Radar_Webcon_Generali_300x250_ad_3.7.17Radar-01
PrivacyCore_ad_300x250-01
S17_Banner_300x250-COPY
The Trump effect on Privacy Shield: ‘There’s a great deal that’s unknown’

Last week's IAPP Europe Data Protection Congress 2016 in Brussels was already shaping up to be a lively affair, what with Privacy Shield and the implementation of the EU General Data Protection Regulation to discuss, but then Donald Trump was announced as the next president of the United States.

Trump's victory — a shock for many, and revealed just hours before the Congress keynotes commenced — left everyone trying to figure out its implications for trans-Atlantic data flows. After all, this was a candidate who campaigned on a “law-and-order” platform and has expressed support for bulk data collection.

Privacy Shield's predecessor, Safe Harbor, was sunk by the Court of Justice of the European Union partly because it did not provide effective protections for Europeans against U.S. mass surveillance. With EU regulators having given the new deal only tentative support, pending its first annual review next year, could Trump's election threaten Privacy Shield? Opinions expressed on-stage at the Brussels conference were divided, but generally cautious.

"There has unquestionably been a stunning and unexpected outcome in the election in the U.S.," said Edith Ramirez, the current chairwoman of the U.S. Federal Trade Commission. (As she was a Democratic appointee, Trump will replace Ramirez with a Republican as chair. Former FTC commissioner Julie Brill said at the conference that this would almost certainly be the only current Republican commissioner, Maureen Ohlhausen.) 

Ramirez noted that "with any change in administration there will of course be shifts in approaches taken," but said she was cautiously optimistic. "From the American perspective, the commitment to Privacy Shield is real and sincere," she said.

"Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration. This is the type of program that carries on across administrations." — Ted Dean, U.S. Department of Commerce

Ted Dean, deputy assistant secretary for services at the U.S. Department of Commerce, suggested that Privacy Shield should benefit from a system designed for continuity. "Bear in mind the history of the Safe Harbor program, which was negotiated under the Clinton administration, implemented under the Bush administration and continued under the Obama administration," he said. "This is the type of program that carries on across administrations."

Dean, an appointee likely to move on in January, also pointed out that "there would be tremendous pressure from industry on any administration coming in to continue" with the negotiated deal. He said the list of certified Privacy Shield-compliant companies already numbered 700, with a further 1,000 companies having submitted their certifications for the Commerce Department's approval.

However, some of those speaking from the European perspective seemed deeply worried about the implications of a Trump presidency.

"It shows that Snowden was right," said Ralf Bendrath, senior policy advisory to Jan Philipp Albrecht, the Green member of the European Parliament who has been a prominent critic of Privacy Shield. Edward Snowden, the NSA whistleblower, has repeatedly warned that the U.S. surveillance apparatus provides the mechanisms for a "turnkey tyranny," in that a would-be tyrant could easily abuse it in ways less authoritarian governments did not.

Bendrath referenced the political philosopher Karl Popper, who said political institutions had to be built in ways that prevent abuse. "The same is true for technical infrastructures," Bendrath said. "We will now see what Mr. Trump will do with all the powers he [has]. This will have an impact on trans-Atlantic discussions on the privacy issue."

 "We will now see what Mr. Trump will do with all the powers he [has]. This will have an impact on trans-Atlantic discussions on the privacy issue." — Ralf Bendrath, EU Parliament policy advisor

But how open are these systems to abuse? According to Ralf Sauer, the deputy head of unit for international data flows at the European Commission's justice directorate, the Commission doesn't see vulnerability in the system – otherwise it "wouldn't have accepted" the Privacy Shield deal in the first place.

"We see an area of interest for litigants. It makes it politically vulnerable," Sauer said (Privacy Shield is already being challenged in court by Digital Rights Ireland). "When it comes to a change of administration, it was clear there would be a change. But what does that mean? Why would that change it?"

Peter Swire, the Huang professor of law and ethics at Georgia Tech and one of the people president Obama tasked with reviewing intelligence and communications technology, argued strongly against Snowden's "turnkey tyranny" thesis. He pointed to the various bodies providing oversight for the intelligence services — the FISA court, inspectors general, Senate and House intelligence committees, the Privacy and Civil Liberties Oversight Board — and said that, "to co-opt all of them is a really large exercise."

"'Turnkey' doesn't capture the need to suborn the courts and inspectors general and the Congress," Swire said. "The evidence for 'turnkey' is quite weak."

Swire conceded that there are "some things we don't know" about the intelligence community's activities. However, he said, president Obama's post-Snowden reforms had provided more transparency than previously existed surrounding the decisions of the FISA court. "These are legislative changes that would take legislation to undo, and the list is much more extensive than non-specialists would probably know," he said.

"'Turnkey' doesn't capture the need to suborn the courts and inspectors general and the Congress. The evidence for 'turnkey' is quite weak." — Peter Swire, Director of National Intelligence Review Group

If Trump were to undo Obama's "PPD-28" directive, which lays out protocols for U.S. signals intelligence collection — and which was key in winning European trust during the Privacy Shield talks — then this would require a "very public repudiation," Swire said. If Trump were to try reversing the reforms in secret, he suggested, then the news would undoubtedly leak out. "It could be that the new president signs those orders, but I don't think he could do so secretly," he said.

Swire pointed out that it was hard to tell what Trump would do with regards to data protection, because there was nothing on his website or in his speeches about such policies. "We have very little [idea] right now of who will be in the Commerce Department, who will be in intelligence," he said. "The people will come in and will need to come to some view of how to handle these issues vis-à-vis Europe. It will be hard for them to have a very developed political team on this before the summer, and it could take longer. … People who want answers on January 21 will not get them. There's a great deal that's unknown."

Brill, too, highlighted the current lack of clear privacy policy from the president-elect. However, the former FTC commissioner suggested that, at first, the issue was likely to take a back seat to those on which he explicitly campaigned.

"With regard to Privacy Shield and PPD-28, the truth is we don't know for sure what this administration will do," Brill said. "But I do know the executive orders with regard to the day-one agenda mostly dealt with other issues like Obamacare. My deep hope is that Privacy Shield and some of these other issues that are relatively non-controversial, both among consumer groups and among business stakeholders, that Privacy Shield and even PPD-28 are really not going to rise to the level of that kind of attention. These agreements ought to be durable."

"It is probably time to speak out in Washington now, to make clear the connect between economic interest, the ability to grow trust … and national security matters," said Paul Nemitz, the European Commission justice directorate's fundamental rights chief. "It is important that it plays a role now, when policies are defined and people are appointed."

"My deep hope is that Privacy Shield and some of these other issues that are relatively non-controversial, both among consumer groups and among business stakeholders, that Privacy Shield and even PPD-28 are really not going to rise to the level of that kind of attention. These agreements ought to be durable." — Julie Brill, former FTC Commissioner

Even without the Trump factor, Privacy Shield's survival seems far from certain. Isabelle Falque-Pierrotin, the head of the Article 29 Working Party of European data protection authorities, stressed that she wanted to see "metrics to make sure mass surveillance is not present" when the first annual review rolls around. Only then, she said, can the EU side "see whether these points of concern have been addressed."

Nemitz, who played a pivotal role in the Privacy Shield negotiations, added that the "burden of coming up with these metrics is on the U.S. government, because only they know what they do."

"[The Department of] Commerce, the State Department and the Office of the Director of National Intelligence have choices to make in terms of demonstrating that this is not just a piece of paper, it's not fragile and cannot just be brushed away," Nemitz warned. "In these times now, it is very important to show all this has stability and will continue to be taken seriously in its application."

Nemitz also said U.S. companies could also help ensure Privacy Shield's longevity by "working with European DPAs" to resolve EU citizens' potential complaints — not just using the U.S. arbitration mechanisms that are the other option described in the deal. "The Commission encourages actors to choose the DPA dispute settlement because it is more consistent with the overall purpose … which is to instil trust," he said. "U.S. companies can signal that they take the commitment on working with European DPAs very seriously."

Brill, who sat on the other side of the table from Nemitz during the negotiations and is these days the co-head of Hogan Lovells' privacy and cybersecurity practice, expressed frustration with Nemitz on this point. "It's a headscratcher to me why, since Privacy Shield allows you to do both, anyone should say choose one or the other for the purposes of the annual review," she said. "It should certainly not be part of the metrics."

On the issue of the Digital Rights Ireland challenge, Nemitz praised the fact that the rights group was able to challenge Privacy Shield.

"There we have to live with the fact, which is good, that we live in the rule of law, and that in our legal system normal people, civil society, can bring such important [questions] to the court and they do not face problems of admissibility as they have in the U.S.," he said. "Our highest courts show they do understand the challenges of our times. It goes to the core of what freedoms mean in the digital age in which we are living. I have great confidence that our judiciaries will do the right thing."

A court challenge. An annual review. A Trump presidency. Can Privacy Shield survive all three?

Written By

David Meyer

Comments

If you want to comment on this post, you need to login.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

CIPP/E + CIPM = DPO

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»