At last week’s Privacy. Security. Risk. conference in San Jose, California, no topic was hotter than the EU-U.S. Privacy Shield agreement. Attendees battled for dwindling empty seats in panel discussion rooms, CPOs met with U.S. Department of Commerce administrators in one-on-one sessions, and the intricacies of European views on data subject rights were debated hotly over drinks at Block Party.
So, where do things stand right now?
Perhaps the most definitive portrait was painted in the event’s final session, featuring Commerce leaders, along with the European Commission and the U.S. Office of the Director of National Intelligence.
Commerce Deputy Assistant Secretary Ted Dean made it clear that Commerce’s heavy presence at P.S.R. was no accident and that they are dedicated to making Shield work. “We’re trying to be as available as we can to make the process of coming into compliance as smooth as possible,” he said. “And we’re already looking ahead to how we engage with the [EU data protection authorities] who are our partners in this. I’ll be in Europe next month talking to them.”
There is still much work to be done, Dean said, in the implementation of the complaint-resolution process and creation of process in general.
"DPAs will have to work together to a much larger degree and extent. The Privacy Shield will be a test case of that new way of cooperating, especially when it comes to investigation or channeling complaints." -Bruno Gencarelli, European Commission
The European Commission’s Head of Data Protection Bruno Gencarelli said the Commission is equally dedicated to making Shield work. “The first thing we did was communicate to citizens and educate citizens on the protections that are afforded by the Shield and the redress mechanism, including the new ones of the ombudsperson, and avenues that are provided in the commercial arena,” he said.
Noting that the Commission has already published a guide to the Privacy Shield for public consumption, Gencarelli allowed that, “there’s been a lot of misunderstanding on our side of the Atlantic. What is the Shield and how different is it from Safe Harbor? And it is significantly different … DPAs will have to work together to a much larger degree and extent. The Privacy Shield will be a test case of that new way of cooperating, especially when it comes to investigation or channeling complaints.”
It may very well foreshadow the way DPAs will work together once the GDPR is finally in place.
Gencarelli emphasized that, “we need to prove that it functions well and that the various commitments are fully complied with in practice.”
Further, said Commerce Counsel Justin Antonipillai, the U.S. government is actively preparing, and is prepared, to defend the agreement should legal challenges arise. “We’re amicus to the CJEU case,” he said, referring to the challenge to standard contractual clauses, currently underway. “The great benefit of the first Schrems decisions is that it provided us a fair amount of guidance, so we could build something that responds to those issues. We are ready to stand behind the Shield if there are issues that come up.”
However, Commerce is happy with the uptake thus far. Roughly 200 companies have certified and been posted on the Privacy Shield web site; 300 have completed the certification application and are being processed by Commerce; and yet another 400 have submitted some of their information and begun the process.
While organizations are struggling a bit with the onward transfer principle of the Shield, everyone involved knew that would happen, Dean said, and that’s why there’s that nine-month grace period for managing vendors if organizations self-certify by the end of September.
“It’s the one area in the entire framework where there was a transition period and we knew it would be difficult,” said Dean. “We wanted to bring companies in the door and we wanted them to implement soon.”
"If we had had an annual review over the last 15 years for Safe Harbor, we wouldn’t have had a Schrems ruling.” -Ted Dean, U.S. Department of Commerce
For the ODNI’s part, Civil Liberties Protection Officer Alexander Joel, CIPP/G, CIPP/US, said he’s focused on supporting the annual review process, making sure the ombudsperson is up to snuff. And, he emphasized, intelligence operations are still figuring out the right way to do things, alongside their EU brethren. “How do you share information appropriately between intelligence and security? While also protecting privacy and respecting the rights that are at issue? It’s a very important conversation we’re obviously having with our partners in Europe, but it’s going to take a while to play itself out,” Joel said.
“Let me stress the importance of the annual review,” Gencarelli said. As the Schrems case in many ways turned on the fact that Safe Harbor was a static program, “we’ve learned the lesson,” he said. “That’s why we have a dynamic process, which consists of monitoring the implementation of the decision.”
“What can happen? It’s too early to say,” said Gencarelli, “but clearly the first annual review will have to focus on the full operation, both on the commercial side and on the national security side. There must be an effective system of oversight and redress. Every complaint must be properly handled and resolved. That’s what we’re going to look at: Both what has happened at the granular level and how various elements have been implemented.”
That doesn’t mean, said Dean, that the annual review means the whole thing is going to change every year. “There may be things that we look at,” Dean said, “and we do on both sides view this as a living process, but the point I would make for companies at a very basic level is, if we had had an annual review over the last 15 years for Safe Harbor, we wouldn’t have had a Schrems ruling.”
If you want to comment on this post, you need to login.