Privacy Shield Data Transfer Pact Review to Focus on Enforcement

By Jimmy H. Koo and George Lynch

European regulators are approaching the Sept. 18 first annual review of the EU-U.S. Privacy Shield data transfer framework with pressing concerns over U.S. government surveillance and potentially indiscriminate processing of EU citizens’ personal information, privacy and security professionals told Bloomberg BNA.

The continuing functioning of the Privacy Shield is critical because nearly 2,500 U.S. companies and tens of thousands of EU companies rely on it to transfer data legally from the European Union to U.S. companies that self-certify to the U.S. Department of Commerce their compliance with EU privacy principles.

The review of the Privacy Shield will focus on U.S. compliance with its privacy commitments under the pact, the pros told Bloomberg BNA.

Among the concerns is that the automated processing of data once it gets to the U.S. may not fully protect privacy, Emerald de Leeuw, CEO of EuroComply Data Protection Technology in Dublin, told Bloomberg BNA.

EU regulators have expressed concern over “the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data,” de Leeuw said.

EU regulators, too, want to know that the U.S. ombudsman office set up to accept individual privacy complaints is effective. Meanwhile, some EU lawmakers have expressed concern that President Donald Trump may not be fully committed to limitations on government surveillance of data transferred to the U.S.

The framework replaced a data transfer agreement that was invalidated by the EU’s top court, in part, over concerns that data transferred to the U.S. might be subject to government misuse. The U.S. and EU agreed to review the replacement Privacy Shield each year to assess how well new privacy protections are working.

Despite concerns, some are confident that the framework will pass its first review.

Robert Litt, of counsel in Morrison & Foerster LLP’s national security and global risk & crisis management practice, and a member of the Privacy Shield negotiating team when he was general counsel at the Office of the Director of National Intelligence, told Bloomberg BNA that the review “will confirm that the Privacy Shield is working as intended.”

Redress Ombudsman

The Privacy Shield agreement required the U.S. to appoint an ombudsman to whom individuals can refer any complaints about undue surveillance of data by U.S. authorities.

But the Trump administration hasn’t appointed a permanent ombudsman, something that doesn’t help create EU confidence that privacy is being protected, de Leeuw said. Moreover, the acting ombudsman is a government official, inherently raising concerns about independence, she said.

Some European officials have questioned the independence of the ombudsman. EU Justice Commissioner Vera Jourova, who is leading the EU Privacy Shield review delegation, has said the “independence and efficiency” of the U.S. ombudsman is crucial.

Automated Processing

Justin Antonipillai, CEO of data privacy management company WireWheel.io, told Bloomberg BNA in a recent video interview that how U.S. companies deal with automated processing of personal data is of concern to EU officials. Antonipillai was the Commerce acting undersecretary who led the U.S. team that negotiated the Privacy Shield.

Automated processing of personal data raises high-risk privacy concerns under the EU’s new privacy regime, the EU General Data Protection Regulation, which is set to take effect in May 2018.

Businesses on Board?

Some professionals are underwhelmed by the response of U.S. businesses to the Privacy Shield.

The safe harbor program, approved in 2000, had over 5,400 U.S. companies in its registry when Commerce closed it. Less than half that number have applied for Privacy Shield certification since it began taking applications in August 2016, de Leeuw said.

The “Privacy Shield was always going to be a band-aid solution after Safe Harbor was declared invalid,” de Leeuw said. Many companies haven’t found the Privacy Shield “worth their while to sign up,” she said, citing the application numbers.

Others say U.S. businesses are generally supportive of the Privacy Shield as a necessary mechanism to allow data transfers.

The Privacy Shield is proof of the “strong desire on both sides of the Atlantic to ensure privacy and innovation improve together,” Thomas Boue, director general for EMEA policy at BSA | The Software Alliance, said in a Sept. 14 statement.

Enforcement

During its tenure, the Safe Harbor was criticized by EU privacy advocates who alleged the Federal Trade Commission, which didn’t publicize any Safe Harbor enforcement actions until 2009, didn’t do enough to ensure corporate compliance with privacy promises.

The FTC also has enforcement authority over the Privacy Shield. It recently reached settlements against three companies alleged to have falsely claimed Privacy Shield certification.

The Commerce Department didn’t immediately respond to a Bloomberg BNA email requesting comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com and George Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
