Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
President-elect Donald Trump’s trade-focused Commerce Department secretary pick Wilbur Ross heads into his Jan. 18 nomination hearing without a clear data privacy and cybersecurity policy stance.
Ross, an investor worth $2.9 billion according to Bloomberg data, has been silent on how he would handle oversight of Commerce cybersecurity and international data transfer matters. Companies rely on Commerce programs for cybersecurity guidance and the ability to transfer consumer, human resources and other personal data out of the European Union.
Ross’ confirmation hearing before the Senate Commerce, Science and Transportation Committee comes two weeks after President Barack Obama’s administration released exit memos highlighting national security, cybersecurity and commercial cross-border transfer issues that will face the Trump administration, including at Commerce.
A Senate staffer told Bloomberg BNA on background Jan. 17 that Sen. Richard Blumenthal (D-Conn.), a committee member, is expected to ask questions regarding Ross’ cybersecurity stance. That would be in line with how Senate Democrats on other committees have questioned Trump appointees about their views on cybersecurity issues.
If confirmed by the Senate, Ross would oversee critical cybersecurity, data privacy and data transfer programs, including the National Institute of Standards and Technology’s cybersecurity framework and the European Union-U.S. Privacy Shield data transfer mechanism.
Ross “appears to have no direct experience or expertise in cybersecurity or privacy,” Edward J. McAndrew, privacy and data security partner at Ballard Spahr LLP in Philadelphia, told Bloomberg BNA Jan. 17. Although the lack of experience may impact Ross’ efficiency, there’s “no reason to believe that the new Administration will change course” on the NIST framework or Privacy Shield, he said.
The Department of Commerce had no comment on the confirmation hearings or on Trump’s appointments. Representatives for Trump’s transition team didn’t respond to Bloomberg BNA requests for comment.
Ross’ lack of a clear policy stance may cause concerns for companies that rely on Commerce and NIST for cybersecurity guidance documents and other publications.
Vanessa Henri, legal counsel at information technology consulting company Above Security in Montreal, told Bloomberg BNA Jan. 17 that it is “worrying” that Trump wants Ross to lead “efforts to reduce burdensome regulations pertaining to cybersecurity.” Although U.S. federal cybersecurity harmonization may be beneficial, internet of things (IoT) and other pervading issues call for increased—not decreased— regulation, she said.
Data privacy deregulation “would create instability and endangers new initiatives such as intelligence sharing, which is critical to foster public-private partnerships,” Henri said.
Commerce has cited NIST’s Framework for Improving Critical Infrastructure Cybersecurity as a central development in setting baseline cybersecurity standards for the private sector. Whether Ross would pull back funding for NIST or other policy maneuvers that would handicap the group remains unclear.
McAndrew said that NIST should “continue to continue to play an increasingly important role in cybersecurity guidance in both the public and private sectors.” However, Ross’ lack of cybersecurity expertise may harm how effective NIST is in “building effective public-private relationships and partnerships on cybersecurity issues,” he said.
Henri said that NIST’s guidelines are fundamental for businesses that rely on the guidance documents. For example, a recent NIST publication on IoT “stresses how a fundamental cultural change to the current business model is needed,” she said.
Ross, or whomever is confirmed as the next Commerce secretary, “will have to act as a catalyst for such organizational and cultural changes,” Henri said.
The EU-U.S. Privacy Shield, which allows U.S. companies that self-certify to Commerce their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S., is a crucial mechanism to support the more than $260 billion in trade in services between the U.S. and EU, according to the Obama exit memo on Commerce.
The Privacy Shield was finalized in July 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program relied on by over 4,000 U.S. companies and tens of thousands of EU business partners that was invalidated by the EU’s top court, in part, over cybersecurity concerns related to government access to transferred data.
EU officials have said that they will closely monitor Trump’s handling of the Privacy Shield. EU Justice Commissioner Vera Jourova said in November 2016 that the European Commission, the EU’s executive arm, would “closely monitor the respect of protection standards and the correct implementation” of Privacy Shield “under the new U.S. leadership.”
The exit memo also called cybersecurity in cross-border data transfers fundamental to establishing necessary corporate and consumer confidence to grow the digital economy. The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, which establish a system for mutual interaction of privacy and security laws of the 21 member economies, are a vital component, the memo said. The U.S. and China are APEC members.
But Ross’ business dealings in China, and statements he made during the campaign, could suggest hesitancy toward working with China and related trade partners. Ross previously co-authored a report that described the world as “riddled with trade cheaters,” with China as the biggest culprit. Such statements are in line with Trump’s remarks about China during the campaign and in the run up to the inauguration.
To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)