.
Falque-Pierrotin said companies need not fear the potential for sanctions, as included in the Shield proposal. Sanctions aren't used to regulate data environments, she said. As it is, the CNIL receives 8,000 complaints per year and only issues about 15 sanctions.
"Our effort is dedicated to compliance, and sanctions are only used really as a last word if the company doesn't want to comply," she said. But the fact that a higher level of sanction exists within the Shield is a positive.
"It gives the signal that privacy now is a serious matter, and I think it's important. But it doesn't mean all the data controllers of the world will receive sanctions on everything," she said.
Ramirez echoed the sentiment, though she was quick to note the FTC plans to be on top of its game.
"We want to be constructive here," she said. "Our aim is to elevate the practices of companies, and we intend to be very active and rigorous in how we enforce the Privacy Shield arrangement."
For both women, the Shield means something bigger than just data transfers.
Falque-Pierrotin said it's about trust.
"Market forces need trust," she said. "If we're able to build an infrastructure, a system that provides security and trust in the way the data is protected, it's good for business but also good for the individuals," she said. "The Shield is a good example of how the EU and the U.S. can build not only an economic standard but also an ethical standard."
Top photo: Jennifer Baker, Isabelle Falque-Pierrotin and Edith Ramirez
If you want to comment on this post, you need to login.