Greetings from Brussels!
This week, for the third year running, EU officials signed off on U.S. commitments to the EU-U.S. Privacy Shield program, relied on by more than 5,000 companies, following the publication of the European Commission’s annual review of the Shield’s functioning. The overall conclusion is that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S.
The European Commission welcomed several improvements on last year’s review that included a more systematic checking of company compliance measures by the U.S. Department of Commerce, an uptake in enforcement actions by the Federal Trade Commission and an increasing number of EU citizens making use of their rights under the Privacy Shield. European Commissioner for Justice, Consumers and Gender Equality Věra Jourová said of the annual health check on Twitter, “It is a great tool of digital diplomacy that incentivizes dialogue and is an example of successful [trans-Atlantic] cooperation.”
The European Commission did go further in its recommendations to ensure a strengthening and effective functioning of the Privacy Shield in practice. Such measures included a shortening of the time frame for (re)certification for companies who want to participate in the program, more rigorous compliance checks — particularly concerning false claims of participation — and additional guidance for companies related to the transfer of human resources data.
As reported by Bloomberg Law, there also remains some apparent ongoing concern regarding foreign communications surveillance. In its reports, the European Commission acknowledged the surveillance limits and safeguards provisioned under the USA Freedom Act. However, it also stated that it hoped U.S. lawmakers would not seek to broaden the scope of this authority. Congress will be working to reauthorize provisions of the act, which are set to expire 15 Dec. 2019. European officials want Congress to keep “privacy protections” for surveillance communications data on European citizens sent to the U.S. via the Privacy Shield, according to a separate staff report on the annual program review.
In short, the National Security Agency and other U.S. intelligence agencies can collect business records more easily in national security investigations under the law. And while certain surveillance gathering activities on identifying data of foreign parties were previously limited, the NSA would like those limitations removed. Congress is likely to reauthorize the U.S. foreign surveillance authority under the law, but to what extent and for how long is not clear. The Trump administration wants a permanent reauthorization for the NSA surveillance powers, while some lawmakers want to add civil liberties and privacy protections to limit the intelligence agency’s activities.
In this regard, Jourová also praised the appointment of the permanent ombudsperson, in addition to the final two vacancies filled, on the Privacy and Civil Liberties Oversight Board — a first since the board was introduced in 2016. Yet, she said that more was needed in terms of proactive oversight. The Commission sees the PCLOB as key to safeguarding privacy and would like to see an increased frequency in their findings and reporting on intelligence activities.
All in all, this third review is to be seen as a success: for three years running, the Privacy Shield has maintained its operational viability. And while there may still be some way to go to strengthen its mechanisms, what is clear is that its contribution and example to establishing sustainable global privacy standards remain critical.