A senior U.S. Department of Commerce official spoke with SCMagazine.com this morning to defend the virtues of the newly introduced EU-U.S. Privacy Shield pact, which attempts to place standardized privacy restrictions on how businesses transfer consumer data from European localities to America.
The senior official, who requested anonymity, attempted to allay concerns expressed by privacy advocates who worry the new regulation is not a substantial improvement over its predecessor, the Safe Harbor agreement. The European Court of Justice struck down Safe Harbor in October 2015, ruling that the European Commission failed to substantiate its claims that the doctrine guaranteed citizens adequate privacy protection, especially in light of revelations surrounding the U.S.' mass surveillance of transatlantic data.
Asked to name specific reasons that the ECJ is more likely to validate the Privacy Shield's adequacy this time around, the official cited several key additions to the framework; namely:
- Written assurances from U.S. federal law enforcement officials, defining limitations on government surveillance, as well as the establishment of an ombudsman within the U.S. State Department to oversee surveillance-related complaints.
- A multitude of clearly defined redress options for European citizens who believe their digital privacy has been violated, with no limitations on how European data protection authorities (DPAs) can pursue claims against companies.
- The establishment of a robust annual review of Privacy Shield processes to ensure the doctrine is working as effectively as it should.
The Privacy Shield generally encourages European businesses to be measured and conservative when sharing data with U.S. entities, but critics claim the policy is riddled with exceptions when it comes to sharing information with U.S. law enforcement. Indeed, privacy advocates argue that the new framework serves more to clarify the U.S.'s position on digital surveillance rather than actually place tighter, Euro-centric restrictions on the practice.
Nevertheless, the Commerce Department official asserted the importance of communicating current U.S. doctrine in this fashion, as such transparency was previously lacking with Safe Harbor, the official explained. The official expressed confidence that with better transparency, European citizens and governments will see that the U.S. actually has a “long history of privacy protection, like the Fourth Amendment—one of those shining examples around the world.”
With this in mind, drafters of the new framework placed an emphasis of clarifying such policies as the Foreign Intelligence Surveillance Act (FISA) and Presidential Policy Directive 28, which sets guidelines on signals intelligence gathering.
“This is one of those things we need to really make sure that the world understands: in the U.S. government, we work under a lot of oversight—independent oversight, Congressional oversight, and there are lot of mechanisms to make sure that we and other elements of the U.S. government…are following our own policies, procedures and the law,” said the official. Other forms of oversight include “everything from inspectors-general to privacy and civil liberties officers, and as you know ‘the Hill' is quite concerned about these things” as well, the official added.
“Our total [Privacy Shield] package, together with our domestic laws, are actually very strong on privacy; they're just in a different form than they are in other parts of the world. They really are something to be proud of,” the official continued.
Moreover, the official lauded the creation of an ombudsman position within the State Department who will hear European citizens' challenges against U.S. acts of surveillance. “This is a very important part of the package,” said the official.
Concerning redress, the official explained that the Commerce Department and other U.S. agencies participating in the Privacy Shield (including the Federal Trade Commission, State Department and Department of Transportation) “wanted to provide a lot of options for EU individuals to pursue concerns that are easy, straightforward and… don't cost EU individuals out-of-pocket to try and pursue.”
Indeed, complainants can take their grievances directly to the company that improperly handled sensitive data, or they can engage the Commerce Department via their local data protection authority. The FTC will also provide oversight in certain cases, with the power to levy monetary fines against companies that violate Privacy Shield statutes by, for example, failing to stop a data breach or sharing sensitive data with unauthorized third parties. Should such measures prove to be of little recourse, the aggrieved party also has the option of entering binding arbitration, at no cost.
As a final important piece of the puzzle, the senior Commerce official cited the Privacy Shield's robust annual review mechanisms. According to the official, the review process will ensure that the Commerce Department, “together with the [European] Commission and other stakeholders, including DPAs and enforcement agencies on this side of the Atlantic, are going to get together and ensure that this privacy Shield package is actually working going forward.”