While the European Union (EU) has now formally approved Privacy Shield, will it stand up to judicial and political scrutiny? Privacy Shield itself is a mix of requirements on U.S. businesses doing business with consumers in the EU, and a set of requirements imposed on the U.S. government. Most of the government requirements focus on preventing the perception that the U.S. government is routinely “sweeping” consumers’ personal data and exploiting it. Many observers feel that Privacy Shield does not do enough to prevent this type of governmental intervention.
We are not going to make any kind of predictions here, but we will offer some events and triggers to watch so that readers can track progress and make an informed decision. Our view is that the steps the U.S. took on paper to reassure the Europeans now need to be executed in a way that shows the U.S. gets it and is prepared to protect data in the way expected. Below we cover some of the main measures and offer key points to monitor.
A big change demanded by the EU was the creation of a high-level position in the U.S. government to act as a facilitator/“owner” for the EU. Right now the position is rated as a Cabinet undersecretary – we are not federal government pundits, but it certainly sounds like a high-level position. The key point here is to see how this position gets filled. If an individual with a strong consumer protection, legal, or military background is named, EU confidence will be higher. If the role is another purely political appointment, our bet is the EU will not get the reassurance it is seeking.
Enforcement by the Department of Commerce and the FTC
Commerce has committed to performing ongoing reviews of companies signing up for Privacy Shield. While much of the work is planned to be a remote process done through questionnaires, if planned and executed appropriately, the process could be effective in forcing businesses to take it seriously. Frankly, we would be encouraged if Commerce performs audits “early and often” and actually identifies issues. Commerce does not have to expose the violators and name them, but public disclosure of issues could help businesses understand that Privacy Shield is being taken much more seriously than its predecessor, Safe Harbor.
The Federal Trade Commission (FTC) is the government agency with authority to pursue actions against businesses that wrong consumers in the U.S. Through the Privacy Shield negotiation process, the FTC has stated that if a business publicly states it is Privacy Shield compliant and it is not, it will consider that an “unfair and deceptive practice.” Again, look to see if the FTC takes an “early and often” approach to Privacy Shield compliance.
Public disclosures of wide-reaching U.S. government sweeps of consumer data
Europeans see privacy as U.S. citizens see free speech – a fundamental right that can’t be breached in any way. The EU interpreted the Snowden disclosures as evidence the U.S. government was routinely undermining their basic rights. Much of the document entitled “Commission Implementing Decision” released by the EU on July 12, 2016 discusses how the EU became comfortable with U.S. government commitments in addressing the Snowden issue. Any new data incursions by the U.S. government will be seen as another indication that the U.S. does not take European privacy seriously.
Yearly review meeting and EU litigation
Obviously, any new litigation in the EU related to Privacy Shield will be a factor to consider. Also, the agreement has a built-in yearly review process in which the EU and U.S. discuss progress and process. We expect feelings on both sides to be heavily leaked before the meeting. Definitely watch for the annual review caucus.
For more information on this topic, or to learn how Baker Tilly financial service specialists can help, contact our team.