The EU-U.S. Privacy Shield Stands on Firm Ground

BY CCIA Staff
February 9, 2017

Washington — The EU-US Privacy Shield Framework, concluded last year, is critical to the information flows driving $260 billion in transatlantic digital services. It is critical to the ability of Europeans to enjoy these services in a privacy-protective way, and to supporting innovation on both sides of the Atlantic. The agreement’s multi-layered privacy protections are based on a wide range of constitutional, statutory, administrative, and non-judicial protections and remedies available in the U.S. to ensure adequacy under EU law, including several commitments by federal agencies, law enforcement, and the U.S. intelligence community.

In recent weeks, a handful of international stakeholders expressed concern about the continued viability of the EU-U.S. Privacy Shield Framework, claiming there have been changes (or may be future changes) impacting Privacy Shield following the change in U.S. administration. It’s time to set the record straight: there have been no changes in U.S. law, policy, or practice that would impact the viability of Privacy Shield.

One of these stakeholders recently wrote to the European Commission seeking suspension of Privacy Shield based on a variety of “recent developments.” The developments they cite have no material impact on the viability of Privacy Shield and should not be invoked to push for its suspension. What’s more, the European Commission issued statements affirming the continued viability of Privacy Shield just two weeks ago.

Jan. 25 Executive Order on “Enhancing Public Safety in the Interior of the United States”

Concerns about Section 14 of the January 25 Executive Order do not apply to Privacy Shield in any manner. First, Privacy Shield did not rely on the Privacy Act to offer protections to non-U.S. persons whose data is transferred under its terms. Instead, Privacy Shield created separate mechanisms for data protection and redress. Second, though Privacy Shield’s adequacy is in no way reliant on the redress rights separately afforded to citizens of certain foreign countries pursuant to the Judicial Redress Act of 2015, the EO does not, according to prevailing analysis, impact those rights as they pertain to EU persons. The EO cannot supersede existing statute, and acknowledges this with the caveat, “to the extent consistent with applicable law.” Ultimately, the JRA is on the books, and its protections have already been extended to the citizens of 26 countries and the European Union.

Executive Order 12333

The strength of Privacy Shield is unrelated to the amount of reporting by the Privacy and Civil Liberties Oversight Board, and concerns about Executive Order 12333 are not applicable to data transferred from the EU to the U.S. by organizations certified under Privacy Shield. As the European Commission (relying on U.S. government representations) notes in its adequacy determination, intelligence agencies may only seek personal data transferred via Privacy Shield pursuant to Foreign Intelligence Surveillance Act orders or individualized National Security Letters. Thus, a lack of reporting by the PCLOB on EO 12333 is also not relevant to Privacy Shield adequacy.

PPD 28 and USA FREEDOM Act

The letter also suggests that prior statements by future leaders of the Trump Administration’s law enforcement and intelligence agencies indicate that the surveillance reforms contained within PPD-28 and the USA FREEDOM Act are at risk. At present, no pending executive or legislative actions would roll back these important protections—these footings for Privacy Shield are as strong as ever. Any concern about what the Executive Branch or Congress may do in the future is merely speculative.

Privacy and Civil Liberties Oversight Board

Finally, the letter argues that the PCLOB is operating below full capacity due to board member term expirations. However, the Board is in fact fully operational at the staff level, and short-term periods without a full complement of appointees are typical of any presidential transition. Moreover, the PCLOB is mentioned by the EC in its adequacy determination as one of the many layers of oversight applicable to U.S. surveillance activities.

Simply put, the European Commission did not rely on the laws or policies potentially affected by these developments in making its adequacy determination for Privacy Shield. Nor should the Commission take any action based on the mere speculation of future actions by a new Administration. With Privacy Shield on firm ground, it is premature to call for the suspension of such a vital, privacy-protective component of the transatlantic digital relationship.

Related Articles

Oxford Economics presents study on digital services in the EU, offers recommendations for upcoming Digital Services Act

Nov 20, 2020

Brussels, BELGIUM — Oxford Economics has released a study examining digital services in Europe. The study investigates how digital services weave into Europe’s economy and society and explores online content moderation best practices to fight against the dissemination of illegal content, products and conduct online. The Computer & Communications Industry Association commissioned the study to…

CCIA Weighs In On European Commission Request For Input On Trade Strategy

Nov 16, 2020

Brussels, BELGIUM — The Computer & Communications Industry Association filed comments with the European Commission as it crafts a trade strategy for the digital age. The EC consultancy is an opportunity to accelerate the digital transformation of Europe’s trade policies. CCIA encouraged the EU “to pursue an ambitious trade agenda that includes the strengthening of the…

DSA: Unlocking the Benefits of Digital Services in Europe

Nov 12, 2020

Join us to discuss the role of digital services in Europe as Oxford Economics unveils a new CCIA-commissioned study on “Digital Services in Europe” on 20 November. The study investigates how digital services weave into Europe’s economy and society and explores online content moderation best practices to fight against the dissemination of illegal content, products…