Trump Puts U.S.-EU Privacy Shield At Risk
The U.S.-EU Privacy Shield framework, the agreement between the U.S. government and the European Commission that enables continued flows of commercial data from Europe to the United States, is undergoing its first annual review by the Commission and other European institutions. A report on their review is due in September. In the longer term, the Privacy Shield faces potential legal challenges in the Court of Justice of the European Union. [Disclosure: I have advised legal clients on the Privacy Shield and legal challenges.]
Published by The Lawfare Institute
in Cooperation With
The U.S.-EU Privacy Shield framework, the agreement between the U.S. government and the European Commission that enables continued flows of commercial data from Europe to the United States, is undergoing its first annual review by the Commission and other European institutions. A report on their review is due in September. In the longer term, the Privacy Shield faces potential legal challenges in the Court of Justice of the European Union. [Disclosure: I have advised legal clients on the Privacy Shield and legal challenges.]
The Trump Administration has come to understand that the Privacy Shield is vital to U.S. businesses involved in the world’s largest trade relationship: it has affirmed support for the framework and its essential pillars. Without these, the European Commission would face little choice but to exercise the right it reserved to suspend the framework. Even so, the damage the president and his administration have done to relationships with Europe and perceptions of the United States as a trusted partner have made the Commission’s job much harder.
When the new administration was about to take office, my colleague Alan Raul and I pointed out here the importance of Presidential Policy Directive 28 as “a keystone” of the Privacy Shield. (PPD-28 is the Obama order that extended to foreign nationals safeguards that protect the privacy and dignity of people in the US against overreaching government surveillance). Both Carrie Cordero of Brookings and Adam Klein of the Center for New American Security called similar attention to filling vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB), which lacks a chair and a quorum necessary to conduct its full business. Another key element for the Privacy Shield is the designation of the “E” Undersecretary of State (Economics, Energy, Environment & Oceans) as an “Ombudsperson” to look into complaints from individuals in the EU concerning US surveillance.
The two European Commission commissioners responsible for the Privacy Shield both scheduled surprisingly early visits to Washington, aimed at underscoring the importance of the Privacy Shield and heading off damage. Each one left pronouncing the meetings satisfactory.
The Trump administration has left PPD-28 alone and, in his meetings with counterparts from the European Commission as well as in his opening remarks to Commerce Department employees, Secretary of Commerce Wilbur Ross affirmed support for the Privacy Shield.
Although the administration has yet to nominate any undersecretaries of State, much less one for Economics, Energy, Environment and Oceans, it has clarified that the acting official in charge of that bureau has the powers of the Privacy Shield Ombudsperson. And, while the pace of nominations ensures the PCLOB will remain handicapped by vacancies at least through 2017, the White House has sought names of people to nominate.
The trouble is, the administration keeps doing other things that jeopardize support for the Privacy Shield. A clause in the very first immigration executive order overriding agency regulations that apply federal Privacy Act to persons outside the United States raised alarm bells that the President was undoing steps PPD-28 and other steps to extend privacy protections to people in Europe. In fact, the order did neither, but the alarms displayed the level of wariness on the part of the Europeans, subsequently heightened by border searches of cell phones and social media accounts. Congressional action signed by President Trump repealing the Federal Communication Commission privacy regulations that flowed from the FCC’s application of its Title II regulations added to concerns, again fueled by overstated reactions.
EU officials visiting Washington in April acknowledged that these events do not affect data transferred under the Privacy Shield and that the major elements of the Privacy Shield were intact and working. Nevertheless, they expressed concern about what one characterized as “background music” that is making the annual review challenging.
This background music reached a crescendo with Trump’s NATO and G-7 meetings and subsequent announcement of plans to withdraw from the Paris climate accords. Trump’s eruptions – so impulsive that they went in the face of the advice of his national security team – proclaimed loudly that “America First” means contempt for our allies and central alliances. The schoolyard response from Emmanuel Macron and others show that Trump-baiting plays well with voters in EU countries. The trip could not have been more catastrophic as a diplomatic mission.
The European Commission made a strong political commitment to the U.S.-EU relationship in endorsing the Privacy Shield. It opened its announcement of the proposed Privacy Shield with a tribute to “[a] solid transatlantic partnership,” relating that “we have common values, pursue shared political and economic objectives, and cooperate closely in the fight against common threats to our security. The enduring strength of our relationship is evidenced by the extent of our commercial exchanges and our close cooperation in global affairs.”
The Commission approved the framework last July despite a non-binding vote against it by the European Parliament and negative opinions from Europe privacy watchdogs, the Article 29 Working Party committee of data protection regulators and the European Data Protection Supervisor. Each of these institutions has expressed increased concern, with the only change in the past year being the background music.
When then-Commissioner Viviane Reding was calling into question the predecessor to the Privacy Shield, the EU-US Safe Harbor Framework, she termed it “a gift which the EU makes to the United States.” I subsequently defended the framework as a special arrangement because of “the special relationship between Europe and the U.S.” in terms similar to those of the Commission: “a strong and deep alliance based on shared security needs, economic interests and values ….”
When the administration turns its back on that alliance and those interests and values, it negates this defense. Our allies certainly won't be disposed to give any “gifts.”