Commerce Nominee Unlikely to Upset Cybersecurity, Privacy

By Daniel R. Stoller

President-elect Donald Trump’s Commerce secretary nominee Wilbur Ross gave no indication during a Jan. 18 confirmation hearing that he might roll back international data transfer programs or domestic cybersecurity initiatives under the Commerce Department’s jurisdiction.

U.S. companies concerned about possible Trump administration changes in how they legally move personal data from Europe under the European Union-U.S. Privacy Shield data transfer program should be able to breathe easier based on Ross’ responses. Companies that have been relying on Commerce’s National Institute of Standards and Technology (NIST) cybersecurity advice should also be able to continue to rely on those standards, if Ross is confirmed.

Billionaire private-equity investor Ross—worth an estimated $2.9 billion, according to Bloomberg data—appeared before the Senate Commerce, Science and Transportation Committee to answer questions about how he would run Commerce.

Many of the questions swirled around spectrum allocation, international trade and climate change. But Ross, who has been largely silent on cybersecurity and privacy issues, also answered questions on cross-border data transfer programs, cybersecurity initiatives and private-public threat data sharing partnerships. Ross appeared supportive of cross-border data sharing programs and cybersecurity initiatives but also said privacy and security must be balanced in a “cost-benefit approach.”

Privacy attorneys and advocates didn’t all agree with that assessment.

Michelle Cohen, data privacy member at Ifrah Law in Washington and head of the firm’s electronic commerce practice, told Bloomberg BNA Jan. 18 that privacy and security complement one another. Companies should strive for top-notch cybersecurity to protect the data they collect and provide privacy policies sufficient to protect against consumer class claims, regulatory enforcement charges and other potentially costly action, she said.

“Privacy is absolutely key to security,” Matt Wood, policy director for open internet think tank Free Press in Washington, told Bloomberg BNA Jan. 18. To protect against cybersecurity incidents and other privacy problems, companies should realize that “strong encryption and other so-called privacy measures are essential to defending our security,” Wood said.

Privacy Shield Safe for Now

Ross’ comments on the EU-U.S. Privacy Shield data transfer program indicated that the program is viable for the foreseeable future.

The Privacy Shield allows U.S. companies that self-certify their compliance with EU-approved privacy and security principles with Commerce to legally transfer personal data from the EU to the U.S. It provides critical support for the more than $260 billion in trade in services between the U.S. and EU, according to the Obama administration’s Jan. 4 exit memo on Commerce.

The Privacy Shield is relied upon by over 1,000 companies, including Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc. Ross, who may be hesitant to upend new relationships he’s forged with tech sector leaders, said that he was “impressed” with the willingness of leaders such as Apple Inc. CEO Tim Cook and Sheryl Sandberg, Facebook’s chief operating officer, to work with the incoming Trump administration.

Although Ross said that he doesn’t “intend to be pushed around by anyone,” the tech sector’s influence may help insulate programs like the Privacy Shield, which was finalized in July 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program, from cuts or elimination for the time being.

The Safe Harbor program was relied on by over 4,000 U.S. companies and tens of thousands of EU business partners before being invalidated by the EU’s top court, partly over cybersecurity concerns related to government access to transferred data.

During the hearing, Ross said “there are agreements that exist” for cross-border data transfers but also said tensions may arise between privacy and data localization efforts. Data localization is the practice whereby a country demands that certain types of data be stored within its geographic borders.

‘Large and Imminent’ Cybersecurity Threat

Under questioning, Ross weighed in on the cybersecurity risk to government and industry in light of the Russian hacking scandal, including allegations of that country’s interference in the U.S. presidential election.

In response to questions from Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.), Ross called cybersecurity issues “very complicated” and said the U.S. needs to be “extremely vigilant in developing new and better systems” to protect against a “large and imminent” cyberattack risk.

In particular, Ross said he understood the cybersecurity risks facing small- and medium-sized banks because of his experience investing in those institutions. But a growing cybersecurity threat faces all industrial sectors, he said.

To combat threats, Commerce’s development of cybersecurity standards for companies will remain a “very serious function,” Ross said. He also called for a “thorough investigation” into what could help companies fight cyberattacks.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
