When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.
Appointment of PCLOB Members
On October 12, the Senate confirmed three nominees to the five-seat Privacy and Civil Liberties Oversight Board, the independent agency within the executive branch that oversees U.S. Government compliance with privacy and civil liberties. Adam Klein was confirmed as Chair, along with Ed Felton and Jane Nitze. They will join Elisebeth B. Collins, the Board’s only current member, to give the Board the quorum necessary for it to resume regular operations. The Board has spent a number of years in effective limbo without a sufficient number of confirmed commissioners to conduct its regular business. One of the EU Commission’s suggestions for further compliance (as well as one of the reasons for suspending the agreement in the EU Parliament’s June letter) was the necessity of rectifying the PCLOB’s operational vacancies.
Two additional PCLOB nominees, Travis LeBlanc and Aditya Bamzai, remain before the Senate. If he is confirmed, Mr. Bamzai will serve the remainder of Ms. Collins’ term, who has announced her resignation.
Appointment of Privacy Shield Ombudsperson
On September 28, 2018, the United States designated Manisha Singh, the acting Undersecretary of State for Economic Growth, Energy, and the Environment, as the acting Privacy Shield Ombudsperson. The ombudsperson’s function under the agreement is to provide EU citizens with a place to direct their complaints about the U.S. government’s access to and treatment of their personal data. The previous acting ombudsperson was Judith Garber.
EU officials have repeatedly expressed frustration with the United States’ failure to appoint a permanent privacy shield ombudsperson to operate in a more independent role within the State Department. The European Commission urged the U.S. to appoint a permanent ombudsperson in its “first annual review on the functioning of the EU-US Privacy Shield” last year, and the European Parliament cited the government’s failure to do so as one of the reasons it advocated a suspension of the Privacy Shield. A permanent ombudsperson would require a separate nomination and confirmation process.
Other important steps in U.S. privacy law since the 2017 annual review of the Privacy Shield include the Supreme Court’s decision that cell site location information is subject to Fourth Amendment protections in Carpenter v. United States, and the May passage of the CLOUD Act, which gives U.S. law enforcement more authority to access personal data stored by U.S. companies outside of the United States. In addition, as it did just before last year’s first annual review, the FTC announced enforcement actions against entities that made deceptive privacy shield compliance claims.
It remains to be seen if the U.S.-EU Privacy Shield will survive its sophomore review And, if so, as-is or with additional recommendations from the EU Commission.