I am pleased to be back in Brussels for this Second Annual Review of the Privacy Shield Framework. Thank you to the European Commission for planning and hosting this year’s event. And a special thank you to Commissioner Jourová for inviting me to join you in this review.
I have been looking forward to traveling here for many months, given the growing importance of digital commerce, the news stories that we all hear, and the growing demand among our citizenry to protect our personal data.
As you may know, I published an editorial in the Financial Times this morning, showing my public commitment to making Privacy Shield a success.
This Second Review marks an important milestone for the Privacy Shield Framework. It presents us with a timely opportunity to discuss our collective work on Privacy Shield over the last year to protect the privacy of our citizens.
As of today, nearly 4,000 organizations and their EU partners rely on Privacy Shield to conduct business across our borders. That number grows every week. Privacy Shield participants range from startups and emerging companies developing leading-edge technologies, to Global 1,000 and Fortune 500 enterprises.
Companies in dozens of industry sectors are using Privacy Shield to assure the security of their customers’, clients’, and their suppliers’ data. Notably, about 60 percent of all Privacy Shield-certified organizations are small to medium-sized businesses. More than 1,000 participating organizations use the program to transfer human resources data between the EU and the United States. They support countless jobs on both sides of the Atlantic.
Privacy Shield enables the data flows that underpin the $1.1 trillion trade relationship between the United States and the European Union. Participating companies and their employees, as well as millions of consumers on both sides of the Atlantic, are relying on us to ensure that Privacy Shield continues to function.
The United States and the European Union have been working together for decades on data protection and privacy matters. We both understand that our democracies depend on strong privacy protections and the unencumbered flow of commercial data across borders.
Privacy Shield’s predecessor, the Safe Harbor program, was negotiated by the European Union and the United States in the 1990s, and it was formally implemented in 2000. After 13 years of operation, there were just over 4,000 U.S.-based companies in the Safe Harbor program.
To address the dramatic changes and growth in the global digital economy, the European Union and the United States began discussions to develop a new framework in 2013. The Schrems ruling by the European Court of Justice in 2015 heightened the need for a more robust framework. The result, of course, was the creation of the Privacy Shield Framework.
From its start in 2016, the Privacy Shield program was designed with enhanced protections for EU individuals, along with the flexibility to adapt to accelerating data-driven innovation.
During Privacy Shield’s first year, we focused on implementing the new program. We established an independent Privacy Shield office within the Commerce Department. We expanded our team and invested resources in the program. We launched a major website, and created comprehensive review processes.
Our professional staff, whom many of you know and are here with us today, conducted extensive industry outreach programs on refining the Framework’s requirements.
Last September, the Commerce Department was honored to host the successful First Annual Review of the Privacy Shield program in Washington, D.C. We met with our European colleagues for several days of in-depth discussions and information sharing. We heard from dozens of privacy, cybersecurity, and legal experts from throughout the U.S. government.
In October 2017, we welcomed the Commission’s conclusion that the Privacy Shield program was ensuring an adequate level of protection for the personal data of EU individuals.
In the run-up to last year’s review, the White House issued a statement that still applies today — and, I quote: “The United States commitment to Privacy Shield cannot be stronger.”
Now, as we begin this Second Annual Review, I am pleased to share with you that it has taken only 24 months for Privacy Shield to enroll the same number of participants as it took the Safe Harbor program 13 years to achieve. The high level of demand among so many companies for Privacy Shield is a testament to the growing desire for stable and secure cross-border data flows. It is also testament to the necessity that we work together on a critical component of the new digital, global economy.
I would be remiss not to highlight the extensive work by our team in the International Trade Administration to ensure that Privacy Shield’s protections have been implemented as intended. In “Year Two” — this past year — our Privacy Shield Team dedicated itself to refining the program’s functioning and governance. We promoted greater stakeholder understanding of the Framework. And we engaged with our European partners to address and implement the recommendations stemming from the first annual review.
To expand public knowledge of the Privacy Shield program, Commerce officials have engaged in hundreds of outreach initiatives. We have taken to the road, criss-crossing the North American continent. We are sponsoring workshops; presenting at conferences; and hosting webinars and training sessions. We are publishing blogs and articles, and we are developing easy-to-understand guidelines and support materials.
Throughout the past year, we have continued to work cooperatively and jointly with you and your colleagues as we addressed the Commission’s recommendations and developed new resources for companies to utilize.
We look forward to our continued collaboration.
We have made substantial financial investments in the program. And we broadened its scope within the U.S. federal government.
Senior officials from other U.S. agencies share our commitment to Privacy Shield. The evidence is in this room today, measured by the size of our delegation that travelled here to be with you. They are eager to share the details of their work, their successes, and their commitment to Privacy Shield.
As you will hear from our State Department colleagues, the Privacy Shield Ombudsperson Mechanism is fully operational. It is ready to receive and resolve complaints from European individuals.
In light of Ambassador Judy Garber’s recent nomination to become U.S. Ambassador to the Republic of Cyprus, Secretary of State Mike Pompeo selected his Assistant Secretary, Manisha Singh, to assume the duties and obligations of the Ombudsperson. On September 28, President Trump designated her as the Acting Under Secretary of State for Economic Growth, Energy, the Environment, and Privacy Shield Ombudsperson.
Ms. Singh has served in senior political positions in multiple presidential Administrations, and was confirmed unanimously by the Senate in 2017 — a rare occurrence in Washington these days. She is truly a rising star, and her designation shows the seriousness with which we view the responsibilities of the Ombudsperson. I am pleased that she will be here tomorrow to discuss the Ombudsperson Mechanism.
You will also hear from the Privacy and Civil Liberties Oversight Board. This Board has just publicly released an unclassified version of its report regarding Presidential Policy Directive 28, in which the entire U.S. government privacy community is engaged. The Administration recognizes the important role the Privacy and Civil Liberties Oversight Board plays as an independent federal agency in ensuring that government efforts to prevent terrorism are balanced with the need to protect privacy.
The President has nominated five individuals to serve as board members, three of whom were just confirmed. With their confirmation, the board now has a quorum and can carry out all of its normal activities.
Over the past year, the United States Congress also reauthorized Section 702 of the Foreign Intelligence Surveillance Act — maintaining the legal foundation upon which we built the Privacy Shield Framework. That reauthorization maintained all elements on which the European Commission’s Privacy Shield adequacy determination was based.
Before I close, I want to emphasize that, if Privacy Shield is to continue to work as intended, we must work together to ensure the confidence in its durability among businesses and the public. A positive public perception and attitude towards Privacy Shield is vital to the Framework’s future. Our work together over the next two days and in the year to come will go a long way to assuring confidence in the system.
The United States looks forward to working with the Commission, the DPAs, and others in Europe to build and win public support for the program so that it can continue to function and grow.
Greater Privacy Shield participation results in more companies making enforceable commitments on data privacy. It provides recourse for EU individuals who feel they have been harmed by data disclosures or breaches. It also ensures that more businesses and consumers on both sides of the Atlantic can benefit from the data flows that underpin our economies.
Thank you to everyone in this room for all the work you do to support Privacy Shield, and in strengthening the transatlantic systems that form the basis of our economic prosperity. It takes mutual respect and a constant focus.
The fact that our efforts have steadily evolved over decades to the point of our meeting today is a significant accomplishment. Our working together is the reason our economies are so vibrant, and so vital.
I hope that we can accomplish even more during this Review, and that we also take a moment to celebrate the success of our enduring partnership and friendship.
Again, I am pleased to be leading our delegation, and to be here personally with you in Brussels to discuss these issues. I look forward to a positive outcome from this Review.