U.S. Surveillance Will Be Focus of EU Data Transfer Pact Review

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

The upcoming first annual review of the European Union-U.S. Privacy Shield data transfer program will focus on EU concerns about U.S. government surveillance, privacy professionals and officials on both sides of the Atlantic told Bloomberg BNA.The Privacy Shield program is used to more easily transfer data out of the EU by over 2,100 U.S. companies, including Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp., that certify to the Department of Commerce their compliance with EU-approved privacy principles. Limiting U.S. government access to data once it is moved to the U.S. is a fundamental basis underlying the EU’s approval of the system.

Under the Privacy Shield, individuals can refer any complaints about undue surveillance of data by U.S. authorities to an ombudsman established in the U.S. State Department. The position is currently filled by Judith G. Garber, acting assistant secretary, Bureau of Oceans and International Environmental and Scientific Affairs, who was appointed Jan. 18.

EU Justice Commissioner Vera Jourova—who is due to visit the U.S. in September for the review—tweeted July 12 that the “independence and efficiency” of the ombudsman “is crucial.”

Other surveillance oversight processes to be reviewed include the Privacy and Civil Liberties Oversight Board (PCLOB), which was created during the George W. Bush administration to monitor U.S. homeland security efforts and secure the consideration of privacy and civil liberties issues. However, the board, at present, lacks a quorum necessary to conduct new business.

Overall, Jourova said, also in a July 12 tweet, that she will “carefully assesses the proper functioning, implementation, supervision, & enforcement of the Privacy Shield.” Every EU-U.S. body involved in the program must “do their homework” in order for the Privacy Shield to “keep running,” she tweeted.

Some EU lawmakers and regulators have expressed skepticism about U.S. privacy commitments after a Trump administration executive order and repeal of internet service provider privacy rules earlier this year. However, officials on both sides of the Atlantic have reconfirmed their commitment to Privacy Shield principles.

Cameron F. Kerry, privacy and cybersecurity senior counsel at Sidley Austin LLP in Washington and former general counsel and acting secretary at Commerce, told Bloomberg BNA July 13 that the European Commission will face a “challenging political environment” as it faces the first annual review. However, the review’s focus will be the substance of the agreement, not politics, he said.

The White House and Commerce didn’t immediately respond to Bloomberg BNA’s email requests for comment.

Privacy Oversight

A State official told Bloomberg BNA July 13 that the department will participate in the September review and has had productive meetings with its EU counterparts in both Brussels and Washington. The department “strongly supports the EU-U.S. Privacy Shield framework, including the Ombudsperson Mechanism” because it “facilitates transatlantic commerce and protects the privacy of individuals,” the official said.

Commission spokesman Christian Wigand told Bloomberg BNA that the review will take into account the “functioning of all relevant” agencies and organizations, including the PCLOB.

Jen Burita, the PCLOB’s media and legislative affairs officer, told Bloomberg BNA that the board lost its quorum on Jan. 7 and can’t “take on new projects until it reaches a quorum of at least three members.” However, it may continue to work on “mission-related projects that were approved” before the quorum was lost, she said. Also, without a chairman, the board can’t hire additional staff, she said.

Kerry said it’s imperative that the U.S. have the board “fully running again before another annual review.” Having a fully functioning PCLOB “is important to the oversight and transparency that are strong points in U.S. surveillance safeguards,” he said.

However, for the upcoming review, “PCLOB appointments shouldn’t be a significant issue” because appointing a chairman and new board members takes time “even in the best circumstances,” Kerry said. Additionally, “the White House has been soliciting names” to appoint to the PCLOB, he said.

Intelligence Surveillance Issues

Congressional efforts to make certain federal intelligence surveillance provisions permanent will also be studied by EU officials involved in assessing the Privacy Shield, officials say. Also up for discussion will be the “limitations, safeguards, and oversight mechanisms enshrined in” the Foreign Intelligence Surveillance Act (FISA) Section 702, and “assurances and representations received from the Office of the Director of National Intelligence and expressly referred to” in the Privacy Shield agreement, Wigand said.

The PCLOB released a 2014 report that found the National Security Agency was authorized to implement a program that targeted the electronic communications of non-U.S. citizens. That justification came under FISA Section 702. That provision is set to expire Dec. 31 but will likely be renewed either permanently or with another sunset provision requiring subsequent review and reauthorization.

Kerry said that it doesn’t look like the Section 702 reauthorization will be a major factor in the upcoming annual review because the “debate is between a clean reauthorization and changes that would tighten controls” on U.S. government surveillance.

Wigand said that “it is important that a future reauthorization does not lower these protections recognised to non-U.S. citizens.”

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security