With the latest guidance from the European Data Protection Board killing any chance for a regulatory grace period for companies that rely on Privacy Shield to transfer data between Europe and the United States, the need for a replacement deal is more imperative than ever.
While it’s unclear where the two regions are with negotiations, three former Commerce Department officials who have worked with Privacy Shield in various roles told Morning Consult that there are two options the United States could pursue to make a deal more likely: create stronger rights for E.U. citizens to submit complaints about how their data is used in the United States or move the Privacy Shield’s ombudsman position from its current home at the State Department to an autonomous agency to increase its independence. The Court of Justice of the European Union named both issues as its top reasons for striking down the transatlantic agreement.
“If you solve either one of them, you may have a path to either adequacy or something that works this out,” said Justin Antonipillai, the former undersecretary for economic affairs at the Commerce Department who co-led the U.S. negotiations to create Privacy Shield in 2016. “I don’t think it’s both.”
The Court of Justice of the European Union’s ruling, issued July 16, upends yet again the more than 5,300 American and European companies that rely on the program to transfer data like customer information or human resources files between their U.S. and European offices. Privacy Shield had been established in 2016 as a replacement to the Safe Harbor data pact, which was invalidated by the same court in a 2015 ruling on a lawsuit filed by Austrian privacy advocate Max Schrems in response to Edward Snowden’s 2013 revelations of the U.S. government’s mass surveillance operations.
Although the court clearly laid out a roadmap for the Commerce Department and the European Commission to establish a new deal, former U.S. officials say the talks will have to jump over a recurring hurdle at the heart of negotiations: the fundamental difference in how the two regions view consumer privacy and government surveillance issues.
Former officials say that concerns over how companies handle consumer data didn’t appear to drive the E.U. court’s decision to strike down the Privacy Shield agreement. Instead, they noted, the court cited its worries about the U.S. government’s access to such data for surveillance purposes.
While the European Union’s General Data Protection Regulation, one of the toughest comprehensive privacy laws on the books worldwide, applies both to companies and government bodies, the United States typically views consumer data privacy and government surveillance as two separate issues, creating opportunities for misunderstandings and imbalances in negotiations.
Any future discussions between the E.U. and U.S. officials will closely “mirror some of the other discussions” that happened following the invalidation of Safe Harbor in 2015, said John Verdi, vice president of policy at the Future of Privacy Forum, who was also the director of privacy initiatives at Commerce’s National Telecommunications and Information Administration from 2012 through 2016.
“Those were discussions about the nature of U.S. surveillance authorities, the constraints — legislative, administrative, technical, judicial — on those surveillance authorities and the degree to which those constraints align with European law and the degree to which they provide meaningful redress to European citizens,” he said.
Antonipillai said the court ruling failed to properly account for the existing oversight mechanisms in place for the U.S. government’s surveillance mechanisms, such as congressional committees, inspectors general at executive departments and the entire Privacy and Civil Liberties Oversight Board — underscoring the differences between the two regions’ approaches.
During the last round of negotiations, Antonipillai said the United States made “good first steps” when it created an ombudsperson for the Privacy Shield program who worked with independent oversight bodies, like the inspectors general, to process data requests. But he said additional layers of protection and changing the reporting structure to provide the Privacy Shield ombudsman role, which currently sits in the State Department, with more independence could help matters.
One obstacle to this is the appointments clause in the U.S. Constitution, which gives the president sole authority to appoint certain positions, making it difficult for the data pact’s ombudsman and other oversight roles to be truly independent from the executive branch.
“Because there’s no constitutionally approved independent overseer of the president, you have to try to work something out that is in between something that’s permissible under the U.S. Constitution and something that is permitted, or required, under the Schrems decision,” he said. One possible outlet could sit with Congress, he said, which could establish a new role that strikes a balance between the executive powers afforded under the Constitution and what the E.U. courts want.
Caitlin Fennessy, a former Privacy Shield director from 2018 to 2019 and the current research director at the International Association of Privacy Professionals, said negotiations could require a bit of help from Congress if it’s determined that any new laws or reforms are needed, a process that could also add more question marks to the timeline for a new deal. During the last round of negotiations, Congress passed the Judicial Redress Act in February 2016 to give certain non-U.S. citizens specific rights, including the ability to sue companies, in privacy cases as part of the Privacy Shield negotiations.
But Fennessy said that in the short term, passing a comprehensive federal privacy law could help ease worries as the United States and European Union negotiate a replacement deal.
“Having a longer-term, steadier framework on the commercial front — something like a federal privacy law, which so many companies have called for, for other reasons — could help separate out those national security issues and perhaps help lead you to a more sustainable solution,” Fennessy said.