Editor's Note:
Prior to joining the IAPP as senior privacy fellow, Caitlin Fennessy served as Privacy Shield director at the U.S. International Trade Administration.
Dozens of senior U.S. and EU government officials gathered at the National Press Club in Washington last week for the Privacy Shield annual review. They were joined by officials from data protection authorities in Austria, Bulgaria, France, Germany and Hungary to discuss whether the three-year-old framework is functioning as intended.
I had the opportunity to catch up with Privacy Shield Director Alex Greenstein shortly after the review concluded Friday evening to get his take on how it all went. Having previously sat in his seat, I was anxious to hear how it differed from previous years and where the framework might be headed. As staff deconstructed the meeting room around him, he kindly filled me in.
“With every successive review, both sides have gained a greater understanding of where each other are coming from and their experiences and processes,” he said. “We are definitely moving past the phase of mutual education and into exchanging experience and cooperating and finding common ground.”
Bruno Gencarelli, who heads the International Data Flows and Protection Unit at the European Commission, seemed to feel similarly. I caught up with Bruno by phone as he waited to board a plane back to Brussels. “What was interesting about this review is that we have three years of experience, so it is less static,” he said. “We looked more at how it works in practice and moved from the implementation stage to the operation stage.”
Many of the officials in the room have remained the same year to year, which has helped avoid a rehashing of first principles. It has also forged relationships, something U.S. Secretary of Commerce Wilbur Ross highlighted in his opening remarks.
Ross began on a somber note, recognizing the passing of a legend in the field and transatlantic ambassador – Giovanni Buttarelli. “He dedicated himself to the cause of protecting personal data,” Ross said. “Your commitment to the functioning of the Privacy Shield Framework continues his work in our increasingly complex, digitized world.” Ross and European Commissioner Věra Jourová touted that “longstanding commitment” to the Framework in their joint news release, as well.
Ross then turned to the value of the Framework itself, to $7.1 trillion in transatlantic trade, to more than 5,000 businesses, to individuals, and to privacy. “We are in full agreement on the need to protect our basic human rights, and the sanctity of our citizens’ privacy. Accordingly, we will work with all of you in the European Commission and the European Data Protection Board to ensure that Privacy Shield functions effectively for our governments, our businesses, and our citizens.”
This year, U.S. and EU officials sat at tables that were much closer than in years past, bringing the two sides within arm's length. Perhaps the furniture arrangement made a difference. “It was definitely a two-way discussion,” Greenstein said. “Over time there has been an increasing recognition that there is a great deal of commonality and that we are all facing similar problems and challenges as we all work to implement these laws and obligations.”
FTC Chairman Joseph Simons raised some of those mutual challenges in his opening remarks and explained how the FTC had tackled them. Simons discussed the still-fresh $5 billion FTC settlement with Facebook and the seven Privacy Shield actions the FTC brought since the last review. He cited now familiar, but previously unprecedented numbers as he ran through the FTC’s enforcement work this year: the $170 million COPPA settlement with Google and YouTube, the $575 to $700 million settlement with Equifax, and another COPPA settlement of $5.7 million with TikTok.
Gencarelli welcomed this focus, noting that “oversight and enforcement was very much at the center of discussions.”
But, Simons said, “Privacy Shield and other enforcement is only part of the story of our efforts to address privacy.” He cited the agency’s public hearings on privacy and planned workshop to examine whether the COPPA Rule should be updated. “We welcome observations and contributions from our European colleagues, including their experiences with children’s privacy protection under the EU General Data Protection Regulation.” And with that, he too helped set the stage for that more collaborative discussion, turning to the head of the FTC’s privacy enforcement division, officials from its International Office and others for a deeper dive on FTC work.
FTC officials discussed their increasing scrutiny of Privacy Shield participants and the false claims referrals received from Commerce. Similarly, Commerce focused on oversight. “We talked about our efforts to conduct more frequent compliance checks, ex-officio checks, to make sure companies are fulfilling their obligations,” Greenstein said. “We are proactively looking into companies to ensure they are meeting the terms of the Privacy Shield Framework.”
Several industry representatives joined the discussions for a short period on day one, helping to shed light on practical considerations companies face implementing Privacy Shield compliance programs.
Greenstein noted that the European Commission and DPAs were really interested in their contributions. “They were interested in hearing: Had the companies run into any difficulties fulfilling their obligations? Were there situations where it was difficult to provide individuals the type of redress supposed to be available under the Framework? Did they have any difficulties ... providing people access to data and rectification and correction?”
Fabrizio Venturelli, Workday’s associate director and data protection officer, spoke at the review and shared his thoughts on what that was like. “We felt it was important to participate directly in the Privacy Shield review to demonstrate our ongoing support for the framework and all programs that protect cross-border transfers of personal data.” While he was asked to prepare for discussions around Workday’s certification and compliance processes, EU authorities also expressed interest in other aspects of Workday’s privacy program and alternative transfer mechanisms. “The European data protection authorities showed interest in the EU Cloud Code of Conduct. Workday is the first company to be declared adherent to the provisional version of the Code,” he said.
As in years past, commercial considerations were only half of the story.
Day two of the review again covered national security issues. I had the opportunity to speak with Adam Klein, chairman of the Privacy and Civil Liberties Oversight Board, and his fellow board member Travis LeBlanc to get their thoughts on the discussions.
Since Privacy Shield’s inception, European officials have focused a good deal of attention on the PCLOB, welcoming its independent status and privacy oversight authorities, but expressing concern when the board lacked a quorum. What LeBlanc termed “personnel issues” plagued the Framework during its first two years, as both sides waited for Senate confirmations of PCLOB members and the Privacy Shield Ombudsperson. Those confirmations came in June of this year and were applauded by Privacy Shield stakeholders on both sides of the Atlantic.
“This is a big deal,” LeBlanc said. It certainly removed a critical pain point in diplomatic discussions.
With a full complement of board members for the first time since 2016, the PCLOB has been busy. During the review, PCLOB representatives discussed their authorities, structure and work. “We are able to help them understand how we operate independently and who decides the matters we pursue,” LeBlanc said. Klein noted that the PCLOB’s staff has more than doubled and that the board is actively working on at least ten oversight projects, including an examination of the USA Freedom Act, up for reauthorization this year.
The PCLOB has also focused on increasing the transparency of its work, publishing the list of those oversight projects, which is a first. In keeping with its goal of providing as much unclassified information to the public as possible, Klein said he was happy to discuss PCLOB’s oversight work, but also encouraged a more collaborative approach to the national security discussions at the review going forward. “In the future, what would also be beneficial to us would be to speak with our counterparts at the member state level who have responsibility for national security oversight so that we can exchange best practices and learn from one another and as we pursue our shared commitment to the rule of law and to privacy.”
As review participants welcomed the strides that have been made over the past half-decade, they also recognized the hurdles that lie ahead.
The U.S. government and European Commission are both participating in the Schrems II case before the Court of Justice of the EU, which challenges model contracts and raises questions about Privacy Shield. There is no doubt that case is top of mind for review participants.
When I asked him about contingency planning, Commerce's Greenstein said, “We are closely monitoring the [CJEU] cases and are in close touch with the Commission about that.” Both the European Commission and U.S. have defended the strength of the Framework before the Court.
While any shadow cast by the case seems muted, it has certainly created additional impetus to take these reviews seriously and ensure the Framework is functioning well.