Despite a host of challenges facing the Privacy Shield, the EU-U.S. data transfer agreement cleared its first annual review. Yet while EU officials offered their approval for the agreement, they still noted there is much work left to be done.

In a statement, Věra Jourová, a European Justice commissioner who led the EU Commission review of the Privacy Shield, said that the Privacy Shield “works well, but there is some room for improving its implementation.”

The European Commission went on to release 10 recommendations for improving the agreement in the near and long term. While many of these recommendations are far from new, there may be challenges in executing some of them, given both the new administration in the United States and the different privacy attitudes held by U.S. and EU officials.

Here is a look at three of the most potentially difficult recommendations to implement, and what they mean for the future of the Privacy Shield:


1. An Opening Salvo to Debate Automated Processing?

The EU Commission recommends to “commission a study to collect factual evidence and further assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.” Given that this study will take place around the time the EU will be preparing for new privacy laws of its own, this recommendation could represent the first salvo in a broader effort to regulate automated decision making, also known as automated processing, under the Privacy Shield.

The move may be an attempt to bring the Privacy Shield in line with the EU's upcoming General Data Protection Regulation (GDPR), which will “require organizations to be more communicative and thoughtful in their automated decision-making activities,” said Pulina Whitaker, partner at Morgan, Lewis & Bockius.

Article 22 of the GDPR says that EU citizens “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” But regulating automated processing in the U.S. may be difficult: many organizations employ automation to collect, process and analyze data for a variety of purposes.

Debbie Reynolds, director of EimerStahl Discovery Solutions at Eimer Stahl, said that how such processing factors into Privacy Shield will need to be figured out quickly not only “because of the GDPR coming into effect next year,” but also because “it poses a significant challenge to the integrity of the Privacy Shield.”

Reynolds explained that the “three biggest calls” to invalidate the Safe Harbor Agreement, the since-nullified predecessor to the Privacy Shield, were all “things have to do with people of the EU being uncomfortable with bulk [automated] processing”: the “Patriot Act, the Edward Snowden revelations and the Max Schrems' case out of Ireland.”

Reynolds added that while commissioning a study is “a good idea,” the EU and U.S. “are far apart on where they stand on bulk [automated] processing and how that is going to impact EU citizens.”


2. Staffing Woes

Among its recommendations, the EU Commission reiterated what it had called for at the beginning of the annual review: the need for the United States to fill out key administrative positions vital to Privacy Shield operations.

These positions include the still-vacant Ombudsperson role at the U.S. Department of State to address complaints by EU citizens over Privacy Shield violations, and numerous vacant positions on the Privacy and Civil Liberties Oversight Board (PCLOB), which is meant to oversee U.S. government surveillance programs.

There are signs that it may be an uphill battle. When asked about the slow pace of appointments in his administration during an October 2017 interview with Forbes magazine, U.S. President Donald Trump signaled the vacancies in many federal departments were intentional.

“I'm generally not going to make a lot of the appointments that would normally be—because you don't need them,” he said. “I mean, you look at some of these agencies, how massive they are, and it's totally unnecessary.”

There are signs, however, that the administration is moving to fill out the PCLOB, given the recent nomination of Adam Klein, senior fellow at the Center for a New American Security and former law clerk to the late U.S. Supreme Court Justice Antonin Scalia, as its chairman.

Charles-Albert Helleputte, a partner in Mayer Brown's Brussels office, said that this “recent appointment is likely to be considered as a good signal by EU institutions.”

He added, “For the EU, the appointment can be considered as a course of action.”

But while a good sign, Morgan Lewis' Whitaker notes that the Privacy Shield apparatus is still missing far more essential U.S. officials. “Appointing a permanent ombudsman is more critical at this stage, including for continuing communications about the operation of the Privacy Shield,” she said.


3. From Policy Directive to Law?

Under Presidential Policy Directive 28, former President Barack Obama limited U.S. mass surveillance activities to respect the privacy of both U.S. and foreign citizens. The directive, known as PPD-28, was a key assurance for the EU, curtailing U.S. surveillance activities within certain boundaries.

Now, EU officials want to make sure these protections become permanent. The EU Commission for the Privacy Shield Review recommended that the policy directive be enshrined under the Foreign Intelligence Surveillance Act (FISA) when the law is up for reauthorization at the end of 2017.

It is difficult to know, however, whether there is support for such a move from the Trump administration, or leaders of Congress, as there has been little public comment on the fate of PPD-28. However, during his March 2017 U.S. Senate nomination hearing, now-approved director of National Intelligence Daniel Coats briefly addressed the issue in written responses to the Senate Select Committee on Intelligence questionnaire.

Coats wrote that “the European Commission relied in significant part on the privacy protections of PPD-28 when it found the U.S.-E.U. Privacy Shield framework was adequate. For that reason, before any changes to the PPD are made, I believe it [is] important to consider the consequence of any modifications.”

Beyond Coats, though, it is difficult to know how others in the Trump administration view PPD-28. “Especially because [this administration] has not been very supportive of some of the prior Obama administration's activities or actions, I think people are waiting to see whether this administration will support the [PPD-28],” Reynolds said.

She added that “it's in everyone's best interest to ensure that these issues don't impact commerce or impact Europeans' fundamental right to privacy.”