Greetings from Portsmouth, New Hampshire!
We've been talking a lot about the prospect of federal privacy legislation in recent weeks, but tucked away in all these developments is the status of the EU-U.S. Privacy Shield arrangement. That is until last Friday when the White House announced its intent to nominate former DocuSign CEO Keith Krach as undersecretary of State for Economic Growth, Energy, and the Environment (along with six other positions!). This role includes the famed ombudsperson for Shield. Manisha Singh has served as acting secretary for some time now, but, if confirmed, Krach would be the first "permanent" ombudsperson.
According to Euractiv, the European Commission has been pressuring the White House to nominate someone for the role. And though EU Justice Commissioner Věra Jourová said she was "pleased that the U.S. has decided to follow our recommendation from [the] December report," she also urged the U.S. Senate "to proceed with the hearings swiftly so Mr. Krach can assume his duties as soon as possible."
European Data Protection Supervisor Giovanni Buttarelli also responded to the nomination, saying the announcement came "later than expected," adding, "This is not a concession. ... This announcement comes over two years after the agreement was initially made. ... We understand that privacy is not a priority everywhere in the world."
Indeed, the European Data Protection Board, the group of EU-based data protection authorities, made Privacy Shield a priority topic during its sixth plenary session, the details of which were released this week. The good news for participating companies is that the EDPB adopted the Second Annual Review of Shield and welcomed "the efforts made by the U.S. authorities and the [European] Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts to publish a number of important documents, in part by declassification (such as decisions by the FISA Court), the appointment of a new Chair as well as of three new members of the Privacy and Civil Liberties Oversight Board ... and the recently announced appointment of a permanent Ombudsperson."
Of course, concerns remain, including the "lack of concrete assurances that indiscriminate collection [of] and access [to] personal data for national security purposes are excluded." The EDPB also does not believe the ombudsperson "is vested with sufficient powers to remedy non-compliance." Other concerns involve onward transfer requirements and "the scope of meaning of HR Data and the recertification process," among others. Clearly, more work needs to be done to tie up these loose ends.
In light of Shield, though, it's also worth mentioning the big $57 million GDPR fine levied this week by the CNIL against Google. Even though Google has its EU headquarters in Ireland, it was the French regulator that took action against the U.S. tech company, arguing that the business decisions made by Google were enacted in California, not Ireland. Ireland's Data Protection Commission agreed, saying, "Google until now hasn't met its criteria for having an establishment in Ireland, because its U.S. entity was responsible for processing EU users' data, rather than its Irish unit."
But the question remains: How will the CNIL's enforcement action affect Google's participation in Shield, if at all? I'd be curious to hear your thoughts on this.
Comments
If you want to comment on this post, you need to login.