Last week's IAPP Europe Data Protection Congress 2016 in Brussels was already shaping up to be a lively affair, what with Privacy Shield and the implementation of the EU General Data Protection Regulation to discuss, but then Donald Trump was announced as the next president of the United States.
Trump's victory — a shock for many, and revealed just hours before the Congress keynotes commenced — left everyone trying to figure out its implications for trans-Atlantic data flows. After all, this was a candidate who campaigned on a “law-and-order” platform and has expressed support for bulk data collection.
Privacy Shield's predecessor, Safe Harbor, was sunk by the Court of Justice of the European Union partly because it did not provide effective protections for Europeans against U.S. mass surveillance. With EU regulators having given the new deal only tentative support, pending its first annual review next year, could Trump's election threaten Privacy Shield? Opinions expressed on-stage at the Brussels conference were divided, but generally cautious.
"There has unquestionably been a stunning and unexpected outcome in the election in the U.S.," said Edith Ramirez, the current chairwoman of the U.S. Federal Trade Commission. (As she was a Democratic appointee, Trump will replace Ramirez with a Republican as chair. Former FTC commissioner Julie Brill said at the conference that this would almost certainly be the only current Republican commissioner, Maureen Ohlhausen.)
Ramirez noted that "with any change in administration there will of course be shifts in approaches taken," but said she was cautiously optimistic. "From the American perspective, the commitment to Privacy Shield is real and sincere," she said.
Ted Dean, deputy assistant secretary for services at the U.S. Department of Commerce, suggested that Privacy Shield should benefit from a system designed for continuity. "Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration," he said. "This is the type of program that carries on across administrations."
Dean, an appointee likely to move on in January, also pointed out that "there would be tremendous pressure from industry on any administration coming in to continue" with the negotiated deal. He said the list of certified Privacy Shield-compliant companies already numbered 700, with a further 1,000 companies having submitted their certifications for the Commerce Department's approval.
However, some of those speaking from the European perspective seemed deeply worried about the implications of a Trump presidency.
"It shows that Snowden was right," said Ralf Bendrath, senior policy advisor to Jan Philipp Albrecht, the Green member of the European Parliament who has been a prominent critic of Privacy Shield. Edward Snowden, the NSA whistleblower, has repeatedly warned that the U.S. surveillance apparatus provides the mechanisms for a "turnkey tyranny," in that a would-be tyrant could easily abuse it in ways less authoritarian governments did not.
Bendrath referenced the political philosopher Karl Popper, who said political institutions had to be built in ways that prevent abuse. "The same is true for technical infrastructures," Bendrath said. "We will now see what Mr. Trump will do with all the powers he [has]. This will have an impact on trans-Atlantic discussions on the privacy issue."
But how open are these systems to abuse? According to Ralf Sauer, the deputy head of unit for international data flows at the European Commission's justice directorate, the Commission doesn't see vulnerability in the system – otherwise it "wouldn't have accepted" the Privacy Shield deal in the first place.
"We see an area of interest for litigants. It makes it politically vulnerable," Sauer said (Privacy Shield is already being challenged in court by Digital Rights Ireland). "When it comes to a change of administration, it was clear there would be a change. But what does that mean? Why would that change it?"
Peter Swire, the Huang professor of law and ethics at Georgia Tech and one of the people President Obama tasked with reviewing intelligence and communications technology, argued strongly against Snowden's "turnkey tyranny" thesis. He pointed to the various bodies providing oversight for the intelligence services — the FISA court, inspectors general, Senate and House intelligence committees, the Privacy and Civil Liberties Oversight Board — and said that, "to co-opt all of them is a really large exercise."
"'Turnkey' doesn't capture the need to suborn the courts and inspectors general and the Congress," Swire said. "The evidence for 'turnkey' is quite weak."
Swire conceded that there are "some things we don't know" about the intelligence community's activities. However, he said, President Obama's post-Snowden reforms had provided more transparency than previously existed surrounding the decisions of the FISA court. "These are legislative changes that would take legislation to undo, and the list is much more extensive than non-specialists would probably know," he said.
If Trump were to undo Obama's "PPD-28" directive, which lays out protocols for U.S. signals intelligence collection — and which was key in winning European trust during the Privacy Shield talks — then this would require a "very public repudiation," Swire said. If Trump were to try reversing the reforms in secret, he suggested, then the news would undoubtedly leak out. "It could be that the new president signs those orders, but I don't think he could do so secretly," he said.
Swire pointed out that it was hard to tell what Trump would do with regard to data protection, because there was nothing on his website or in his speeches about such policies. "We have very little [idea] right now of who will be in the Commerce Department, who will be in intelligence," he said. "The people will come in and will need to come to some view of how to handle these issues vis-à-vis Europe. It will be hard for them to have a very developed political team on this before the summer, and it could take longer. … People who want answers on January 21 will not get them. There's a great deal that's unknown."
Brill, too, highlighted the current lack of clear privacy policy from the president-elect. However, the former FTC commissioner suggested that, at first, the issue was likely to take a back seat to those on which he explicitly campaigned.
"With regard to Privacy Shield and PPD-28, the truth is we don't know for sure what this administration will do," Brill said. "But I do know the executive orders with regard to the day-one agenda mostly dealt with other issues like Obamacare. My deep hope is that Privacy Shield and some of these other issues that are relatively non-controversial, both among consumer groups and among business stakeholders, that Privacy Shield and even PPD-28 are really not going to rise to the level of that kind of attention. These agreements ought to be durable."
"It is probably time to speak out in Washington now, to make clear the connect between economic interest, the ability to grow trust … and national security matters," said Paul Nemitz, the European Commission justice directorate's fundamental rights chief. "It is important that it plays a role now, when policies are defined and people are appointed."
Even without the Trump factor, Privacy Shield's survival seems far from certain. Isabelle Falque-Pierrotin, the head of the Article 29 Working Party of European data protection authorities, stressed that she wanted to see "metrics to make sure mass surveillance is not present" when the first annual review rolls around. Only then, she said, can the EU side "see whether these points of concern have been addressed."
Nemitz, who played a pivotal role in the Privacy Shield negotiations, added that the "burden of coming up with these metrics is on the U.S. government, because only they know what they do."
"[The Department of] Commerce, the State Department and the Office of the Director of National Intelligence have choices to make in terms of demonstrating that this is not just a piece of paper, it's not fragile and cannot just be brushed away," Nemitz warned. "In these times now, it is very important to show all this has stability and will continue to be taken seriously in its application."
Nemitz also said U.S. companies could help ensure Privacy Shield's longevity by "working with European DPAs" to resolve EU citizens' potential complaints — not just using the U.S. arbitration mechanisms that are the other option described in the deal. "The Commission encourages actors to choose the DPA dispute settlement because it is more consistent with the overall purpose … which is to instil trust," he said. "U.S. companies can signal that they take the commitment on working with European DPAs very seriously."
Brill, who sat on the other side of the table from Nemitz during the negotiations and is these days the co-head of Hogan Lovells' privacy and cybersecurity practice, expressed frustration with Nemitz on this point. "It's a headscratcher to me why, since Privacy Shield allows you to do both, anyone should say choose one or the other for the purposes of the annual review," she said. "It should certainly not be part of the metrics."
On the issue of the Digital Rights Ireland challenge, Nemitz praised the fact that the rights group was able to challenge Privacy Shield.
"There we have to live with the fact, which is good, that we live in the rule of law, and that in our legal system normal people, civil society, can bring such important [questions] to the court and they do not face problems of admissibility as they have in the U.S.," he said. "Our highest courts show they do understand the challenges of our times. It goes to the core of what freedoms mean in the digital age in which we are living. I have great confidence that our judiciaries will do the right thing."
A court challenge. An annual review. A Trump presidency. Can Privacy Shield survive all three?