Privacy Shield is an EU-instigated unilateral agreement, in force since 1 Aug 2016, that obliges the US to protect the personal data of EU citizens.
It’s fair to say that since then, Privacy Shield has not been considered the lighthouse of data privacy law. The history of US corporate observance is far less than positive. But this is perhaps unsurprising given its original construction lacked a legal foundation or punitive measures – as MEPs and the wider privacy industry and media have repeatedly and forcefully bemoaned.
Privacy Shield is required to be reviewed each year, during which it can be revoked if it’s not performing or being adhered to, and last month saw Privacy Shield’s second annual review.
As the review approached, there were various theories that Privacy Shield would indeed be suspended or even cancelled by the EU Commission in reaction to the US’ underwhelming response to the 10 recommendations (or perhaps demands) made by the EU this time last year.
One of the key requirements was new senior appointments to the PCLOB (Privacy and Civil Liberties Oversight Board), an independent agency headed by a board of at least three, ideally five, bipartisan members and designed to ensure personal privacy is not infringed in anti-terrorism activity or legislation. These appointments have been slow to say the least. A chair was appointed almost immediately, but two further senior members were only nominated in March and were for many months yet to be confirmed. Indeed, just before the review, a coalition of 31 organisations even called for faster action on this, noting that the PCLOB had only had a full senior complement for 4.5 of its 11 years!
MEPs also resented the US refusal to include Presidential Policy Directive 28 within FISA when it was reviewed at the end of 2017. This would have required US surveillance activities to safeguard all personal information, regardless of the individual’s nationality. This was rejected, and so the EU requested (and is still waiting for) evidence that FISA is not indiscriminately collecting data in direct violation of the EU’s Charter on Fundamental Rights.
All of this said, it seems that this review may have resulted in some notable developments – ones that may save it from being suspended, cancelled or embarrassingly ignored.
The official report is due before the end of the year, but there have already been announcements of practical progress. For example, three PCLOB members were appointed on 12 October (one week before the review), creating a total of four, with one resignation pending and two further nominees before the Senate for approval.
Also, an acting Privacy Shield Ombudsperson was appointed in late September. Granted, this was also overdue and required after the first annual review a year ago, but Manisha Singh, a previous Undersecretary for State, now heads up the focal point for EU citizens to direct their complaints about the US Government’s treatment of their personal data. This appointment has been welcomed by the EU Commission, although judging by the language in the official press release, it is still a source of frustration for the EU that a permanent appointment is still outstanding.
Almost hidden in that same release however was a seed of something potentially rather significant:
“Among other things, the Commerce Department will revoke the certification of companies that do not comply with Privacy Shield’s vigorous data protection requirements.”
This is a new development, and assuming it is carried through in practice, it answers one of the main criticisms of Privacy Shield – its lack of enforcement. It also marks a notable change for the 4,000-odd companies registered with the Commerce Department.
Previously, Privacy Shield has been viewed by many as a tick box exercise. Companies would simply upload their privacy policies, pay a fee and then be self-certified. No third party had to be involved to verify the policies or their performance. Clearly, this was hardly robust.
If companies now need to demonstrate compliance with the requirements of Privacy Shield, and by extension create and follow more robust privacy policies and procedures, then for many this will mean a marked increase in the effort spent protecting EU citizens’ data.
There may still not be the threat of financial fines, but active statements of enforcement are a marked improvement on the past. Revocation of certifications will most likely depend on complaints and whistleblowing, and it is true that the Federal Trade Commission has in two years only received four complaints of companies’ false or lapsed compliance. But GDPR and other national privacy legislation has heightened society’s and companies’ scrutiny of how data is collected, shared and used, meaning more objections are likely, in turn making the possession or loss of the certification more important.
We may well see revoked certifications having dramatic commercial impacts on those companies whose ability to tender for, or continue to hold, certain contracts depends on their holding that certification. For a few, that revocation may even be more dangerous than the fines possible under GDPR, and we all saw how those potential penalties spurred the global business world into action.
Of course, we have to wait and see what actually happens. Privacy Shield will most likely live to see another day, or year. The above warning will lead to either a serious change in how Privacy Shield operates and companies treat it, or the criticism of “toothlessness” will continue. The imminent report will reveal all, but it certainly appears that the wheels are in motion to require companies to go to a great deal more effort with Privacy Shield than they have before.