EU Will Push for US Requests for Europeans' Data at Privacy Shield Review, Says Jourová
When Privacy Shield comes up for its first review in September, EU Justice Commissioner Vera Jourová said, one of the "crucial" questions that her side will ask companies is how many times U.S. authorities asked them to provide Europeans' private data. She said during a Center for Strategic and International Studies (CSIS) event Friday she has been trying to convince representatives of companies that have self-certified under trans-Atlantic data transfer framework to provide such information upon EU request and has gotten "positive" responses. When the framework was being negotiated, she said the U.S. wouldn't agree to companies providing that information.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Jourová's address wrapped up three days of talks with Commerce Secretary Wilbur Ross and Attorney General Jeff Sessions (see 1703290015), among other administration and congressional officials, civil society groups and industry groups including the Information Technology Industry Council. ITI didn't comment. Jourová said she and Ross agreed to the September review of Privacy Shield, which will be primarily undertaken by the Department of Commerce and European Commission with invitations to U.S. national intelligence experts and European data protection authorities. An EC spokeswoman in an emailed statement said that during the Thursday meeting with Ross, the commissioner received reassurances from the secretary about the importance of trans-Atlantic framework and U.S. tasks and commitments.
At the CSIS event, Jourová said one important topic will be assessing positive or negative changes to U.S. legislation. She didn't want to see changes to Presidential Policy Directive 28, which provides government surveillance protections to non-U.S. individuals. The directive is called crucial to the framework (see 1702080004 and 1701260015). Section 702 of the Foreign Intelligence Surveillance Act Amendments Act, which will expire by the end of the year unless reauthorized (see 1703010015), is another area that Jourová said is important to keep an eye on.
“If Privacy Shield works in the way it is described in the adequacy decision, the data will be fully protected," said the EU commissioner, whom Heather Conley, CSIS director-Europe program, referred to as the "privacy czar." Besides talking to companies during the review, Jourová said reviewers will talk to EU and U.S. agencies involved, civil society groups and whistleblowers. While many civil society groups are concerned about an imbalance between security and privacy under President Donald Trump, Jourová said, "I don't have such signs yet.”
During a panel, CSIS Senior Vice President Jim Lewis, a government and technology expert, said Privacy Shield which "looked like to be a desperate measure perhaps a year or two ago is now, I think, largely a success." More than 1,900 companies have self-certified.
BSA|The Software Alliance Counselor Emery Simon said the framework has become an "indispensable element" in providing predictability and stability to companies and preserving it is vital. He said challenges to bilateral data flows go beyond Privacy Shield, citing privacy activist Max Schrems' legal challenge in Ireland to Facebook's use of standard or model contractual clauses (see 1702060029 and 1607060009) and lawsuits against Privacy Shield by French and Irish groups (see 1611040002). He said preserving PPD-28 and the State Department ombudsperson to handle European data misuse complaints are important elements.
With Sessions, Jourová said she discussed encryption, adding that it would be efficient to join forces and find solutions since both sides of the Atlantic facing the same global challenges. The commissioner noted the code of conduct created by Facebook, Google's YouTube, Microsoft and Twitter almost a year ago to counter online hate speech (see 1606030037) and 1512030009). "We are currently monitoring how the code is implemented and I expect the results to be released by the end of May," she said. "A lack of progress may challenge the effectiveness of self-regulation in this area and may increase the pressure to legislate." She said working on the issue doesn't mean the government doesn't value freedom of expression, but certain speech that advocates violence is prohibited by law.