While the Privacy Shield was approved in July 2016 and certification began the following month, the EU-US cross-border data transfer framework, which has been used by more than 2,400 organizations since its inception, has since been panned by many EU officials and agencies.
The EU’s Article 29 Working Party, for example, still has concerns over the agreement that it believes were not properly addressed in last year’s negotiations.

But on Monday, September 18, EU officials got the chance to address their criticisms with U.S. officials at the two-day Annual Joint Review on the Privacy Shield in Washington D.C.

While an official report documenting what was discussed and agreed to at the conference may still be weeks away, experts weighed in on what issues were most likely discussed during the review:

  1. Automated Data Processing and Decision Making

With the EU’s General Data Protection Regulation (GDPR) coming online in 2018, the Privacy Shield review likely included discussions on how best to ensure the agreement is in sync with GDPR standards. One potentially significant sticking point, however, may have been the rights of U.S. companies to allow automated processing and decision-making with EU citizen data.

Automated processing and decision making is the core of many artificial intelligence (AI)-powered tools and processes deployed by U.S. companies. Amazon, for example, uses AI to automatically aggregate and review each user’s purchase history to recommend items for purchase. Similarly, parties performing big data analytics, such as legal tech providers looking to benchmark legal services costs or law enforcement uncovering information about internet users, often use AI-powered automated processing and decision making as well.

Under GDPR’s Article 22, however, EU citizens “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

It is not entirely clear how the GDPR’s provision will be interpreted or applied once it is the law of the land, nor how Privacy Shield will adjust to the provision’s restrictions in the coming year. Kendall Burman, cybersecurity and data privacy counsel at Mayer Brown, noted that as a “carry over from the Safe Harbor framework,” the Privacy Shield “does not address this issue head on.”

“I think one of the questions that I imagine the EU delegation has discussed is how the Privacy Shield responds to the changes in EU data protection law with the GDPR,” she said.

  2. U.S. Surveillance Assurances

One of the most problematic areas of the Privacy Shield for many EU officials has been what they see as lackluster assurances from the US regarding the commitment not to perform bulk data collection or surveillance on EU citizens.

Ryan Costello, European operations manager at eTERA Consulting, noted that such assurances are necessary because “you don’t really have anything in the Privacy Shield that addresses surveillance.”

Burman added she believes there was “a focus on explaining some of the commitments” regarding surveillance during the review, calling it a “main objective” for both sides to make sure these commitments are satisfactory.

For their part, EU officials have been adamant that the current assurances do not go far enough. In April 2017, the European Parliament adopted a resolution listing what it sees as the inadequacies of the Privacy Shield. The resolution specifically declared that the European Parliament “deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes.”

It added that the parliament has reason to “strongly doubt the assurances brought by the Office of the Director of National Intelligence [ODNI]” that the US would not indiscriminately conduct bulk data collection and surveillance on EU citizens.

Those assurances by the ODNI, along with other US federal agencies, that such activities would not be permitted outside of allowed limited use cases were essential to the Privacy Shield’s initial approval in July 2016.

In addition to the EU Parliament, parties like the EU Article 29 Working Group have also been vocal about their distrust of the assurances.

In a letter to Věra Jourová, an EU commissioner and leader of the EU team that participated in the annual joint review, the Article 29 Working Group noted it is likely to weigh in on whether the Annual Joint Review adequately addressed its concerns.

“Subject to the outcome of the Joint Review and the report of the Commission, the [Article 29 Working Group] may also present a separate public report following the Joint Review,” wrote Isabelle Falque-Pierrotin, chairwoman of the group.

  3. Vacancies in Key Privacy Shield Roles

The Privacy Shield requires certain officials in the US to act as arbiters in EU-US data transfer disputes and provide a check on US bulk data collection and surveillance programs. The problem, however, is that many of those officials have not yet been nominated or approved by the US government.

There is no ombudsman at the State Department, for example, to address complaints from European citizens over Privacy Shield violations. Commissioner Jourová told The Hill that the appointment of an ombudsman is a “very clear-cut requirement from our side.”

But she declined to set a hard deadline for when such officials should be appointed, noting that the EU understands the appointment process “is rather complicated.”

Vacancies on the U.S. government’s Privacy and Civil Liberties Oversight Board (PCLOB), which is meant to oversee government surveillance programs, were also likely to have been brought up by EU officials during the review.

The Trump administration has been slow to fill out the board, though it recently nominated Adam Klein, senior fellow at the Center for a New American Security and former law clerk to the late Justice Antonin Scalia, as its chairman.

Costello noted that the role of this board was “a major part of getting the Privacy Shield approved, and I think the fact that the PCLOB has not been fleshed out is a problem.”


Reprinted with permission from the September 22, 2017 edition of Legaltech News © 2017 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.