As dozens of officials from the US and the EU convene in Brussels this week for the second annual review of the EU-US Privacy Shield framework, they can take pride in one overriding fact: Privacy Shield works.
The Privacy Shield framework, which governs transatlantic exchanges of personal data, works for European individuals by creating enforceable privacy protections and multiple layers of redress. It works for US and EU companies by permitting the cross-border transfers of data that have become integral to business operations and innovation. It enables consumers on both sides of the Atlantic access to more and better products and services.
Since Privacy Shield’s implementation on August 1 2016, nearly 4,000 companies have made legally enforceable commitments to comply with the framework. These range from start-ups and small businesses to Global 1000 and Fortune 500 enterprises in every sector — including manufacturing, services, agriculture and retail. Because of their Privacy Shield certification, participating companies can receive personal data from the EU to increase business efficiencies and productivity and to fuel medical and technological advances, new forms of social interaction, and economic growth.
To help protect personal data against improper disclosure or misuse by companies, the US government has moved swiftly to ensure that participating businesses comply with their obligations. The US commerce department has implemented a binding arbitration mechanism for EU individuals and new processes to enhance compliance oversight and reduce false claims. The Federal Trade Commission has also brought multiple enforcement actions against companies that falsely claimed participation in the programme.
To limit inappropriate access to personal data by American government agencies, the US has committed to protect civil liberties, privacy and transparency. In 2016, the state department established a Privacy Shield ombudsperson to address requests by EU individuals about US intelligence access to their personal data. Contrary to some accounts, that position has never been vacant. Even though the ombudsperson has remained ready for more than two years to address EU requests, not a single inquiry has been received.
To restore a chair and a quorum at the independent Privacy and Civil Liberties Oversight Board, President Donald Trump nominated, and the Senate confirmed, a bipartisan slate of highly qualified lawyers and technologists. And, in January 2018, Congress passed, and the president signed, the Fisa Amendments Reauthorization Act of 2017, thus maintaining all elements on which the European Commission based its decision that the Privacy Shield framework protections are adequate.
We must be mindful that countries take different approaches to privacy concerns and challenges presented by our hyper-connected world
Despite all this, Privacy Shield faces challenges. For example, even though the framework was not in place at the time when Cambridge Analytica reportedly gained access to information on as many as 87m Facebook users, some erroneously cited the incident as evidence that Privacy Shield does not work. The FTC has announced that it is investigating Facebook’s privacy practices, and the company could face a fine of $41,000 (more than €35,000) for each of the users whose data may have been mishandled. Moreover, because Facebook later became a Privacy Shield participant, the commerce department will remove it from the Privacy Shield list, should the FTC determine it failed to comply with its Privacy Shield commitments.
The most crucial tests for Privacy Shield come from Europe, where two legal cases are challenging the framework and another key data transfer mechanism available under EU law. Should either or both be struck down, data privacy protections, transatlantic data flows and the $1.1tn in annual trade between the US and the EU could all be seriously impaired.
As we look ahead, to this week’s second annual review and beyond, we would do well to remember that the internet revolution that began some 25 years ago — and ushered in unparalleled economic prosperity — has only begun. In the coming years, evolving technologies and vast amounts of data generated by connected devices will spur the development of more new products and services. We must be mindful that countries take different approaches to privacy concerns and challenges presented by our hyper-connected world.
The US government and the European Commission developed Privacy Shield to bridge the differences between our respective approaches to privacy — and it works. If both parties are to realise the full potential of the digital revolution in a way that protects individual privacy, we must preserve the framework that we have worked so hard to build — and upon which so many on both sides of the Atlantic have come to rely.