Expect Facebook, PCLOB, Ombudsman to Highlight EU-US Privacy Shield Talks
The Trump administration’s failure to appoint a permanent EU-U.S. Privacy Shield ombudsman and stagnation of the Privacy and Civil Liberties Oversight Board (PCLOB) will be points of contention when officials from both sides of the Atlantic meet in October, experts told us. Also expect the Facebook-Cambridge Analytica privacy breach (see 1804100054 and 1804110065) to be a major topic, said Access Now Policy Counsel Drew Mitnick. EU officials want details on how the FTC, U.S. enforcer of the Privacy Shield, is handling its investigation into potential Facebook violations of a 2011 consent decree, so they can better gauge the strength of the agency’s authority.
World Privacy Forum Executive Director Pam Dixon described the Cambridge Analytica breach as the “kindling for the fire” in Brussels, where officials will meet. The U.K. Information Commissioner’s Office closed its own Facebook investigation earlier this summer, fining Facebook a maximum amount of $663,850. EU officials are wondering why U.S. regulators haven't concluded their own probe, Dixon said. Progress on the PCLOB and the Privacy Shield ombudsman will also have significant impacts on discussions in Brussels, she said.
Despite U.S. commitments in October -- during the first review of the Privacy Shield in Washington -- a permanent ombudsman, responsible for handling EU Privacy Shield-related complaints, hasn't been named. Principal Deputy Assistant Secretary for Oceans, Environment and Science Judith Garber is serving in the role. President Donald Trump’s five nominations to serve on the PCLOB, which advises U.S. law enforcement on surveillance matters, are at various stages in a drawn out confirmation process (see 1806210043). Trump announced the final two nominees this week (see 1808070013) for a board that currently has one sitting member.
The PCLOB’s inactivity has meant delays for some high-profile reports. The European Commission in October recommended the PCLOB analyze implementation of the previous administration’s Presidential Policy Directive 28 (PPD-28), which President Barack Obama issued in response to European backlash over Edward Snowden’s NSA leaks. PPD-28 extends surveillance protections to European data, saying U.S. agencies use surveillance powers only in highly defined circumstances, when no other option is available for gaining information essential to national security.
The European Commission also recommended Congress enshrine PPD-28 protections in the Foreign Intelligence Surveillance Act when reauthorizing Section 702 (see 1801190062). PPD-28 protections weren't included in the six-year reauthorization. Congress’ “whiff” on FISA means a “ticking time bomb” is waiting before the European Union Court of Justice, said Constitution Project Senior Counsel Jake Laperruque.
In 2015, the EU’s high court dismantled the U.S.-EU Safe Harbor Framework, the Privacy Shield’s predecessor. The Snowden leaks had shown U.S. handling of EU data that was considered illegal by European standards. Congress failed to address European concerns during FISA reauthorization, Laperruque said, and various legal challenges are working their way toward the EU high court, which could invalidate the new data law.
Access Now's Mitnick agreed no substantive moves have been made for protecting European data since 2015, only unfulfilled U.S. Privacy Shield commitments. Center for Democracy & Technology Director-European Affairs Jens-Henrik Jeppesen agreed stagnation at the PCLOB and with the ombudsman position will be points of criticism. Frustration from EU officials boiled over with the European Parliament recently adopting a resolution that would suspend the agreement unless the U.S. deals with those issues (see 1807270038). But Jeppesen said European officials know maintaining the Privacy Shield is the only alternative, since some 3,000 companies registered would no longer be able to transfer certain types of data legally without it. From the commission’s point of view, the Privacy Shield is “as good as it’s going to get” right now, he said.
Commerce Secretary Wilbur Ross will lead the U.S. delegation in Brussels, along with officials from the State Department and the FTC. In 2017, officials from Justice, Transportation, PCLOB and the Office of the Director of National Intelligence also participated in the annual review. European Commissioner for Justice Vera Jourova will lead the EU delegation.
EU officials concluded last year the U.S. is providing “an adequate level of protection for personal data transferred under the Privacy Shield.” Software & Information Industry Association Senior Director-International Public Policy Carl Schonander, who worked on behalf of trade associations to craft the U.S.-EU Safe Harbor Framework, cited the EU’s 2017 conclusion, saying the framework is working as anticipated. He did, however, note concerns about the PCLOB and ombudsman. Industry representatives look forward to offering continued stakeholder input as officials prepare to meet in Brussels, he said.