Despite Concerns, EU Official Confident in Upcoming First Review on Privacy Shield

Several EU officials and the European Parliament over the past month (see 1704190057 and 1704060013) have expressed worry that some U.S. commitments such as the Department of State's ombudsperson and Privacy and Civil Liberties Oversight Board (PCLOB) (see 1703290015) haven't been brought up to full strength under the Trump administration. Members of European Parliament two weeks ago passed a resolution outlining what it considers problems with U.S. surveillance activities, PCLOB vacancies that prevent it from meeting, the independence of the ombudsperson and effective judicial redress.

It would reassure everybody if those positions were filled, Gencarelli said, but the EC's role is to ensure "those functions are exercised and that they're exercised effectively." He said no deadlines or ultimatums have been or expect to be set down before the review, which will take place in Washington around mid-September and expected to be conducted annually. He said it will cover all aspects of Privacy Shield, including the administrative, general and regulatory elements, and check and assess everything that was agreed to has been effectively put into place and is functioning. He described the review as a "health check" that looks at all aspects with all interlocutors to identify and address problems with enough time to solve them before it's too late.

The review also will seek feedback from companies, trade associations, nongovernmental organizations and civil society groups, said Gencarelli during the panel discussion, which included Caitlin Fennessy, senior policy adviser to the International Trade Administration's (ITA) Data Flows and Privacy Team, and the FTC's Hugh Stevenson, deputy director-Office of International Affairs. Fennessy said more than 2,000 companies have self-certified under the framework in the nine months since the process began and the government is still reviewing "several hundred" certifications that haven't been finalized. She also said Trump administration officials stand firmly behind the framework.

Some elements of the framework are still being built out, said Fennessy. She said the "arbitral panel" will provide "last resort arbitration" to individuals who filed complaints about data abuse or misuse that weren't resolved through other redress mechanisms. She said ITA is reviewing submissions to be administrator of the arbitral panel and is working with the EC to develop a list of 20 potential arbitrators to sit on the panel, and develop procedures. She said the two sides are working to develop a notice seeking applicants and will soon publish it.

During the Privacy Shield negotiations, Fennessy said the two sides focused "quite a lot on the long-term durability" of the framework. She said it was designed with an eye toward addressing the substantive and procedural elements of the sweeping EU's general data protection regulation, which take effect May 2018. She also said the U.S. filed applications to intervene in two lawsuits by Irish and French privacy advocates against Privacy Shield in the EU General Court (see 1611040002). She said the U.S. is prepared to explain its safeguards and contributions in defending the framework.

The FTC's Stevenson explained the commission's role in the trans-Atlantic data transfer framework, saying it's one of several layers that provides backup enforcement. He cited the 40 cases the FTC brought against companies under the old safe harbor agreement, which mainly dealt with false claims from companies that they were self-certified. Under Privacy Shield, he said the FTC will give priority consideration to referrals from European data protection authorities, dispute resolution providers and the Department of Commerce. He said there's a more structured referral process in place with points of contact and greater information sharing under Privacy Shield.