Surveillance & Privacy

The Economic Case for Preserving PPD-28 and Privacy Shield

Cameron Kerry, Alan Charles Raul
Tuesday, January 17, 2017, 3:19 PM

As the new administration takes office this week, we will start to see just how literally to take Donald Trump's pronouncements and the promised targeting of his predecessor’s executive orders for immediate destruction. Trade policy appointments signal that statements about being aggressive against barriers to trade should be taken very literally. Wilbur Ross, the prospective Commerce Secretary; Peter Navarro, tapped to lead a new Trade Council on the White House staff; and Robert Lighthizer, designated U.S.

Published by The Lawfare Institute
in Cooperation With
Brookings

As the new administration takes office this week, we will start to see just how literally to take Donald Trump's pronouncements and the promised targeting of his predecessor’s executive orders for immediate destruction. Trade policy appointments signal that statements about being aggressive against barriers to trade should be taken very literally. Wilbur Ross, the prospective Commerce Secretary; Peter Navarro, tapped to lead a new Trade Council on the White House staff; and Robert Lighthizer, designated U.S. Trade Representative, all have been vociferous in calling out China's mercantilist policies and advocating a more transactional approach to breaking down market barriers in the world's second largest national economy.

As this team targets barriers to trade, it should look beyond just China and manufacturing. Below we make the case that the Obama executive order extending certain privacy protections to ordinary foreign citizens should not be on the chopping block because it is vital to transatlantic digital trade and ecommerce.

Digital trade and the information economy are also subject to rampant protectionism and increasing balkanization. There is a growing array of regulatory barriers to digital services and the flow of data across all sectors. Data localization measures that require data to be kept inside the country of origin and other restrictions on the flow of information across borders amount to virtual tariffs that threaten US trade and commerce. US information technology and internet companies are hardest hit.

Discarding the Trans Pacific Partnership (TPP) trade deal means forgoing some forceful digital commerce provisions that would prohibit forced data localization and barriers to the free flow of data across borders. The new administration should take care not also to discard the Privacy Shield framework established last summer. The Privacy Shield enables transfers of personal data from the European Union to the United States. European Union restrictions on transferring data outside the EU are a vital trade issue because, with an economy collectively larger than China's, the EU represents the US's largest trading relationship, annual transatlantic trade in digital services amounts to $260 billion, and information transfers support almost all other trade flows.

These flows were disrupted in 2015 when a European Court of Justice judgment invalidated a European Commission decision that had approved a "Safe Harbor" framework allowing data transfers to the US. The court focused especially on the perceived risk that data transferred to the US could be subject to unlimited surveillance by the NSA.

US and EU negotiators raced to put in place a new, stronger mechanism, which became the EU-US Privacy Shield. Reaching this unique trade agreement demonstrated a strong and pragmatic commitment to the US-EU trade relationship on both sides. So far, more than 500 companies have signed up, and more are in the pipeline. The Trump Administration needs to protect this key agreement.

A keystone underlying support for the Privacy Shield is President Obama's 2014 Presidential Policy Directive 28 (PPD-28) declaring that "all persons should be treated with dignity and respect regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information." This order extended to citizens of foreign countries safeguards that require that surveillance of Americans be targeted carefully for defined and legitimate purposes. These safeguards essentially protect the privacy interests of innocent foreigners whose electronic communications are scooped up by the NSA merely as incidental collections to the agency’s actual targeting of malicious individuals.

The economic significance of PPD-28

This directive has been vital in restoring global trust in US technology and values. And it is central to the European Commission's conclusion in its Privacy Shield decision that US law adequately safeguards EU citizens.

Rather than some form of concession to countries outside the US, PPD-28 is an affirmative statement of US values in an interconnected world. As the recent experience with Russian hacking demonstrates, a global internet in which anything goes anywhere in the world is untenable. PPD-28 is an important step toward new global norms that reinforces a vision of the US as a beacon of civil liberties and democratic values and makes public practices largely consistent with what the intelligence community has done anyway. The fact is the US has more safeguards and checks and balances on surveillance than most other countries (including European countries suspicious of US surveillance), and reasonable limits on retention and dissemination in incidental collection of data about Europeans who are not the intended targets or subjects of surveillance does not diminish US security.

PPD-28 also calls for designation of a senior State Department official as coordinator for international diplomacy on information technology issues and "a point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the United States," a role assigned to the Undersecretary of State for Economics, Energy & Environment. Based on this role, the Privacy Shield makes the same undersecretary an "ombudsperson" to handle complaints from EU citizens about US surveillance. This function is essential to the Privacy Shield because EU law requires some form of individual redress for surveillance.

President-elect Donald Trump spoke during the campaign of revoking "all illegal and overreaching executive orders" immediately after January 20, and transition officials have intimated an ambitious array of actions. There has been no concrete suggestion from the transition that PPD-28 could be on this hit list but, if it is, the effect for transatlantic data transfers would be catastrophic.

The Privacy Shield is under fire in the EU. EU privacy organizations have filed legal challenges to the European Commission approval decision in the Court of Justice. Even if the court declines to hear those cases, other challenges are sure to follow in time. An influential EU group of privacy regulators has expressed doubts about the effectiveness of ombudsperson.

Under the terms of the Privacy Shield, the European Commission will conduct an annual review of the framework's operation in practice in mid-2017, with the participation of these privacy regulators. EU officials will be taking a hard look at the Privacy Shield in operation.

The Commission has reserved the right to suspend the framework if US agencies "do not comply with the representations and commitments contained in the documents annexed to this Decision," especially those relating to government access, or for "a systematic failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests from EU data subjects ...." A revocation of PPD-28 would undercut important elements of the decision and almost surely trigger suspension of the framework.

Bipartisan support for PPD-28 and Privacy Shield

In December, veteran Congressman James Sensenbrenner (R-VA) wrote to President-elect Trump highlighting the importance of PPD-28 to jobs and economic growth as a foundation of the Privacy Shield. Congressman Sensenbrenner previously persuaded Congress of the importance of transatlantic data flows by winning passage of the Judicial Redress Act of 2015, extending protections of the federal Privacy Act of 1974 to citizens of countries that provide similar protection for US citizens.

Also in December, national security experts at the Center for New American Security (CNAS) issued a comprehensive surveillance agenda for the next administration. They found that "a thriving, world leading American technology industry" is in America's economic interest and national security interest, and recommend protecting the Privacy Shield and reaffirming PPD-28.

Congressman Sensenbrenner's Judicial Redress Act provides a reciprocity model that the CNAS report suggests incorporating into the operation of PPD-28. Congress conditioned international privacy rights on “effectively shar[ing] information with the United States for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses, … permit[ting] the transfer of personal data for commercial purposes … [to] the United States, … [and] “not materially imped[ing] the national security interests of the United States” as determined by the Attorney General. This links the effect of its provisions to frameworks like the Privacy Shield and the US-EU "umbrella agreement" on law enforcement information-sharing.

The CNAS report suggests placing a deadline on the effect of PPD-28 that in time would restrict its application to countries that give similar protection to US citizens. This would highlight the exceptional step PPD-28 involved and provide an incentive for allies to adopt the international norm the directive establishes.

The President-elect, his transition team, and his incoming national security and economic teams would be wise to heed these bipartisan recommendations by keeping PPD-28 and upholding the Privacy Shield.


Cameron F. Kerry is the Ann R. and Andrew H. Tisch Distinguished Visiting Fellow in Governance Studies at the Brookings Institution, and is Senior Counsel at Sidley Austin. He previously served as general counsel and acting secretary of the Department of Commerce.
Alan Raul is the founder and leader of Sidley’s Privacy, Data Security and Information Law practice. He represents companies on federal, state and international privacy issues, including global data protection and compliance programs, data breaches, cybersecurity, consumer protection issues and Internet law. He previously served as Vice Chairman of the White House Privacy and Civil Liberties Oversight Board, General Counsel of the Office of Management and Budget, and of the U.S. Department of Agriculture, and Associate Counsel to the President. Currently, Alan serves as a member of the Data Security, Privacy, and Intellectual Property Litigation Advisory Committee of the U.S. Chamber Litigation Center and serves ex officio on the American Bar Association’s Cybersecurity Legal Task Force.

Subscribe to Lawfare