Following its plenary meeting last week, the EU's Article 29 Working Party, the collection of European data protection authorities, issued a press release (note: link automatically downloads a PDF) regarding its preparations for the annual review of the Privacy Shield data transfer framework, scheduled for this coming September. The release comes amid something of a flurry of Shield activity that includes concerns raised by former Acting Commerce Secretary and Commerce General Counsel Cam Kerry, as well as a call from the Department of Commerce for applications to join the list of arbitrators for Shield violation claims.
While it is the EU Commission that will be conducting the review of Privacy Shield with the U.S. government, the WP29 notes EU DPAs are able to participate and that they are "intensely preparing" for it. Particularly, they note areas of concern regarding U.S. law covering commercial privacy practices, as well as law-enforcement operations. They expect the dialogue in the U.S. to require two or three days.
Regarding law enforcement, the WP29 notes the EU DPAs are seeking "precise evidence to show that bulk collection, when it exists, is 'as tailored as feasible,' limited and proportionate." In that language, they may have picked up on a recent admission by Director of National Intelligence Daniel Coats in a U.S. congressional hearing that certain data regarding information collection is "infeasible to extract." While Coats was referring to the difficult nature of identifying when data or communications regarding U.S. citizens are mistakenly collected, EU DPAs may also wonder how the U.S. can be sure intelligence gathering isn't also sweeping up EU citizen data by mistake.
The WP29 also expresses concerns in its press release about "the four missing members of the [U.S. Privacy and Civil Liberties Oversight Board]," a subject addressed by former PCLOB member Jim Dempsey in a letter to the editor of The New York Times.
"In calling on Congress to extend permanently the warrantless collection provision of the Foreign Intelligence Surveillance Act, Mr. Bossert, the president’s homeland security and counterterrorism adviser, cites the oversight mechanisms intended to keep the program within bounds," Dempsey writes.
"Among those, he says, the Privacy and Civil Liberties Oversight Board 'deserves special praise.' The problem is that the board is crippled, with only one serving member. ... If President Trump is serious about seeking renewal of the extraordinary powers granted under the surveillance law, he should promptly nominate a bipartisan slate of privacy experts to the oversight board."
In fact, Kerry notes this discrepancy in an Op-Ed for Lawfare, where he says the Trump administration has acknowledged Privacy Shield's importance in international commerce but has not yet taken certain steps to support the framework. Namely, Trump has not nominated and Undersecretary of State to serve as Ombudsman for the Shield program, nor yet nominated new PCLOB members. While Kerry says the Trump administration has started the wheels turning toward fulfilling those Shield requirements, he at the same time bemoans the "background music" of discord Trump has orchestrated during his trips abroad and in meetings with EU leaders.
Trump's recent EU visit for NATO and G-7 meetings, says Kerry, "could not have been more catastrophic as a diplomatic mission."
Nevertheless, as Kerry also notes, EU Commissioner Vera Jourová did visit Washington not long ago and has pronounced assurances from the Trump administration "satisfactory."
Further, Shield framework plans do continue apace, with the Department of Commerce announcing today in the U.S. Federal Register an invitation for applications for inclusion on the list of arbitrators, who would help resolve citizen claims than an organization has violated its obligations under the Shield framework. "The DOC and the European Commission will work together to implement the arbitration mechanism, including by jointly developing a list of at least 20 arbitrators," the announcement reads. "Parties to a binding arbitration under this Privacy Shield mechanism may only select arbitrators from this list."
Who's qualified? Applicants must be licensed to practice law in the United States, have demonstrated expertise in both U.S. and EU privacy law, and be able to demonstrate both independence and a high regard among peers. Applications are being accepted through July 14, 2017. If accepted, arbitrators would remain on the list for a period of three years, initially.
Finally, and perhaps most interestingly for those engaging in big data analytics work, the WP29 took specific care to mention it will be looking for discussion at the Privacy Shield review of how the U.S. legal system handles issues of automated decision making. Nor should this be surprising. It is an area of concern addressed in the Shield implementing documents, including in the letter from the International Trade Administration that outlines the Department of Commerce's responsibilities as part of the framework.
In that letter from then Acting Undersecretary for International Trade Ken Hyatt to Jourová, he writes, "The first annual review and subsequent reviews as appropriate will include a dialogue on other topics, such as in the area of automated decision-making, including aspects relating to similarities and differences in the EU and the U.S."
The WP29 followed that up this week, saying it "has questions concerning, among others, the existence of legal guarantees regarding automated decision-making or the existence of any guidance made available by the DOC regarding the application of the Privacy Shield principles to organisations acting as agents/processors. Clarifications that will be sought also include the definition of human resources data."
While the EU and U.S. haggle over the law-enforcement aspects of the Shield framework, these topics may emerge as the most substantive issues for commercial enterprises.
Top image courtesy of European Commission