Washington — The EU-U.S. Privacy Shield Framework, concluded last year, is critical to the information flows driving $260 billion in transatlantic digital services. It is critical to the ability of Europeans to enjoy these services in a privacy-protective way, and to supporting innovation on both sides of the Atlantic. The agreement’s multi-layered privacy protections are based on a wide range of constitutional, statutory, administrative, and non-judicial protections and remedies available in the U.S. to ensure adequacy under EU law, including several commitments by federal agencies, law enforcement, and the U.S. intelligence community.
In recent weeks, a handful of international stakeholders expressed concern about the continued viability of the EU-U.S. Privacy Shield Framework, claiming there have been changes (or may be future changes) impacting Privacy Shield following the change in U.S. administration. It’s time to set the record straight: there have been no changes in U.S. law, policy, or practice that would impact the viability of Privacy Shield.
One of these stakeholders recently wrote to the European Commission seeking suspension of Privacy Shield based on a variety of “recent developments.” The developments they cite have no material impact on the viability of Privacy Shield and should not be invoked to push for its suspension. What’s more, the European Commission issued statements affirming the continued viability of Privacy Shield just two weeks ago.
Jan. 25 Executive Order on “Enhancing Public Safety in the Interior of the United States”
Concerns about Section 14 of the January 25 Executive Order do not apply to Privacy Shield in any manner. First, Privacy Shield did not rely on the Privacy Act to offer protections to non-U.S. persons whose data is transferred under its terms. Instead, Privacy Shield created separate mechanisms for data protection and redress. Second, though Privacy Shield’s adequacy is in no way reliant on the redress rights separately afforded to citizens of certain foreign countries pursuant to the Judicial Redress Act of 2015, the EO does not, according to prevailing analysis, impact those rights as they pertain to EU persons. The EO cannot supersede existing statute, and acknowledges this with the caveat, “to the extent consistent with applicable law.” Ultimately, the JRA is on the books, and its protections have already been extended to the citizens of 26 countries and the European Union.
Executive Order 12333
The strength of Privacy Shield is unrelated to the amount of reporting by the Privacy and Civil Liberties Oversight Board, and concerns about Executive Order 12333 are not applicable to data transferred from the EU to the U.S. by organizations certified under Privacy Shield. As the European Commission (relying on U.S. government representations) notes in its adequacy determination, intelligence agencies may only seek personal data transferred via Privacy Shield pursuant to Foreign Intelligence Surveillance Act orders or individualized National Security Letters. Thus, a lack of reporting by the PCLOB on EO 12333 is also not relevant to Privacy Shield adequacy.
PPD-28 and USA FREEDOM Act
The letter also suggests that prior statements by future leaders of the Trump Administration’s law enforcement and intelligence agencies indicate that the surveillance reforms contained within PPD-28 and the USA FREEDOM Act are at risk. At present, no pending executive or legislative actions would roll back these important protections—these footings for Privacy Shield are as strong as ever. Any concern about what the Executive Branch or Congress may do in the future is merely speculative.
Privacy and Civil Liberties Oversight Board
Finally, the letter argues that the PCLOB is operating below full capacity due to board member term expirations. However, the Board is in fact fully operational at the staff level, and short-term periods without a full complement of appointees are typical of any presidential transition. Moreover, the PCLOB is mentioned by the EC in its adequacy determination as one of the many layers of oversight applicable to U.S. surveillance activities.
Simply put, the European Commission did not rely on the laws or policies potentially affected by these developments in making its adequacy determination for Privacy Shield. Nor should the Commission take any action based on the mere speculation of future actions by a new Administration. With Privacy Shield on firm ground, it is premature to call for the suspension of such a vital, privacy-protective component of the transatlantic digital relationship.