EU to Closely Monitor Trump on Data Transfer Compliance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Dec. 1 —The European Union will watch carefully for any signs that the administration of U.S. President-elect Donald Trump might backslide on EU-U.S. Privacy Shield data transfer pact requirements, EU officials said Dec. 1.

But EU and U.S. officials played down fears companies might have about the continued legal viability of trans-Atlantic data transfers under the program.

EU Justice Commissioner Vera Jourova said the European Commission, the EU's executive arm, would “closely monitor the respect of protection standards and the correct implementation” of Privacy Shield “under the new U.S. leadership.”

The viability of Privacy Shield under Trump has been brought into question because the transfer mechanism is predicated on respect for EU privacy rights when personal data of EU citizens is transferred to the U.S. for commercial purposes. During the U.S. presidential campaign, Trump made statements that some in the EU interpreted to mean that such privacy rights might be disregarded.

Chris Connolly, director of the information technology consulting company Galexia Pty Ltd, said that, in particular, Trump has promised to cancel the Trans-Pacific Partnership trade agreement, which includes data protection commitments and that he was in favor of law enforcement profiling on the basis of ethnicity or religious group affiliation.

But Adina-Ioana Valean, a center-right Romanian member of the European Parliament, said at the same conference that during the U.S. presidential campaign “a lot of things were said,” and “we should sit and wait for the next move and then we can judge” the impact of the Trump administration on data flows.

Jourova, Connolly and Valean spoke at the European Data Protection and Privacy Conference in Brussels.

‘Keep Calm and Carry On’

The Privacy Shield is a data protection program under which U.S. companies can self-certify that their privacy practices are in line with European Union privacy standards. Participating companies can use this certification to legitimize their transfers of the personal data of EU citizens to the U.S. and other companies, including those in the EU, can point to the certification to allow transfers to those companies.

Certification under Privacy Shield became possible Aug. 1. Shannon Coe, head of international data transfers in the U.S. Department of Commerce, also speaking at the Brussels conference, said that more than 1,800 companies had submitted self-certifications, and about 1,000 of these had been processed and listed on the Privacy Shield website.

Coe said the high level of interest in Privacy Shield was “revealing about the importance of our trans-Atlantic data flows,” and companies should “keep calm and carry on” as the Trump administration takes office.

’Dynamic’ Monitoring

Privacy Shield was agreed to by the EU and U.S. after the EU's top court in 2015 invalidated Privacy Shield's predecessor, the U.S.-EU Safe Harbor program, on the basis that it didn't offer an adequate level of privacy and hadn't been sufficiently monitored by the European Commission.

Bruno Gencarelli, head of the data protection unit within the commission's Justice Directorate and one of the lead Privacy Shield negotiators, told Bloomberg BNA Dec. 1 that one consequence of the court ruling was that Privacy Shield would be monitored “in a much more dynamic way” than had the Safe Harbor.

The Privacy Shield contains provisions on protection of data in commercial contexts and checks on government access to data that is transferred to the U.S. Gencarelli said that if monitoring by the commission “would reveal that these mechanisms are not functioning, that would put in question the arrangement.”

The Privacy Shield requires the commission to carry out an annual review of the functioning of the mechanism, with the first review to be completed in summer or fall 2017.

Under Privacy Shield the U.S. administration must “do a number of things,” such as ensure redress for EU citizens in cases of privacy breaches, and “the practice will tell us if the U.S. is complying or not with its commitments, Gencarelli said.

He added that Privacy Shield received bipartisan support in the U.S. and “we should not assume that the situation will change to an extent that will put those arrangements in danger.”

International Transfers Strategy

Gencarelli also said the commission would issue a strategy paper in January on the range of mechanisms that companies can use to transfer the personal data of EU citizens outside the bloc, and how these mechanisms could be built on to create a more encompassing framework for transfers.

Gencarelli said “we have a diversified toolkit in terms of transfers,” including Privacy Shield, adequacy decisions that recognize as effective the data protection regimes of non-EU countries, and mechanisms used by companies, such as binding corporate rules.

“We need now to use those tools and see how these tools can be adapted to a diversified world,” Gencarelli said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security