VIDEO: Ex-U.S. Commerce Official Discusses EU Privacy Challenges


By Jimmy H. Koo

The upcoming first annual review of a critical European Union-U.S. data transfer pact provides crucial opportunities to solidify its implementation, Justin Antonipillai, founder and CEO of data privacy management company, told Bloomberg BNA in a video interview.

Antonipillai was the Department of Commerce acting undersecretary who led the U.S. team that negotiated the EU-U.S. Privacy Shield agreement easing transfers of personal data from the EU to U.S. companies. A new pact was necessary after the EU’s top court invalidated the previous agreement over concerns that data transferred to the U.S. wouldn’t be safe from government surveillance.

Some of the challenges in negotiating the Privacy Shield included bridging different legal regimes and providing real judicial redress mechanisms for EU citizens, he said. It was also difficult to share information with EU officials about U.S. government national security operations without disclosing classified information, he said. But ultimately, the sides came together to approve the new agreement.

More than 2,400 U.S. companies and tens of thousands of EU companies rely on the Privacy Shield to transfer data legally from the EU to U.S. companies that self-certify to Commerce their compliance with EU privacy principles. The U.S. and EU agreed to review the program each year to assess how well the privacy protections are working. The first review of the Privacy Shield is scheduled to begin Sept. 18.

According to Antonipillai, one of the topics to be highlighted during the review is how companies deal with automated processing of personal data using artificial intelligence and machine learning. “There are lots of judgment calls” involved in privacy issues, so AI needs human assistance, he said.

At Commerce, Antonipillai also worked on privacy and security issues surrounding the EU’s upcoming privacy regime—the General Data Protection Regulation (GDPR)—which will come into effect in May 2018.

The GDPR brings strict new requirements for gaining consent from individuals to collect and use their data, mandatory data breach notification, and the threat of massive fines. Companies located outside the EU that do business there or aim at EU consumers will be subject to the GDPR, and that has left many companies concerned about complying with the new law.

“If you’re Privacy Shield-certified, you’re well on your way to GDPR compliance,” Antonipillai said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full video is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
