News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The Trump effect on Privacy Shield: ‘There’s a great deal that’s unknown’ Related reading: Regulators: Trump presidency won't derail progress made

rss_feed

""

""

Last week's IAPP Europe Data Protection Congress 2016 in Brussels was already shaping up to be a lively affair, what with Privacy Shield and the implementation of the EU General Data Protection Regulation to discuss, but then Donald Trump was announced as the next president of the United States.

Trump's victory — a shock for many, and revealed just hours before the Congress keynotes commenced — left everyone trying to figure out its implications for trans-Atlantic data flows. After all, this was a candidate who campaigned on a “law-and-order” platform and has expressed support for bulk data collection.

Privacy Shield's predecessor, Safe Harbor, was sunk by the Court of Justice of the European Union partly because it did not provide effective protections for Europeans against U.S. mass surveillance. With EU regulators having given the new deal only tentative support, pending its first annual review next year, could Trump's election threaten Privacy Shield? Opinions expressed on-stage at the Brussels conference were divided, but generally cautious.

"There has unquestionably been a stunning and unexpected outcome in the election in the U.S.," said Edith Ramirez, the current chairwoman of the U.S. Federal Trade Commission. (As she was a Democratic appointee, Trump will replace Ramirez with a Republican as chair. Former FTC commissioner Julie Brill said at the conference that this would almost certainly be the only current Republican commissioner, Maureen Ohlhausen.) 

Ramirez noted that "with any change in administration there will of course be shifts in approaches taken," but said she was cautiously optimistic. "From the American perspective, the commitment to Privacy Shield is real and sincere," she said.

"Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration. This is the type of program that carries on across administrations." — Ted Dean, U.S. Department of Commerce

Ted Dean, deputy assistant secretary for services at the U.S. Department of Commerce, suggested that Privacy Shield should benefit from a system designed for continuity. "Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration," he said. "This is the type of program that carries on across administrations."

Dean, an appointee likely to move on in January, also pointed out that "there would be tremendous pressure from industry on any administration coming in to continue" with the negotiated deal. He said the list of certified Privacy Shield-compliant companies already numbered 700, with a further 1,000 companies having submitted their certifications for the Commerce Department's approval.

However, some of those speaking from the European perspective seemed deeply worried about the implications of a Trump presidency.

"It shows that Snowden was right," said Ralf Bendrath, senior policy advisory to Jan Philipp Albrecht, the Green member of the European Parliament who has been a prominent critic of Privacy Shield. Edward Snowden, the NSA whistleblower, has repeatedly warned that the U.S. surveillance apparatus provides the mechanisms for a "turnkey tyranny," in that a would-be tyrant could easily abuse it in ways less authoritarian governments did not.

Bendrath referenced the political philosopher Karl Popper, who said political institutions had to be built in ways that prevent abuse. "The same is true for technical infrastructures," Bendrath said. "We will now see what Mr. Trump will do with all the powers he [has]. This will have an impact on trans-Atlantic discussions on the privacy issue."

 "We will now see what Mr. Trump will do with all the powers he [has]. This will have an impact on trans-Atlantic discussions on the privacy issue." — Ralf Bendrath, EU Parliament policy advisor

But how open are these systems to abuse? According to Ralf Sauer, the deputy head of unit for international data flows at the European Commission's justice directorate, the Commission doesn't see vulnerability in the system – otherwise it "wouldn't have accepted" the Privacy Shield deal in the first place.

"We see an area of interest for litigants. It makes it politically vulnerable," Sauer said (Privacy Shield is already being challenged in court by Digital Rights Ireland). "When it comes to a change of administration, it was clear there would be a change. But what does that mean? Why would that change it?"

Peter Swire, the Huang professor of law and ethics at Georgia Tech and one of the people president Obama tasked with reviewing intelligence and communications technology, argued strongly against Snowden's "turnkey tyranny" thesis. He pointed to the various bodies providing oversight for the intelligence services — the FISA court, inspectors general, Senate and House intelligence committees, the Privacy and Civil Liberties Oversight Board — and said that, "to co-opt all of them is a really large exercise."

"'Turnkey' doesn't capture the need to suborn the courts and inspectors general and the Congress," Swire said. "The evidence for 'turnkey' is quite weak."

Swire conceded that there are "some things we don't know" about the intelligence community's activities. However, he said, president Obama's post-Snowden reforms had provided more transparency than previously existed surrounding the decisions of the FISA court. "These are legislative changes that would take legislation to undo, and the list is much more extensive than non-specialists would probably know," he said.

"'Turnkey' doesn't capture the need to suborn the courts and inspectors general and the Congress. The evidence for 'turnkey' is quite weak." — Peter Swire, Director of National Intelligence Review Group

If Trump were to undo Obama's "PPD-28" directive, which lays out protocols for U.S. signals intelligence collection — and which was key in winning European trust during the Privacy Shield talks — then this would require a "very public repudiation," Swire said. If Trump were to try reversing the reforms in secret, he suggested, then the news would undoubtedly leak out. "It could be that the new president signs those orders, but I don't think he could do so secretly," he said.

Swire pointed out that it was hard to tell what Trump would do with regards to data protection, because there was nothing on his website or in his speeches about such policies. "We have very little [idea] right now of who will be in the Commerce Department, who will be in intelligence," he said. "The people will come in and will need to come to some view of how to handle these issues vis-à-vis Europe. It will be hard for them to have a very developed political team on this before the summer, and it could take longer. … People who want answers on January 21 will not get them. There's a great deal that's unknown."

Brill, too, highlighted the current lack of clear privacy policy from the president-elect. However, the former FTC commissioner suggested that, at first, the issue was likely to take a back seat to those on which he explicitly campaigned.

"With regard to Privacy Shield and PPD-28, the truth is we don't know for sure what this administration will do," Brill said. "But I do know the executive orders with regard to the day-one agenda mostly dealt with other issues like Obamacare. My deep hope is that Privacy Shield and some of these other issues that are relatively non-controversial, both among consumer groups and among business stakeholders, that Privacy Shield and even PPD-28 are really not going to rise to the level of that kind of attention. These agreements ought to be durable."

"It is probably time to speak out in Washington now, to make clear the connect between economic interest, the ability to grow trust … and national security matters," said Paul Nemitz, the European Commission justice directorate's fundamental rights chief. "It is important that it plays a role now, when policies are defined and people are appointed."

"My deep hope is that Privacy Shield and some of these other issues that are relatively non-controversial, both among consumer groups and among business stakeholders, that Privacy Shield and even PPD-28 are really not going to rise to the level of that kind of attention. These agreements ought to be durable." — Julie Brill, former FTC Commissioner

Even without the Trump factor, Privacy Shield's survival seems far from certain. Isabelle Falque-Pierrotin, the head of the Article 29 Working Party of European data protection authorities, stressed that she wanted to see "metrics to make sure mass surveillance is not present" when the first annual review rolls around. Only then, she said, can the EU side "see whether these points of concern have been addressed."

Nemitz, who played a pivotal role in the Privacy Shield negotiations, added that the "burden of coming up with these metrics is on the U.S. government, because only they know what they do."

"[The Department of] Commerce, the State Department and the Office of the Director of National Intelligence have choices to make in terms of demonstrating that this is not just a piece of paper, it's not fragile and cannot just be brushed away," Nemitz warned. "In these times now, it is very important to show all this has stability and will continue to be taken seriously in its application."

Nemitz also said U.S. companies could also help ensure Privacy Shield's longevity by "working with European DPAs" to resolve EU citizens' potential complaints — not just using the U.S. arbitration mechanisms that are the other option described in the deal. "The Commission encourages actors to choose the DPA dispute settlement because it is more consistent with the overall purpose … which is to instil trust," he said. "U.S. companies can signal that they take the commitment on working with European DPAs very seriously."

Brill, who sat on the other side of the table from Nemitz during the negotiations and is these days the co-head of Hogan Lovells' privacy and cybersecurity practice, expressed frustration with Nemitz on this point. "It's a headscratcher to me why, since Privacy Shield allows you to do both, anyone should say choose one or the other for the purposes of the annual review," she said. "It should certainly not be part of the metrics."

On the issue of the Digital Rights Ireland challenge, Nemitz praised the fact that the rights group was able to challenge Privacy Shield.

"There we have to live with the fact, which is good, that we live in the rule of law, and that in our legal system normal people, civil society, can bring such important [questions] to the court and they do not face problems of admissibility as they have in the U.S.," he said. "Our highest courts show they do understand the challenges of our times. It goes to the core of what freedoms mean in the digital age in which we are living. I have great confidence that our judiciaries will do the right thing."

A court challenge. An annual review. A Trump presidency. Can Privacy Shield survive all three?

Author
Headshot David Meyer Nonmember Contributor
Tags
Europe
U.S.
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
What will a Trump administration mean for privacy?
1
As the dust settles after one of the most contentious and surprising elections in recent memory, many in the privacy world are looking ahead to what a Trump presidency will mean for privacy, cybersecurity, and surveillance. Though it is not yet clear how a President Trump will come down on privacy i...
Read More queue Save This
Hillary Clinton, Google, and algorithmic transparency
If you’re an avid fan of House of Cards, you know this past season delved into some privacy issues – my colleague Courtney wrote about them here. If you're not, I don't think it spoils anything to say one such privacy issue concerned a presidential candidate’s close ties to the world’s leading searc...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Transborder Data Flow
Recent Comments