Commerce’s Ross May Face EU-U.S. Data Transfer Pact Tests


By Daniel R. Stoller

Recently confirmed U.S. Commerce Secretary Wilbur Ross may be faced with the task of bolstering confidence in an important European Union-U.S. cross-border data transfer program, privacy attorneys told Bloomberg BNA March 1.

Although Ross has other priorities on his plate, including North American Free Trade Agreement (NAFTA) reform, he can expect, at some point this year, to deal with EU-U.S. Privacy Shield data transfer program issues. Over a thousand U.S. companies certified in the program, as well as tens of thousands of EU companies that work with them, rely on the program to legally transfer personal data out of the EU. Some in the EU are concerned that President Donald Trump may take action to undercut the program’s privacy guarantees, and it may fall to Ross to calm those fears.

Ross should be up to the task, Brian Hengesbaugh, former special counsel to the general counsel at Commerce and part of the core team that negotiated the U.S.-EU Safe Harbor data transfer pact that preceded the Privacy Shield, told Bloomberg BNA March 1. He “will have a strong grasp of the importance of Privacy Shield for the U.S. and the global digital economy,” Hengesbaugh, now a privacy and data protection partner at Baker McKenzie in Chicago, said.

Jeewon Kim Serrato, counsel at Shearman & Sterling LLP and co-head of the firm’s global privacy and data protection group, told Bloomberg BNA March 1 that Ross and the Trump administration will need to balance U.S. national security interests with EU citizens’ “rights to privacy and data protection” to make sure the Privacy Shield remains intact.

Hengesbaugh said Ross’ background as “a successful investor and business leader” will invariably lead him to start with trade reforms such as NAFTA, but he will inevitably have to face Privacy Shield issues head-on. Ross, a private equity investor, is worth $3 billion, Bloomberg data show.

Companies shouldn’t worry that a lack of completed, lower-level political appointments may negatively affect Commerce’s administration of the Privacy Shield, Hengesbaugh said. The Privacy Shield process predates Ross at Commerce, so there won’t be “much differentiation” in how different staffs handle the data transfer program, he said.

Commerce didn’t immediately respond to Bloomberg BNA’s email request for comment.

Privacy Shield

The Privacy Shield allows U.S. companies that self-certify to Commerce their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. It provides critical support for the more than $260 billion in trade in services between the U.S. and EU, according to the Obama administration’s Jan. 4 exit memo on Commerce. The Privacy Shield replaced the Safe Harbor framework, which was invalidated, in part, due to fears that it was inadequate to protect EU personal data sent to the U.S. from widespread government access.

Ross said during a Jan. 18 confirmation hearing that he remains committed to the Privacy Shield, but “there will be a tension between privacy on one hand and problems of localization and data and the implications that they have for the internet as we go forward.”

The Privacy Shield’s first annual review set for this summer will be an early test for Ross to see how “businesses, the U.S. Department of Commerce and the European data protection authorities” have lived up to expectations under the cross-border data transfer program, Serrato said. Ross will need to reach out to EU privacy regulators to ensure “that the data collection practices by U.S. intelligence agencies and businesses meet the requirements for providing adequate protections” for EU citizens, she said.

EU Privacy Shield Concerns

Earlier, Trump’s immigration executive order asserted limitations on the ability to extend the Privacy Act, which allows individuals to sue the government over alleged misuse of their personal data, to non-U.S. citizens. The Privacy Shield depends, in part, on amendments to the Privacy Act that allow the Department of Justice to designate that citizens from countries or groups of countries, such as the EU, may also sue under the law.

The immigration order has been stayed by federal courts, and officials on both sides of the Atlantic have promised that it doesn’t affect the Privacy Shield. Trump is expected to release a new version of the immigration order soon, but it is unknown if it will include language similar to the initial order.

In the meantime, the U.S. Department of Justice has assured the European Commission, the EU’s executive arm, that Trump’s executive orders won’t affect EU citizen redress rights under U.S. laws, Hengesbaugh said. That should signal to companies that the “Privacy Shield will remain in place and operating as currently structured for the foreseeable future,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
